ScreenShot
| Created | 2024.08.12 09:40 | Machine | s1_win7_x6403 |
| Filename | Mailer.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 60 detected (AIDetectMalware, Jorik, lrUS, malicious, moderate confidence, score, Swrort, Marte, Unsafe, Save, Rozena, GenericRXAA, CobaltStrike, ccnc, Crypto, CLOUD, ZPACK, SMAL01, Real Protect, high, Detected, ai score=83, A@4jwdqr, Meterpreter, 12DT0MV, Eldorado, Bifrose, R12476, ZexaF, cmKfa4g8Bcgi, Genetic, Metasploit, GenAsa, tdGI4TGA, confidence, 100%) | ||
| md5 | 07924a75dd7d92d04c18063bea0d0b61 | ||
| sha256 | c5bd778d6cb31d3e6970e4df3d5d058bd9f95db7faae9fa55c5854d53b78898b | ||
| ssdeep | 768:Iwe8hnGkbDwaqsMyzzbrHWRAYzuxUbcaUM5lgVl0oAkDB4j8PkKIhSGLPUq3:Iwe8hGEq1y3HWRAOucWf0oF9P3GLsq3 | ||
| imphash | 25b3acc640473b6fce722f16eff93149 | ||
| impfuzzy | 3:oTEBlWAJOYAJWBJAEPw1MO/OywS9KTXzhAXwEQaxRGUpNx+AXAxxWAqXn:oI0YZBJAEoZ/OEGDzyRNx4xxKXn | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | The executable uses a known packer |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x41883c FreeSid
KERNEL32.DLL
0x418844 LoadLibraryA
0x418848 ExitProcess
0x41884c GetProcAddress
0x418850 VirtualProtect
MSVCRT.dll
0x418858 _iob
WS2_32.dll
0x418860 WSARecv
WSOCK32.dll
0x418868 WSAGetLastError
EAT(Export Address Table) is none
ADVAPI32.dll
0x41883c FreeSid
KERNEL32.DLL
0x418844 LoadLibraryA
0x418848 ExitProcess
0x41884c GetProcAddress
0x418850 VirtualProtect
MSVCRT.dll
0x418858 _iob
WS2_32.dll
0x418860 WSARecv
WSOCK32.dll
0x418868 WSAGetLastError
EAT(Export Address Table) is none