Field | Value |
---|---|
Created | 2024.09.24 10:57 |
Machine | s1_win7_x6401 |
Filename | m2123.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 13 detected (AIDetectMalware, Unsafe, ETUB, Malicious, CLOUD, high, score, Detected, HeurC, KVMH008, Artemis, Hostschanger) |
md5 | 03bda990b8fd0d4cc27611edbceea3f0 |
sha256 | c96b8380f3acee84358759a9b70a5e7f46b0b0084b875ec82d6cd787a72f727d |
ssdeep | 12288:VyKRi53dU4nH1I1dNTW6xQBZhEFNaIxH7A3OyEmH/7x7wMoVaWTHt37Vx0Sn5GZi:tRi1dUJTW6xQBZh6JA+yEmDBw1THt3zn |
imphash | 20c4b14b5064e66d073d37066475b11c |
impfuzzy | 12:QvXysbJBeDoAHtAnO7ZGTOd1xvZNfhdoGDQ3n6gwD3:uysFADojnOF0OtRdhdoGDQ3n6gwL |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Queries for potentially installed applications |
notice | Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (29cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
warning | hide_executable_file | Hide executable file | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | PDF_Format_Z | PDF Format | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
info | icon_file_format | icon file format | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x403000 OutputDebugStringA
0x403004 FreeLibrary
0x403008 GetLastError
0x40300c lstrcpynW
0x403010 GetProcAddress
0x403014 LoadLibraryExW
0x403018 GetSystemDirectoryW
0x40301c UnmapViewOfFile
0x403020 MultiByteToWideChar
0x403024 MapViewOfFile
0x403028 CloseHandle
0x40302c CreateFileMappingW
0x403030 GetFileSize
0x403034 CreateFileW
0x403038 lstrlenW
0x40303c GetCommandLineW
0x403040 ExitProcess
0x403044 Sleep
0x403048 DeleteFileW
0x40304c SetFileAttributesW
0x403050 GetFileAttributesW
0x403054 GetTempPathW
0x403058 GetModuleHandleW
0x40305c GetModuleFileNameW
0x403060 GetTickCount
0x403064 GetCurrentThreadId
0x403068 GetSystemTimeAsFileTime
0x40306c GetVersionExW
0x403070 GetCurrentProcessId
0x403074 HeapAlloc
0x403078 GetProcessHeap
0x40307c HeapFree
0x403080 ReadFile
0x403084 WriteFile
0x403088 SetFileTime
0x40308c SetFilePointer
USER32.dll
0x403094 wvsprintfA
0x403098 wsprintfW
0x40309c PostMessageW
0x4030a0 MessageBoxA
EAT (Export Address Table) is none