ScreenShot
| Created | 2021.04.06 17:08 | Machine | s1_win7_x6401 |
| Filename | poploader-2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 41 detected (HfsAdware, Kuaizip, Sigmal, S2722134, Artemis, Unsafe, KZip, Attribute, HighConfidence, R002H0CJN19, fuxvpb, Malware@#3mmi1ad7zmwl2, Generic PUA DA, ai score=95, TSGeneric, malicious, high confidence, BScope, 641NX91xg6U, Malicious PE, Score, susgen, FileRepMalware, confidence) | ||
| md5 | ce7d134fdcc4b4f44a279dc959886c9e | ||
| sha256 | 010cc8cdd8f6c896454526cd5300c01a1aa9328810095b385026fe3995696d09 | ||
| ssdeep | 12288:aX7BhiCASPcUnyizx9IWzZGB+VusVOmpDNpybkc0a08YiHaQQ+uO7d:atJ3nyi8PspdBpi/tYiHr | ||
| imphash | a84edaed60a531c7a21b1ca842ff26fc | ||
| impfuzzy | 96:G/6zUMVNeYz+fcdltzGhgh3IOmk5FU1qqC:G6cg0gtoko7C | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
| notice | A process created a hidden window |
| notice | Foreign language identified in PE resource |
| info | This executable has a PDB path |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| notice | network_smtp_raw | Communications smtp | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | network_dns | Communications use DNS | binaries (upload) |
| info | network_tcp_listen | Listen for incoming communication | binaries (upload) |
| info | network_tcp_socket | Communications over RAW socket | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_registry | Affect system registries | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x47804c GetCommandLineA
0x478050 CloseHandle
0x478054 CreateMutexW
0x478058 GetLastError
0x47805c GetProcAddress
0x478060 LoadLibraryW
0x478064 GetModuleHandleExW
0x478068 GetModuleFileNameW
0x47806c GetTickCount
0x478070 GetTempPathA
0x478074 GetLocalTime
0x478078 GetProcessHeap
0x47807c SetEnvironmentVariableA
0x478080 CompareStringW
0x478084 CompareStringA
0x478088 GetLocaleInfoW
0x47808c WriteConsoleW
0x478090 GetConsoleOutputCP
0x478094 SetStdHandle
0x478098 GetCurrentDirectoryA
0x47809c GetFullPathNameA
0x4780a0 GetModuleHandleA
0x4780a4 GetStringTypeW
0x4780a8 GetStringTypeA
0x4780ac IsValidLocale
0x4780b0 EnumSystemLocalesA
0x4780b4 GetLocaleInfoA
0x4780b8 GetUserDefaultLCID
0x4780bc InitializeCriticalSectionAndSpinCount
0x4780c0 InterlockedExchange
0x4780c4 FlushFileBuffers
0x4780c8 QueryPerformanceCounter
0x4780cc GetStartupInfoA
0x4780d0 SetHandleCount
0x4780d4 GetCommandLineW
0x4780d8 GetEnvironmentStringsW
0x4780dc FreeEnvironmentStringsW
0x4780e0 Sleep
0x4780e4 CreateFileW
0x4780e8 WideCharToMultiByte
0x4780ec CreateThread
0x4780f0 WaitForSingleObject
0x4780f4 FreeLibrary
0x4780f8 ExpandEnvironmentStringsA
0x4780fc LoadLibraryA
0x478100 MultiByteToWideChar
0x478104 GetModuleFileNameA
0x478108 DeleteFileA
0x47810c MoveFileExA
0x478110 CreateToolhelp32Snapshot
0x478114 Process32FirstW
0x478118 lstrcmpiA
0x47811c Process32NextW
0x478120 TerminateProcess
0x478124 ReadFile
0x478128 GetCurrentThreadId
0x47812c InitializeCriticalSection
0x478130 DeleteCriticalSection
0x478134 EnterCriticalSection
0x478138 LeaveCriticalSection
0x47813c SetEndOfFile
0x478140 SetConsoleCtrlHandler
0x478144 FreeConsole
0x478148 GetStdHandle
0x47814c GetConsoleMode
0x478150 WriteConsoleA
0x478154 CreateFileA
0x478158 WriteFile
0x47815c SetFilePointer
0x478160 SetLastError
0x478164 FormatMessageA
0x478168 VerifyVersionInfoA
0x47816c VerSetConditionMask
0x478170 SleepEx
0x478174 PeekNamedPipe
0x478178 WaitForMultipleObjects
0x47817c GetFileType
0x478180 HeapAlloc
