Field | Value |
---|---|
Created | 2021.06.02 11:19 |
Machine | s1_win7_x6402 |
Filename | DOCUMENT.exe |
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
ZERO API | file : clean |
VT API (file) | 47 detected (Malicious, score, Khalesi, CobaltStrike, confidence, 100%, NativeZone, Eldorado, Cobalt, Rozena, COBEACON, jaqc, Malware@#nhkruipfa8c3, Artemis, S + Troj, apzn, susgen, kphbb, ai score=100, kcloud, R423201, FTRB, Unsafe, CobaltLoader, CLASSIC) |
md5 | 1c3b8ae594cb4ce24c2680b47cebf808 |
sha256 | ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330 |
ssdeep | 6144:GBv2rCsfI34JBE8LCiohg05tnCCRem/V9FkkKdKb+/++9GIyRv9QTaq+D/aYndvj:GBurzfI2B9roDtVcKb+/+EzD+7aJ |
imphash | 844c8136867966b00afa26206439e6ff |
impfuzzy | 24:Ryn02tMS1JVlJnc+pl3eDoTTsoppvJ+MPJOovbOPZDJ28O:EDtMS1JFc+pp/gAs3xfO |
Signature (12cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Detects VirtualBox through the presence of a file |
watch | Detects VirtualBox through the presence of a registry key |
watch | Detects VMWare through the presence of a registry key |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | APT_APT29_Win_FlipFlop_LDR | A loader for the CobaltStrike malware family | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x180018028 LocalFree
0x180018030 LocalAlloc
0x180018038 VirtualProtect
0x180018040 VirtualAlloc
0x180018048 OutputDebugStringA
0x180018050 IsDebuggerPresent
0x180018058 GetFileAttributesA
0x180018060 GetStdHandle
0x180018068 RtlCaptureContext
0x180018070 RtlLookupFunctionEntry
0x180018078 RtlVirtualUnwind
0x180018080 UnhandledExceptionFilter
0x180018088 SetUnhandledExceptionFilter
0x180018090 GetCurrentProcess
0x180018098 TerminateProcess
0x1800180a0 IsProcessorFeaturePresent
0x1800180a8 QueryPerformanceCounter
0x1800180b0 GetCurrentProcessId
0x1800180b8 GetCurrentThreadId
0x1800180c0 GetSystemTimeAsFileTime
0x1800180c8 InitializeSListHead
0x1800180d0 GetStartupInfoW
0x1800180d8 GetModuleHandleW
0x1800180e0 RtlUnwindEx
0x1800180e8 InterlockedFlushSList
0x1800180f0 GetLastError
0x1800180f8 SetLastError
0x180018100 EnterCriticalSection
0x180018108 LeaveCriticalSection
0x180018110 DeleteCriticalSection
0x180018118 InitializeCriticalSectionAndSpinCount
0x180018120 TlsAlloc
0x180018128 TlsGetValue
0x180018130 TlsSetValue
0x180018138 TlsFree
0x180018140 FreeLibrary
0x180018148 GetProcAddress
0x180018150 LoadLibraryExW
0x180018158 RaiseException
0x180018160 ReadFile
0x180018168 ExitProcess
0x180018170 GetModuleHandleExW
0x180018178 FindClose
0x180018180 FindFirstFileExW
0x180018188 FindNextFileW
0x180018190 CreateFileW
0x180018198 GetFileType
0x1800181a0 CloseHandle
0x1800181a8 GetModuleFileNameW
0x1800181b0 HeapAlloc
0x1800181b8 HeapFree
0x1800181c0 LCMapStringW
0x1800181c8 GetFileSizeEx
0x1800181d0 SetFilePointerEx
0x1800181d8 GetConsoleMode
0x1800181e0 ReadConsoleW
0x1800181e8 WriteFile
0x1800181f0 GetConsoleCP
0x1800181f8 MultiByteToWideChar
0x180018200 HeapReAlloc
0x180018208 WideCharToMultiByte
0x180018210 SetStdHandle
0x180018218 IsValidCodePage
0x180018220 GetACP
0x180018228 GetOEMCP
0x180018230 GetCPInfo
0x180018238 GetCommandLineA
0x180018240 GetCommandLineW
0x180018248 GetEnvironmentStringsW
0x180018250 FreeEnvironmentStringsW
0x180018258 GetProcessHeap
0x180018260 GetStringTypeW
0x180018268 FlushFileBuffers
0x180018270 HeapSize
0x180018278 WriteConsoleW
0x180018280 RtlUnwind
ADVAPI32.dll
0x180018000 RegOpenKeyExA
0x180018008 RegCloseKey
IPHLPAPI.DLL
0x180018018 GetAdaptersAddresses
EAT (Export Address Table) Library
0x1800014e0 Open