ScreenShot
| Created | 2021.06.16 10:04 | Machine | s1_win7_x6401 |
| Filename | Winvoke.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 49 detected (Siggen13, 274944L, NukeSped, Lazarus, Razy, malicious, AVEE, score, xahodw, Crat, DropperX, Malware@#3ryquvlqv8obx, 0NA103DT21, fsmds, ai score=100, ASMalwS, NukeSpeed, Akdoor, Generic Dropper, Unsafe, susgen, confidence, 100%) | ||
| md5 | f4d46629ca15313b94992f3798718df7 | ||
| sha256 | 0996a8e5ec1a41645309e2ca395d3a6b766a7c52784c974c776f258c1b25a76c | ||
| ssdeep | 6144:w33Tn+SJX6hDGRPJNJyPhkK1228jVdXRHZPJwQC8O:w36qRbJyZH1228j/TPu0 | ||
| imphash | 0e15d4b92e4de8ce71e3c186bb853030 | ||
| impfuzzy | 48:5+vCqSs/3c5fz80thcjLECDGAnf49RhgTFoXVz:5+vNSs/3c5r80th4qz | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a shortcut to an executable file |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Lazarus_Zero | Lazarus Generic Malware | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140011020 CloseHandle
0x140011028 GetTickCount
0x140011030 Sleep
0x140011038 CreateProcessA
0x140011040 VirtualFree
0x140011048 LoadResource
0x140011050 SizeofResource
0x140011058 VirtualAlloc
0x140011060 LockResource
0x140011068 CreateFileA
0x140011070 GetFileSize
0x140011078 FindResourceExW
0x140011080 FindResourceW
0x140011088 WriteFile
0x140011090 WideCharToMultiByte
0x140011098 ReadFile
0x1400110a0 GetModuleFileNameA
0x1400110a8 GetProcAddress
0x1400110b0 LoadLibraryA
0x1400110b8 GetLogicalDrives
0x1400110c0 GetSystemTimeAsFileTime
0x1400110c8 GetLocalTime
0x1400110d0 LocalFileTimeToFileTime
0x1400110d8 GetModuleHandleA
0x1400110e0 WriteConsoleW
0x1400110e8 SetFilePointerEx
0x1400110f0 FlushFileBuffers
0x1400110f8 SetStdHandle
0x140011100 GetConsoleMode
0x140011108 GetConsoleCP
0x140011110 GetStringTypeW
0x140011118 LCMapStringW
0x140011120 FreeEnvironmentStringsW
0x140011128 GetEnvironmentStringsW
0x140011130 GetCurrentProcessId
0x140011138 QueryPerformanceCounter
0x140011140 GetFileType
0x140011148 GetCurrentThreadId
0x140011150 GetCPInfo
0x140011158 GetOEMCP
0x140011160 GetACP
0x140011168 IsValidCodePage
0x140011170 LoadLibraryExW
0x140011178 GetModuleFileNameW
0x140011180 GetStdHandle
0x140011188 GetModuleHandleW
0x140011190 GetStartupInfoW
0x140011198 DeleteCriticalSection
0x1400111a0 DecodePointer
0x1400111a8 HeapSize
0x1400111b0 GetLastError
0x1400111b8 RaiseException
0x1400111c0 InitializeCriticalSectionEx
0x1400111c8 HeapDestroy
0x1400111d0 GetProcessHeap
0x1400111d8 HeapFree
0x1400111e0 HeapAlloc
0x1400111e8 CreateFileW
0x1400111f0 HeapReAlloc
0x1400111f8 IsDebuggerPresent
0x140011200 OutputDebugStringW
0x140011208 EnterCriticalSection
0x140011210 LeaveCriticalSection
0x140011218 EncodePointer
0x140011220 ExitProcess
0x140011228 GetModuleHandleExW
0x140011230 MultiByteToWideChar
0x140011238 GetCommandLineA
0x140011240 RtlPcToFileHeader
0x140011248 RtlLookupFunctionEntry
