ScreenShot
| Created | 2021.05.06 10:40 | Machine | s1_win7_x6402 |
| Filename | rest.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 8 detected (Malicious, score, Artemis, PossibleThreat, PALLAS, confidence) | ||
| md5 | 96764a0a62e66a147a3d4db0e59a6e34 | ||
| sha256 | 9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4 | ||
| ssdeep | 12288:Kas/PVuNmL/dJ4OrQS+Q/F+Dgn91ZmkNE+yp:tNmhJ4OrQSfdwU9PmkNE+y | ||
| imphash | b7e261648ff26be2ffdbd713600ad55d | ||
| impfuzzy | 24:DzK6IMUscD602tMS17mlJnc+pl395oX8OovbOPZiv7BQppS7Nbaw77edqLY:9tMS17kc+ppfk3a7BQpc7NGMecLY | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| watch | A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140050028 HeapReAlloc
0x140050030 HeapFree
0x140050038 HeapSize
0x140050040 GetDurationFormat
0x140050048 UnlockFile
0x140050050 GetSystemWindowsDirectoryW
0x140050058 ReleaseSRWLockExclusive
0x140050060 UpdateResourceW
0x140050068 LoadLibraryA
0x140050070 GetProcessHeap
0x140050078 VirtualProtect
0x140050080 WriteConsoleW
0x140050088 CreateFileW
0x140050090 CloseHandle
0x140050098 SetFilePointerEx
0x1400500a0 GetConsoleMode
0x1400500a8 GetConsoleCP
0x1400500b0 FlushFileBuffers
0x1400500b8 HeapAlloc
0x1400500c0 VirtualAlloc
0x1400500c8 VirtualFree
0x1400500d0 GetProcAddress
0x1400500d8 LCMapStringW
0x1400500e0 RtlCaptureContext
0x1400500e8 RtlLookupFunctionEntry
0x1400500f0 RtlVirtualUnwind
0x1400500f8 UnhandledExceptionFilter
0x140050100 SetUnhandledExceptionFilter
0x140050108 GetCurrentProcess
0x140050110 TerminateProcess
0x140050118 IsProcessorFeaturePresent
0x140050120 QueryPerformanceCounter
0x140050128 GetCurrentProcessId
0x140050130 GetCurrentThreadId
0x140050138 GetSystemTimeAsFileTime
0x140050140 InitializeSListHead
0x140050148 IsDebuggerPresent
0x140050150 GetStartupInfoW
0x140050158 GetModuleHandleW
0x140050160 RtlUnwindEx
0x140050168 GetLastError
0x140050170 SetLastError
0x140050178 EnterCriticalSection
0x140050180 LeaveCriticalSection
0x140050188 DeleteCriticalSection
0x140050190 InitializeCriticalSectionAndSpinCount
0x140050198 TlsAlloc
0x1400501a0 TlsGetValue
0x1400501a8 TlsSetValue
0x1400501b0 TlsFree
0x1400501b8 FreeLibrary
0x1400501c0 LoadLibraryExW
0x1400501c8 GetStdHandle
0x1400501d0 WriteFile
0x1400501d8 GetModuleFileNameW
0x1400501e0 MultiByteToWideChar
0x1400501e8 WideCharToMultiByte
0x1400501f0 ExitProcess
0x1400501f8 GetModuleHandleExW
0x140050200 GetACP
0x140050208 FindClose
0x140050210 FindFirstFileExW
0x140050218 FindNextFileW
0x140050220 IsValidCodePage
0x140050228 GetOEMCP
0x140050230 GetCPInfo
0x140050238 GetCommandLineA
0x140050240 GetCommandLineW
0x140050248 GetEnvironmentStringsW
0x140050250 FreeEnvironmentStringsW
0x140050258 SetStdHandle
0x140050260 GetFileType
0x140050268 GetStringTypeW
0x140050270 RaiseException
USER32.dll
0x1400502a0 BroadcastSystemMessageExW
0x1400502a8 ShowOwnedPopups
0x1400502b0 GetCaretBlinkTime
ole32.dll
