ScreenShot
| Created | 2021.04.13 16:41 | Machine | s1_win7_x6401 |
| Filename | a9e09cd67ad4df01_zhxpwnkb2xox5j.dll | ||
| Type | PE32 executable (DLL) (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 11 detected (Unsafe, ZedlaF, au4@a8OIs8mi, Eldorado, EPCK, Malicious, score, Kryptik, Artemis, FormBook, CLOUD, EPAI) | ||
| md5 | 38b02c707606809973c80710a99fcd07 | ||
| sha256 | a9e09cd67ad4df0184b813f1ace7e12f9f4b16f66ab47edf19d4584e4683ca49 | ||
| ssdeep | 48:atzbZ4khubZOGh8friWIiVGDy+4dgpyHvP/eCNkBRe/WGRuqSC:G/8YBibiVGUdggHvP/LWzexn | ||
| imphash | a2c24e505877f49196365f7e8c56857e | ||
| impfuzzy | 12:ZQGq6xFh9vi4Fvl8Fds5Q4AJ1McLq5wC7tR95Clqg7n:ZQgv9vi4oDsBs6cuuCJRKlqg7n | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 11 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsConsole | (no description) | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x10003000 CreateFileW
0x10003004 GetFileSize
0x10003008 ReadFile
0x1000300c GetTempPathW
0x10003010 IsDebuggerPresent
0x10003014 DebugBreak
0x10003018 HeapCreate
0x1000301c HeapAlloc
0x10003020 VirtualProtect
0x10003024 lstrcatW
rtutils.dll
0x10003074 TracePutsExA
0x10003078 LogEventA
0x1000307c TracePrintfExW
0x10003080 TraceGetConsoleA
0x10003084 RouterLogDeregisterW
pdh.dll
0x10003060 PdhValidatePathW
0x10003064 PdhSelectDataSourceA
0x10003068 PdhGetCounterTimeBase
0x1000306c PdhCloseLog
urlmon.dll
0x1000308c RegisterBindStatusCallback
0x10003090 FindMimeFromData
0x10003094 GetClassFileOrMime
0x10003098 CopyBindInfo
MSACM32.dll
0x1000302c acmDriverMessage
0x10003030 acmMetrics
0x10003034 acmFormatEnumA
0x10003038 acmDriverID
0x1000303c acmFormatEnumW
ODBC32.dll
0x10003044 None
0x10003048 None
0x1000304c None
SHELL32.dll
0x10003054 SHGetFileInfoA
0x10003058 ExtractAssociatedIconW
EAT(Export Address Table) Library
0x10001000 Rcxlxosdkhvclf
KERNEL32.dll
0x10003000 CreateFileW
0x10003004 GetFileSize
0x10003008 ReadFile
0x1000300c GetTempPathW
0x10003010 IsDebuggerPresent
0x10003014 DebugBreak
0x10003018 HeapCreate
0x1000301c HeapAlloc
0x10003020 VirtualProtect
0x10003024 lstrcatW
rtutils.dll
0x10003074 TracePutsExA
0x10003078 LogEventA
0x1000307c TracePrintfExW
0x10003080 TraceGetConsoleA
0x10003084 RouterLogDeregisterW
pdh.dll
0x10003060 PdhValidatePathW
0x10003064 PdhSelectDataSourceA
0x10003068 PdhGetCounterTimeBase
0x1000306c PdhCloseLog
urlmon.dll
0x1000308c RegisterBindStatusCallback
0x10003090 FindMimeFromData
0x10003094 GetClassFileOrMime
0x10003098 CopyBindInfo
MSACM32.dll
0x1000302c acmDriverMessage
0x10003030 acmMetrics
0x10003034 acmFormatEnumA
0x10003038 acmDriverID
0x1000303c acmFormatEnumW
ODBC32.dll
0x10003044 None
0x10003048 None
0x1000304c None
SHELL32.dll
0x10003054 SHGetFileInfoA
0x10003058 ExtractAssociatedIconW
EAT(Export Address Table) Library
0x10001000 Rcxlxosdkhvclf