Field | Value |
---|---|
Created | 2021.04.22 22:02 |
Machine | s1_win7_x6401 |
Filename | O28C.dll |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 49 detected (malicious, high confidence, GenericKD, Emotet, EmotetCrypt, confidence, 100%, Eldorado, Attribute, HighConfidence, MalwareX, Gencirc, S + Troj, R049C0DA321, Static AI, Malicious PE, score, R361809, ai score=80, Kryptik, CLASSIC, HILQ) |
md5 | d0b30b11795c869a2d3c83be6761067b |
sha256 | 9ca0cd857f782c3209e50197e74bdd75d6c7d2a74f76fcdd18a6cfd1e95532d5 |
ssdeep | 3072:haA+SItMob7Rb+5jGOuNns4IJUu/AHD7GxVhmoOqLMUFZrtIJA7jKjV51mUanDi:stMo3RM6+UuqGXh9OEgACJfanu |
imphash | 43bec81592be9b6dbf07d99790d8c844 |
impfuzzy | 24:x+BzkYHQyaSrJYk0Dfal/t0GdPOov1fkUcftLyvEw3M:x+laSUapt0Gdmwcft4EuM |
Signature (8cnts)
Level | Description |
---|---|
danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Expresses interest in specific running processes |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks if process is being debugged by a debugger |
info | Uses Windows APIs to generate a cryptographic key |
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (upload) |
Network (0cnts)
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1000e000 GetLocaleInfoA
0x1000e004 GetStringTypeW
0x1000e008 GetStringTypeA
0x1000e00c LCMapStringW
0x1000e010 MultiByteToWideChar
0x1000e014 LCMapStringA
0x1000e018 IsValidCodePage
0x1000e01c GetOEMCP
0x1000e020 GetACP
0x1000e024 GetCPInfo
0x1000e028 GetSystemTimeAsFileTime
0x1000e02c GetCurrentProcessId
0x1000e030 GetTickCount
0x1000e034 QueryPerformanceCounter
0x1000e038 GetEnvironmentStringsW
0x1000e03c WideCharToMultiByte
0x1000e040 FreeEnvironmentStringsW
0x1000e044 GetEnvironmentStrings
0x1000e048 FreeEnvironmentStringsA
0x1000e04c GetNativeSystemInfo
0x1000e050 HeapAlloc
0x1000e054 GetProcessHeap
0x1000e058 HeapFree
0x1000e05c FreeLibrary
0x1000e060 IsBadReadPtr
0x1000e064 VirtualProtect
0x1000e068 SetLastError
0x1000e06c VirtualFree
0x1000e070 VirtualQuery
0x1000e074 LoadLibraryA
0x1000e078 GetProcAddress
0x1000e07c WriteFileGather
0x1000e080 VirtualAlloc
0x1000e084 VirtualAllocExNuma
0x1000e088 GetCurrentProcess
0x1000e08c InitializeCriticalSectionAndSpinCount
0x1000e090 TerminateProcess
0x1000e094 UnhandledExceptionFilter
0x1000e098 SetUnhandledExceptionFilter
0x1000e09c IsDebuggerPresent
0x1000e0a0 RaiseException
0x1000e0a4 RtlUnwind
0x1000e0a8 GetCurrentThreadId
0x1000e0ac GetCommandLineA
0x1000e0b0 GetLastError
0x1000e0b4 GetModuleHandleA
0x1000e0b8 GetModuleHandleW
0x1000e0bc TlsGetValue
0x1000e0c0 TlsAlloc
0x1000e0c4 TlsSetValue
0x1000e0c8 TlsFree
0x1000e0cc InterlockedIncrement
0x1000e0d0 InterlockedDecrement
0x1000e0d4 DeleteCriticalSection
0x1000e0d8 LeaveCriticalSection
0x1000e0dc EnterCriticalSection
0x1000e0e0 HeapReAlloc
0x1000e0e4 HeapCreate
0x1000e0e8 HeapDestroy
0x1000e0ec Sleep
0x1000e0f0 ExitProcess
0x1000e0f4 WriteFile
0x1000e0f8 GetStdHandle
0x1000e0fc GetModuleFileNameA
0x1000e100 HeapSize
0x1000e104 SetHandleCount
0x1000e108 GetFileType
0x1000e10c GetStartupInfoA
USER32.dll
0x1000e114 MessageBoxA
0x1000e118 ShowWindow
EAT(Export Address Table) Library
0x10001220 Control_RunDLL