0x1400502c0 StgConvertPropertyToVariant
0x1400502c8 NdrProxyForwardingFunction22
0x1400502d0 CoGetObjectContext
GDI32.dll
0x140050000 GetBitmapDimensionEx
0x140050008 StartDocA
0x140050010 GetColorSpace
0x140050018 SetViewportExtEx
SHELL32.dll
0x140050280 SHLoadInProc
0x140050288 None
0x140050290 SHParseDisplayName
EAT(Export Address Table) Library
KERNEL32.dll
0x140050028 HeapReAlloc
0x140050030 HeapFree
0x140050038 HeapSize
0x140050040 GetDurationFormat
0x140050048 UnlockFile
0x140050050 GetSystemWindowsDirectoryW
0x140050058 ReleaseSRWLockExclusive
0x140050060 UpdateResourceW
0x140050068 LoadLibraryA
0x140050070 GetProcessHeap
0x140050078 VirtualProtect
0x140050080 WriteConsoleW
0x140050088 CreateFileW
0x140050090 CloseHandle
0x140050098 SetFilePointerEx
0x1400500a0 GetConsoleMode
0x1400500a8 GetConsoleCP
0x1400500b0 FlushFileBuffers
0x1400500b8 HeapAlloc
0x1400500c0 VirtualAlloc
0x1400500c8 VirtualFree
0x1400500d0 GetProcAddress
0x1400500d8 LCMapStringW
0x1400500e0 RtlCaptureContext
0x1400500e8 RtlLookupFunctionEntry
0x1400500f0 RtlVirtualUnwind
0x1400500f8 UnhandledExceptionFilter
0x140050100 SetUnhandledExceptionFilter
0x140050108 GetCurrentProcess
0x140050110 TerminateProcess
0x140050118 IsProcessorFeaturePresent
0x140050120 QueryPerformanceCounter
0x140050128 GetCurrentProcessId
0x140050130 GetCurrentThreadId
0x140050138 GetSystemTimeAsFileTime
0x140050140 InitializeSListHead
0x140050148 IsDebuggerPresent
0x140050150 GetStartupInfoW
0x140050158 GetModuleHandleW
0x140050160 RtlUnwindEx
0x140050168 GetLastError
0x140050170 SetLastError
0x140050178 EnterCriticalSection
0x140050180 LeaveCriticalSection
0x140050188 DeleteCriticalSection
0x140050190 InitializeCriticalSectionAndSpinCount
0x140050198 TlsAlloc
0x1400501a0 TlsGetValue
0x1400501a8 TlsSetValue
0x1400501b0 TlsFree
0x1400501b8 FreeLibrary
0x1400501c0 LoadLibraryExW
0x1400501c8 GetStdHandle
0x1400501d0 WriteFile
0x1400501d8 GetModuleFileNameW
0x1400501e0 MultiByteToWideChar
0x1400501e8 WideCharToMultiByte
0x1400501f0 ExitProcess
0x1400501f8 GetModuleHandleExW
0x140050200 GetACP
0x140050208 FindClose
0x140050210 FindFirstFileExW
0x140050218 FindNextFileW
0x140050220 IsValidCodePage
0x140050228 GetOEMCP
0x140050230 GetCPInfo
0x140050238 GetCommandLineA
0x140050240 GetCommandLineW
0x140050248 GetEnvironmentStringsW
0x140050250 FreeEnvironmentStringsW
0x140050258 SetStdHandle
0x140050260 GetFileType
0x140050268 GetStringTypeW
0x140050270 RaiseException
USER32.dll
0x1400502a0 BroadcastSystemMessageExW
0x1400502a8 ShowOwnedPopups
0x1400502b0 GetCaretBlinkTime
ole32.dll
0x1400502c0 StgConvertPropertyToVariant
0x1400502c8 NdrProxyForwardingFunction22
0x1400502d0 CoGetObjectContext
GDI32.dll
0x140050000 GetBitmapDimensionEx
0x140050008 StartDocA
0x140050010 GetColorSpace
0x140050018 SetViewportExtEx
SHELL32.dll
0x140050280 SHLoadInProc
0x140050288 None
0x140050290 SHParseDisplayName
EAT(Export Address Table) Library