ScreenShot
| Created | 2021.03.22 10:26 | Machine | s1_win7_x6402 |
| Filename | REW.exe | ||
| Type | MS-DOS executable, MZ for MS-DOS | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 25 detected (Malicious, score, GenericKD, confidence, Agen, FileRepMalware, Artemis, SmallAHKDownloader, oftsb, ai score=82, Ymacco, vG2VySOCZ6E, InvalidSig, PossibleThreat, HgEASRIA) | ||
| md5 | 4437932f91042579798df965170c55a8 | ||
| sha256 | 0ed3ce0f13bd721bc78bd411e74aeb3e772588d2bb1b3f2d2be4e390164646ec | ||
| ssdeep | 12288:e7iLxBGNINxDRhDqaRQTBRwrl1MWsXI9a+2cO:e7iNBEmxfqzNdTXI0+2cO | ||
| imphash | caa5e6a2892587c2324418efee31c648 | ||
| impfuzzy | 6:nERGDm14CLPMeTc5suVMlEtiLWvGm3LKRgKLbBnaZr4BSo:EcDm1JL0eTQilnL6LKRgCor4BSo | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasModified_DOS_Message | DOS Message Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | screenshot | Take screenshot | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
| info | win_registry | Affect system registries | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32
0x14012b118 GetModuleHandleA
0x14012b120 GetProcAddress
WSOCK32.dll
0x14012b130 WSACleanup
WINMM.dll
0x14012b140 mixerOpen
VERSION.dll
0x14012b150 VerQueryValueW
COMCTL32.dll
0x14012b160 ImageList_Create
PSAPI.DLL
0x14012b170 GetModuleBaseNameW
USER32.dll
0x14012b180 GetDC
GDI32.dll
0x14012b190 BitBlt
COMDLG32.dll
0x14012b1a0 GetOpenFileNameW
ADVAPI32.dll
0x14012b1b0 RegCloseKey
SHELL32.dll
0x14012b1c0 DragFinish
ole32.dll
0x14012b1d0 CoGetObject
OLEAUT32.dll
0x14012b1e0 SafeArrayGetLBound
EAT(Export Address Table) is none
KERNEL32
0x14012b118 GetModuleHandleA
0x14012b120 GetProcAddress
WSOCK32.dll
0x14012b130 WSACleanup
WINMM.dll
0x14012b140 mixerOpen
VERSION.dll
0x14012b150 VerQueryValueW
COMCTL32.dll
0x14012b160 ImageList_Create
PSAPI.DLL
0x14012b170 GetModuleBaseNameW
USER32.dll
0x14012b180 GetDC
GDI32.dll
0x14012b190 BitBlt
COMDLG32.dll
0x14012b1a0 GetOpenFileNameW
ADVAPI32.dll
0x14012b1b0 RegCloseKey
SHELL32.dll
0x14012b1c0 DragFinish
ole32.dll
0x14012b1d0 CoGetObject
OLEAUT32.dll
0x14012b1e0 SafeArrayGetLBound
EAT(Export Address Table) is none