ScreenShot
| Created | 2024.08.30 18:15 | Machine | s1_win7_x6401 |
| Filename | 1188%E7%83%88%E7%84%B0.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 17 detected (malicious, moderate confidence, Collected, APUS, Artemis, Perion, eieizd, CLOUD, PerionCRTD, Zeus, Detected, ApplicUnwnt@#3nz311z93b0l, PUADlManager, LTLogger, GenAsa, 4t2IKQiiCOQ, grayware, confidence) | ||
| md5 | 88783a57777926114b5c5c95af4c943c | ||
| sha256 | 94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a | ||
| ssdeep | 12288:7Egn2EkLvTjotXsXsjo3sPnXMRJmV0nzJEdMNZ:7R2EkLvPotX5jo3EQFl | ||
| imphash | 5b091649031f38ad86eb9061a77425fb | ||
| impfuzzy | 3:swBJAEPwS9KTXzhAXwEQaxRAAbs1MO/IJjOSzLxaZSc8KSxAdX:dBJAEHGDzyRlbkZ/ItvxaZyxAdX | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Disables proxy possibly for traffic interception |
| watch | File has been identified by 17 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | One or more processes crashed |
| info | The executable uses a known packer |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | JPEG_Format_Zero | JPEG Format | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x5156a8 LoadLibraryA
0x5156ac GetProcAddress
0x5156b0 VirtualProtect
0x5156b4 ExitProcess
MSVBVM60.DLL
0x5156bc None
OLE32.DLL
0x5156c4 IsEqualGUID
SHLWAPI.DLL
0x5156cc PathFileExistsW
EAT(Export Address Table) is none
KERNEL32.DLL
0x5156a8 LoadLibraryA
0x5156ac GetProcAddress
0x5156b0 VirtualProtect
0x5156b4 ExitProcess
MSVBVM60.DLL
0x5156bc None
OLE32.DLL
0x5156c4 IsEqualGUID
SHLWAPI.DLL
0x5156cc PathFileExistsW
EAT(Export Address Table) is none