ScreenShot
| Created | 2021.05.04 09:33 | Machine | s1_win7_x6402 |
| Filename | presentation.dll | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 9 detected (malicious, high confidence, FileRepMetagen, Cridex, Undefined, CLOUD, BScope, Wacatac) | ||
| md5 | 5a7c87dab250cee78ce63ac34117012b | ||
| sha256 | 8a26c32848c9ea085505359f67927d1a744ec07303ed0013e592eca6b4df4790 | ||
| ssdeep | 6144:92dsJtFrYUZZqrS6HtYP612U8ZIbBmWMOzWb/0:9SsJtFrYJS6NYy123IMWLz5 | ||
| imphash | 1b129b745ed786ce1fe8186651a3c22d | ||
| impfuzzy | 48:kepLvZqSmGcUDfttCc2sjKdtDYcHFxqsDx115tT1vN/9:vNxzcifttCc2sjGt8i | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | File has been identified by 9 AntiVirus engines on VirusTotal as malicious |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1001000 TlsAlloc
0x1001004 TlsSetValue
0x1001008 VirtualProtectEx
0x100100c FindFirstChangeNotificationW
0x1001010 CompareStringW
0x1001014 CompareStringA
0x1001018 CreateFileA
0x100101c GetTimeZoneInformation
0x1001020 SetStdHandle
0x1001024 WriteConsoleW
0x1001028 GetConsoleOutputCP
0x100102c WriteConsoleA
0x1001030 CloseHandle
0x1001034 GetLocaleInfoW
0x1001038 HeapSize
0x100103c SetFilePointer
0x1001040 IsValidLocale
0x1001044 EnumSystemLocalesA
0x1001048 GetLocaleInfoA
0x100104c GetUserDefaultLCID
0x1001050 GetDateFormatA
0x1001054 GetTimeFormatA
0x1001058 GetStringTypeW
0x100105c GetStringTypeA
0x1001060 HeapAlloc
0x1001064 GetCurrentThreadId
0x1001068 GetCommandLineA
0x100106c EnterCriticalSection
0x1001070 LeaveCriticalSection
0x1001074 SetHandleCount
0x1001078 GetStdHandle
0x100107c GetFileType
0x1001080 GetStartupInfoA
0x1001084 DeleteCriticalSection
0x1001088 TerminateProcess
0x100108c GetCurrentProcess
0x1001090 UnhandledExceptionFilter
0x1001094 SetUnhandledExceptionFilter
0x1001098 IsDebuggerPresent
0x100109c FatalAppExitA
0x10010a0 HeapFree
0x10010a4 VirtualFree
0x10010a8 VirtualAlloc
0x10010ac HeapReAlloc
0x10010b0 HeapCreate
0x10010b4 HeapDestroy
0x10010b8 GetModuleHandleW
0x10010bc Sleep
0x10010c0 GetProcAddress
0x10010c4 ExitProcess
0x10010c8 WriteFile
0x10010cc GetModuleFileNameA
0x10010d0 TlsGetValue
0x10010d4 TlsFree
0x10010d8 InterlockedIncrement
0x10010dc SetLastError
0x10010e0 GetLastError
0x10010e4 InterlockedDecrement
0x10010e8 GetCurrentThread
0x10010ec FreeEnvironmentStringsA
0x10010f0 GetEnvironmentStrings
0x10010f4 FreeEnvironmentStringsW
0x10010f8 WideCharToMultiByte
0x10010fc GetEnvironmentStringsW
0x1001100 QueryPerformanceCounter
0x1001104 GetTickCount
0x1001108 GetCurrentProcessId
0x100110c GetSystemTimeAsFileTime
0x1001110 InitializeCriticalSectionAndSpinCount
0x1001114 RtlUnwind
0x1001118 GetCPInfo
0x100111c GetACP
0x1001120 GetOEMCP
0x1001124 IsValidCodePage
0x1001128 SetConsoleCtrlHandler
0x100112c FreeLibrary
0x1001130 InterlockedExchange
0x1001134 LoadLibraryA
0x1001138 GetConsoleCP
0x100113c GetConsoleMode
0x1001140 FlushFileBuffers
0x1001144 LCMapStringA
0x1001148 MultiByteToWideChar
0x100114c LCMapStringW
0x1001150 SetEnvironmentVariableA
snmpapi.dll
0x1001158 SnmpSvcGetUptime
0x100115c SnmpSvcSetLogLevel
0x1001160 SnmpSvcSetLogType
0x1001164 SnmpUtilAsnAnyCpy
0x1001168 SnmpUtilIdsToA
0x100116c SnmpUtilMemAlloc
0x1001170 SnmpUtilMemFree
0x1001174 SnmpUtilMemReAlloc
