| Created | 2025.04.03 10:09 | Machine | s1_win7_x6401 |
| Filename | 2paodhpl52.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 40 detected (AIDetectMalware, Nuitka, Malicious, score, Ghanarava, Unsafe, confidence, 100%, high confidence, a variant of Python, Y suspicious, Disco, Generic Reputation PUA, Static AI, Suspicious PE, Detected, Sabsik, ABApplication, BTNA, Artemis, Python, QQPass, QQRob, Kflw, susgen, AGen) | ||
| md5 | 7b5f98de297dfb4e0430e04d806f641b | ||
| sha256 | a85112eb95fdabb423f95ec3d4dbdeee8c5b262d3ac1d6013ff1e6fc03b9f9ba | ||
| ssdeep | 393216:N9zZmHIWR5xhwNNiSaJ/PGlux5Pre2LNINriLgC:NE6NN6J3GI5P5KrY | ||
| imphash | ae21233514eb2e47a60a61ce2f15abb9 | ||
| impfuzzy | 48:p8XOst9nR3nZ+kNPlslEJGp6qJ8k3k1vkqqyesXh:eXdth9nZrNPlYEJGph6k3mkqqh2 | ||
No network connection information
Signature (6cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
| watch | Drops a binary and executes it |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates executable files on the filesystem |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
Rules (18cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
| info | ftp_command | ftp command | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | wget_command | wget command | binaries (download) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14004a378 CloseHandle
0x14004a380 CopyFileW
0x14004a388 CreateDirectoryW
0x14004a390 CreateFileMappingW
0x14004a398 CreateFileW
0x14004a3a0 CreateProcessW
0x14004a3a8 DeleteCriticalSection
0x14004a3b0 DeleteFileW
0x14004a3b8 EnterCriticalSection
0x14004a3c0 FindResourceA
0x14004a3c8 FormatMessageA
0x14004a3d0 FreeLibrary
0x14004a3d8 GenerateConsoleCtrlEvent
0x14004a3e0 GetCommandLineW
0x14004a3e8 GetCurrentProcessId
0x14004a3f0 GetEnvironmentVariableW
0x14004a3f8 GetExitCodeProcess
0x14004a400 GetFileAttributesW
0x14004a408 GetFileSize
0x14004a410 GetLastError
0x14004a418 GetModuleFileNameW
0x14004a420 GetModuleHandleA
0x14004a428 GetProcAddress
0x14004a430 GetProcessId
0x14004a438 GetStartupInfoW
0x14004a440 GetStdHandle
0x14004a448 GetSystemTimeAsFileTime
0x14004a450 GetTempPathW
0x14004a458 InitializeCriticalSection
0x14004a460 IsDBCSLeadByteEx
0x14004a468 LeaveCriticalSection
0x14004a470 LoadLibraryA
0x14004a478 LoadResource
0x14004a480 LockResource
0x14004a488 MapViewOfFile
0x14004a490 MultiByteToWideChar
0x14004a498 ReadFile
0x14004a4a0 SetConsoleCtrlHandler
0x14004a4a8 SetEnvironmentVariableW
0x14004a4b0 SetUnhandledExceptionFilter
0x14004a4b8 SizeofResource
0x14004a4c0 Sleep
0x14004a4c8 TerminateProcess
0x14004a4d0 TlsGetValue
0x14004a4d8 UnmapViewOfFile
0x14004a4e0 VirtualProtect
0x14004a4e8 VirtualQuery
0x14004a4f0 WaitForSingleObject
0x14004a4f8 WideCharToMultiByte
0x14004a500 WriteFile
msvcrt.dll
0x14004a510 __C_specific_handler
0x14004a518 ___lc_codepage_func
0x14004a520 ___mb_cur_max_func
0x14004a528 __iob_func
0x14004a530 __set_app_type
0x14004a538 __setusermatherr
0x14004a540 __wargv
0x14004a548 __wgetmainargs
0x14004a550 __winitenv
0x14004a558 _amsg_exit
0x14004a560 _cexit
0x14004a568 _commode
0x14004a570 _errno
0x14004a578 _fmode
0x14004a580 _initterm
0x14004a588 _lock
0x14004a590 _onexit
0x14004a598 _unlock
