ScreenShot
| Created | 2025.04.28 10:18 | Machine | s1_win7_x6401 |
| Filename | namen.ps1 | ||
| Type | ASCII text, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 19 detected (powershell, asyncrat, GenericKD, GenScript, Detected, Ftgl) | ||
| md5 | e4ea2ac8d2a17b90650633ce30c5d7cd | ||
| sha256 | 23595aa0726cb2922cb947269fb1f3f29e26250a61ff6db6986105247b9f3d9d | ||
| ssdeep | 24:DFCJlXNLyzkgVdy9LqrykV9Qd6HrYORNO37Jx2xmfS02dguLCASxyFP37ZtSNjWC:DFCPNLyAJLqNLQd6H8gE7J88sd9L1F36 | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Poweshell is sending data to a remote host |
| notice | URL downloaded by powershell script |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| info | url_file_format | Microsoft Windows Internet Shortcut File Format | binaries (download) |
Suricata ids
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host VBS Request
ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Dotted Quad Host VBS Request
ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers