ScreenShot
| Created | 2021.04.02 10:48 | Machine | s1_win7_x6401 |
| Filename | Zenar.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 28 detected (AIDetect, malware2, Save, malicious, Attribute, HighConfidence, score, GenericKD, OxyPump, Unsafe, CoinMiner, ZexaF, ouW@aeSEXkfi, CLOUD, Static AI, Malicious PE, PossibleThreat, confidence, HwoCRhsA) | ||
| md5 | 85fe410ff23b4ef7db799ecdf574dd91 | ||
| sha256 | 9b877d63088137a893a8b4b9f6774b25f7f9edaa6345e09130b3d18dcbed2ff7 | ||
| ssdeep | 6144:LkfzyEnKwa1oLsfi8X4jqbGelDBDDAObo+WH2Xe:LkKv1oLsfwo13DDfbX | ||
| imphash | acdd73556a2f4251aa9cc8f0603d2c5e | ||
| impfuzzy | 24:YyLzLC4Xtvju9QHcsZoeDPOOIJy1HYrcpVWZYtygM/lmroEOovbOxv1GM+H/S2k5:3vVZoxOr1ucpVeYtygM/Ec3Ra/SO0D | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Network activity contains more than one unique useragent |
| watch | One or more of the buffers contains an embedded PE file |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates executable files on the filesystem |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | Checks amount of memory in system |
| info | This executable has a PDB path |
Rules (23cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (upload) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | network_dns | Communications use DNS | binaries (download) |
| info | network_http | Communications over HTTP | binaries (upload) |
| info | network_tcp_listen | Listen for incoming communication | binaries (download) |
| info | network_tcp_socket | Communications over RAW socket | binaries (download) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_registry | Affect system registries | binaries (download) |
Network (5cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x429000 CreateDirectoryW
0x429004 OutputDebugStringA
0x429008 TerminateProcess
0x42900c GetModuleFileNameW
0x429010 GetFileAttributesW
0x429014 OpenProcess
0x429018 SetFileAttributesW
0x42901c CreateToolhelp32Snapshot
0x429020 MultiByteToWideChar
0x429024 Sleep
0x429028 GetLastError
0x42902c Process32NextW
0x429030 Process32FirstW
0x429034 CloseHandle
0x429038 LoadLibraryW
0x42903c CreateThread
0x429040 CreateProcessW
0x429044 GetConsoleWindow
0x429048 CreateProcessA
0x42904c MoveFileW
0x429050 WriteConsoleW
0x429054 HeapSize
0x429058 GetProcessHeap
0x42905c SetStdHandle
0x429060 SetEnvironmentVariableW
0x429064 FreeEnvironmentStringsW
0x429068 GetEnvironmentStringsW
0x42906c GetOEMCP
0x429070 GetACP
0x429074 IsValidCodePage
0x429078 FindFirstFileExW
0x42907c HeapReAlloc
0x429080 ReadConsoleW
0x429084 EnumSystemLocalesW
0x429088 GetUserDefaultLCID
0x42908c IsValidLocale
0x429090 FreeLibrary
0x429094 GetProcAddress
0x429098 WideCharToMultiByte
0x42909c CreateFileW
0x4290a0 GetFileSize
0x4290a4 ReadFile
0x4290a8 SetEndOfFile
0x4290ac SetFilePointer
0x4290b0 SetFileTime
0x4290b4 WriteFile
0x4290b8 GetStdHandle
0x4290bc GetFileInformationByHandle
0x4290c0 DeleteFileW
0x4290c4 SetLastError
0x4290c8 GetCurrentProcessId
0x4290cc GetCurrentThreadId
0x4290d0 GetModuleHandleW
0x4290d4 FindClose
0x4290d8 FindFirstFileW
0x4290dc FindNextFileW
0x4290e0 GetModuleHandleA
0x4290e4 VirtualAlloc
0x4290e8 VirtualFree
0x4290ec GetStringTypeW
0x4290f0 EnterCriticalSection
0x4290f4 LeaveCriticalSection
0x4290f8 InitializeCriticalSectionEx
0x4290fc DeleteCriticalSection
0x429100 EncodePointer
0x429104 DecodePointer
0x429108 LCMapStringEx
0x42910c GetCPInfo
0x429110 UnhandledExceptionFilter
0x429114 SetUnhandledExceptionFilter
0x429118 GetCurrentProcess
0x42911c IsProcessorFeaturePresent
0x429120 QueryPerformanceCounter
0x429124 GetSystemTimeAsFileTime
0x429128 InitializeSListHead
0x42912c IsDebuggerPresent
0x429130 GetStartupInfoW
0x429134 RtlUnwind
0x429138 RaiseException
0x42913c InitializeCriticalSectionAndSpinCount
0x429140 TlsAlloc
0x429144 TlsGetValue
0x429148 TlsSetValue
0x42914c TlsFree
0x429150 LoadLibraryExW
0x429154 ExitProcess
