| Field | Value |
|---|---|
| Created | 2022.01.27 09:48 |
| Machine | s1_win7_x6403 |
| Filename | file3.exe |
| Type | MS-DOS executable |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | 24 detected (Unsafe, malicious, ZexaF, Rr3@a09ASZcj, Obsidium, Eldorado, Attribute, HighConfidence, FileRepMalware, Artemis, Static AI, Malicious PE, Generic ML PUA, KVMH015, kcloud, Sabsik, score, BScope, Tiggre, Vidar, CLOUD, susgen, confidence) |
| md5 | 2b2ec30a2bf1c7166055e754a04c6ecf |
| sha256 | 74fad8e9b1a82d813dd72fce23abdc2d3819496750910c6cdcd70d7398831e2c |
| ssdeep | 24576:Zm787TsxrqnKnXDFOTDLmb/Gr5b+WkGNYgMJaWJxALO+N90HD:Zm78HsYKXxODmrih+CWfDAnNo |
| imphash | f215d2d21b2c3bb81a9678c44e03b1e1 |
| impfuzzy | 3:sUx2AEJtpNdKfBoM9CROXdqX1IQMJGECA:nEJt7dKpozRgsS3v |
Network IP location
Signature (35cnts)
| Level | Description |
|---|---|
warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Checks for the presence of known devices from debuggers and forensic tools |
watch | Checks for the presence of known windows from debuggers and forensic tools |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Creates an executable file in a user folder |
watch | Detects VirtualBox through the presence of a device |
watch | Harvests credentials from local email clients |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process file3.exe |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Expresses interest in specific running processes |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Tries to locate where the browsers are installed |
Rules (23cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | TESTYARA | (no description) | binaries (download) |
Network (9cnts)
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x4b8064 GetModuleHandleA
user32.dll
0x4b8074 CreateWindowExA
advapi32.dll
0x4b8084 RegCloseKey
comctl32.dll
0x4b8094 InitMUILanguage
EAT(Export Address Table) is none