ScreenShot
| Created | 2021.05.20 09:40 | Machine | s1_win7_x6401 |
| Filename | rets.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 6 detected (malicious, confidence, Phonzy, score) | ||
| md5 | c344e0908b85d5fda0f5c51e815d977e | ||
| sha256 | 353bb0de2e0c9f16d17f74e81708c2cd7cbf07cf5845a8652f0f27f97d8a3161 | ||
| ssdeep | 6144:kI1Fscig7jAE0g6n3rPB4b569ncFqea9Z/2TB+ZAqIU4YA6SPhnAcX+4Jt+x9EEN:Yb1R2TIGqIU4YJSpt+4JUB | ||
| imphash | f141510b7f0f89c34de124db5eae649a | ||
| impfuzzy | 24:R6xyDW1m7S1o0qtUgGmlJeDc+pl39bfEvRSOovbO9ZHGM3:R6SS1YtUgG1c+ppdmj31 | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| watch | A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | File has been identified by 6 AntiVirus engines on VirusTotal as malicious |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ole32.dll
0x14001f270 CoInitializeEx
USER32.dll
0x14001f258 GetMenu
0x14001f260 ShowWindow
KERNEL32.dll
0x14001f000 GetModuleHandleExW
0x14001f008 WriteConsoleW
0x14001f010 CreateFileW
0x14001f018 GetModuleHandleA
0x14001f020 GetProcAddress
0x14001f028 LoadResource
0x14001f030 LockResource
0x14001f038 SizeofResource
0x14001f040 LoadLibraryA
0x14001f048 FindResourceA
0x14001f050 QueryPerformanceCounter
0x14001f058 GetCurrentProcessId
0x14001f060 GetCurrentThreadId
0x14001f068 GetSystemTimeAsFileTime
0x14001f070 InitializeSListHead
0x14001f078 RtlCaptureContext
0x14001f080 RtlLookupFunctionEntry
0x14001f088 RtlVirtualUnwind
0x14001f090 IsDebuggerPresent
0x14001f098 UnhandledExceptionFilter
0x14001f0a0 SetUnhandledExceptionFilter
0x14001f0a8 GetStartupInfoW
0x14001f0b0 IsProcessorFeaturePresent
0x14001f0b8 GetModuleHandleW
0x14001f0c0 CloseHandle
0x14001f0c8 RtlPcToFileHeader
0x14001f0d0 RaiseException
0x14001f0d8 RtlUnwindEx
0x14001f0e0 GetLastError
0x14001f0e8 SetLastError
0x14001f0f0 EncodePointer
0x14001f0f8 EnterCriticalSection
0x14001f100 LeaveCriticalSection
0x14001f108 DeleteCriticalSection
0x14001f110 InitializeCriticalSectionAndSpinCount
0x14001f118 TlsAlloc
0x14001f120 TlsGetValue
0x14001f128 TlsSetValue
0x14001f130 TlsFree
0x14001f138 FreeLibrary
0x14001f140 LoadLibraryExW
0x14001f148 GetCurrentProcess
0x14001f150 ExitProcess
0x14001f158 TerminateProcess
0x14001f160 GetStdHandle
0x14001f168 WriteFile
0x14001f170 GetModuleFileNameW
0x14001f178 HeapFree
0x14001f180 HeapAlloc
0x14001f188 LCMapStringW
0x14001f190 GetFileType
0x14001f198 FindClose
0x14001f1a0 FindFirstFileExW
0x14001f1a8 FindNextFileW
0x14001f1b0 IsValidCodePage
0x14001f1b8 GetACP
0x14001f1c0 GetOEMCP
0x14001f1c8 GetCPInfo
0x14001f1d0 GetCommandLineA
0x14001f1d8 GetCommandLineW
0x14001f1e0 MultiByteToWideChar
