Field | Value |
---|---|
Created | 2021.04.12 08:04 |
Machine | s1_win7_x6402 |
Filename | chrome_elf.dll |
Type | PE32 executable (DLL) (console) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 18 detected (malicious, high confidence, Bulz, Kryptik, GXYG, Deepscan, Shellex, CLOUD, Farfli, ai score=88, Genetic) |
md5 | 98e44115d6f4faaa25524d66776c4eb7 |
sha256 | 69d8803acb91391e58dca18e69448c74fb604e6e6e53ee3fdc5446207a00f0c6 |
ssdeep | 49152:OMMYZfLghGFn/uNHpYbajfOGnCzV5vdn:Osz/ep5pq5 |
imphash | bfa09c2150c5efbf28278293aa8014c7 |
impfuzzy | 6:dBJAEHGDzyRY8zDWvC3658Tz0j9w5/KJwdwp6WNLbBnaMBqAAeliTXi21:VA/Dz98zDhruq5FCpzxCteliXP |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | File has been identified by 18 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Foreign language identified in PE resource |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | IsConsole | (no description) | binaries (upload) |
info | IsPacked | Entropy Check | binaries (upload) |
info | screenshot | Take screenshot | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x10423830 LoadLibraryA
0x10423834 GetProcAddress
0x10423838 VirtualProtect
ADVAPI32.dll
0x10423840 RegEnumKeyA
GDI32.dll
0x10423848 BitBlt
gdiplus.dll
0x10423850 GdipFree
IMM32.dll
0x10423858 ImmGetContext
MSIMG32.dll
0x10423860 AlphaBlend
ole32.dll
0x10423868 DoDragDrop
OLEACC.dll
0x10423870 LresultFromObject
OLEAUT32.dll
0x10423878 SysAllocString
SHELL32.dll
0x10423880 DragFinish
SHLWAPI.dll
0x10423888 PathIsUNCA
USER32.dll
0x10423890 GetDC
UxTheme.dll
0x10423898 IsAppThemed
WINMM.dll
0x104238a0 PlaySoundA
WINSPOOL.DRV
0x104238a8 GetJobA
EAT(Export Address Table) Library
0x100045f0 SignalChromeElf