0x429158 GetModuleHandleExW
0x42915c GetCommandLineA
0x429160 GetCommandLineW
0x429164 GetFileSizeEx
0x429168 SetFilePointerEx
0x42916c GetFileType
0x429170 FlushFileBuffers
0x429174 GetConsoleOutputCP
0x429178 GetConsoleMode
0x42917c HeapFree
0x429180 HeapAlloc
0x429184 CompareStringW
0x429188 LCMapStringW
0x42918c GetLocaleInfoW
USER32.dll
0x4291b4 CharUpperW
0x4291b8 ShowWindow
SHELL32.dll
0x4291a8 ShellExecuteW
0x4291ac SHFileOperationW
WININET.dll
0x4291c0 InternetOpenW
0x4291c4 HttpOpenRequestW
0x4291c8 FtpFindFirstFileW
0x4291cc FtpSetCurrentDirectoryW
0x4291d0 FtpGetFileW
0x4291d4 InternetFindNextFileW
0x4291d8 HttpSendRequestW
0x4291dc InternetCloseHandle
0x4291e0 InternetConnectW
0x4291e4 InternetReadFile
OLEAUT32.dll
0x429194 SysStringLen
0x429198 SysFreeString
0x42919c SysAllocStringLen
0x4291a0 SysAllocString
EAT(Export Address Table) is none
KERNEL32.dll
0x429000 CreateDirectoryW
0x429004 OutputDebugStringA
0x429008 TerminateProcess
0x42900c GetModuleFileNameW
0x429010 GetFileAttributesW
0x429014 OpenProcess
0x429018 SetFileAttributesW
0x42901c CreateToolhelp32Snapshot
0x429020 MultiByteToWideChar
0x429024 Sleep
0x429028 GetLastError
0x42902c Process32NextW
0x429030 Process32FirstW
0x429034 CloseHandle
0x429038 LoadLibraryW
0x42903c CreateThread
0x429040 CreateProcessW
0x429044 GetConsoleWindow
0x429048 CreateProcessA
0x42904c MoveFileW
0x429050 WriteConsoleW
0x429054 HeapSize
0x429058 GetProcessHeap
0x42905c SetStdHandle
0x429060 SetEnvironmentVariableW
0x429064 FreeEnvironmentStringsW
0x429068 GetEnvironmentStringsW
0x42906c GetOEMCP
0x429070 GetACP
0x429074 IsValidCodePage
0x429078 FindFirstFileExW
0x42907c HeapReAlloc
0x429080 ReadConsoleW
0x429084 EnumSystemLocalesW
0x429088 GetUserDefaultLCID
0x42908c IsValidLocale
0x429090 FreeLibrary
0x429094 GetProcAddress
0x429098 WideCharToMultiByte
0x42909c CreateFileW
0x4290a0 GetFileSize
0x4290a4 ReadFile
0x4290a8 SetEndOfFile
0x4290ac SetFilePointer
0x4290b0 SetFileTime
0x4290b4 WriteFile
0x4290b8 GetStdHandle
0x4290bc GetFileInformationByHandle
0x4290c0 DeleteFileW
0x4290c4 SetLastError
0x4290c8 GetCurrentProcessId
0x4290cc GetCurrentThreadId
0x4290d0 GetModuleHandleW
0x4290d4 FindClose
0x4290d8 FindFirstFileW
0x4290dc FindNextFileW
0x4290e0 GetModuleHandleA
0x4290e4 VirtualAlloc
0x4290e8 VirtualFree
0x4290ec GetStringTypeW
0x4290f0 EnterCriticalSection
0x4290f4 LeaveCriticalSection
0x4290f8 InitializeCriticalSectionEx
0x4290fc DeleteCriticalSection
0x429100 EncodePointer
0x429104 DecodePointer
0x429108 LCMapStringEx
0x42910c GetCPInfo
0x429110 UnhandledExceptionFilter
0x429114 SetUnhandledExceptionFilter
0x429118 GetCurrentProcess
0x42911c IsProcessorFeaturePresent
0x429120 QueryPerformanceCounter
0x429124 GetSystemTimeAsFileTime
0x429128 InitializeSListHead
0x42912c IsDebuggerPresent
0x429130 GetStartupInfoW
0x429134 RtlUnwind
0x429138 RaiseException
0x42913c InitializeCriticalSectionAndSpinCount
0x429140 TlsAlloc
0x429144 TlsGetValue
0x429148 TlsSetValue
0x42914c TlsFree
0x429150 LoadLibraryExW
0x429154 ExitProcess
0x429158 GetModuleHandleExW
0x42915c GetCommandLineA
0x429160 GetCommandLineW
0x429164 GetFileSizeEx
0x429168 SetFilePointerEx
0x42916c GetFileType
0x429170 FlushFileBuffers
0x429174 GetConsoleOutputCP
0x429178 GetConsoleMode
0x42917c HeapFree
0x429180 HeapAlloc
0x429184 CompareStringW
0x429188 LCMapStringW
0x42918c GetLocaleInfoW
USER32.dll
0x4291b4 CharUpperW
0x4291b8 ShowWindow
SHELL32.dll
0x4291a8 ShellExecuteW
0x4291ac SHFileOperationW
WININET.dll
0x4291c0 InternetOpenW
0x4291c4 HttpOpenRequestW
0x4291c8 FtpFindFirstFileW
0x4291cc FtpSetCurrentDirectoryW
0x4291d0 FtpGetFileW
0x4291d4 InternetFindNextFileW
0x4291d8 HttpSendRequestW
0x4291dc InternetCloseHandle
0x4291e0 InternetConnectW
0x4291e4 InternetReadFile
OLEAUT32.dll
0x429194 SysStringLen
0x429198 SysFreeString
0x42919c SysAllocStringLen
0x4291a0 SysAllocString
EAT(Export Address Table) is none