0x478184 HeapReAlloc
0x478188 GetCurrentProcess
0x47818c UnhandledExceptionFilter
0x478190 SetUnhandledExceptionFilter
0x478194 IsDebuggerPresent
0x478198 GetSystemTimeAsFileTime
0x47819c GetStartupInfoW
0x4781a0 RaiseException
0x4781a4 RtlUnwind
0x4781a8 HeapFree
0x4781ac MoveFileA
0x4781b0 GetModuleHandleW
0x4781b4 ExitProcess
0x4781b8 InterlockedIncrement
0x4781bc InterlockedDecrement
0x4781c0 FindClose
0x4781c4 FileTimeToSystemTime
0x4781c8 FileTimeToLocalFileTime
0x4781cc GetDriveTypeA
0x4781d0 FindFirstFileA
0x4781d4 ExitThread
0x4781d8 GetCurrentProcessId
0x4781dc GetFileInformationByHandle
0x4781e0 TlsGetValue
0x4781e4 TlsAlloc
0x4781e8 TlsSetValue
0x4781ec TlsFree
0x4781f0 HeapSize
0x4781f4 GetConsoleCP
0x4781f8 VirtualFree
0x4781fc VirtualAlloc
0x478200 HeapCreate
0x478204 HeapDestroy
0x478208 GetCPInfo
0x47820c GetACP
0x478210 GetOEMCP
0x478214 IsValidCodePage
0x478218 LCMapStringA
0x47821c LCMapStringW
0x478220 GetTimeZoneInformation
ADVAPI32.dll
0x478000 CryptAcquireContextA
0x478004 RegOpenKeyExA
0x478008 RegQueryValueExA
0x47800c RegSetValueExA
0x478010 RegCreateKeyExA
0x478014 CryptReleaseContext
0x478018 CryptDestroyHash
0x47801c CryptGetHashParam
0x478020 CryptHashData
0x478024 CryptCreateHash
0x478028 CryptAcquireContextW
0x47802c RegCloseKey
0x478030 RegOpenKeyExW
0x478034 RegOpenCurrentUser
0x478038 CryptImportKey
0x47803c CryptEncrypt
0x478040 CryptDestroyKey
0x478044 CryptGenRandom
SHLWAPI.dll
0x478230 StrStrIA
0x478234 PathFileExistsW
0x478238 PathFileExistsA
0x47823c PathStripPathA
imagehlp.dll
0x478308 MakeSureDirectoryPathExists
WS2_32.dll
0x478290 WSASetLastError
0x478294 WSAStartup
0x478298 WSACleanup
0x47829c listen
0x4782a0 __WSAFDIsSet
0x4782a4 WSAGetLastError
0x4782a8 select
0x4782ac gethostname
0x4782b0 htonl
0x4782b4 ntohl
0x4782b8 recv
0x4782bc send
0x4782c0 WSAIoctl
0x4782c4 setsockopt
0x4782c8 getsockname
0x4782cc ntohs
0x4782d0 ind
0x4782d4 htons
0x4782d8 getsockopt
0x4782dc getpeername
0x4782e0 closesocket
0x4782e4 socket
0x4782e8 accept
0x4782ec recvfrom
0x4782f0 sendto
0x4782f4 getaddrinfo
0x4782f8 freeaddrinfo
0x4782fc ioctlsocket
0x478300 connect
WLDAP32.dll
0x47824c None
0x478250 None
0x478254 None
0x478258 None
0x47825c None
0x478260 None
0x478264 None
0x478268 None
0x47826c None
0x478270 None
0x478274 None
0x478278 None
0x47827c None
0x478280 None
0x478284 None
0x478288 None
USER32.dll
0x478244 GetMonitorInfoW
SHELL32.dll
0x478228 ShellExecuteA
EAT(Export Address Table) is none
KERNEL32.dll
0x47804c GetCommandLineA
0x478050 CloseHandle
0x478054 CreateMutexW
0x478058 GetLastError
0x47805c GetProcAddress
0x478060 LoadLibraryW
0x478064 GetModuleHandleExW
0x478068 GetModuleFileNameW
0x47806c GetTickCount
0x478070 GetTempPathA
0x478074 GetLocalTime
0x478078 GetProcessHeap
0x47807c SetEnvironmentVariableA
0x478080 CompareStringW
0x478084 CompareStringA
0x478088 GetLocaleInfoW
0x47808c WriteConsoleW
0x478090 GetConsoleOutputCP
0x478094 SetStdHandle
0x478098 GetCurrentDirectoryA
0x47809c GetFullPathNameA
0x4780a0 GetModuleHandleA
0x4780a4 GetStringTypeW
0x4780a8 GetStringTypeA
0x4780ac IsValidLocale
0x4780b0 EnumSystemLocalesA
0x4780b4 GetLocaleInfoA
0x4780b8 GetUserDefaultLCID
0x4780bc InitializeCriticalSectionAndSpinCount
0x4780c0 InterlockedExchange
0x4780c4 FlushFileBuffers
0x4780c8 QueryPerformanceCounter
0x4780cc GetStartupInfoA
0x4780d0 SetHandleCount
0x4780d4 GetCommandLineW
0x4780d8 GetEnvironmentStringsW
0x4780dc FreeEnvironmentStringsW
0x4780e0 Sleep
