ScreenShot
| Created | 2021.03.30 10:58 | Machine | s1_win7_x6402 |
| Filename | md4_4igk.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 50 detected (AIDetect, malware1, DownLoader38, GenericKD, Unsafe, TrojanBanker, Passteal, malicious, ZexaF, TmGfaC0z7oeb, AdAgent, Eldorado, Attribute, HighConfidence, iquala, R002C0PCO21, Score, owqft, kcloud, Ymacco, Artemis, ai score=82, BScope, CryptInject, R002H0CCM21, FBAdsCard, CLOUD, GdSda, confidence, HgIASRQA) | ||
| md5 | ef80e35e5a0f4c12933955423dad720c | ||
| sha256 | 5b3e57fdf14cfa4d7688faecfa29c77974b8c92c97fffd786e82b0d582325315 | ||
| ssdeep | 12288:Fbd2oj1dgx82oWP/8YALurvih4YjfLS2NDEfa5wurfi6Hafu5VSWMSav:b7gx82oW8YAL2VEj5eXu5c | ||
| imphash | 924a6639786c2fe663b19a5bd1192f47 | ||
| impfuzzy | 6:dBJAEHGDzyRlbkZ/ArR3gqgUVZmHQc6SbK1GUxAd+XQGbKNEWzx/0yn:VA/DzqkZSngoZ0tu4oQmWrzx/0yn | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | Disables proxy possibly for traffic interception |
| notice | Foreign language identified in PE resource |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
Network (5cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x5a3e60 LoadLibraryA
0x5a3e64 GetProcAddress
0x5a3e68 VirtualProtect
0x5a3e6c ExitProcess
ESENT.dll
0x5a3e74 JetMove
ole32.dll
0x5a3e7c OleRun
OLEAUT32.dll
0x5a3e84 GetErrorInfo
QUARTZ.dll
0x5a3e8c AMGetErrorTextW
SHELL32.dll
0x5a3e94 SHGetSpecialFolderPathW
SHLWAPI.dll
0x5a3e9c PathFileExistsW
USER32.dll
0x5a3ea4 wsprintfA
WINHTTP.dll
0x5a3eac WinHttpOpen
WS2_32.dll
0x5a3eb4 WSAStartup
EAT(Export Address Table) is none
KERNEL32.DLL
0x5a3e60 LoadLibraryA
0x5a3e64 GetProcAddress
0x5a3e68 VirtualProtect
0x5a3e6c ExitProcess
ESENT.dll
0x5a3e74 JetMove
ole32.dll
0x5a3e7c OleRun
OLEAUT32.dll
0x5a3e84 GetErrorInfo
QUARTZ.dll
0x5a3e8c AMGetErrorTextW
SHELL32.dll
0x5a3e94 SHGetSpecialFolderPathW
SHLWAPI.dll
0x5a3e9c PathFileExistsW
USER32.dll
0x5a3ea4 wsprintfA
WINHTTP.dll
0x5a3eac WinHttpOpen
WS2_32.dll
0x5a3eb4 WSAStartup
EAT(Export Address Table) is none