Field | Value |
---|---|
Created | 2024.10.18 10:16 |
Machine | s1_win7_x6403 |
Filename | 20230120_1.bin |
Type | PE32+ executable (native) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 47 detected (FakeCert, Malicious, score, Artemis, Ulise, Unsafe, Sign, confidence, 100%, high confidence, a variant of Generik, RWFWGQ, CLASSIC, Hitbrovi, edpvz, Tool, Static AI, Malicious PE, R560727, Gencirc, 885UkWm3uEM, susgen, PossibleThreat, PALLAS) |
md5 | 2f3fd904ea51687468b39b707a1587a4 |
sha256 | d7ac8ffc3d50c9be9dabacbef939d960a414e89ea2185860064c918b8762788c |
ssdeep | 3072:Sm+HmtKuvwA8M/6L053dFPE0TABxj3Ag9kbhjx6fTW:Sm9tKuvH8MN5rPwBx8h1/ |
imphash | 118a2343ba7a5763d9034e65dcc58b46 |
impfuzzy | 24:bXIogQgEQXIkg8oJqBuqmiVrQ2qXdYLy8LJ6yPKnbgC8yPhIYO2UgBkMQaQze:kc1ku55TNqRJ6hOyp3 |
Network IP location
Signature (3cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
cng.sys
0x140003000 BCryptSetProperty
0x140003008 BCryptCloseAlgorithmProvider
0x140003010 BCryptGenerateSymmetricKey
0x140003018 BCryptDecrypt
0x140003020 BCryptDestroyKey
0x140003028 BCryptOpenAlgorithmProvider
ntoskrnl.exe
0x140003038 RtlInitUnicodeString
0x140003040 KeWaitForSingleObject
0x140003048 ExAllocatePoolWithTag
0x140003050 ExFreePoolWithTag
0x140003058 MmGetSystemRoutineAddress
0x140003060 MmProtectMdlSystemAddress
0x140003068 MmMapLockedPagesSpecifyCache
0x140003070 MmAllocatePagesForMdlEx
0x140003078 PsCreateSystemThread
0x140003080 ObReferenceObjectByHandle
0x140003088 ObReferenceObjectByHandleWithTag
0x140003090 ObCloseHandle
0x140003098 ObfDereferenceObject
0x1400030a0 ZwCreateFile
0x1400030a8 ZwReadFile
0x1400030b0 ZwWriteFile
0x1400030b8 ZwClose
0x1400030c0 MmIsAddressValid
0x1400030c8 IoCreateFileEx
0x1400030d0 MmFlushImageSection
0x1400030d8 ZwDeleteFile
0x1400030e0 IoFileObjectType
0x1400030e8 RtlGetVersion
0x1400030f0 ZwQueryInformationFile
0x1400030f8 MmGetVirtualForPhysical
0x140003100 KeBugCheckEx
EAT (Export Address Table): none