Field | Value |
---|---|
Created | 2021.06.09 09:54 |
Machine | s1_win7_x6402 |
Filename | al.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 26 detected (malicious, high confidence, DownLoad4, Artemis, Unsafe, confidence, GoCLR, a variant of WinGo, Bulz, FileRepMalware, TrojanVeil, Wacatac, score, R002H0DF821, CobaltStrike, 100%, susgen) |
md5 | 20f307c716a689f4afa3a76b7143db22 |
sha256 | 3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd |
ssdeep | 49152:gJZm5w1U7yC5Y59whp6IRNCjm78jBtrUQWT6726n4lMZLr5jJTMVmiKpN+UL7Jmw:gG5w1Cyh |
imphash | 4035d2883e01d64f3e7a9dccb1d63af5 |
impfuzzy | 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6UP:K5O+VAXOmGx0nP |
Network IP location
Signature (24cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Creates a suspicious Powershell process |
watch | Deletes executed files from disk |
watch | Detects the presence of Wine emulator |
watch | One or more non-whitelisted processes were created |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
danger | NPKI_Zero | File included NPKI | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x9ea020 WriteFile
0x9ea028 WriteConsoleW
0x9ea030 WaitForMultipleObjects
0x9ea038 WaitForSingleObject
0x9ea040 VirtualQuery
0x9ea048 VirtualFree
0x9ea050 VirtualAlloc
0x9ea058 SwitchToThread
0x9ea060 SuspendThread
0x9ea068 Sleep
0x9ea070 SetWaitableTimer
0x9ea078 SetUnhandledExceptionFilter
0x9ea080 SetProcessPriorityBoost
0x9ea088 SetEvent
0x9ea090 SetErrorMode
0x9ea098 SetConsoleCtrlHandler
0x9ea0a0 ResumeThread
0x9ea0a8 PostQueuedCompletionStatus
0x9ea0b0 LoadLibraryA
0x9ea0b8 LoadLibraryW
0x9ea0c0 SetThreadContext
0x9ea0c8 GetThreadContext
0x9ea0d0 GetSystemInfo
0x9ea0d8 GetSystemDirectoryA
0x9ea0e0 GetStdHandle
0x9ea0e8 GetQueuedCompletionStatusEx
0x9ea0f0 GetProcessAffinityMask
0x9ea0f8 GetProcAddress
0x9ea100 GetEnvironmentStringsW
0x9ea108 GetConsoleMode
0x9ea110 FreeEnvironmentStringsW
0x9ea118 ExitProcess
0x9ea120 DuplicateHandle
0x9ea128 CreateWaitableTimerExW
0x9ea130 CreateThread
0x9ea138 CreateIoCompletionPort
0x9ea140 CreateEventA
0x9ea148 CloseHandle
0x9ea150 AddVectoredExceptionHandler
EAT(Export Address Table) is none