Field | Value
---|---
Created | 2021.04.28 07:42
Machine | s1_win7_x6402
Filename | 195145.exe
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
ZERO API | file : clean
VT API (file) | 10 detected (malicious, high confidence, Unsafe, Cobalt, SMOKELOADER, CLOUD)
md5 | 5b5a730628dc9eba2c12530d225c2f70
sha256 | e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06
ssdeep | 6144:cZluCr7KHcEbEv+fKmwULUV8BoZM3q3Bur1VLcfZ1odtBk5Aum2m3axwRIeWWWWi:8Qb14ULr03Bur1Vgx1CtiyN9KxwRI
imphash | a6d9b7f182ef1cfe180f692d89ecc759
impfuzzy | 24:8tJ8JacCW+XOeOXxo1gUdcDD1ncL2K9M3a0W6FBvpuvenjujb/MG95XGDZIkoDqE:CJBXOeOXxo1ycNYPIeg/RJGVIkoqE
Signatures (10)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | File has been identified by 10 AntiVirus engines on VirusTotal as malicious |
notice | A process attempted to delay the analysis task. |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
info | Queries for the computername |
Rules (5)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_registry | Affect system registries | binaries (upload) |
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x4c4310 ImpersonateAnonymousToken
0x4c4318 ImpersonateLoggedOnUser
0x4c4320 ImpersonateNamedPipeClient
0x4c4328 NotifyChangeEventLog
0x4c4330 OpenEventLogA
0x4c4338 ReadEventLogA
0x4c4340 RegCloseKey
KERNEL32.dll
0x4c4350 CloseHandle
0x4c4358 CreateFileA
0x4c4360 CreatePipe
0x4c4368 CreateProcessA
0x4c4370 DeleteCriticalSection
0x4c4378 DeleteFileA
0x4c4380 EnterCriticalSection
0x4c4388 FindNextStreamW
0x4c4390 FlushConsoleInputBuffer
0x4c4398 FlushFileBuffers
0x4c43a0 GetBinaryTypeA
0x4c43a8 GetCurrentProcess
0x4c43b0 GetCurrentProcessId
0x4c43b8 GetCurrentThreadId
0x4c43c0 GetExitCodeProcess
0x4c43c8 GetHandleInformation
0x4c43d0 GetLargestConsoleWindowSize
0x4c43d8 GetLastError
0x4c43e0 GetProcAddress
0x4c43e8 GetStartupInfoA
0x4c43f0 GetSystemTimeAsFileTime
0x4c43f8 GetTempFileNameA
0x4c4400 GetTempPathA
0x4c4408 GetTickCount
0x4c4410 InitializeCriticalSection
0x4c4418 LeaveCriticalSection
0x4c4420 LoadLibraryA
0x4c4428 OpenEventA
0x4c4430 PurgeComm
0x4c4438 QueryPerformanceCounter
0x4c4440 ReadFile
0x4c4448 ReleaseMutex
0x4c4450 RtlAddFunctionTable
0x4c4458 RtlCaptureContext
0x4c4460 RtlLookupFunctionEntry
0x4c4468 RtlVirtualUnwind
0x4c4470 SetCommBreak
0x4c4478 SetCommMask
0x4c4480 SetCurrentDirectoryA
0x4c4488 SetEndOfFile
0x4c4490 SetEnvironmentVariableA
0x4c4498 SetEvent
0x4c44a0 SetUnhandledExceptionFilter
0x4c44a8 Sleep
0x4c44b0 TerminateProcess
0x4c44b8 TlsGetValue
0x4c44c0 UnhandledExceptionFilter
0x4c44c8 VirtualProtect
0x4c44d0 VirtualQuery
0x4c44d8 WaitForSingleObject
0x4c44e0 WaitForSingleObjectEx
0x4c44e8 WaitNamedPipeA
msvcrt.dll
0x4c44f8 __C_specific_handler
0x4c4500 __getmainargs
0x4c4508 __initenv
0x4c4510 __iob_func
0x4c4518 __lconv_init
0x4c4520 __set_app_type
0x4c4528 __setusermatherr
0x4c4530 _acmdln
0x4c4538 _amsg_exit
0x4c4540 _cexit
0x4c4548 _fmode
0x4c4550 _initterm
0x4c4558 _onexit
0x4c4560 _snprintf
0x4c4568 abort
0x4c4570 calloc
0x4c4578 exit
0x4c4580 fprintf
0x4c4588 free
0x4c4590 fwrite
0x4c4598 malloc
0x4c45a0 memcpy
0x4c45a8 signal
0x4c45b0 strlen
0x4c45b8 strncmp
0x4c45c0 vfprintf
EAT (Export Address Table): none
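The import table above is the cheapest place to check whether the sandbox signatures are consistent with what the binary can actually do: VirtualProtect lines up with the read-write to read-execute signature, GetTempPathA/GetTempFileNameA/DeleteFileA with the self-deletion signature, Sleep/GetTickCount/QueryPerformanceCounter with the analysis-delay signature, and CreatePipe/CreateProcessA/ReadFile with the suspicious child process. Notable is what is absent: no WinINet, WinHTTP or ws2_32 import, yet the report logs HTTP POST traffic, so networking is either resolved at runtime through LoadLibraryA/GetProcAddress or performed by the spawned process. The script below is an added example (not the sandbox's tooling) that parses the listing in the page's `0xADDR Name` format, applies that cross-check, and recomputes the pefile-style import string from which imphash is derived. The capability labels are the editor's own vocabulary, and the embedded listing is an excerpt constructed from the table above, so its imphash is only comparable with the reported value when run over the full table.

```python
"""Import-table triage for a sandbox IAT listing (added example)."""
import hashlib
import re
from collections import OrderedDict

# Excerpt of the IAT section as printed in the report (constructed from the
# page; only capability-relevant entries are kept, order preserved).
IAT_LISTING = """
ADVAPI32.dll
0x4c4310 ImpersonateAnonymousToken
0x4c4318 ImpersonateLoggedOnUser
0x4c4320 ImpersonateNamedPipeClient
0x4c4328 NotifyChangeEventLog
0x4c4330 OpenEventLogA
0x4c4338 ReadEventLogA
0x4c4340 RegCloseKey
KERNEL32.dll
0x4c4358 CreateFileA
0x4c4360 CreatePipe
0x4c4368 CreateProcessA
0x4c4378 DeleteFileA
0x4c43e0 GetProcAddress
0x4c43f8 GetTempFileNameA
0x4c4400 GetTempPathA
0x4c4408 GetTickCount
0x4c4420 LoadLibraryA
0x4c4438 QueryPerformanceCounter
0x4c4440 ReadFile
0x4c44a8 Sleep
0x4c44c8 VirtualProtect
0x4c44e8 WaitNamedPipeA
msvcrt.dll
0x4c4560 _snprintf
"""

DLL_LINE = re.compile(r"^\s*([\w.-]+\.(?:dll|sys|ocx))\s*$", re.IGNORECASE)
IMPORT_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\S+)\s*$")


def parse_iat(listing):
    """Return {dll_name: [function, ...]} in table order from the report text."""
    imports = OrderedDict()
    current = None
    for line in listing.splitlines():
        m = DLL_LINE.match(line)
        if m:
            current = m.group(1)
            imports.setdefault(current, [])
            continue
        m = IMPORT_LINE.match(line)
        if m and current is not None:
            imports[current].append(m.group(1))
    return imports


# (label, report signature the capability should line up with or None,
#  imports that must all be present). Labels are the editor's vocabulary.
RULES = [
    ("spawn child and read its output through a pipe", "Creates a suspicious process",
     {"CreatePipe", "CreateProcessA", "ReadFile"}),
    ("drop a file in %TEMP% and delete it afterwards", "Deletes executed files from disk",
     {"GetTempPathA", "GetTempFileNameA", "DeleteFileA"}),
    ("rewrite page protections at runtime",
     "Changes read-write memory protection to read-execute", {"VirtualProtect"}),
    ("timing primitives usable for analysis delay",
     "A process attempted to delay the analysis task.",
     {"Sleep", "GetTickCount", "QueryPerformanceCounter"}),
    ("named-pipe client impersonation", None, {"ImpersonateNamedPipeClient"}),
    ("read and watch the Windows event log", None,
     {"OpenEventLogA", "ReadEventLogA", "NotifyChangeEventLog"}),
    ("resolve APIs at runtime (keeps them out of the IAT)", None,
     {"LoadLibraryA", "GetProcAddress"}),
]

NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "ws2_32.dll", "urlmon.dll", "wsock32.dll"}


def triage(imports):
    """Match the rules above and note whether any network DLL is imported statically."""
    all_funcs = {f for funcs in imports.values() for f in funcs}
    hits = [(label, sig) for label, sig, need in RULES if need <= all_funcs]
    has_net = any(d.lower() in NETWORK_DLLS for d in imports)
    return {"capabilities": hits, "static_network_imports": has_net}


def imphash_string(imports):
    """pefile-style import string: 'dll.func' lowercased, dll/ocx/sys extension
    stripped, comma-joined in table order. Its MD5 is the imphash."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        if lib.rsplit(".", 1)[-1] in ("dll", "ocx", "sys"):
            lib = lib.rsplit(".", 1)[0]
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


if __name__ == "__main__":
    imps = parse_iat(IAT_LISTING)
    result = triage(imps)
    for label, sig in result["capabilities"]:
        print(f"[+] {label}" + (f"  <- report signature: {sig!r}" if sig else ""))
    if not result["static_network_imports"]:
        print("[!] no wininet/winhttp/ws2_32 import, yet the report logs HTTP POST:"
              " networking is resolved dynamically or done by a child process")
    print("imphash over this listing:", imphash(imps))
```

Feed the full IAT section from the report into `IAT_LISTING` and the recomputed imphash should agree with the reported a6d9b7f182ef1cfe180f692d89ecc759; a mismatch means the displayed IAT order differs from the import directory order, or the report was generated from a different sample than the one in hand.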