0x14001f1e8 WideCharToMultiByte
0x14001f1f0 GetEnvironmentStringsW
0x14001f1f8 FreeEnvironmentStringsW
0x14001f200 SetStdHandle
0x14001f208 GetStringTypeW
0x14001f210 GetProcessHeap
0x14001f218 FlushFileBuffers
0x14001f220 GetConsoleOutputCP
0x14001f228 GetConsoleMode
0x14001f230 GetFileSizeEx
0x14001f238 SetFilePointerEx
0x14001f240 HeapSize
0x14001f248 HeapReAlloc
EAT(Export Address Table) is none
ole32.dll
0x14001f270 CoInitializeEx
USER32.dll
0x14001f258 GetMenu
0x14001f260 ShowWindow
KERNEL32.dll
0x14001f000 GetModuleHandleExW
0x14001f008 WriteConsoleW
0x14001f010 CreateFileW
0x14001f018 GetModuleHandleA
0x14001f020 GetProcAddress
0x14001f028 LoadResource
0x14001f030 LockResource
0x14001f038 SizeofResource
0x14001f040 LoadLibraryA
0x14001f048 FindResourceA
0x14001f050 QueryPerformanceCounter
0x14001f058 GetCurrentProcessId
0x14001f060 GetCurrentThreadId
0x14001f068 GetSystemTimeAsFileTime
0x14001f070 InitializeSListHead
0x14001f078 RtlCaptureContext
0x14001f080 RtlLookupFunctionEntry
0x14001f088 RtlVirtualUnwind
0x14001f090 IsDebuggerPresent
0x14001f098 UnhandledExceptionFilter
0x14001f0a0 SetUnhandledExceptionFilter
0x14001f0a8 GetStartupInfoW
0x14001f0b0 IsProcessorFeaturePresent
0x14001f0b8 GetModuleHandleW
0x14001f0c0 CloseHandle
0x14001f0c8 RtlPcToFileHeader
0x14001f0d0 RaiseException
0x14001f0d8 RtlUnwindEx
0x14001f0e0 GetLastError
0x14001f0e8 SetLastError
0x14001f0f0 EncodePointer
0x14001f0f8 EnterCriticalSection
0x14001f100 LeaveCriticalSection
0x14001f108 DeleteCriticalSection
0x14001f110 InitializeCriticalSectionAndSpinCount
0x14001f118 TlsAlloc
0x14001f120 TlsGetValue
0x14001f128 TlsSetValue
0x14001f130 TlsFree
0x14001f138 FreeLibrary
0x14001f140 LoadLibraryExW
0x14001f148 GetCurrentProcess
0x14001f150 ExitProcess
0x14001f158 TerminateProcess
0x14001f160 GetStdHandle
0x14001f168 WriteFile
0x14001f170 GetModuleFileNameW
0x14001f178 HeapFree
0x14001f180 HeapAlloc
0x14001f188 LCMapStringW
0x14001f190 GetFileType
0x14001f198 FindClose
0x14001f1a0 FindFirstFileExW
0x14001f1a8 FindNextFileW
0x14001f1b0 IsValidCodePage
0x14001f1b8 GetACP
0x14001f1c0 GetOEMCP
0x14001f1c8 GetCPInfo
0x14001f1d0 GetCommandLineA
0x14001f1d8 GetCommandLineW
0x14001f1e0 MultiByteToWideChar
0x14001f1e8 WideCharToMultiByte
0x14001f1f0 GetEnvironmentStringsW
0x14001f1f8 FreeEnvironmentStringsW
0x14001f200 SetStdHandle
0x14001f208 GetStringTypeW
0x14001f210 GetProcessHeap
0x14001f218 FlushFileBuffers
0x14001f220 GetConsoleOutputCP
0x14001f228 GetConsoleMode
0x14001f230 GetFileSizeEx
0x14001f238 SetFilePointerEx
0x14001f240 HeapSize
0x14001f248 HeapReAlloc
EAT(Export Address Table) is none