Field | Value |
---|---|
Created | 2025.03.08 12:05 |
Machine | s1_win7_x6403 |
Filename | 3158e964-6e73-4443-84f8-ddb304d57b87 |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 55 detected (Common, Ekstak, Malicious, score, Ghanarava, Trojan Generic, VYRH, GenericKD, Unsafe, Save, confidence, GenusT, EPEJ, Attribute, HighConfidence, high confidence, MalwareX, Zard, azpli, Kryptik@AI, RDML, Bitoj3s8WSCxZBGsP51, uwcxt, moderate, Static AI, Suspicious PE, Detected, Wacatac, ABTrojan, LPSD, TrojanGeneric, Chgt, R002H0CBM25, Gencirc, susgen, B9nj) |
md5 | ce869420036665a228c86599361f0423 |
sha256 | eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd |
ssdeep | 6144:IPz8VYvGAYCJSDKsI2lbTZ4P+DGGilC+QooPCp1InDCCZx5Wt/ixduuZ8BEby209:YcYvu5WiBOPAil1Qok+G5W8xcuZYUQw |
imphash | 802d02f4448b6e25480dd2c62dd4c5a4 |
impfuzzy | 3:oTEBlWAJOYAJWBJAEPwh0zJzsS9KTXzhAXwEQaxRGU0QZoWbW6LtgQ8ySoMfAE:oI0YZBJAEtRGDzyRNLbBSZoE |
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | An executable file was downloaded by the process 3158e964-6e73-4443-84f8-ddb304d57b87.exe |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Network_Downloader | File Downloader | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 12
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET INFO Executable Download from dotted-quad Host
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT (Import Address Table)
Library | Address | Function |
---|---|---|
ADVAPI32.dll | 0x681f78 | FreeSid |
KERnEl32.dll | 0x681f88 | LoadLibraryA |
KERnEl32.dll | 0x681f90 | DeleteAtom |
KERnEl32.dll | 0x681f98 | GetProcAddress |
KERnEl32.dll | 0x681fa0 | VirtualProtect |
msVcRT.DlL | 0x681fb0 | exit |
RPCRT4.dll | 0x681fc0 | UuidCreate |
SHELL32.dll | 0x681fd0 | ShellExecuteExA |
urlmon.dll | 0x681fe0 | URLDownloadToFileA |
EAT (Export Address Table): none