Field | Value |
---|---|
Created | 2021.04.09 17:03 |
Machine | s1_win7_x6402 |
Filename | bg8.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 6 detected (Unsafe, FileRepMalware, Injuke, Wacatac) |
md5 | 57e8ac3aec87c298a240dc0853747dd5 |
sha256 | 0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b |
ssdeep | 6144:R1urcdRp0ZtFWOorzZvKAHS2c8C2fRx3uQ1UsdHw:Yie2lztHnCO0 |
imphash | 7babf25e4ed6abf9b92ec07e1cf261dd |
impfuzzy | 24:bS1o0qtSmlJnc+pl3eDoTY2BUSOovbO9Ziv2jM6:bS1YtSkc+pp/YR3AA |
Network IP location
Signatures (7)
Level | Description |
---|---|
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | File has been identified by 6 AntiVirus engines on VirusTotal as malicious |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (16)
Level | Name | Description | Collection |
---|---|---|---|
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | HasDebugData | DebugData Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_files_operation | Affect private profile | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140010000 QueryPerformanceCounter
0x140010008 GetCurrentProcessId
0x140010010 GetCurrentThreadId
0x140010018 GetSystemTimeAsFileTime
0x140010020 InitializeSListHead
0x140010028 RtlCaptureContext
0x140010030 RtlLookupFunctionEntry
0x140010038 RtlVirtualUnwind
0x140010040 IsDebuggerPresent
0x140010048 UnhandledExceptionFilter
0x140010050 SetUnhandledExceptionFilter
0x140010058 GetStartupInfoW
0x140010060 IsProcessorFeaturePresent
0x140010068 GetModuleHandleW
0x140010070 RtlUnwindEx
0x140010078 GetLastError
0x140010080 SetLastError
0x140010088 EnterCriticalSection
0x140010090 LeaveCriticalSection
0x140010098 DeleteCriticalSection
0x1400100a0 InitializeCriticalSectionAndSpinCount
0x1400100a8 TlsAlloc
0x1400100b0 TlsGetValue
0x1400100b8 TlsSetValue
0x1400100c0 TlsFree
0x1400100c8 FreeLibrary
0x1400100d0 GetProcAddress
0x1400100d8 LoadLibraryExW
0x1400100e0 RaiseException
0x1400100e8 GetStdHandle
0x1400100f0 WriteFile
0x1400100f8 GetModuleFileNameW
0x140010100 GetCurrentProcess
0x140010108 ExitProcess
0x140010110 TerminateProcess
0x140010118 GetModuleHandleExW
0x140010120 HeapAlloc
0x140010128 HeapFree
0x140010130 FindClose
0x140010138 FindFirstFileExW
0x140010140 FindNextFileW
0x140010148 IsValidCodePage
0x140010150 GetACP
0x140010158 GetOEMCP
0x140010160 GetCPInfo
0x140010168 GetCommandLineA
0x140010170 GetCommandLineW
0x140010178 MultiByteToWideChar
0x140010180 WideCharToMultiByte
0x140010188 GetEnvironmentStringsW
0x140010190 FreeEnvironmentStringsW
0x140010198 SetStdHandle
0x1400101a0 GetFileType
0x1400101a8 GetStringTypeW
0x1400101b0 LCMapStringW
0x1400101b8 GetProcessHeap
0x1400101c0 HeapSize
0x1400101c8 HeapReAlloc
0x1400101d0 FlushFileBuffers
0x1400101d8 GetConsoleCP
0x1400101e0 GetConsoleMode
0x1400101e8 SetFilePointerEx
0x1400101f0 CreateFileW
0x1400101f8 CloseHandle
0x140010200 WriteConsoleW
EAT (Export Address Table): none