ScreenShot
| Created | 2025.02.19 11:26 | Machine | s1_win7_x6401 |
| Filename | emgg.ps1 | ||
| Type | ASCII text, with very long lines, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | |||
| VT API (file) | |||
| md5 | d3b7a6cbb1106c831806fa680b1dad50 | ||
| sha256 | c3146cbcfe1e5827ad6011c73da8f3ee6a0806bb30ae2dbb467de36804fe8043 | ||
| ssdeep | 768:oYHe0IDMDex1gvUXQOGuYBTyGkRdL7bZgevdtfT4lnHKuPZqzFBeTY748w5BkiFR:NdrgdgqxdL7rFFT4lRqzOTTBU4 | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | The process powershell.exe wrote an executable file to disk which it then attempted to execute |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| watch | Drops a binary and executes it |
| watch | One or more non-whitelisted processes were created |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Creates executable files on the filesystem |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | hide_executable_file | Hide executable file | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | ConfuserEx_Zero | Confuser .NET | binaries (download) |
| info | IsPE64 | (no description) | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
