ScreenShot
| Created | 2025.03.13 09:47 | Machine | s1_win7_x6401 |
| Filename | muk.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 57 detected (AIDetectMalware, Remcos, Malicious, score, Ghanarava, Dump, Unsafe, Save, confidence, 100%, Attribute, HighConfidence, moderate confidence, Rescoms, RATX, kvsovm, AyOt9ijbbiR, YXFCLZ, Real Protect, high, Static AI, Malicious PE, Detected, GrayWare, Wacapew, Wacatac, ABApplication, ODWR, R625809, Artemis, BScope, GdSda) | ||
| md5 | 444c83a662cc3f056b30e69ef646c097 | ||
| sha256 | f01c012ed02d1c83885899e0f6dfa0f053a7a16548de074d859428df064d0802 | ||
| ssdeep | 3072:QrO63tSvNCRwz34cPY5ggG2UfMvIn6T7vxVuzebnf1hCp/AjgqI3hTBLdS7TXwIn:2H3tEIOz34cPY5gXQH7USGhlU7 | ||
| imphash | 3318a4310235d39fc3cad1d3c7dfd161 | ||
| impfuzzy | 6:omRgCHWvC365rBJAEoZ/OEGDzyRZr4/b4RUptIKVSZozAhQcY46cErxKXn:omRgYh+ABZG/Dzgr4kYSIAx7LErxMn | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | Network_Downloader | File Downloader | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x488724 RegCloseKey
GDI32.dll
0x48872c BitBlt
gdiplus.dll
0x488734 GdipFree
KERNEL32.DLL
0x48873c LoadLibraryA
0x488740 ExitProcess
0x488744 GetProcAddress
0x488748 VirtualProtect
ole32.dll
0x488750 CoGetObject
SHELL32.dll
0x488758 ExtractIconA
SHLWAPI.dll
0x488760 StrToIntA
urlmon.dll
0x488768 URLDownloadToFileW
USER32.dll
0x488770 DrawIcon
WININET.dll
0x488778 InternetOpenW
WINMM.dll
0x488780 PlaySoundW
WS2_32.dll
0x488788 WSAGetLastError
EAT(Export Address Table) is none
ADVAPI32.dll
0x488724 RegCloseKey
GDI32.dll
0x48872c BitBlt
gdiplus.dll
0x488734 GdipFree
KERNEL32.DLL
0x48873c LoadLibraryA
0x488740 ExitProcess
0x488744 GetProcAddress
0x488748 VirtualProtect
ole32.dll
0x488750 CoGetObject
SHELL32.dll
0x488758 ExtractIconA
SHLWAPI.dll
0x488760 StrToIntA
urlmon.dll
0x488768 URLDownloadToFileW
USER32.dll
0x488770 DrawIcon
WININET.dll
0x488778 InternetOpenW
WINMM.dll
0x488780 PlaySoundW
WS2_32.dll
0x488788 WSAGetLastError
EAT(Export Address Table) is none