Field | Value |
---|---|
Created | 2021.03.12 12:44 |
Machine | s1_win7_x6402 |
Filename | 494818992.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, RAR self-extracting archive |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 53 detected (AIDetect, malware1, malicious, high confidence, GenericKD, Hesv, Unsafe, LightStone, Save, Runner, Eldorado, Rasftuby, Lmul, R + Mal, RarMal, AGEN, R002C0RBP21, ai score=82, Wacatac, Phonzy, score, R340855, Vasal, WcuqdUyJaf0, Uztuby, susgen, Genetic, confidence, 100%, HgIASPsA) |
md5 | a1dbce02232adc2298ea67e387694b42 |
sha256 | 89aefce491b5677cb05a89d53089cc18abbdbbc85306aae3d8c229d719447f70 |
ssdeep | 12288:Xo4JzBT1gv4sY+tn6TzSjqthlT2Gce7pWVfZdBjO7yegyfmjKzL:XnsF6TzSjqtvCGcq8fZdVO7rJ3L |
imphash | 4bb6c97d0fd6fbaeabdd43515fbc6b28 |
impfuzzy | 3:P7VLl2WBJAEPw1MO/OywS9KTXzhAXwEQaxRn:p5rBJAEoZ/OEGDzyRn |
Network IP location
Signature (24cnts)
Level | Description |
---|---|
danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
watch | A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic/preparations. |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | One or more non-whitelisted processes were created |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process wscript.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Potentially malicious URLs were found in the process memory dump |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (49cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | create_com_service | Create a COM server | memory |
info | create_service | Create a windows service | memory |
info | cred_local | Steal credential | memory |
info | escalate_priv | Escalate privileges | memory |
info | HasOverlay | Overlay Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | keylogger | Run a keylogger | memory |
info | migrate_apc | APC queue tasks migration | memory |
info | network_dga | Communication using dga | memory |
info | network_dns | Communications use DNS | memory |
info | network_dropper | File downloader/dropper | memory |
info | network_ftp | Communications over FTP | memory |
info | network_http | Communications over HTTP | memory |
info | network_p2p_win | Communications over P2P network | memory |
info | network_tcp_listen | Listen for incoming communication | memory |
info | network_tcp_socket | Communications over RAW socket | memory |
info | network_udp_sock | Communications over UDP network | memory |
info | screenshot | Take screenshot | memory |
info | sniff_audio | Record Audio | memory |
info | spreading_file | Malware can spread east-west file | memory |
info | spreading_share | Malware can spread east-west using share drive | memory |
info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
info | win_files_operation | Affect private profile | memory |
info | win_mutex | Create or check mutex | memory |
info | win_private_profile | Affect private profile | memory |
info | win_registry | Affect system registries | memory |
info | win_token | Affect system token | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table)
Library | Address | Function |
---|---|---|
gdiplus.dll | 0x480344 | GdipFree |
KERNEL32.DLL | 0x48034c | LoadLibraryA |
KERNEL32.DLL | 0x480350 | ExitProcess |
KERNEL32.DLL | 0x480354 | GetProcAddress |
KERNEL32.DLL | 0x480358 | VirtualProtect |
EAT (Export Address Table): none
Note: this minimal import table (LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess) is the UPX unpacking stub's own; the real imports of the packed payload are resolved at runtime and are only visible after unpacking or in the memory dump.