Field | Value |
---|---|
Created | 2025.01.24 13:59 |
Machine | s1_win7_x6403 |
Filename | helps.hta |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | |
VT API (file) | 60 detected (AIDetectMalware, Farfli, Malicious, score, Mauvaise, Unsafe, Mint, Zard, Save, confidence, 100%, GenericKD, Attribute, HighConfidence, moderate confidence, dxihqn, CQejOpL0yUV, DownLoader16, ZEGOST, SM44, moderate, Static AI, Malicious PE, bqnp, Detected, AntiAV, ~D@fny3h, ABTrojan, FYFU, R97143, Artemis, BScope, gh0RAT, MachineLearning, Anomalous, Bjlog, Genetic, Gencirc, GenAsa, iwTZsTxBTgQ, ToBea, susgen) |
md5 | 407c9a93188dc7088e19d688a589c8c5 |
sha256 | 924c4682daa9e4f5dbb41a71458e6d37a927f86c01465ad209f9c78fe17973da |
ssdeep | 1536:0DAVfkzHIrV6EG0bd881SvsKjh0uRN4fcezQ0zfIikL:34HIx6g1S3jhhRNHz0zQL |
imphash | 0fd81f440ebc75b9643f0a9a76fd8d29 |
impfuzzy | 6:dBJAEHGDvZ/ED2vI73T7dCgwyvcSbVIS11n:VA/DvZ2H7j7HwyvDpn |
Signature (11cnts)
Level | Description |
---|---|
danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Installs itself for autorun at Windows startup |
notice | Creates a service |
notice | Expresses interest in specific running processes |
notice | Foreign language identified in PE resource |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
Library | Address | Function |
---|---|---|
KERNEL32.DLL | 0x4327e0 | LoadLibraryA |
KERNEL32.DLL | 0x4327e4 | GetProcAddress |
KERNEL32.DLL | 0x4327e8 | ExitProcess |
ADVAPI32.dll | 0x4327f0 | LsaClose |
GDI32.dll | 0x4327f8 | BitBlt |
MSVCP60.dll | 0x432800 | ?_Xran@std@@YAXXZ |
MSVCRT.dll | 0x432808 | free |
MSVFW32.dll | 0x432810 | ICOpen |
PSAPI.DLL | 0x432818 | EnumProcessModules |
SHELL32.dll | 0x432820 | ShellExecuteA |
WINMM.dll | 0x432828 | waveInStop |
WS2_32.dll | 0x432830 | send |
EAT (Export Address Table) Library
Address | Function |
---|---|
0x4014d3 | dfdg |