Field | Value |
---|---|
Created | 2021.04.30 09:41 |
Machine | s1_win7_x6402 |
Filename | redbutton.png |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 79f0f44a27a3d1bdc7cdd7e7c248fb29 |
sha256 | f6f0b0eadcc57871cf048fd83e37fb5e37100b6e759ec3f93979e471fb369a66 |
ssdeep | 6144:sH2eaP2q0qfSH69LcUgKqGLJ13yeeaz7LHCRiLj5AZPhPy4j:qOP2q0qfG69gNK71N77v/5kpy4j |
imphash | ccf0ab678aa913be3883b88932847ad2 |
impfuzzy | 24:UeDbrv0kgQ+fcmGHOov9lqJ3JtxwHRnlyvkT4EjMZEZAhAx/B:Uyp+fcmGuZJtxUKkc+ZQAlB |
Signature (14cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
warning | Generates some ICMP traffic |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
info | Queries for the computername |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata ids
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x416000 FreeLibrary
0x416004 GetProcAddress
0x416008 lstrlenW
0x41600c lstrlenA
0x416010 Sleep
0x416014 SizeofResource
0x416018 LoadResource
0x41601c FindResourceW
0x416020 VirtualAlloc
0x416024 SetStdHandle
0x416028 WriteConsoleW
0x41602c LoadLibraryW
0x416030 InterlockedIncrement
0x416034 InterlockedDecrement
0x416038 EncodePointer
0x41603c DecodePointer
0x416040 InitializeCriticalSection
0x416044 DeleteCriticalSection
0x416048 EnterCriticalSection
0x41604c LeaveCriticalSection
0x416050 RaiseException
0x416054 RtlUnwind
0x416058 GetCommandLineA
0x41605c HeapSetInformation
0x416060 GetStartupInfoW
0x416064 GetLastError
0x416068 HeapFree
0x41606c WideCharToMultiByte
0x416070 LCMapStringW
0x416074 MultiByteToWideChar
0x416078 GetCPInfo
0x41607c HeapAlloc
0x416080 TlsAlloc
0x416084 TlsGetValue
0x416088 TlsSetValue
0x41608c TlsFree
0x416090 GetModuleHandleW
0x416094 SetLastError
0x416098 GetCurrentThreadId
0x41609c UnhandledExceptionFilter
0x4160a0 SetUnhandledExceptionFilter
0x4160a4 IsDebuggerPresent
0x4160a8 TerminateProcess
0x4160ac GetCurrentProcess
0x4160b0 IsProcessorFeaturePresent
0x4160b4 ExitProcess
0x4160b8 WriteFile
0x4160bc GetStdHandle
0x4160c0 GetModuleFileNameW
0x4160c4 GetModuleFileNameA
0x4160c8 FreeEnvironmentStringsW
0x4160cc GetEnvironmentStringsW
0x4160d0 SetHandleCount
0x4160d4 InitializeCriticalSectionAndSpinCount
0x4160d8 GetFileType
0x4160dc HeapCreate
0x4160e0 QueryPerformanceCounter
0x4160e4 GetTickCount
0x4160e8 GetCurrentProcessId
0x4160ec GetSystemTimeAsFileTime
0x4160f0 GetLocaleInfoW
0x4160f4 HeapSize
0x4160f8 GetConsoleCP
0x4160fc GetConsoleMode
0x416100 FlushFileBuffers
0x416104 ReadFile
0x416108 SetFilePointer
0x41610c CloseHandle
0x416110 GetACP
0x416114 GetOEMCP
0x416118 IsValidCodePage
0x41611c GetStringTypeW
0x416120 HeapReAlloc
0x416124 GetUserDefaultLCID
0x416128 GetLocaleInfoA
0x41612c EnumSystemLocalesA
0x416130 IsValidLocale
0x416134 CreateFileW
USER32.dll
0x41613c SendMessageW
0x416140 GetClassNameW
EAT(Export Address Table) is none