Field | Value |
---|---|
Created | 2025.04.02 10:05 |
Machine | s1_win7_x6403 |
Filename | invoice.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 26 detected (AIDetectMalware, Lazy, Unsafe, Save, malicious, confidence, 100%, GenHeur, MalPbs, gen2, high confidence, GenKryptik, HHUD, Kryptik@AI, RDML, i3iOxKzU69W1htAsnVUIVg, high, score, Static AI, Malicious PE, Ztjl) |
md5 | 57bcb61167abd03d9d98705ab39e79ab |
sha256 | 7c321f8a0d6c357d3406afb96408968d107c81f8282e2353ea4cebed67432f88 |
ssdeep | 24576:BAzEBC+2X2jofsfO1AVPul+3Dhs2ccmsh:BAz+J2mMfd1LDlRsh |
imphash | 71f2fc6f961ae32c66027ae469c38c53 |
impfuzzy | 12:vVKKZkZGcOcJhCrPQE/mlA/j9r1ByB5w4F+fnQ6iA092+IK+Av5kXtAhS:kVLOChKPQE/KA/JrS5w4F+fnQnA095Ol |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x4698b4 CloseHandle
0x4698b8 CreateToolhelp32Snapshot
0x4698bc ExitProcess
0x4698c0 GetCommandLineW
0x4698c4 GetLastError
0x4698c8 GetModuleHandleW
0x4698cc GetSystemInfo
0x4698d0 GetTickCount
0x4698d4 GlobalMemoryStatusEx
0x4698d8 Process32FirstW
0x4698dc Process32NextW
0x4698e0 Sleep
0x4698e4 lstrcmpiW
USER32.dll
0x4698ec BeginPaint
0x4698f0 DefWindowProcW
0x4698f4 DestroyWindow
0x4698f8 DispatchMessageW
0x4698fc DrawTextW
0x469900 EndPaint
0x469904 FillRect
0x469908 GetDC
0x46990c GetMessageW
0x469910 LoadCursorW
0x469914 PostQuitMessage
0x469918 RegisterClassExW
0x46991c ReleaseDC
0x469920 SetCursor
0x469924 SetFocus
0x469928 ShowWindow
0x46992c TranslateMessage
0x469930 UpdateWindow
EAT (Export Address Table): none