0x14004a5a0 _wcmdln
0x14004a5a8 _wcsdup
0x14004a5b0 _wcsicmp
0x14004a5b8 _wrename
0x14004a5c0 abort
0x14004a5c8 calloc
0x14004a5d0 exit
0x14004a5d8 fprintf
0x14004a5e0 fputc
0x14004a5e8 free
0x14004a5f0 fwrite
0x14004a5f8 localeconv
0x14004a600 malloc
0x14004a608 mbstowcs
0x14004a610 memcpy
0x14004a618 memmove
0x14004a620 memset
0x14004a628 puts
0x14004a630 signal
0x14004a638 strerror
0x14004a640 strlen
0x14004a648 strncmp
0x14004a650 vfprintf
0x14004a658 wcschr
0x14004a660 wcscmp
0x14004a668 wcslen
0x14004a670 wcsncmp
SHELL32.dll
0x14004a680 CommandLineToArgvW
0x14004a688 SHFileOperationW
0x14004a690 SHGetFolderPathW
EAT(Export Address Table) is none
KERNEL32.dll
0x14004a378 CloseHandle
0x14004a380 CopyFileW
0x14004a388 CreateDirectoryW
0x14004a390 CreateFileMappingW
0x14004a398 CreateFileW
0x14004a3a0 CreateProcessW
0x14004a3a8 DeleteCriticalSection
0x14004a3b0 DeleteFileW
0x14004a3b8 EnterCriticalSection
0x14004a3c0 FindResourceA
0x14004a3c8 FormatMessageA
0x14004a3d0 FreeLibrary
0x14004a3d8 GenerateConsoleCtrlEvent
0x14004a3e0 GetCommandLineW
0x14004a3e8 GetCurrentProcessId
0x14004a3f0 GetEnvironmentVariableW
0x14004a3f8 GetExitCodeProcess
0x14004a400 GetFileAttributesW
0x14004a408 GetFileSize
0x14004a410 GetLastError
0x14004a418 GetModuleFileNameW
0x14004a420 GetModuleHandleA
0x14004a428 GetProcAddress
0x14004a430 GetProcessId
0x14004a438 GetStartupInfoW
0x14004a440 GetStdHandle
0x14004a448 GetSystemTimeAsFileTime
0x14004a450 GetTempPathW
0x14004a458 InitializeCriticalSection
0x14004a460 IsDBCSLeadByteEx
0x14004a468 LeaveCriticalSection
0x14004a470 LoadLibraryA
0x14004a478 LoadResource
0x14004a480 LockResource
0x14004a488 MapViewOfFile
0x14004a490 MultiByteToWideChar
0x14004a498 ReadFile
0x14004a4a0 SetConsoleCtrlHandler
0x14004a4a8 SetEnvironmentVariableW
0x14004a4b0 SetUnhandledExceptionFilter
0x14004a4b8 SizeofResource
0x14004a4c0 Sleep
0x14004a4c8 TerminateProcess
0x14004a4d0 TlsGetValue
0x14004a4d8 UnmapViewOfFile
0x14004a4e0 VirtualProtect
0x14004a4e8 VirtualQuery
0x14004a4f0 WaitForSingleObject
0x14004a4f8 WideCharToMultiByte
0x14004a500 WriteFile
msvcrt.dll
0x14004a510 __C_specific_handler
0x14004a518 ___lc_codepage_func
0x14004a520 ___mb_cur_max_func
0x14004a528 __iob_func
0x14004a530 __set_app_type
0x14004a538 __setusermatherr
0x14004a540 __wargv
0x14004a548 __wgetmainargs
0x14004a550 __winitenv
0x14004a558 _amsg_exit
0x14004a560 _cexit
0x14004a568 _commode
0x14004a570 _errno
0x14004a578 _fmode
0x14004a580 _initterm
0x14004a588 _lock
0x14004a590 _onexit
0x14004a598 _unlock
0x14004a5a0 _wcmdln
0x14004a5a8 _wcsdup
0x14004a5b0 _wcsicmp
0x14004a5b8 _wrename
0x14004a5c0 abort
0x14004a5c8 calloc
0x14004a5d0 exit
0x14004a5d8 fprintf
0x14004a5e0 fputc
0x14004a5e8 free
0x14004a5f0 fwrite
0x14004a5f8 localeconv
0x14004a600 malloc
0x14004a608 mbstowcs
0x14004a610 memcpy
0x14004a618 memmove
0x14004a620 memset
0x14004a628 puts
0x14004a630 signal
0x14004a638 strerror
0x14004a640 strlen
0x14004a648 strncmp
0x14004a650 vfprintf
0x14004a658 wcschr
0x14004a660 wcscmp
0x14004a668 wcslen
0x14004a670 wcsncmp
SHELL32.dll
0x14004a680 CommandLineToArgvW
0x14004a688 SHFileOperationW
0x14004a690 SHGetFolderPathW
EAT(Export Address Table) is none