ScreenShot
| Created | 2021.04.16 18:10 | Machine | s1_win7_x6401 |
| Filename | winlog.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 20 detected (AIDetect, malware1, malicious, high confidence, Unsafe, Save, confidence, 100%, ZexaF, uqX@a4Nt71dG, Attribute, HighConfidence, Wacatac, score, ET#94%, RDMK, cmRtazqc0s4dFuBTNoyC7+40hGjk, Static AI, Suspicious PE, QVM10) | ||
| md5 | e4c965e4ab3053c66ac8873a17935202 | ||
| sha256 | 7b309f5521adf12425f1283d64aff52b9b22cd645dbc2de357a851af9388093f | ||
| ssdeep | 6144:6q8BYh+lLATA3JRtrj+k0bXBH+/p27euvt8x6sNfi52XA:6bBdlsk37tPQrBWU7eqtsfi0 | ||
| imphash | a4692d4002a6ed074a99800cf8705837 | ||
| impfuzzy | 48:q1aPpOPLkHCD2O8ct0Xcu9ep/1t76P+D5cPd1GnNZedi:MAOTkHc8cSXV2/1t76PY5cl1GHF | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Trojan_Win32_Glupteba_1_Zero | Trojan Win32 Glupteba | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x428008 WriteConsoleW
0x42800c GetDefaultCommConfigW
0x428010 CreateMutexA
0x428014 GetStdHandle
0x428018 InterlockedIncrement
0x42801c SetSystemTimeAdjustment
0x428020 FileTimeToSystemTime
0x428024 GetNamedPipeHandleStateW
0x428028 CallNamedPipeW
0x42802c BeginUpdateResourceA
0x428030 BuildCommDCBAndTimeoutsA
0x428034 EnterCriticalSection
0x428038 DebugActiveProcessStop
0x42803c EnumTimeFormatsW
0x428040 TlsSetValue
0x428044 GetACP
0x428048 ReadFile
0x42804c GetCurrentActCtx
0x428050 ReleaseActCtx
0x428054 AddRefActCtx
0x428058 GetHandleInformation
0x42805c OpenFile
0x428060 VerifyVersionInfoA
0x428064 GetVersionExW
0x428068 FreeLibrary
0x42806c LoadLibraryExW
0x428070 GetComputerNameW
0x428074 CommConfigDialogA
0x428078 GetProcAddress
0x42807c lstrcpyA
0x428080 GetProcessPriorityBoost
0x428084 GlobalAlloc
0x428088 SetFilePointer
0x42808c SetWaitableTimer
0x428090 GetCurrentDirectoryW
0x428094 VirtualFree
0x428098 GetCommMask
0x42809c HeapFree
0x4280a0 RaiseException
0x4280a4 GetBinaryTypeW
0x4280a8 LocalSize
0x4280ac SetConsoleMode
0x4280b0 GetLargestConsoleWindowSize
0x4280b4 WriteConsoleInputW
0x4280b8 OpenMutexW
0x4280bc SetThreadContext
0x4280c0 AddAtomW
0x4280c4 FindVolumeMountPointClose
0x4280c8 GetSystemTime
0x4280cc GetCommandLineW
0x4280d0 SetLocalTime
0x4280d4 GetLastError
0x4280d8 GetSystemTimeAsFileTime
0x4280dc DisconnectNamedPipe
0x4280e0 GetConsoleCursorInfo
0x4280e4 TerminateThread
0x4280e8 GetFileAttributesW
0x4280ec SetLastError
0x4280f0 lstrlenA
0x4280f4 CompareStringW
0x4280f8 CompareStringA
0x4280fc LoadLibraryW
0x428100 CreateJobObjectW
0x428104 RtlUnwind
0x428108 TerminateProcess
0x42810c GetCurrentProcess
0x428110 UnhandledExceptionFilter
0x428114 SetUnhandledExceptionFilter
0x428118 IsDebuggerPresent
0x42811c GetStartupInfoW
0x428120 HeapAlloc
0x428124 LeaveCriticalSection
0x428128 GetModuleHandleA
0x42812c GetModuleHandleW
0x428130 TlsGetValue
0x428134 TlsAlloc
0x428138 TlsFree
0x42813c GetCurrentThreadId
0x428140 InterlockedDecrement
0x428144 GetCurrentThread
0x428148 Sleep
0x42814c ExitProcess
0x428150 WriteFile
0x428154 GetModuleFileNameA
0x428158 GetModuleFileNameW
0x42815c FreeEnvironmentStringsW
0x428160 GetEnvironmentStringsW
0x428164 SetHandleCount
0x428168 GetFileType
0x42816c GetStartupInfoA
0x428170 DeleteCriticalSection
0x428174 HeapCreate
0x428178 HeapDestroy
0x42817c QueryPerformanceCounter
0x428180 GetTickCount
0x428184 GetCurrentProcessId
0x428188 WideCharToMultiByte
0x42818c GetConsoleCP
0x428190 GetConsoleMode
0x428194 GetCPInfo
0x428198 GetOEMCP
0x42819c IsValidCodePage
0x4281a0 FatalAppExitA
0x4281a4 VirtualAlloc
0x4281a8 HeapReAlloc
0x4281ac HeapSize
0x4281b0 SetConsoleCtrlHandler
0x4281b4 InterlockedExchange
0x4281b8 LoadLibraryA
0x4281bc InitializeCriticalSectionAndSpinCount
0x4281c0 SetStdHandle
0x4281c4 WriteConsoleA
0x4281c8 GetConsoleOutputCP
0x4281cc MultiByteToWideChar
0x4281d0 LCMapStringA
0x4281d4 LCMapStringW
0x4281d8 GetStringTypeA
