Field | Value |
---|---|
Created | 2021.04.23 10:09 |
Machine | s1_win7_x6401 |
Filename | check.dll |
Type | PE32 executable (DLL) (native) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 22 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Wacapew, confidence, 100%, Strealer, CLOUD, Artemis, score, ai score=86, PossibleThreat, PALLAS) |
md5 | 19cf698a9ec21bb5a1b12c9c462e2d3d |
sha256 | 94dfc86b7314e9b0981a4e3667d5b82711ab82a3079f2441788bb9523249a7eb |
ssdeep | 12288:oIa8AH657UylIxg2IAnrEfKqKrIm0DAg7Bhlkb:QLu2IGklKQ7lkb |
imphash | fe54aa4914f46efb2484d8839e21efc3 |
impfuzzy | 3:Px+yw6BJO7aqs2dWtMB1JM/MDJt1AjTE:p+yfA2eg2J7P1aE |
Signature (13cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
warning | File has been identified by 22 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | HasDebugData | DebugData Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | win_files_operation | Affect private profile | binaries (upload) |
Network (7cnts)
Suricata ids
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET INFO TLS Handshake Failure
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
PE API
IAT(Import Address Table) Library
SHLWAPI.dll
0x10008010 wnsprintfA
KERNEL32.dll
0x10008000 CloseHandle
0x10008004 CreateFileA
0x10008008 WriteFile
USER32.dll
0x10008018 GetClientRect
0x1000801c GetClassNameA
0x10008020 GetWindowTextA
EAT(Export Address Table) Library
0x1000252b StartW
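The hashes, IAT and EAT above are what an analyst re-derives first when a new sample is suspected to be the same family: does the file hash match, does the imphash match, and does it carry the same seven imports and the single `StartW` export. The script below is an added example and not part of the sandbox report or the sample; it parses the PE import and export directories with the standard library only, computes md5, sha256 and a pefile-compatible imphash, and compares them with the values on this page. Its imphash omits pefile's ordinal-to-name tables for ws2_32/oleaut32, so it agrees with pefile only for by-name imports (all seven imports listed here are by name). Because the real sample is not on the page, the script builds a constructed, minimal PE32 DLL with the same import and export names as its input; `build_test_dll`, `triage`, `REPORT` and the section layout are assumptions of this example.

```python
"""Offline triage of a PE against the report facts above (added example, not the sandbox's code).
Standard library only: file hashes, import/export walk, pefile-compatible imphash (no ordinal tables)."""
import hashlib
import struct

REPORT = {  # indicators copied from the report above
    "md5": "19cf698a9ec21bb5a1b12c9c462e2d3d",
    "sha256": "94dfc86b7314e9b0981a4e3667d5b82711ab82a3079f2441788bb9523249a7eb",
    "imphash": "fe54aa4914f46efb2484d8839e21efc3",
    "exports": ["StartW"],
    "imports": [("SHLWAPI.dll", ["wnsprintfA"]),
                ("KERNEL32.dll", ["CloseHandle", "CreateFileA", "WriteFile"]),
                ("USER32.dll", ["GetClientRect", "GetClassNameA", "GetWindowTextA"])],
}

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data):
    """Walk headers, section table, import and export directories of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    dd = opt + (96 if is_pe32 else 112)                 # data directory array
    exp_rva = struct.unpack_from("<I", data, dd)[0]     # entry 0: export table
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0] # entry 1: import table
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def off(rva):  # RVA -> file offset through the section table
        for _, vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA %#x outside all sections" % rva)

    imports, tsz = [], 4 if is_pe32 else 8
    if imp_rva:
        p = off(imp_rva)
        while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, p)
            if name_rva == 0:
                break
            dll, t = _cstr(data, off(name_rva)), off(oft or ft)
            while True:
                thunk = int.from_bytes(data[t:t + tsz], "little")
                if thunk == 0:
                    break
                if thunk >> (tsz * 8 - 1):              # high bit set: import by ordinal
                    imports.append((dll, "ord%d" % (thunk & 0xFFFF)))
                else:                                   # hint/name entry: 2-byte hint, then name
                    imports.append((dll, _cstr(data, off(thunk) + 2)))
                t += tsz
            p += 20
    exports = []
    if exp_rva:
        e = struct.unpack_from("<IIHHIIIIIII", data, off(exp_rva))
        nnames, names_rva = e[7], e[9]                  # NumberOfNames, AddressOfNames
        for i in range(nnames):
            exports.append(_cstr(data, off(struct.unpack_from("<I", data, off(names_rva) + 4 * i)[0])))
    return {"is_pe32": is_pe32, "is_dll": bool(chars & 0x2000), "imports": imports, "exports": exports}

def imphash(imports):
    """pefile's imphash: 'dll.func' lowercased, .dll/.ocx/.sys stripped, import order preserved."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        if lib.rsplit(".", 1)[-1] in ("dll", "ocx", "sys"):
            lib = lib.rsplit(".", 1)[0]
        parts.append("%s.%s" % (lib, func.lower()))
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def triage(data):
    """Hash the file, parse it, and compare against the report's indicators."""
    pe = parse_pe(data)
    facts = {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
             "imphash": imphash(pe["imports"]), **pe}
    facts["known_hash"] = any(facts[k] == REPORT[k] for k in ("md5", "sha256", "imphash"))
    want = {(d, f) for d, fs in REPORT["imports"] for f in fs}
    facts["same_api_profile"] = set(pe["imports"]) == want and pe["exports"] == REPORT["exports"]
    return facts

def build_test_dll(imports, exports):
    """Constructed input (not the sample): minimal PE32 DLL, one .rdata section holding IAT and EAT."""
    rva0, body = 0x1000, bytearray(20 * (len(imports) + 1))   # descriptor array first, patched below
    def put(b):  # 4-byte aligned append, returns the RVA of what was appended
        while len(body) % 4: body.append(0)
        body.extend(b); return rva0 + len(body) - len(b)
    for i, (dll, names) in enumerate(imports):
        name_rva = put(dll.encode() + b"\0")
        hints = [put(b"\0\0" + n.encode() + b"\0") for n in names]
        ilt = put(b"".join(struct.pack("<I", h) for h in hints) + b"\0\0\0\0")
        struct.pack_into("<IIIII", body, 20 * i, ilt, 0, 0, name_rva, ilt)
    exp_rva, n = put(b"\0" * 40), len(exports)
    funcs = put(struct.pack("<%dI" % n, *[0x2000 + 16 * i for i in range(n)]))
    names = put(struct.pack("<%dI" % n, *[0] * n))
    ords = put(struct.pack("<%dH" % n, *range(n)))
    for i, e in enumerate(exports):
        struct.pack_into("<I", body, names - rva0 + 4 * i, put(e.encode() + b"\0"))
    dllname = put(b"check.dll\0")
    struct.pack_into("<IIHHIIIIIII", body, exp_rva - rva0, 0, 0, 0, 0, dllname, 1, n, n, funcs, names, ords)
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)   # i386, 1 section, DLL
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                    # PE32 magic
    struct.pack_into("<IIII", hdr, 0x58 + 96, exp_rva, 40, rva0, 20 * (len(imports) + 1))
    struct.pack_into("<8sIIII", hdr, 0x58 + 0xE0, b".rdata", len(body), rva0, len(body), 0x200)
    return bytes(hdr) + bytes(body)

if __name__ == "__main__":
    for k, v in triage(build_test_dll(REPORT["imports"], REPORT["exports"])).items():
        print("%-17s %s" % (k, v))
```

Run against a real file with `triage(open(path, "rb").read())`. On the constructed DLL `same_api_profile` is true while `known_hash` is false: the file hashes cannot match a different binary, and the import order (which imphash depends on) is only an assumption here. A match on `same_api_profile` alone is a reason to look closer, not an attribution.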