Field | Value |
---|---|
Created | 2021.04.30 17:56 |
Machine | s1_win7_x6401 |
Filename | Project Korvus.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 52 detected (malicious, high confidence, DeepScan, IGENERIC, Unsafe, Save, Agentb, confidence, Antiav, INDT, Attribute, HighConfidence, AveMaria, jiad, fljpfv, Gencirc, Maria, MOCRT, Static AI, Malicious PE, Redcap, ghjpt, Remcos, trG2, Invader, score, R357760, GenericRXLJ, ai score=85, CLOUD, GenAsa, ++8lN4UW0KE, Razy, ZexaF, xyW@a4OWhGii) |
md5 | e4cb6177f54802a8eb50817353622056 |
sha256 | 41601d433de93abdc49ac8f470c2d558ff5858616dc095fb099b1f0b8b2cb0cc |
ssdeep | 6144:Q5xnE0WoM2Mwa+qUiINY1qZxFUGhEmDBZuKYXuarjl+CNMJTS:CxTWoMuSpn |
imphash | 51a1d638436da72d7fa5fb524e02d427 |
impfuzzy | 96:VVm8R4U0nscp+0zGXeMCDH2Vl76BmmncGKJziH9/I2K:V90nRceMCDH2V9R9Q5K |
Signature (22cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Creates an Alternate Data Stream (ADS) |
watch | Installs itself for autorun at Windows startup |
watch | Potential code injection by writing to the memory of another process |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Foreign language identified in PE resource |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Ave_Maria_Zero | Remote Access Trojan that is also called WARZONE RAT | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
crypt.dll
0x414330 BCryptSetProperty
0x414334 BCryptGenerateSymmetricKey
0x414338 BCryptOpenAlgorithmProvider
0x41433c BCryptDecrypt
KERNEL32.dll
0x41408c HeapFree
0x414090 VirtualAlloc
0x414094 HeapReAlloc
0x414098 VirtualQuery
0x41409c TerminateThread
0x4140a0 CreateThread
0x4140a4 WriteProcessMemory
0x4140a8 GetCurrentProcess
0x4140ac OpenProcess
0x4140b0 GetWindowsDirectoryA
0x4140b4 VirtualProtectEx
0x4140b8 VirtualAllocEx
0x4140bc CreateRemoteThread
0x4140c0 CreateProcessA
0x4140c4 GetModuleHandleW
0x4140c8 IsWow64Process
0x4140cc WriteFile
0x4140d0 CreateFileW
0x4140d4 LoadLibraryW
0x4140d8 GetLocalTime
0x4140dc GetCurrentThreadId
0x4140e0 GetCurrentProcessId
0x4140e4 ReadFile
0x4140e8 FindFirstFileA
0x4140ec GetBinaryTypeW
0x4140f0 FindNextFileA
0x4140f4 GetFullPathNameA
0x4140f8 GetTempPathW
0x4140fc GetPrivateProfileStringW
0x414100 CreateFileA
0x414104 GlobalAlloc
0x414108 GetCurrentDirectoryW
0x41410c SetCurrentDirectoryW
0x414110 GetFileSize
0x414114 FreeLibrary
0x414118 SetDllDirectoryW
0x41411c GetFileSizeEx
0x414120 LoadLibraryA
0x414124 LocalFree
0x414128 WaitForSingleObject
0x41412c WaitForMultipleObjects
0x414130 CreatePipe
0x414134 PeekNamedPipe
0x414138 DuplicateHandle
0x41413c SetEvent
0x414140 GetStartupInfoA
0x414144 CreateEventA
0x414148 GetModuleFileNameW
0x41414c LoadResource
0x414150 FindResourceW
0x414154 GetComputerNameW
0x414158 GlobalMemoryStatusEx
0x41415c LoadLibraryExW
0x414160 FindFirstFileW
0x414164 FindNextFileW
0x414168 SetFilePointer
0x41416c GetLogicalDriveStringsW
0x414170 DeleteFileW
0x414174 CopyFileW
0x414178 GetDriveTypeW
0x41417c EnterCriticalSection
0x414180 LeaveCriticalSection
0x414184 InitializeCriticalSection
0x414188 DeleteCriticalSection
0x41418c GetProcessHeap
0x414190 ReleaseMutex
0x414194 TerminateProcess
0x414198 CreateToolhelp32Snapshot
0x41419c Process32NextW
0x4141a0 Process32FirstW
0x4141a4 SizeofResource
