ScreenShot
Field | Value |
---|---|
Created | 2021.05.12 09:39 |
Machine | s1_win7_x6401 |
Filename | wd10dale.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 48 detected (Cobalt, Unsafe, malicious, LQEW, a variant of Generik, GPUEYBA, score, Razy, iugrnq, CobaltStrike, YzY0Ot1miiwpnqQ9, Malware@#3fcl3pg6s8cgg, DownLoader38, Tool, R002C0DCU21, jrruf, ASMalwS, ai score=80, LCi3TYmEVxI, PossibleThreat, confidence) |
md5 | 01fbd69aa44b75f2948a817f340d599b |
sha256 | 18b056a1951f2e7c4ab96095d25e015da4e456493d0591c94584a9063c399025 |
ssdeep | 6144:oQoY7z0MVihidNhYkQRKUJTB4a4svREAHGz8xA4XgPwhparyyb49tTFDbEA38i7:kY7xYidNhYjwvsRHo8xnXQ2B28FvEzi |
imphash | e65a95c59aa483750033184c186e4f9b |
impfuzzy | 24:YyScplE5jVZD50qt8S1ygGUJe99R+hvRSOovbO9ZrjM7:YRcpe9t8S1ygGz4j34 |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Executed a process and injected code into it |
warning | Generates some ICMP traffic |
watch | Communicates with host for which no DNS query was performed |
watch | One or more of the buffers contains an embedded PE file |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (18cnts)
Level | Name | Description | Collection |
---|---|---|---|
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Escalate_priviledges | Escalate priviledges | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140016000 ExitProcess
0x140016008 lstrcmpiW
0x140016010 GetLastError
0x140016018 WriteConsoleW
0x140016020 CloseHandle
0x140016028 EnterCriticalSection
0x140016030 LeaveCriticalSection
0x140016038 InitializeCriticalSectionAndSpinCount
0x140016040 DeleteCriticalSection
0x140016048 SetEvent
0x140016050 ResetEvent
0x140016058 WaitForSingleObjectEx
0x140016060 CreateEventW
0x140016068 GetModuleHandleW
0x140016070 GetProcAddress
0x140016078 RtlCaptureContext
0x140016080 RtlLookupFunctionEntry
0x140016088 RtlVirtualUnwind
0x140016090 IsDebuggerPresent
0x140016098 UnhandledExceptionFilter
0x1400160a0 SetUnhandledExceptionFilter
0x1400160a8 GetStartupInfoW
0x1400160b0 IsProcessorFeaturePresent
0x1400160b8 GetCurrentProcess
0x1400160c0 TerminateProcess
0x1400160c8 QueryPerformanceCounter
0x1400160d0 GetCurrentProcessId
0x1400160d8 GetCurrentThreadId
0x1400160e0 GetSystemTimeAsFileTime
0x1400160e8 InitializeSListHead
0x1400160f0 RtlPcToFileHeader
0x1400160f8 RaiseException
0x140016100 RtlUnwindEx
0x140016108 SetLastError
0x140016110 EncodePointer
0x140016118 TlsAlloc
0x140016120 TlsGetValue
0x140016128 TlsSetValue
0x140016130 TlsFree
0x140016138 FreeLibrary
0x140016140 LoadLibraryExW
0x140016148 GetModuleHandleExW
0x140016150 GetModuleFileNameW
0x140016158 GetStdHandle
0x140016160 WriteFile
0x140016168 HeapFree
0x140016170 HeapAlloc
0x140016178 GetFileType
0x140016180 FindClose
0x140016188 FindFirstFileExW
0x140016190 FindNextFileW
0x140016198 IsValidCodePage
0x1400161a0 GetACP
0x1400161a8 GetOEMCP
0x1400161b0 GetCPInfo
0x1400161b8 GetCommandLineA
0x1400161c0 GetCommandLineW
0x1400161c8 MultiByteToWideChar
0x1400161d0 WideCharToMultiByte
0x1400161d8 GetEnvironmentStringsW
0x1400161e0 FreeEnvironmentStringsW
0x1400161e8 LCMapStringW
0x1400161f0 GetProcessHeap
0x1400161f8 SetStdHandle
0x140016200 GetStringTypeW
0x140016208 SetFilePointerEx
0x140016210 HeapSize
0x140016218 HeapReAlloc
0x140016220 FlushFileBuffers
0x140016228 GetConsoleCP
0x140016230 GetConsoleMode
0x140016238 CreateFileW
EAT (Export Address Table) is none