ScreenShot
| Created | 2021.05.06 10:49 | Machine | s1_win7_x6402 |
| Filename | presentation.dll | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 10 detected (malicious, high confidence, GenKryptik, FEWM, CLOUD, Generic PUA NA, Artemis, Wacapew, BScope, TrojanBanker, Cridex, FileRepMalware) | ||
| md5 | 9debcd929765390555ca123c0076eea4 | ||
| sha256 | 9969cfd81612d1efbc5e983b57ff2fa2a69a3f6a6812c6da8382bf0c22014cf4 | ||
| ssdeep | 6144:ZUQrm4xMOQVFUy/kLYFnEaynGFa7ygc8eY:ZUelqO0REa2G0egJ | ||
| imphash | 28e501612900311a5e5c7fed3dd79d00 | ||
| impfuzzy | 24:UtVep1lgPOov+2cxOaGDRZ/JKryv5FQ8OT4nZtjlurTcKdbSNZrlpkujMbI1Dy:UtVep0macvKRIcnZtjsEKdWNZBpzG | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | File has been identified by 10 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | This executable has a PDB path |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1001014 OpenMutexW
0x1001018 VirtualProtectEx
0x100101c CreateProcessW
0x1001020 GetCurrentDirectoryW
0x1001024 GetFileAttributesW
0x1001028 CompareStringW
0x100102c CompareStringA
0x1001030 GetLastError
0x1001034 HeapFree
0x1001038 HeapAlloc
0x100103c GetCurrentThreadId
0x1001040 GetCommandLineA
0x1001044 HeapCreate
0x1001048 HeapDestroy
0x100104c VirtualFree
0x1001050 DeleteCriticalSection
0x1001054 LeaveCriticalSection
0x1001058 FatalAppExitA
0x100105c EnterCriticalSection
0x1001060 VirtualAlloc
0x1001064 HeapReAlloc
0x1001068 GetModuleHandleW
0x100106c Sleep
0x1001070 GetProcAddress
0x1001074 ExitProcess
0x1001078 WriteFile
0x100107c GetStdHandle
0x1001080 GetModuleFileNameA
0x1001084 TlsGetValue
0x1001088 TlsAlloc
0x100108c TlsSetValue
0x1001090 TlsFree
0x1001094 InterlockedIncrement
0x1001098 SetLastError
0x100109c InterlockedDecrement
0x10010a0 GetCurrentThread
0x10010a4 SetHandleCount
0x10010a8 GetFileType
0x10010ac GetStartupInfoA
0x10010b0 FreeEnvironmentStringsA
0x10010b4 GetEnvironmentStrings
0x10010b8 FreeEnvironmentStringsW
0x10010bc WideCharToMultiByte
0x10010c0 GetEnvironmentStringsW
0x10010c4 QueryPerformanceCounter
0x10010c8 GetTickCount
0x10010cc GetCurrentProcessId
0x10010d0 GetSystemTimeAsFileTime
0x10010d4 RaiseException
0x10010d8 TerminateProcess
0x10010dc GetCurrentProcess
0x10010e0 UnhandledExceptionFilter
0x10010e4 SetUnhandledExceptionFilter
0x10010e8 IsDebuggerPresent
0x10010ec InitializeCriticalSectionAndSpinCount
0x10010f0 RtlUnwind
0x10010f4 SetConsoleCtrlHandler
0x10010f8 FreeLibrary
0x10010fc InterlockedExchange
0x1001100 LoadLibraryA
0x1001104 GetCPInfo
0x1001108 GetACP
0x100110c GetOEMCP
0x1001110 IsValidCodePage
0x1001114 HeapSize
0x1001118 GetLocaleInfoW
0x100111c GetLocaleInfoA
0x1001120 GetTimeFormatA
0x1001124 GetDateFormatA
0x1001128 GetUserDefaultLCID
