ScreenShot
| Created | 2021.04.08 09:33 | Machine | s1_win7_x6401 |
| Filename | cv76.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 18 detected (malicious, high confidence, Artemis, Unsafe, Save, Bazar, FileRepMalware, Wacatac, score, Static AI, Malicious PE, confidence) | ||
| md5 | c41188e4415567a1465712a6c85331a6 | ||
| sha256 | efb6ef1dffa3bc6f3b7796be4f5681b9da6a243b09029c2381b4009bf6b6eb3d | ||
| ssdeep | 1536:XvamWLz+HfTEea2+NgarZ63GO+SHsyuiIoNbrmqrOke34T5a+94jogCBuyav0P:XvamTIeH4tZ6WOztuYrHNeota+GjZBM | ||
| imphash | 1d966ce243704108b9d093af3ed6228f | ||
| impfuzzy | 6:/KOgAi5XpBZ/Oa9KgQTNrOLEOAFwyRzwDDJagDyQpGKjOA1agDyQ+2:iOKJXZGuKrdOoveUwDDAxQIKjzExQz | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | Drops a binary and executes it |
| watch | File has been identified by 18 AntiVirus engines on VirusTotal as malicious |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates executable files on the filesystem |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Queries for the computername |
Rules (55cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140019000 CreateFileA
0x140019008 DeleteFileA
0x140019010 CloseHandle
0x140019018 GetLastError
0x140019020 MoveFileA
0x140019028 WriteFile
0x140019030 ExitProcess
0x140019038 GetSystemTime
0x140019040 GlobalAlloc
0x140019048 GetTimeFormatA
0x140019050 GetCommandLineA
0x140019058 VirtualAlloc
0x140019060 VirtualProtect
USER32.dll
0x140019070 MessageBoxA
0x140019078 SetWindowTextA
0x140019080 SetCursorPos
0x140019088 GetWindowTextA
0x140019090 OpenClipboard
EAT(Export Address Table) is none
KERNEL32.dll
0x140019000 CreateFileA
0x140019008 DeleteFileA
0x140019010 CloseHandle
0x140019018 GetLastError
0x140019020 MoveFileA
0x140019028 WriteFile
0x140019030 ExitProcess
0x140019038 GetSystemTime
0x140019040 GlobalAlloc
0x140019048 GetTimeFormatA
0x140019050 GetCommandLineA
0x140019058 VirtualAlloc
0x140019060 VirtualProtect
USER32.dll
0x140019070 MessageBoxA
0x140019078 SetWindowTextA
0x140019080 SetCursorPos
0x140019088 GetWindowTextA
0x140019090 OpenClipboard
EAT(Export Address Table) is none