Field | Value |
---|---|
Created | 2025.05.01 10:02 |
Machine | s1_win7_x6401 |
Filename | budiao.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 59 detected (AIDetectMalware, Bjlog, lzuS, Malicious, score, Upatre, Unsafe, Save, confidence, Attribute, HighConfidence, high confidence, FlyStudio, Fsysna, knluax, Fuerboos, IJSIEQzfFOS, AGEN, Wsgame, Hupigon, R049C0RDM25, Real Protect, high, Static AI, Malicious PE, BindEx, Detected, se22135, MNSP, Gen@2697wr, Wacatac, Eldorado, Artemis, GdSda, Probably Heur, ExeHeaderP, Gencirc, GenAsa, iFI0cidiERI, susgen, Sabsik) |
md5 | dc32ba80887418ea09295359cd843c2c |
sha256 | 7eadc82b0f376e2164df3361720fa159033fa724c2ce9ed47a051be9dcad2fbb |
ssdeep | 12288:I3sHTtT5wQo89cXyTIuz3TWwS0tcTGBNrw8M:IO5I89iawwSneNr2 |
imphash | 6b46852d52a20560bf06073226f2ddfe |
impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/QHAzaz+SME9iXmJJcJOqRgKLbFLMKJAmeXw6wJuVMXXRL:VA/DzqYOZEAza6SMEMX+mOqRg8+mxHDh |
Signature (11cnts)
Level | Description |
---|---|
danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.DLL
0x5a5294 LoadLibraryA
0x5a5298 GetProcAddress
0x5a529c VirtualProtect
0x5a52a0 VirtualAlloc
0x5a52a4 VirtualFree
0x5a52a8 ExitProcess
USER32.DLL
0x5a52b0 GetScrollPos
GDI32.DLL
0x5a52b8 GetClipRgn
WINMM.DLL
0x5a52c0 midiStreamRestart
WINSPOOL.DRV
0x5a52c8 ClosePrinter
ADVAPI32.DLL
0x5a52d0 RegCloseKey
SHELL32.DLL
0x5a52d8 ShellExecuteA
OLE32.DLL
0x5a52e0 OleInitialize
OLEAUT32.DLL
0x5a52e8 UnRegisterTypeLib
COMCTL32.DLL
0x5a52f0 ImageList_Destroy
WS2_32.DLL
0x5a52f8 recv
COMDLG32.DLL
0x5a5300 GetFileTitleA
EAT (Export Address Table): none
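The import table above is the shape a UPX stub leaves behind and is the reason the UPX_Zero rule and the "uses a known packer" signature fire: one KERNEL32.DLL block holding the loader primitives the stub needs to rebuild the real import table after decompression (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess), followed by exactly one function per remaining DLL, kept only so each DLL is mapped at load time. The following script is an added example, not part of the original report or the sandbox's own code: it parses the IAT listing as printed above (constructed here from that text), applies that stub heuristic, and computes an imphash the way pefile does (lowercase "dll.function" strings joined by commas, with .dll/.ocx/.sys extensions dropped), so the result can be compared with the imphash field of a report. The heuristic and the function names are this example's own assumptions.

```python
"""Recognise a UPX-style packer stub from a PE import listing and compute its imphash.

Added example (not from the original report). Standard library only.
"""
import hashlib
import re

# Constructed input: the IAT listing copied from the report, one DLL name per
# header line followed by "<address> <function>" lines.
IAT_LISTING = """
KERNEL32.DLL
0x5a5294 LoadLibraryA
0x5a5298 GetProcAddress
0x5a529c VirtualProtect
0x5a52a0 VirtualAlloc
0x5a52a4 VirtualFree
0x5a52a8 ExitProcess
USER32.DLL
0x5a52b0 GetScrollPos
GDI32.DLL
0x5a52b8 GetClipRgn
WINMM.DLL
0x5a52c0 midiStreamRestart
WINSPOOL.DRV
0x5a52c8 ClosePrinter
ADVAPI32.DLL
0x5a52d0 RegCloseKey
SHELL32.DLL
0x5a52d8 ShellExecuteA
OLE32.DLL
0x5a52e0 OleInitialize
OLEAUT32.DLL
0x5a52e8 UnRegisterTypeLib
COMCTL32.DLL
0x5a52f0 ImageList_Destroy
WS2_32.DLL
0x5a52f8 recv
COMDLG32.DLL
0x5a5300 GetFileTitleA
"""

# Imports a UPX decompression stub resolves itself; everything else is resolved
# by the stub after unpacking through LoadLibraryA/GetProcAddress.
LOADER_PRIMITIVES = {"LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "VirtualFree", "ExitProcess"}

_FUNC_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat(listing):
    """Return the import table as an ordered list of (dll, [functions])."""
    imports = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _FUNC_LINE.match(line)
        if match is None:
            imports.append((line, []))            # a new DLL header
        elif not imports:
            raise ValueError(f"function listed before any DLL header: {line}")
        else:
            imports[-1][1].append(match.group(1))
    return imports


def imphash(imports):
    """pefile-style imphash: md5 over comma-joined lowercase 'dll.func' entries."""
    parts = []
    for dll, funcs in imports:
        libname = dll.lower()
        base, _, ext = libname.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):  # pefile strips only these
            libname = base                          # so WINSPOOL.DRV keeps .drv
        parts.extend(f"{libname}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def looks_like_upx_stub(imports):
    """Heuristic (this example's own): KERNEL32 first with every loader
    primitive, then exactly one import for each remaining DLL."""
    if len(imports) < 2:
        return False
    first_dll, first_funcs = imports[0]
    if first_dll.upper() != "KERNEL32.DLL":
        return False
    if not LOADER_PRIMITIVES.issubset(first_funcs):
        return False
    return all(len(funcs) == 1 for _, funcs in imports[1:])


def summarize(listing):
    """Parse a listing and return the verdict plus the numbers behind it."""
    imports = parse_iat(listing)
    return {
        "dlls": len(imports),
        "functions": sum(len(funcs) for _, funcs in imports),
        "upx_stub": looks_like_upx_stub(imports),
        "imphash": imphash(imports),
    }


if __name__ == "__main__":
    for key, value in summarize(IAT_LISTING).items():
        print(f"{key}: {value}")
```

A matching imphash confirms the listing is the complete, ordered import table of the packed file; a packed sample's imphash identifies the packer stub rather than the payload, so it should not be used to cluster the unpacked malware family. The real import table only exists in memory after the stub has run, which is what the "Allocates read-write-execute memory" signature above reflects.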