0x100112c EnumSystemLocalesA
0x1001130 IsValidLocale
0x1001134 GetStringTypeA
0x1001138 MultiByteToWideChar
0x100113c GetStringTypeW
0x1001140 LCMapStringA
0x1001144 LCMapStringW
0x1001148 GetTimeZoneInformation
0x100114c SetEnvironmentVariableA
ADVAPI32.dll
0x1001000 RegCloseKey
0x1001004 RegCreateKeyW
0x1001008 RegOpenKeyExW
0x100100c RegQueryValueExA
XOLEHLP.dll
0x1001154 None
EAT(Export Address Table) Library
0x1033719 Hadlaw
0x103394e Might
KERNEL32.dll
0x1001014 OpenMutexW
0x1001018 VirtualProtectEx
0x100101c CreateProcessW
0x1001020 GetCurrentDirectoryW
0x1001024 GetFileAttributesW
0x1001028 CompareStringW
0x100102c CompareStringA
0x1001030 GetLastError
0x1001034 HeapFree
0x1001038 HeapAlloc
0x100103c GetCurrentThreadId
0x1001040 GetCommandLineA
0x1001044 HeapCreate
0x1001048 HeapDestroy
0x100104c VirtualFree
0x1001050 DeleteCriticalSection
0x1001054 LeaveCriticalSection
0x1001058 FatalAppExitA
0x100105c EnterCriticalSection
0x1001060 VirtualAlloc
0x1001064 HeapReAlloc
0x1001068 GetModuleHandleW
0x100106c Sleep
0x1001070 GetProcAddress
0x1001074 ExitProcess
0x1001078 WriteFile
0x100107c GetStdHandle
0x1001080 GetModuleFileNameA
0x1001084 TlsGetValue
0x1001088 TlsAlloc
0x100108c TlsSetValue
0x1001090 TlsFree
0x1001094 InterlockedIncrement
0x1001098 SetLastError
0x100109c InterlockedDecrement
0x10010a0 GetCurrentThread
0x10010a4 SetHandleCount
0x10010a8 GetFileType
0x10010ac GetStartupInfoA
0x10010b0 FreeEnvironmentStringsA
0x10010b4 GetEnvironmentStrings
0x10010b8 FreeEnvironmentStringsW
0x10010bc WideCharToMultiByte
0x10010c0 GetEnvironmentStringsW
0x10010c4 QueryPerformanceCounter
0x10010c8 GetTickCount
0x10010cc GetCurrentProcessId
0x10010d0 GetSystemTimeAsFileTime
0x10010d4 RaiseException
0x10010d8 TerminateProcess
0x10010dc GetCurrentProcess
0x10010e0 UnhandledExceptionFilter
0x10010e4 SetUnhandledExceptionFilter
0x10010e8 IsDebuggerPresent
0x10010ec InitializeCriticalSectionAndSpinCount
0x10010f0 RtlUnwind
0x10010f4 SetConsoleCtrlHandler
0x10010f8 FreeLibrary
0x10010fc InterlockedExchange
0x1001100 LoadLibraryA
0x1001104 GetCPInfo
0x1001108 GetACP
0x100110c GetOEMCP
0x1001110 IsValidCodePage
0x1001114 HeapSize
0x1001118 GetLocaleInfoW
0x100111c GetLocaleInfoA
0x1001120 GetTimeFormatA
0x1001124 GetDateFormatA
0x1001128 GetUserDefaultLCID
0x100112c EnumSystemLocalesA
0x1001130 IsValidLocale
0x1001134 GetStringTypeA
0x1001138 MultiByteToWideChar
0x100113c GetStringTypeW
0x1001140 LCMapStringA
0x1001144 LCMapStringW
0x1001148 GetTimeZoneInformation
0x100114c SetEnvironmentVariableA
ADVAPI32.dll
0x1001000 RegCloseKey
0x1001004 RegCreateKeyW
0x1001008 RegOpenKeyExW
0x100100c RegQueryValueExA
XOLEHLP.dll
0x1001154 None
EAT(Export Address Table) Library
0x1033719 Hadlaw
0x103394e Might