Field | Value |
---|---|
Created | 2025.02.20 03:41 |
Machine | s1_win7_x6401 |
Filename | 孟轩网1.0 64位.exe (Chinese: "Mengxuan Web 1.0 64-bit.exe") |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 1 detected (Unsafe) |
md5 | 306cd3926c2c44af0a1882041f2ec95a |
sha256 | 2272ef32d4bd76103535ef3cb4f0b7e6acf1ab1bced348d10767facd89215147 |
ssdeep | 98304:9v/1eH+fR8e0jvbI8S5MfWTrndx7/ssutayxIJByQm7rH0ZMwTiklOXlZmC:jeefEjDlMMfWXndxIsuoyxAyH0lWckl |
imphash | 328873b7119eb5f987908b74429079c5 |
impfuzzy | 12:o4EVE4Xd94BABZG/Dzs3ExV4QITQhrQd3mxCMX+m9oJ:9EqkiC+DAEcQbq2kWg |
Signature (12cnts)
Level | Description |
---|---|
watch | Checks the version of Bios |
watch | Detects the presence of Wine emulator |
watch | Detects virtualization software with SCSI Disk Identifier trick(s) |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | File has been identified by one AntiVirus engine on VirusTotal as malicious |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid, ...)
info | One or more processes crashed |
info | Queries for the computername |
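The rows above are the output of behavioural signatures: each one is a pattern matched against the API-call trace the sandbox recorded. The block below is an added illustration of how such checks are written, not the sandbox's own signature code. The event shape, the API names, the argument names and the registry paths (the SystemBiosVersion and SCSI Identifier keys, the wine_get_unix_file_name lookup, PAGE_EXECUTE_READWRITE allocations, MachineGuid) are assumptions about how generic Cuckoo-style anti-VM and fingerprinting signatures are written, and the events are constructed, not taken from this report.

```python
"""Sandbox-signature style checks over constructed API-call events (added example)."""
import re

# Assumed event shape: {"api": str, "args": {name: value}}.
# Registry paths and API names are assumptions about generic anti-VM / fingerprint signatures.
SIGNATURES = [
    {"level": "watch", "desc": "Checks the version of Bios",
     "api": r"^(NtQueryValueKey|RegQueryValueEx[AW]?)$", "arg": "regkey",
     "pattern": r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$"},
    {"level": "watch", "desc": "Detects the presence of Wine emulator",
     "api": r"^GetProcAddress$", "arg": "function_name",
     "pattern": r"^wine_get_unix_file_name$"},
    {"level": "watch", "desc": "Detects virtualization software with SCSI Disk Identifier trick(s)",
     "api": r"^(NtQueryValueKey|RegQueryValueEx[AW]?)$", "arg": "regkey",
     "pattern": r"\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+\\Scsi Bus \d+\\Target Id \d+\\Logical Unit Id \d+\\Identifier$"},
    {"level": "notice", "desc": "Allocates read-write-execute memory (usually to unpack itself)",
     "api": r"^(NtAllocateVirtualMemory|NtProtectVirtualMemory|VirtualProtect(Ex)?)$", "arg": "protection",
     "pattern": r"^0x40$"},  # 0x40 == PAGE_EXECUTE_READWRITE
    {"level": "info", "desc": "Checks amount of memory in system",
     "api": r"^GlobalMemoryStatus(Ex)?$", "arg": None, "pattern": None},
    {"level": "info", "desc": "Collects information to fingerprint the system (MachineGuid)",
     "api": r"^(NtQueryValueKey|RegQueryValueEx[AW]?)$", "arg": "regkey",
     "pattern": r"\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid$"},
    {"level": "info", "desc": "Queries for the computername",
     "api": r"^GetComputerName(Ex)?[AW]$", "arg": None, "pattern": None},
]
LEVEL_RANK = {"danger": 0, "warning": 1, "watch": 2, "notice": 3, "info": 4}


def normalize_key(path):
    """Traces spell the hive either way; canonicalise HKLM to HKEY_LOCAL_MACHINE."""
    if path.upper().startswith("HKLM\\"):
        return "HKEY_LOCAL_MACHINE" + path[4:]
    return path


def _as_text(value):
    # Integers (memory protection constants) are compared in hex form.
    return format(value, "#x") if isinstance(value, int) else str(value)


def match_signatures(events):
    """Return {description: {"level": ..., "events": [...]}} for every signature that fired."""
    hits = {}
    for ev in events:
        for sig in SIGNATURES:
            if not re.match(sig["api"], ev["api"]):
                continue
            if sig["arg"] is not None:
                value = ev.get("args", {}).get(sig["arg"], "")
                if sig["arg"] == "regkey":
                    value = normalize_key(str(value))
                if not re.search(sig["pattern"], _as_text(value), re.I):
                    continue
            hits.setdefault(sig["desc"], {"level": sig["level"], "events": []})["events"].append(ev)
    return hits


def summarize(hits):
    """Rows of (level, description, hit count) in the order the report table uses."""
    rows = [(v["level"], desc, len(v["events"])) for desc, v in hits.items()]
    return sorted(rows, key=lambda r: (LEVEL_RANK[r[0]], r[1]))


# Constructed trace: what a packed sample doing environment checks would log.
SAMPLE_EVENTS = [
    {"api": "NtQueryValueKey", "args": {"regkey": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"}},
    {"api": "RegQueryValueExW", "args": {"regkey": r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier"}},
    {"api": "GetProcAddress", "args": {"module": "kernel32.dll", "function_name": "wine_get_unix_file_name"}},
    {"api": "NtAllocateVirtualMemory", "args": {"size": 0x200000, "protection": 0x40}},
    {"api": "NtAllocateVirtualMemory", "args": {"size": 0x1000, "protection": 0x04}},  # PAGE_READWRITE: no hit
    {"api": "GlobalMemoryStatusEx", "args": {}},
    {"api": "GetComputerNameW", "args": {}},
    {"api": "NtQueryValueKey", "args": {"regkey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"}},
    {"api": "NtQueryValueKey", "args": {"regkey": r"HKEY_CURRENT_USER\Software\Example\Setting"}},  # benign
]

if __name__ == "__main__":
    for level, desc, count in summarize(match_signatures(SAMPLE_EVENTS)):
        print(f"{level:7} {desc} ({count})")
```

Note that only one of the two allocations fires: the PAGE_READWRITE one is ordinary behaviour, and a signature that flagged every allocation would bury the unpacking hint in noise. The same applies to the registry checks, which key on the exact hardware keys rather than on any registry read.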
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | mzp_file_format | MZP(Delphi) file format | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table)
Only one function is listed per DLL, plus LoadLibraryA, GetProcAddress, VirtualProtect and ExitProcess in KERNEL32.DLL. That is the import table of the UPX decompression stub, not of the original program: the stub resolves the real imports at run time once the payload is unpacked, so the imphash above fingerprints the packer, and the unpacked image (upx -d, or a memory dump taken after the stub finishes) is the one to analyse.
advapi32.dll
0x13957e4 FreeSid
cfgmgr32.dll
0x13957f4 CM_Get_Parent
comctl32.dll
0x1395804 ImageList_Add
comdlg32.dll
0x1395814 FindTextW
gdi32.dll
0x1395824 Pie
gdiplus.dll
0x1395834 GdipFree
IMAGEHLP.DLL
0x1395844 SymCleanup
KERNEL32.DLL
0x1395854 LoadLibraryA
0x139585c ExitProcess
0x1395864 GetProcAddress
0x139586c VirtualProtect
LZ32.DLL
0x139587c LZCopy
mpr.dll
0x139588c WNetCloseEnum
msvcrt.dll
0x139589c memcpy
ole32.dll
0x13958ac OleDraw
oleaut32.dll
0x13958bc VariantInit
SetupApi.dll
0x13958cc SetupDiGetClassDevsW
shell32.dll
0x13958dc SHGetMalloc
user32.dll
0x13958ec GetDC
version.dll
0x13958fc VerQueryValueW
winhttp.dll
0x139590c WinHttpOpen
wininet.dll
0x139591c FtpOpenFileW
winmm.dll
0x139592c timeGetTime
winspool.drv
0x139593c ClosePrinter
wsock32.dll
0x139594c socket
EAT (Export Address Table): none
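Three of the verdicts in this report (PE32+, UPX packed file, MZP(Delphi) file format) and the shape of the import table above can be checked statically from the headers alone. The block below is an added example of those checks, not the sandbox's rule code: it parses the DOS, COFF and section headers with the standard library, looks for the UPX section layout, and applies the one-import-per-DLL heuristic to a listing in the same text format as the IAT above. The PE image it parses is constructed in memory (a synthetic PE32+ with UPX-style sections and the "MZP" Delphi header marker), and the IAT text is an excerpt of the listing on this page.

```python
"""Static checks behind the PE32+, UPX and MZP(Delphi) verdicts (added example)."""
import re
import struct

SCN_RWX = 0x20000000 | 0x40000000 | 0x80000000   # IMAGE_SCN_MEM_EXECUTE | READ | WRITE
UPX_STUB_KERNEL32 = {"LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"}


def parse_pe(data):
    """Parse DOS/COFF/optional headers and the section table of an in-memory PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)      # 0x10B = PE32, 0x20B = PE32+
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "flags": flags})
    return {"machine": machine, "pe64": magic == 0x20B,
            "delphi_mzp": data[:4] == b"MZP\0",   # Borland/Delphi linker DOS header marker
            "sections": sections}


def upx_section_evidence(pe):
    """Header-level hints of a UPX layout: UPX* names, an empty first section that
    receives the unpacked image, and sections mapped read-write-execute."""
    hits, secs = [], pe["sections"]
    if any(s["name"].startswith("UPX") for s in secs):
        hits.append("section names UPX0/UPX1")
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0:
        hits.append("first section has no raw data (unpack target)")
    if any(s["flags"] & SCN_RWX == SCN_RWX for s in secs):
        hits.append("read-write-execute section")
    return hits


def parse_iat_listing(text):
    """Parse the 'dll.dll' / '0xADDR Func' listing format used in the report."""
    imports, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"0x[0-9a-f]+\s+(\w+)$", line, re.I)
        if m and current:
            imports[current].append(m.group(1))
        elif re.match(r"[\w.-]+\.(dll|drv)$", line, re.I):
            current = line.lower()
            imports.setdefault(current, [])
    return imports


def upx_iat_evidence(imports):
    """UPX rewrites the import table to one entry per DLL plus the loader functions
    its stub needs from kernel32; the real imports are resolved via GetProcAddress."""
    hits = []
    if UPX_STUB_KERNEL32 <= set(imports.get("kernel32.dll", [])):
        hits.append("kernel32 imports include the UPX stub set")
    others = [d for d in imports if d != "kernel32.dll"]
    if others and all(len(imports[d]) == 1 for d in others):
        hits.append(f"single import for each of {len(others)} other DLLs")
    return hits


def build_sample_pe64():
    """Constructed minimal PE32+ with a UPX-style section layout (not a real binary)."""
    def sec(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
    opt = struct.pack("<H", 0x20B).ljust(240, b"\0")            # PE32+ magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, len(opt), 0x0022)
    secs = (sec(b"UPX0", 0x1000000, 0x1000, 0, 0, 0xE0000080)
            + sec(b"UPX1", 0x200000, 0x1001000, 0x1FF000, 0x400, 0xE0000040)
            + sec(b".rsrc", 0x1000, 0x1201000, 0x1000, 0x1FF400, 0xC0000040))
    dos = b"MZP\0".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt + secs


# Excerpt of the IAT listing on this page, in the report's own text format.
SAMPLE_IAT = """\
advapi32.dll
0x13957e4 FreeSid
KERNEL32.DLL
0x1395854 LoadLibraryA
0x139585c ExitProcess
0x1395864 GetProcAddress
0x139586c VirtualProtect
msvcrt.dll
0x139589c memcpy
winhttp.dll
0x139590c WinHttpOpen
wsock32.dll
0x139594c socket
"""

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe64())
    print("PE32+" if pe["pe64"] else "PE32", hex(pe["machine"]), [s["name"] for s in pe["sections"]])
    print(upx_section_evidence(pe))
    print(upx_iat_evidence(parse_iat_listing(SAMPLE_IAT)))
```

Section names are the weakest of these signals, since a packer can be told to rename them; the empty first section and the import-table shape survive that, which is why both are checked.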