ScreenShot
| Created | 2024.09.17 14:27 | Machine | s1_win7_x6403 |
| Filename | install_lodop32.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 21 detected (AIDetectMalware, Unsafe, Caosoft, Malicious, ivwnvb, DownLoader26, high, score, Generic ML PUA, Bancos, Detected, BScope, joRqC+WQiKw) | ||
| md5 | cee0d7092ec83373078d0045a0c74c40 | ||
| sha256 | 99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77 | ||
| ssdeep | 49152:xJxNHabdDlGc/za1rlFQFigZL+l63UBU3EWttCwYXn6CQqilfG1M3FB:xOLa1ZFU6l0YU3l3QCjgMVB | ||
| imphash | aebf0adf24a58356d19229180b831620 | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EwRgsuVM4PIMQw5/KJbxaZC3E7s2b/MyyTc5KTXqVqS:VA/DzqYOZ9Rgi4gQ5OxaZC3EvITQqXup | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | File has been identified by 21 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates executable files on the filesystem |
| notice | Foreign language identified in PE resource |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | One or more processes crashed |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (8cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x6f0edc LoadLibraryA
0x6f0ee0 GetProcAddress
0x6f0ee4 VirtualProtect
0x6f0ee8 VirtualAlloc
0x6f0eec VirtualFree
0x6f0ef0 ExitProcess
advapi32.dll
0x6f0ef8 RegCloseKey
comctl32.dll
0x6f0f00 ImageList_Add
gdi32.dll
0x6f0f08 Pie
msimg32.dll
0x6f0f10 AlphaBlend
ole32.dll
0x6f0f18 IsEqualGUID
oleaut32.dll
0x6f0f20 VariantCopy
shell32.dll
0x6f0f28 ShellExecuteW
user32.dll
0x6f0f30 GetDC
version.dll
0x6f0f38 VerQueryValueW
winspool.drv
0x6f0f40 OpenPrinterW
EAT(Export Address Table) is none
KERNEL32.DLL
0x6f0edc LoadLibraryA
0x6f0ee0 GetProcAddress
0x6f0ee4 VirtualProtect
0x6f0ee8 VirtualAlloc
0x6f0eec VirtualFree
0x6f0ef0 ExitProcess
advapi32.dll
0x6f0ef8 RegCloseKey
comctl32.dll
0x6f0f00 ImageList_Add
gdi32.dll
0x6f0f08 Pie
msimg32.dll
0x6f0f10 AlphaBlend
ole32.dll
0x6f0f18 IsEqualGUID
oleaut32.dll
0x6f0f20 VariantCopy
shell32.dll
0x6f0f28 ShellExecuteW
user32.dll
0x6f0f30 GetDC
version.dll
0x6f0f38 VerQueryValueW
winspool.drv
0x6f0f40 OpenPrinterW
EAT(Export Address Table) is none