ScreenShot
| Created | 2021.04.30 18:01 | Machine | s1_win7_x6401 |
| Filename | winlog.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 23 detected (AIDetect, malware1, malicious, high confidence, Unsafe, Save, confidence, 100%, ZexaF, qqW@aWixXxkO, Kryptik, Eldorado, Attribute, HighConfidence, susgen, LockBit, score, ET#89%, RDMK, cmRtazr55l6Xb1QzN3Y7LHqdlgqG) | ||
| md5 | bab5165b972f2416ae964d7b79bd5ecf | ||
| sha256 | 38bf29715b8bd57e0d6fb5357eaa2385523a66ff311da4d5c3f9349468be5635 | ||
| ssdeep | 6144:iTRzvLtgHu5ulrDB4J/OQMrP6dSSHpTmdRq:YvRgHu5ypSBMrNSHpa | ||
| imphash | 7c20a0e954444db575f24504baaade54 | ||
| impfuzzy | 48:iU1Hpf5GSYID84nTFBa4yOOGVUDlgUMc2fWIXW:iiJf5GStnnaPBGVilgUMc2fnXW | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Trojan_Win32_Glupteba_1_Zero | Trojan Win32 Glupteba | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x415008 WriteConsoleInputW
0x41500c lstrlenA
0x415010 SetLocalTime
0x415014 GetDefaultCommConfigW
0x415018 BuildCommDCBAndTimeoutsA
0x41501c FreeLibrary
0x415020 LoadResource
0x415024 SetUnhandledExceptionFilter
0x415028 LoadLibraryExW
0x41502c ZombifyActCtx
0x415030 GlobalSize
0x415034 CreateJobObjectW
0x415038 HeapFree
0x41503c SetHandleInformation
0x415040 SetComputerNameW
0x415044 SetVolumeMountPointW
0x415048 ConnectNamedPipe
0x41504c CallNamedPipeW
0x415050 CreateNamedPipeW
0x415054 VirtualFree
0x415058 EnumTimeFormatsW
0x41505c TzSpecificLocalTimeToSystemTime
0x415060 SetProcessPriorityBoost
0x415064 TlsSetValue
0x415068 GetPriorityClass
0x41506c GlobalAlloc
0x415070 GetVolumeInformationA
0x415074 SizeofResource
0x415078 GetVersionExW
0x41507c CreateMutexW
0x415080 LeaveCriticalSection
0x415084 GetFileAttributesA
0x415088 SetConsoleMode
0x41508c SetConsoleCursorPosition
0x415090 VerifyVersionInfoA
0x415094 SetSystemPowerState
0x415098 TerminateProcess
0x41509c ReadFile
0x4150a0 GetTimeZoneInformation
0x4150a4 GetBinaryTypeW
0x4150a8 DeactivateActCtx
0x4150ac GetLastError
0x4150b0 GetLocalTime
0x4150b4 LoadLibraryA
0x4150b8 OpenMutexA
0x4150bc MoveFileA
0x4150c0 GetCommMask
0x4150c4 GetOEMCP
0x4150c8 DebugSetProcessKillOnExit
0x4150cc CreateIoCompletionPort
0x4150d0 VirtualProtect
0x4150d4 GetCurrentDirectoryA
0x4150d8 GetSystemTime
0x4150dc GetConsoleSelectionInfo
0x4150e0 GetProfileSectionW
0x4150e4 lstrcpyA
0x4150e8 DeleteVolumeMountPointW
0x4150ec GetCommandLineW
0x4150f0 DeleteFileA
0x4150f4 HeapReAlloc
0x4150f8 HeapAlloc
0x4150fc GetStartupInfoW
0x415100 RaiseException
0x415104 RtlUnwind
0x415108 EnterCriticalSection
0x41510c SetHandleCount
0x415110 GetStdHandle
0x415114 GetFileType
0x415118 GetStartupInfoA
0x41511c DeleteCriticalSection
0x415120 GetCurrentProcess
0x415124 UnhandledExceptionFilter
0x415128 IsDebuggerPresent
0x41512c HeapCreate
0x415130 VirtualAlloc
0x415134 GetModuleHandleW
0x415138 Sleep
0x41513c GetProcAddress
0x415140 ExitProcess
0x415144 WriteFile
0x415148 GetModuleFileNameA
0x41514c GetModuleFileNameW
0x415150 FreeEnvironmentStringsW
0x415154 GetEnvironmentStringsW
0x415158 TlsGetValue
0x41515c TlsAlloc
0x415160 TlsFree
0x415164 InterlockedIncrement
0x415168 SetLastError
0x41516c GetCurrentThreadId
0x415170 InterlockedDecrement
0x415174 QueryPerformanceCounter
0x415178 GetTickCount
0x41517c GetCurrentProcessId
0x415180 GetSystemTimeAsFileTime
0x415184 InitializeCriticalSectionAndSpinCount
0x415188 GetCPInfo
0x41518c GetACP
0x415190 IsValidCodePage
0x415194 MultiByteToWideChar
0x415198 HeapSize
0x41519c WideCharToMultiByte
0x4151a0 GetConsoleCP
0x4151a4 GetConsoleMode
0x4151a8 FlushFileBuffers
0x4151ac LCMapStringA
