Field | Value
---|---
Created | 2024.09.17 13:18
Machine | s1_win7_x6403
Filename | me.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : clean
VT API (file) | 33 detected (AIDetectMalware, Znyonm, GenericKD, Vjhb, Attribute, HighConfidence, malicious, moderate confidence, LESS, bWQ1Ot, f3Uo17GC1, MulDrop28, Detected, ABTrojan, QVJQ, Artemis, Chgt, susgen, PossibleThreat)
md5 | b691fc64d3750b2f7fd2041064f7cbc4
sha256 | d52a633fee08de3642e5cdbf18c2e57e2b46ec1a43cfb5cd7e1591ba175d4600
ssdeep | 12288:ZoeJDzAJAAuQqA9WU7eDoy7IhnFD9xQFBeJ2bmrHIu/YuaJQ8abvAcqdB7P9ykJ:K4x3QqA9KMy7IXRyeJsmU2KyvAcE7xJ
imphash | a4a43699e2266ae95649e1db3bf37269
impfuzzy | 12:mDzjA9A+pZ1nd6wuRTf1ExbxaZCdG4HWbfMXug9Yow:mDnWA+pZ1swu7Exdo4bH5Il
Signature (11cnts)
Level | Description |
---|---|
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
Rules (10cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | ASPack_Zero | ASPack packed file | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
info | mzp_file_format | MZP(Delphi) file format | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
PE API

IAT (Import Address Table)

Library | Address | Function
---|---|---
kernel32.dll | 0x644fb8 | GetProcAddress
kernel32.dll | 0x644fbc | GetModuleHandleA
kernel32.dll | 0x644fc0 | LoadLibraryA
user32.dll | 0x64526c | GetKeyboardType
advapi32.dll | 0x645274 | RegQueryValueExA
oleaut32.dll | 0x64527c | SysFreeString
advapi32.dll | 0x645284 | RegSetValueExA
version.dll | 0x64528c | VerQueryValueA
gdi32.dll | 0x645294 | UnrealizeObject
user32.dll | 0x64529c | CreateWindowExW
ole32.dll | 0x6452a4 | IsEqualGUID
oleaut32.dll | 0x6452ac | SafeArrayPtrOfIndex
ole32.dll | 0x6452b4 | CreateStreamOnHGlobal
oleaut32.dll | 0x6452bc | CreateErrorInfo
comctl32.dll | 0x6452c4 | ImageList_SetIconSize
imm32.dll | 0x6452cc | ImmGetCompositionStringW
winspool.drv | 0x6452d4 | OpenPrinterA
shell32.dll | 0x6452dc | ShellExecuteExA
wininet.dll | 0x6452e4 | InternetSetOptionA
urlmon.dll | 0x6452ec | CoInternetCreateZoneManager
shell32.dll | 0x6452f4 | SHGetSpecialFolderLocation

EAT (Export Address Table): none