0x1001178 SnmpUtilAsnAnyFree
0x100117c SnmpUtilDbgPrint
0x1001180 SnmpUtilOctetsCmp
0x1001184 SnmpUtilOctetsNCmp
0x1001188 SnmpUtilOidAppend
0x100118c SnmpUtilOidCmp
0x1001190 SnmpUtilOidCpy
0x1001194 SnmpUtilOidFree
0x1001198 SnmpUtilVarBindFree
0x100119c SnmpUtilVarBindListCpy
0x10011a0 SnmpUtilVarBindListFree
EAT(Export Address Table) Library
0x103343e Pape1
0x103328b Riverslow
KERNEL32.dll
0x1001000 TlsAlloc
0x1001004 TlsSetValue
0x1001008 VirtualProtectEx
0x100100c FindFirstChangeNotificationW
0x1001010 CompareStringW
0x1001014 CompareStringA
0x1001018 CreateFileA
0x100101c GetTimeZoneInformation
0x1001020 SetStdHandle
0x1001024 WriteConsoleW
0x1001028 GetConsoleOutputCP
0x100102c WriteConsoleA
0x1001030 CloseHandle
0x1001034 GetLocaleInfoW
0x1001038 HeapSize
0x100103c SetFilePointer
0x1001040 IsValidLocale
0x1001044 EnumSystemLocalesA
0x1001048 GetLocaleInfoA
0x100104c GetUserDefaultLCID
0x1001050 GetDateFormatA
0x1001054 GetTimeFormatA
0x1001058 GetStringTypeW
0x100105c GetStringTypeA
0x1001060 HeapAlloc
0x1001064 GetCurrentThreadId
0x1001068 GetCommandLineA
0x100106c EnterCriticalSection
0x1001070 LeaveCriticalSection
0x1001074 SetHandleCount
0x1001078 GetStdHandle
0x100107c GetFileType
0x1001080 GetStartupInfoA
0x1001084 DeleteCriticalSection
0x1001088 TerminateProcess
0x100108c GetCurrentProcess
0x1001090 UnhandledExceptionFilter
0x1001094 SetUnhandledExceptionFilter
0x1001098 IsDebuggerPresent
0x100109c FatalAppExitA
0x10010a0 HeapFree
0x10010a4 VirtualFree
0x10010a8 VirtualAlloc
0x10010ac HeapReAlloc
0x10010b0 HeapCreate
0x10010b4 HeapDestroy
0x10010b8 GetModuleHandleW
0x10010bc Sleep
0x10010c0 GetProcAddress
0x10010c4 ExitProcess
0x10010c8 WriteFile
0x10010cc GetModuleFileNameA
0x10010d0 TlsGetValue
0x10010d4 TlsFree
0x10010d8 InterlockedIncrement
0x10010dc SetLastError
0x10010e0 GetLastError
0x10010e4 InterlockedDecrement
0x10010e8 GetCurrentThread
0x10010ec FreeEnvironmentStringsA
0x10010f0 GetEnvironmentStrings
0x10010f4 FreeEnvironmentStringsW
0x10010f8 WideCharToMultiByte
0x10010fc GetEnvironmentStringsW
0x1001100 QueryPerformanceCounter
0x1001104 GetTickCount
0x1001108 GetCurrentProcessId
0x100110c GetSystemTimeAsFileTime
0x1001110 InitializeCriticalSectionAndSpinCount
0x1001114 RtlUnwind
0x1001118 GetCPInfo
0x100111c GetACP
0x1001120 GetOEMCP
0x1001124 IsValidCodePage
0x1001128 SetConsoleCtrlHandler
0x100112c FreeLibrary
0x1001130 InterlockedExchange
0x1001134 LoadLibraryA
0x1001138 GetConsoleCP
0x100113c GetConsoleMode
0x1001140 FlushFileBuffers
0x1001144 LCMapStringA
0x1001148 MultiByteToWideChar
0x100114c LCMapStringW
0x1001150 SetEnvironmentVariableA
snmpapi.dll
0x1001158 SnmpSvcGetUptime
0x100115c SnmpSvcSetLogLevel
0x1001160 SnmpSvcSetLogType
0x1001164 SnmpUtilAsnAnyCpy
0x1001168 SnmpUtilIdsToA
0x100116c SnmpUtilMemAlloc
0x1001170 SnmpUtilMemFree
0x1001174 SnmpUtilMemReAlloc
0x1001178 SnmpUtilAsnAnyFree
0x100117c SnmpUtilDbgPrint
0x1001180 SnmpUtilOctetsCmp
0x1001184 SnmpUtilOctetsNCmp
0x1001188 SnmpUtilOidAppend
0x100118c SnmpUtilOidCmp
0x1001190 SnmpUtilOidCpy
0x1001194 SnmpUtilOidFree
0x1001198 SnmpUtilVarBindFree
0x100119c SnmpUtilVarBindListCpy
0x10011a0 SnmpUtilVarBindListFree
EAT(Export Address Table) Library
0x103343e Pape1
0x103328b Riverslow