ScreenShot
| Created | 2024.11.13 14:09 | Machine | s1_win7_x6403 |
| Filename | ASUFER.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, RAR self-extracting archive | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 56 detected (AIDetectMalware, lCIq, Malicious, score, GenericRXCJ, Unsafe, confidence, AYQF, Gampass, moderate confidence, multiple detections, Genome, wGet, DelayedStart, Systroj, dddlxb, Upatre, CLOUD, Tool, Starter, TSPY, FAREIT, YYSRV, Detected, HackTool, MUPX, Gen@24tbus, Multiverze, RFBI, Tiggre, R299355, Probably Heur, ExeHeaderL, Ncnw, GenAsa, w6RILdF4Q) | ||
| md5 | 3e47dd3f7b0be7bc26abea791d386145 | ||
| sha256 | ce760056cd6800c9d0e05e6c84b6360ab626d86381b0d9ab0764d1b27736ed86 | ||
| ssdeep | 24576:bA6foqZxz4UMRM0dZj5YKGYRu8YnwVbE/x8Ub7pq2sBkbRBxh4yXom1rWZE3zj:UitZxzrsM+ZNYNRXuU420kPxhRXdaZEv | ||
| imphash | af7b8813a2e213ad2ed4a1d42c1b2975 | ||
| impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EwRgsyIBMeGaTKOdLMKJAm3EQbS4QG:VA/DzqYOZ9RghIBXGq+m3EP4QG | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
| warning | Stops Windows services |
| watch | Attempts to disable System Restore |
| watch | Installs itself for autorun at Windows startup |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Executes one or more WMI queries |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Command line console output was observed |
| info | Queries for the computername |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x427f04 LoadLibraryA
0x427f08 GetProcAddress
0x427f0c VirtualProtect
0x427f10 VirtualAlloc
0x427f14 VirtualFree
0x427f18 ExitProcess
ADVAPI32.dll
0x427f20 RegCloseKey
COMCTL32.dll
0x427f28 None
COMDLG32.dll
0x427f30 GetSaveFileNameA
GDI32.dll
0x427f38 DeleteDC
ole32.dll
0x427f40 OleInitialize
OLEAUT32.dll
0x427f48 VariantInit
SHELL32.dll
0x427f50 SHGetMalloc
USER32.dll
0x427f58 GetDC
EAT(Export Address Table) is none
KERNEL32.DLL
0x427f04 LoadLibraryA
0x427f08 GetProcAddress
0x427f0c VirtualProtect
0x427f10 VirtualAlloc
0x427f14 VirtualFree
0x427f18 ExitProcess
ADVAPI32.dll
0x427f20 RegCloseKey
COMCTL32.dll
0x427f28 None
COMDLG32.dll
0x427f30 GetSaveFileNameA
GDI32.dll
0x427f38 DeleteDC
ole32.dll
0x427f40 OleInitialize
OLEAUT32.dll
0x427f48 VariantInit
SHELL32.dll
0x427f50 SHGetMalloc
USER32.dll
0x427f58 GetDC
EAT(Export Address Table) is none