| Field | Value |
|---|---|
| Created | 2025.05.01 10:04 |
| Machine | s1_win7_x6403 |
| Filename | zal.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| ZERO API | file : malware |
| VT API (file) | 49 detected (AIDetectMalware, Fsysna, Malicious, score, Ghanarava, pmJfaug8CimO, Unsafe, Save, confidence, 100%, Attribute, HighConfidence, moderate confidence, a variant of Generik, MSKKII, hlqe, CLOUD, Real Protect, high, Static AI, Suspicious PE, Detected, CoinMiner, Zbot, GenericRXAA, Miner, FraudLoa, Gencirc, tti2CG9oN9M, susgen, PossibleThreat, hfyk) |
| md5 | d73c8c5b1187959d8d1409b2f359d2f9 |
| sha256 | 3dc7912dfcb7657ebde9066d0bd5de54db334b5d2fa655acce752ecd498d4748 |
| ssdeep | 6144:5s3Zu8C89io10Am8sSWMwuKU7psi2jFkmGgCX/2J:y840bNXBpU7nvmhlJ |
| imphash | e253f8ec0371c0d6a5b2b4676e8c61c6 |
| impfuzzy | 3:oTEKCROXCHLqRKQRElAWBJAEPw1MO/OywS9KTXzhAXwEQaxREJdqMEldVu2bW6LG:omRgCH7BJAEoZ/OEGDzyRg3E7s2btyBB |
Network IP location
Signature (12cnts)

| Level | Description |
|---|---|
| danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
| watch | Deletes executed files from disk |
| watch | Installs itself for autorun at Windows startup |
| notice | A process created a hidden window |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Command line console output was observed |
Rules (10cnts)

| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)

| Request | CC | ASN Co | IP4 | Rule | ZERO |
|---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library

- advapi32.dll
  - 0xe37e84 RegCloseKey
- gdi32.dll
  - 0xe37e8c TextOutA
- KERNEL32.DLL
  - 0xe37e94 LoadLibraryA
  - 0xe37e98 ExitProcess
  - 0xe37e9c GetProcAddress
  - 0xe37ea0 VirtualProtect
- oleaut32.dll
  - 0xe37ea8 VariantCopy
- shell32.dll
  - 0xe37eb0 ShellExecuteA
- user32.dll
  - 0xe37eb8 EndPaint

EAT (Export Address Table): none