ScreenShot
| Created | 2021.04.12 11:17 | Machine | s1_win7_x6401 |
| Filename | uko.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 19 detected (malicious, high confidence, Unsafe, a variant of WinGo, GoCLR, Bulz, CobaltStrike, Cobalt, Score, 100%, Wacatac, Artemis, confidence) | ||
| md5 | 40367f496f45ba45b8545f90065b6940 | ||
| sha256 | 9d1ca3a1dad26b6c0195ac41fe5fa6e5e03706496944383ca9156fa99e57dc8a | ||
| ssdeep | 49152:JbtrUXdIFcV5RsizUE3q0b5+jOAjMNmSuDyYNq9YIrhSIdR1bRYU2Q55YhUxyb6j:nrUXdIFcG | ||
| imphash | 4035d2883e01d64f3e7a9dccb1d63af5 | ||
| impfuzzy | 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6UP:K5O+VAXOmGx0nP | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| watch | Detects the presence of Wine emulator |
| watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | create_service | Create a windows service | binaries (upload) |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | network_dns | Communications use DNS | binaries (upload) |
| info | network_tcp_listen | Listen for incoming communication | binaries (upload) |
| info | network_tcp_socket | Communications over RAW socket | binaries (upload) |
| info | network_udp_sock | Communications over UDP network | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_token | Affect system token | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x9fc020 WriteFile
0x9fc028 WriteConsoleW
0x9fc030 WaitForMultipleObjects
0x9fc038 WaitForSingleObject
0x9fc040 VirtualQuery
0x9fc048 VirtualFree
0x9fc050 VirtualAlloc
0x9fc058 SwitchToThread
0x9fc060 SuspendThread
0x9fc068 Sleep
0x9fc070 SetWaitableTimer
0x9fc078 SetUnhandledExceptionFilter
0x9fc080 SetProcessPriorityBoost
0x9fc088 SetEvent
0x9fc090 SetErrorMode
0x9fc098 SetConsoleCtrlHandler
0x9fc0a0 ResumeThread
0x9fc0a8 PostQueuedCompletionStatus
0x9fc0b0 LoadLibraryA
0x9fc0b8 LoadLibraryW
0x9fc0c0 SetThreadContext
0x9fc0c8 GetThreadContext
0x9fc0d0 GetSystemInfo
0x9fc0d8 GetSystemDirectoryA
0x9fc0e0 GetStdHandle
0x9fc0e8 GetQueuedCompletionStatusEx
0x9fc0f0 GetProcessAffinityMask
0x9fc0f8 GetProcAddress
0x9fc100 GetEnvironmentStringsW
0x9fc108 GetConsoleMode
0x9fc110 FreeEnvironmentStringsW
0x9fc118 ExitProcess
0x9fc120 DuplicateHandle
0x9fc128 CreateWaitableTimerExW
0x9fc130 CreateThread
0x9fc138 CreateIoCompletionPort
0x9fc140 CreateEventA
0x9fc148 CloseHandle
0x9fc150 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x9fc020 WriteFile
0x9fc028 WriteConsoleW
0x9fc030 WaitForMultipleObjects
0x9fc038 WaitForSingleObject
0x9fc040 VirtualQuery
0x9fc048 VirtualFree
0x9fc050 VirtualAlloc
0x9fc058 SwitchToThread
0x9fc060 SuspendThread
0x9fc068 Sleep
0x9fc070 SetWaitableTimer
0x9fc078 SetUnhandledExceptionFilter
0x9fc080 SetProcessPriorityBoost
0x9fc088 SetEvent
0x9fc090 SetErrorMode
0x9fc098 SetConsoleCtrlHandler
0x9fc0a0 ResumeThread
0x9fc0a8 PostQueuedCompletionStatus
0x9fc0b0 LoadLibraryA
0x9fc0b8 LoadLibraryW
0x9fc0c0 SetThreadContext
0x9fc0c8 GetThreadContext
0x9fc0d0 GetSystemInfo
0x9fc0d8 GetSystemDirectoryA
0x9fc0e0 GetStdHandle
0x9fc0e8 GetQueuedCompletionStatusEx
0x9fc0f0 GetProcessAffinityMask
0x9fc0f8 GetProcAddress
0x9fc100 GetEnvironmentStringsW
0x9fc108 GetConsoleMode
0x9fc110 FreeEnvironmentStringsW
0x9fc118 ExitProcess
0x9fc120 DuplicateHandle
0x9fc128 CreateWaitableTimerExW
0x9fc130 CreateThread
0x9fc138 CreateIoCompletionPort
0x9fc140 CreateEventA
0x9fc148 CloseHandle
0x9fc150 AddVectoredExceptionHandler
EAT(Export Address Table) is none