0x4141a8 VirtualProtect
0x4141ac GetSystemDirectoryW
0x4141b0 LockResource
0x4141b4 GetWindowsDirectoryW
0x4141b8 Process32First
0x4141bc Process32Next
0x4141c0 WinExec
0x4141c4 GetTempPathA
0x4141c8 HeapAlloc
0x4141cc lstrcmpW
0x4141d0 GetTickCount
0x4141d4 lstrcpyW
0x4141d8 WideCharToMultiByte
0x4141dc lstrcpyA
0x4141e0 Sleep
0x4141e4 MultiByteToWideChar
0x4141e8 GetCommandLineA
0x4141ec GetModuleHandleA
0x4141f0 ExitProcess
0x4141f4 CreateProcessW
0x4141f8 lstrcatA
0x4141fc lstrcmpA
0x414200 lstrlenA
0x414204 ExpandEnvironmentStringsW
0x414208 lstrlenW
0x41420c CloseHandle
0x414210 lstrcatW
0x414214 GetLastError
0x414218 VirtualFree
0x41421c GetProcAddress
0x414220 SetLastError
0x414224 GetModuleFileNameA
0x414228 CreateDirectoryW
0x41422c LocalAlloc
0x414230 CreateMutexA
USER32.dll
0x414298 GetKeyState
0x41429c GetMessageA
0x4142a0 DispatchMessageA
0x4142a4 CreateWindowExW
0x4142a8 CallNextHookEx
0x4142ac GetAsyncKeyState
0x4142b0 RegisterClassW
0x4142b4 GetRawInputData
0x4142b8 MapVirtualKeyA
0x4142bc DefWindowProcA
0x4142c0 RegisterRawInputDevices
0x4142c4 TranslateMessage
0x4142c8 GetForegroundWindow
0x4142cc GetKeyNameTextW
0x4142d0 PostQuitMessage
0x4142d4 MessageBoxA
0x4142d8 GetLastInputInfo
0x4142dc wsprintfW
0x4142e0 GetWindowTextW
0x4142e4 wsprintfA
0x4142e8 ToUnicode
ADVAPI32.dll
0x414000 RegDeleteKeyW
0x414004 RegCreateKeyExW
0x414008 RegSetValueExA
0x41400c RegDeleteValueW
0x414010 LookupPrivilegeValueW
0x414014 AdjustTokenPrivileges
0x414018 AllocateAndInitializeSid
0x41401c OpenProcessToken
0x414020 InitializeSecurityDescriptor
0x414024 RegDeleteKeyA
0x414028 SetSecurityDescriptorDacl
0x41402c RegOpenKeyExW
0x414030 RegOpenKeyExA
0x414034 RegEnumKeyExW
0x414038 RegQueryValueExA
0x41403c RegQueryInfoKeyW
0x414040 RegCloseKey
0x414044 OpenServiceW
0x414048 ChangeServiceConfigW
0x41404c QueryServiceConfigW
0x414050 EnumServicesStatusExW
0x414054 StartServiceW
0x414058 RegSetValueExW
0x41405c RegCreateKeyExA
0x414060 OpenSCManagerW
0x414064 CloseServiceHandle
0x414068 GetTokenInformation
0x41406c LookupAccountSidW
0x414070 FreeSid
0x414074 RegQueryValueExW
SHELL32.dll
0x414254 ShellExecuteExA
0x414258 ShellExecuteExW
0x41425c None
0x414260 SHGetSpecialFolderPathW
0x414264 SHCreateDirectoryExW
0x414268 ShellExecuteW
0x41426c SHGetFolderPathW
0x414270 SHGetKnownFolderPath
urlmon.dll
0x41435c URLDownloadToFileW
WS2_32.dll
0x4142f0 htons
0x4142f4 recv
0x4142f8 connect
0x4142fc socket
0x414300 send
0x414304 WSAStartup
0x414308 shutdown
0x41430c closesocket
0x414310 WSACleanup
0x414314 InetNtopW
0x414318 gethostbyname
0x41431c inet_addr
0x414320 getaddrinfo
0x414324 setsockopt
0x414328 freeaddrinfo
ole32.dll
0x414344 CoInitializeSecurity
0x414348 CoCreateInstance
0x41434c CoInitialize
0x414350 CoUninitialize
0x414354 CoTaskMemFree
SHLWAPI.dll
0x414278 StrStrW
0x41427c PathRemoveFileSpecA
0x414280 StrStrA
0x414284 PathCombineA
0x414288 PathFindFileNameW
0x41428c PathFileExistsW
0x414290 PathFindExtensionW
NETAPI32.dll
0x414238 NetLocalGroupAddMembers
0x41423c NetUserAdd
OLEAUT32.dll
0x414244 VariantInit
CRYPT32.dll
0x41407c CryptUnprotectData
0x414080 CryptStringToBinaryA
0x414084 CryptStringToBinaryW
PSAPI.DLL
0x41424c GetModuleFileNameExW
EAT (Export Address Table) is none