ScreenShot
| Created | 2024.02.05 16:41 | Machine | s1_win7_x6401 |
| Filename | IP.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 65 detected (AIDetectMalware, Zegost, mxwo, malicious, high confidence, score, MacriRI, S17487091, GenericKD, unsafe, Save, Attribute, HighConfidence, Farfli, FDSP, CrypterX, Macri, epixwy, Lebag, KTSE, FileCoder, Tool, SMCK, high, AutoG, TrojanDDoS, Detected, ai score=85, Redosdru, FG@6j5x7c, Deepscan, KFVF, Dialer, R23969, SScope, VTFlooder, Gencirc, GenAsa, pd90PKR7MRk, Static AI, Malicious PE, susgen, confidence, 100%) | ||
| md5 | 1af97bb3b7d31c81534bc48a84021f32 | ||
| sha256 | 7c7edaf79218ec77462a5097f6860347b905b01ea8c1bc807f6731847770d9b2 | ||
| ssdeep | 6144:4Gyne2Ko9cK2OHnV7D2djek72aTALaFIm85ZDOFBjb/8o05NYXafC2IxFVD:Pm78gnV/2okya+bFOfv8t5NY12GFR | ||
| imphash | ef39d474ee88b9215814d74ee695b02b | ||
| impfuzzy | 12:EqqcDoAtTa4CAOovaZGju1E3wXJmv8ERRvxIKLFQLRJ:2cDooTaOOovu6ujgv8ERRvxrG | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 65 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a service |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | The executable uses a known packer |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x406000 HeapAlloc
0x406004 GetProcessHeap
0x406008 VirtualAlloc
0x40600c VirtualProtect
0x406010 VirtualFree
0x406014 GetProcAddress
0x406018 LoadLibraryA
0x40601c IsBadReadPtr
0x406020 HeapFree
0x406024 FreeLibrary
0x406028 HeapReAlloc
0x40602c GetModuleHandleA
0x406030 GetStartupInfoA
0x406034 GetCommandLineA
0x406038 GetVersion
0x40603c ExitProcess
0x406040 GetModuleFileNameA
0x406044 GetEnvironmentVariableA
0x406048 GetVersionExA
0x40604c HeapDestroy
0x406050 HeapCreate
0x406054 TerminateProcess
0x406058 GetCurrentProcess
0x40605c UnhandledExceptionFilter
0x406060 FreeEnvironmentStringsA
0x406064 FreeEnvironmentStringsW
0x406068 WideCharToMultiByte
0x40606c GetEnvironmentStrings
0x406070 GetEnvironmentStringsW
0x406074 SetHandleCount
0x406078 GetStdHandle
0x40607c GetFileType
0x406080 RtlUnwind
0x406084 WriteFile
0x406088 GetCPInfo
0x40608c GetACP
0x406090 GetOEMCP
0x406094 MultiByteToWideChar
0x406098 LCMapStringA
0x40609c LCMapStringW
0x4060a0 GetStringTypeA
0x4060a4 GetStringTypeW
EAT(Export Address Table) is none
KERNEL32.dll
0x406000 HeapAlloc
0x406004 GetProcessHeap
0x406008 VirtualAlloc
0x40600c VirtualProtect
0x406010 VirtualFree
0x406014 GetProcAddress
0x406018 LoadLibraryA
0x40601c IsBadReadPtr
0x406020 HeapFree
0x406024 FreeLibrary
0x406028 HeapReAlloc
0x40602c GetModuleHandleA
0x406030 GetStartupInfoA
0x406034 GetCommandLineA
0x406038 GetVersion
0x40603c ExitProcess
0x406040 GetModuleFileNameA
0x406044 GetEnvironmentVariableA
0x406048 GetVersionExA
0x40604c HeapDestroy
0x406050 HeapCreate
0x406054 TerminateProcess
0x406058 GetCurrentProcess
0x40605c UnhandledExceptionFilter
0x406060 FreeEnvironmentStringsA
0x406064 FreeEnvironmentStringsW
0x406068 WideCharToMultiByte
0x40606c GetEnvironmentStrings
0x406070 GetEnvironmentStringsW
0x406074 SetHandleCount
0x406078 GetStdHandle
0x40607c GetFileType
0x406080 RtlUnwind
0x406084 WriteFile
0x406088 GetCPInfo
0x40608c GetACP
0x406090 GetOEMCP
0x406094 MultiByteToWideChar
0x406098 LCMapStringA
0x40609c LCMapStringW
0x4060a0 GetStringTypeA
0x4060a4 GetStringTypeW
EAT(Export Address Table) is none