0x4151b0 LCMapStringW
0x4151b4 GetStringTypeA
0x4151b8 GetStringTypeW
0x4151bc GetLocaleInfoA
0x4151c0 CloseHandle
0x4151c4 WriteConsoleA
0x4151c8 GetConsoleOutputCP
0x4151cc WriteConsoleW
0x4151d0 SetFilePointer
0x4151d4 SetStdHandle
0x4151d8 CreateFileA
0x4151dc GetModuleHandleA
USER32.dll
0x4151e4 GetTitleBarInfo
ADVAPI32.dll
0x415000 SetThreadToken
EAT(Export Address Table) Library
0x40e1d0 _go@4
0x40e1e0 _kir@8
KERNEL32.dll
0x415008 WriteConsoleInputW
0x41500c lstrlenA
0x415010 SetLocalTime
0x415014 GetDefaultCommConfigW
0x415018 BuildCommDCBAndTimeoutsA
0x41501c FreeLibrary
0x415020 LoadResource
0x415024 SetUnhandledExceptionFilter
0x415028 LoadLibraryExW
0x41502c ZombifyActCtx
0x415030 GlobalSize
0x415034 CreateJobObjectW
0x415038 HeapFree
0x41503c SetHandleInformation
0x415040 SetComputerNameW
0x415044 SetVolumeMountPointW
0x415048 ConnectNamedPipe
0x41504c CallNamedPipeW
0x415050 CreateNamedPipeW
0x415054 VirtualFree
0x415058 EnumTimeFormatsW
0x41505c TzSpecificLocalTimeToSystemTime
0x415060 SetProcessPriorityBoost
0x415064 TlsSetValue
0x415068 GetPriorityClass
0x41506c GlobalAlloc
0x415070 GetVolumeInformationA
0x415074 SizeofResource
0x415078 GetVersionExW
0x41507c CreateMutexW
0x415080 LeaveCriticalSection
0x415084 GetFileAttributesA
0x415088 SetConsoleMode
0x41508c SetConsoleCursorPosition
0x415090 VerifyVersionInfoA
0x415094 SetSystemPowerState
0x415098 TerminateProcess
0x41509c ReadFile
0x4150a0 GetTimeZoneInformation
0x4150a4 GetBinaryTypeW
0x4150a8 DeactivateActCtx
0x4150ac GetLastError
0x4150b0 GetLocalTime
0x4150b4 LoadLibraryA
0x4150b8 OpenMutexA
0x4150bc MoveFileA
0x4150c0 GetCommMask
0x4150c4 GetOEMCP
0x4150c8 DebugSetProcessKillOnExit
0x4150cc CreateIoCompletionPort
0x4150d0 VirtualProtect
0x4150d4 GetCurrentDirectoryA
0x4150d8 GetSystemTime
0x4150dc GetConsoleSelectionInfo
0x4150e0 GetProfileSectionW
0x4150e4 lstrcpyA
0x4150e8 DeleteVolumeMountPointW
0x4150ec GetCommandLineW
0x4150f0 DeleteFileA
0x4150f4 HeapReAlloc
0x4150f8 HeapAlloc
0x4150fc GetStartupInfoW
0x415100 RaiseException
0x415104 RtlUnwind
0x415108 EnterCriticalSection
0x41510c SetHandleCount
0x415110 GetStdHandle
0x415114 GetFileType
0x415118 GetStartupInfoA
0x41511c DeleteCriticalSection
0x415120 GetCurrentProcess
0x415124 UnhandledExceptionFilter
0x415128 IsDebuggerPresent
0x41512c HeapCreate
0x415130 VirtualAlloc
0x415134 GetModuleHandleW
0x415138 Sleep
0x41513c GetProcAddress
0x415140 ExitProcess
0x415144 WriteFile
0x415148 GetModuleFileNameA
0x41514c GetModuleFileNameW
0x415150 FreeEnvironmentStringsW
0x415154 GetEnvironmentStringsW
0x415158 TlsGetValue
0x41515c TlsAlloc
0x415160 TlsFree
0x415164 InterlockedIncrement
0x415168 SetLastError
0x41516c GetCurrentThreadId
0x415170 InterlockedDecrement
0x415174 QueryPerformanceCounter
0x415178 GetTickCount
0x41517c GetCurrentProcessId
0x415180 GetSystemTimeAsFileTime
0x415184 InitializeCriticalSectionAndSpinCount
0x415188 GetCPInfo
0x41518c GetACP
0x415190 IsValidCodePage
0x415194 MultiByteToWideChar
0x415198 HeapSize
0x41519c WideCharToMultiByte
0x4151a0 GetConsoleCP
0x4151a4 GetConsoleMode
0x4151a8 FlushFileBuffers
0x4151ac LCMapStringA
0x4151b0 LCMapStringW
0x4151b4 GetStringTypeA
0x4151b8 GetStringTypeW
0x4151bc GetLocaleInfoA
0x4151c0 CloseHandle
0x4151c4 WriteConsoleA
0x4151c8 GetConsoleOutputCP
0x4151cc WriteConsoleW
0x4151d0 SetFilePointer
0x4151d4 SetStdHandle
0x4151d8 CreateFileA
0x4151dc GetModuleHandleA
USER32.dll
0x4151e4 GetTitleBarInfo
ADVAPI32.dll
0x415000 SetThreadToken
EAT(Export Address Table) Library
0x40e1d0 _go@4
0x40e1e0 _kir@8