0x4281dc GetStringTypeW
0x4281e0 GetTimeFormatA
0x4281e4 GetDateFormatA
0x4281e8 GetUserDefaultLCID
0x4281ec GetLocaleInfoA
0x4281f0 EnumSystemLocalesA
0x4281f4 IsValidLocale
0x4281f8 FlushFileBuffers
0x4281fc GetLocaleInfoW
0x428200 CreateFileA
0x428204 CloseHandle
0x428208 GetTimeZoneInformation
0x42820c SetEnvironmentVariableA
USER32.dll
0x428214 GetComboBoxInfo
ADVAPI32.dll
0x428000 IsTextUnicode
EAT(Export Address Table) is none
KERNEL32.dll
0x428008 WriteConsoleW
0x42800c GetDefaultCommConfigW
0x428010 CreateMutexA
0x428014 GetStdHandle
0x428018 InterlockedIncrement
0x42801c SetSystemTimeAdjustment
0x428020 FileTimeToSystemTime
0x428024 GetNamedPipeHandleStateW
0x428028 CallNamedPipeW
0x42802c BeginUpdateResourceA
0x428030 BuildCommDCBAndTimeoutsA
0x428034 EnterCriticalSection
0x428038 DebugActiveProcessStop
0x42803c EnumTimeFormatsW
0x428040 TlsSetValue
0x428044 GetACP
0x428048 ReadFile
0x42804c GetCurrentActCtx
0x428050 ReleaseActCtx
0x428054 AddRefActCtx
0x428058 GetHandleInformation
0x42805c OpenFile
0x428060 VerifyVersionInfoA
0x428064 GetVersionExW
0x428068 FreeLibrary
0x42806c LoadLibraryExW
0x428070 GetComputerNameW
0x428074 CommConfigDialogA
0x428078 GetProcAddress
0x42807c lstrcpyA
0x428080 GetProcessPriorityBoost
0x428084 GlobalAlloc
0x428088 SetFilePointer
0x42808c SetWaitableTimer
0x428090 GetCurrentDirectoryW
0x428094 VirtualFree
0x428098 GetCommMask
0x42809c HeapFree
0x4280a0 RaiseException
0x4280a4 GetBinaryTypeW
0x4280a8 LocalSize
0x4280ac SetConsoleMode
0x4280b0 GetLargestConsoleWindowSize
0x4280b4 WriteConsoleInputW
0x4280b8 OpenMutexW
0x4280bc SetThreadContext
0x4280c0 AddAtomW
0x4280c4 FindVolumeMountPointClose
0x4280c8 GetSystemTime
0x4280cc GetCommandLineW
0x4280d0 SetLocalTime
0x4280d4 GetLastError
0x4280d8 GetSystemTimeAsFileTime
0x4280dc DisconnectNamedPipe
0x4280e0 GetConsoleCursorInfo
0x4280e4 TerminateThread
0x4280e8 GetFileAttributesW
0x4280ec SetLastError
0x4280f0 lstrlenA
0x4280f4 CompareStringW
0x4280f8 CompareStringA
0x4280fc LoadLibraryW
0x428100 CreateJobObjectW
0x428104 RtlUnwind
0x428108 TerminateProcess
0x42810c GetCurrentProcess
0x428110 UnhandledExceptionFilter
0x428114 SetUnhandledExceptionFilter
0x428118 IsDebuggerPresent
0x42811c GetStartupInfoW
0x428120 HeapAlloc
0x428124 LeaveCriticalSection
0x428128 GetModuleHandleA
0x42812c GetModuleHandleW
0x428130 TlsGetValue
0x428134 TlsAlloc
0x428138 TlsFree
0x42813c GetCurrentThreadId
0x428140 InterlockedDecrement
0x428144 GetCurrentThread
0x428148 Sleep
0x42814c ExitProcess
0x428150 WriteFile
0x428154 GetModuleFileNameA
0x428158 GetModuleFileNameW
0x42815c FreeEnvironmentStringsW
0x428160 GetEnvironmentStringsW
0x428164 SetHandleCount
0x428168 GetFileType
0x42816c GetStartupInfoA
0x428170 DeleteCriticalSection
0x428174 HeapCreate
0x428178 HeapDestroy
0x42817c QueryPerformanceCounter
0x428180 GetTickCount
0x428184 GetCurrentProcessId
0x428188 WideCharToMultiByte
0x42818c GetConsoleCP
0x428190 GetConsoleMode
0x428194 GetCPInfo
0x428198 GetOEMCP
0x42819c IsValidCodePage
0x4281a0 FatalAppExitA
0x4281a4 VirtualAlloc
0x4281a8 HeapReAlloc
0x4281ac HeapSize
0x4281b0 SetConsoleCtrlHandler
0x4281b4 InterlockedExchange
0x4281b8 LoadLibraryA
0x4281bc InitializeCriticalSectionAndSpinCount
0x4281c0 SetStdHandle
0x4281c4 WriteConsoleA
0x4281c8 GetConsoleOutputCP
0x4281cc MultiByteToWideChar
0x4281d0 LCMapStringA
0x4281d4 LCMapStringW
0x4281d8 GetStringTypeA
0x4281dc GetStringTypeW
0x4281e0 GetTimeFormatA
0x4281e4 GetDateFormatA
0x4281e8 GetUserDefaultLCID
0x4281ec GetLocaleInfoA
0x4281f0 EnumSystemLocalesA
0x4281f4 IsValidLocale
0x4281f8 FlushFileBuffers
0x4281fc GetLocaleInfoW
0x428200 CreateFileA
0x428204 CloseHandle
0x428208 GetTimeZoneInformation
0x42820c SetEnvironmentVariableA
USER32.dll
0x428214 GetComboBoxInfo
ADVAPI32.dll
0x428000 IsTextUnicode
EAT(Export Address Table) is none