0x4780e4 CreateFileW
0x4780e8 WideCharToMultiByte
0x4780ec CreateThread
0x4780f0 WaitForSingleObject
0x4780f4 FreeLibrary
0x4780f8 ExpandEnvironmentStringsA
0x4780fc LoadLibraryA
0x478100 MultiByteToWideChar
0x478104 GetModuleFileNameA
0x478108 DeleteFileA
0x47810c MoveFileExA
0x478110 CreateToolhelp32Snapshot
0x478114 Process32FirstW
0x478118 lstrcmpiA
0x47811c Process32NextW
0x478120 TerminateProcess
0x478124 ReadFile
0x478128 GetCurrentThreadId
0x47812c InitializeCriticalSection
0x478130 DeleteCriticalSection
0x478134 EnterCriticalSection
0x478138 LeaveCriticalSection
0x47813c SetEndOfFile
0x478140 SetConsoleCtrlHandler
0x478144 FreeConsole
0x478148 GetStdHandle
0x47814c GetConsoleMode
0x478150 WriteConsoleA
0x478154 CreateFileA
0x478158 WriteFile
0x47815c SetFilePointer
0x478160 SetLastError
0x478164 FormatMessageA
0x478168 VerifyVersionInfoA
0x47816c VerSetConditionMask
0x478170 SleepEx
0x478174 PeekNamedPipe
0x478178 WaitForMultipleObjects
0x47817c GetFileType
0x478180 HeapAlloc
0x478184 HeapReAlloc
0x478188 GetCurrentProcess
0x47818c UnhandledExceptionFilter
0x478190 SetUnhandledExceptionFilter
0x478194 IsDebuggerPresent
0x478198 GetSystemTimeAsFileTime
0x47819c GetStartupInfoW
0x4781a0 RaiseException
0x4781a4 RtlUnwind
0x4781a8 HeapFree
0x4781ac MoveFileA
0x4781b0 GetModuleHandleW
0x4781b4 ExitProcess
0x4781b8 InterlockedIncrement
0x4781bc InterlockedDecrement
0x4781c0 FindClose
0x4781c4 FileTimeToSystemTime
0x4781c8 FileTimeToLocalFileTime
0x4781cc GetDriveTypeA
0x4781d0 FindFirstFileA
0x4781d4 ExitThread
0x4781d8 GetCurrentProcessId
0x4781dc GetFileInformationByHandle
0x4781e0 TlsGetValue
0x4781e4 TlsAlloc
0x4781e8 TlsSetValue
0x4781ec TlsFree
0x4781f0 HeapSize
0x4781f4 GetConsoleCP
0x4781f8 VirtualFree
0x4781fc VirtualAlloc
0x478200 HeapCreate
0x478204 HeapDestroy
0x478208 GetCPInfo
0x47820c GetACP
0x478210 GetOEMCP
0x478214 IsValidCodePage
0x478218 LCMapStringA
0x47821c LCMapStringW
0x478220 GetTimeZoneInformation
ADVAPI32.dll
0x478000 CryptAcquireContextA
0x478004 RegOpenKeyExA
0x478008 RegQueryValueExA
0x47800c RegSetValueExA
0x478010 RegCreateKeyExA
0x478014 CryptReleaseContext
0x478018 CryptDestroyHash
0x47801c CryptGetHashParam
0x478020 CryptHashData
0x478024 CryptCreateHash
0x478028 CryptAcquireContextW
0x47802c RegCloseKey
0x478030 RegOpenKeyExW
0x478034 RegOpenCurrentUser
0x478038 CryptImportKey
0x47803c CryptEncrypt
0x478040 CryptDestroyKey
0x478044 CryptGenRandom
SHLWAPI.dll
0x478230 StrStrIA
0x478234 PathFileExistsW
0x478238 PathFileExistsA
0x47823c PathStripPathA
imagehlp.dll
0x478308 MakeSureDirectoryPathExists
WS2_32.dll
0x478290 WSASetLastError
0x478294 WSAStartup
0x478298 WSACleanup
0x47829c listen
0x4782a0 __WSAFDIsSet
0x4782a4 WSAGetLastError
0x4782a8 select
0x4782ac gethostname
0x4782b0 htonl
0x4782b4 ntohl
0x4782b8 recv
0x4782bc send
0x4782c0 WSAIoctl
0x4782c4 setsockopt
0x4782c8 getsockname
0x4782cc ntohs
0x4782d0 ind
0x4782d4 htons
0x4782d8 getsockopt
0x4782dc getpeername
0x4782e0 closesocket
0x4782e4 socket
0x4782e8 accept
0x4782ec recvfrom
0x4782f0 sendto
0x4782f4 getaddrinfo
0x4782f8 freeaddrinfo
0x4782fc ioctlsocket
0x478300 connect
WLDAP32.dll
0x47824c None
0x478250 None
0x478254 None
0x478258 None
0x47825c None
0x478260 None
0x478264 None
0x478268 None
0x47826c None
0x478270 None
0x478274 None
0x478278 None
0x47827c None
0x478280 None
0x478284 None
0x478288 None
USER32.dll
0x478244 GetMonitorInfoW
SHELL32.dll
0x478228 ShellExecuteA
EAT(Export Address Table) is none