|
file.zip
|
Zip archive data, at least v2.0 to extract, compression method=deflate
|
initial sample
|
 |
|
|
| Filetype: |
Zip archive data, at least v2.0 to extract, compression method=deflate
|
| Entropy: |
7.99859454661898
|
| Filename: |
file.zip
|
| Filesize: |
358766
|
| MD5: |
6da382bb9e3a7d435b57f2d5aa7cba34
|
| SHA1: |
7439b08ef1d4cae39192951c80f2f7ec646ec045
|
| SHA256: |
f4078e1ec71b088a554c65ffa245570014d56ea95d93a761532a83acc638cfce
|
| SHA512: |
ce2d2e8693e99a44d528ee1feb6f0afba8282f6aaa8f244ae00b62f8afa4d98f407a1a2e563e5640fa1c9092cfbcf38ae9c2bd816a84345dfffc3a352cc0f849
|
| SSDEEP: |
6144:4cnl1+aJpiswmam9gu8lv02jo9eZSFZexjLR/sZRqKRJoOmoeNmHcitJ1:4cnd/wYO02c9eZlJ+IKvhegn1
|
| Preview: |
PK...........X..? .x..........file.exeUT...8.Qf..Tfux..............<..T...o.^....G...a..>=>...?0.DDEMPQA@>.Q..|.z0.m...QVH4.fKM.r..UI..[..YW....Z.....X.5h...D.RQ..=.~..{..e.x..{...{.9..{..6.M.....=z..'..9.L.3..{....<.zi...._....k.C.-.*k...+.]..9:.}......k
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Hides that the sample has been downloaded from the Internet (zone.identifier) |
Hooking and other Techniques for Hiding and Protection |
Hidden Files and Directories
|
| Allocates memory with a write watch (potentially for evading sandboxes) |
Malware Analysis System Evasion |
|
| Contains long sleeps (>= 3 min) |
Malware Analysis System Evasion |
|
| Creates a process in suspended mode (likely to inject code) |
HIPS / PFW / Operating System Protection Evasion |
|
| Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Malware Analysis System Evasion |
|
| May sleep (evasive loops) to hinder dynamic analysis |
Malware Analysis System Evasion |
|
| Queries the volume information (name, serial number etc) of a device |
Language, Device and Operating System Detection |
|
| Contains medium sleeps (>= 30s) |
Malware Analysis System Evasion |
Virtualization/Sandbox Evasion
|
| Creates guard pages, often used to prevent reverse engineering and debugging |
Anti Debugging |
|
| Creates mutexes |
System Summary |
|
| Queries a list of all running processes |
Malware Analysis System Evasion |
|
| Queries the cryptographic machine GUID |
Language, Device and Operating System Detection |
System Information Discovery
|
| Tries to load missing DLLs |
System Summary |
|
| Uses an in-process (OLE) Automation server |
System Summary |
|
| Uses Microsoft Silverlight |
System Summary |
|
|
|
C:\Users\user\AppData\Local\star.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
|
|
|
| File: |
C:\Users\user\AppData\Local\star.exe
|
| Category: |
dropped
|
| Dump: |
star.exe.15.dr
|
| ID: |
dr_1
|
| Target ID: |
15
|
| Process: |
C:\Windows\SysWOW64\cmd.exe
|
| Type: |
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
| Entropy: |
6.396843231622265
|
| Encrypted: |
false
|
| Size: |
626176
|
| Whitelisted: |
false
|
| Signature Hits |
Behavior Group |
Mitre Attack |
|
| Antivirus detection for dropped file |
AV Detection |
|
| Multi AV Scanner detection for dropped file |
AV Detection |
Security Software Discovery
|
| Machine Learning detection for dropped file |
AV Detection |
|
| Drops PE files |
Persistence and Installation Behavior |
|
| Creates files inside the user directory |
System Summary |
|
|
|
\Device\Null
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
| File: |
\Device\Null
|
| Category: |
dropped
|
| Dump: |
Null.21.dr
|
| ID: |
dr_3
|
| Target ID: |
21
|
| Process: |
C:\Windows\SysWOW64\PING.EXE
|
| Type: |
ASCII text, with CRLF line terminators
|
| Entropy: |
4.647354968007433
|
| Encrypted: |
false
|
| Size: |
926
|
| Whitelisted: |
false
|
|