0x140011250 RtlUnwindEx
0x140011258 IsProcessorFeaturePresent
0x140011260 RtlCaptureContext
0x140011268 RtlVirtualUnwind
0x140011270 UnhandledExceptionFilter
0x140011278 SetUnhandledExceptionFilter
0x140011280 SetLastError
0x140011288 InitializeCriticalSectionAndSpinCount
0x140011290 GetCurrentProcess
0x140011298 TerminateProcess
0x1400112a0 TlsAlloc
0x1400112a8 TlsGetValue
0x1400112b0 TlsSetValue
0x1400112b8 TlsFree
USER32.dll
0x1400112c8 GetClassNameA
0x1400112d0 GetWindowRect
0x1400112d8 GetWindowTextA
0x1400112e0 GetCursorPos
0x1400112e8 GetSysColorBrush
0x1400112f0 GetCursor
0x1400112f8 LoadImageA
0x140011300 LoadCursorA
0x140011308 ChangeDisplaySettingsA
0x140011310 GetWindow
0x140011318 LoadCursorFromFileA
0x140011320 DispatchMessageA
0x140011328 GetRawInputDeviceList
GDI32.dll
0x140011000 GetFontLanguageInfo
0x140011008 CreateBitmap
0x140011010 GetFontUnicodeRanges
EAT(Export Address Table) is none
KERNEL32.dll
0x140011020 CloseHandle
0x140011028 GetTickCount
0x140011030 Sleep
0x140011038 CreateProcessA
0x140011040 VirtualFree
0x140011048 LoadResource
0x140011050 SizeofResource
0x140011058 VirtualAlloc
0x140011060 LockResource
0x140011068 CreateFileA
0x140011070 GetFileSize
0x140011078 FindResourceExW
0x140011080 FindResourceW
0x140011088 WriteFile
0x140011090 WideCharToMultiByte
0x140011098 ReadFile
0x1400110a0 GetModuleFileNameA
0x1400110a8 GetProcAddress
0x1400110b0 LoadLibraryA
0x1400110b8 GetLogicalDrives
0x1400110c0 GetSystemTimeAsFileTime
0x1400110c8 GetLocalTime
0x1400110d0 LocalFileTimeToFileTime
0x1400110d8 GetModuleHandleA
0x1400110e0 WriteConsoleW
0x1400110e8 SetFilePointerEx
0x1400110f0 FlushFileBuffers
0x1400110f8 SetStdHandle
0x140011100 GetConsoleMode
0x140011108 GetConsoleCP
0x140011110 GetStringTypeW
0x140011118 LCMapStringW
0x140011120 FreeEnvironmentStringsW
0x140011128 GetEnvironmentStringsW
0x140011130 GetCurrentProcessId
0x140011138 QueryPerformanceCounter
0x140011140 GetFileType
0x140011148 GetCurrentThreadId
0x140011150 GetCPInfo
0x140011158 GetOEMCP
0x140011160 GetACP
0x140011168 IsValidCodePage
0x140011170 LoadLibraryExW
0x140011178 GetModuleFileNameW
0x140011180 GetStdHandle
0x140011188 GetModuleHandleW
0x140011190 GetStartupInfoW
0x140011198 DeleteCriticalSection
0x1400111a0 DecodePointer
0x1400111a8 HeapSize
0x1400111b0 GetLastError
0x1400111b8 RaiseException
0x1400111c0 InitializeCriticalSectionEx
0x1400111c8 HeapDestroy
0x1400111d0 GetProcessHeap
0x1400111d8 HeapFree
0x1400111e0 HeapAlloc
0x1400111e8 CreateFileW
0x1400111f0 HeapReAlloc
0x1400111f8 IsDebuggerPresent
0x140011200 OutputDebugStringW
0x140011208 EnterCriticalSection
0x140011210 LeaveCriticalSection
0x140011218 EncodePointer
0x140011220 ExitProcess
0x140011228 GetModuleHandleExW
0x140011230 MultiByteToWideChar
0x140011238 GetCommandLineA
0x140011240 RtlPcToFileHeader
0x140011248 RtlLookupFunctionEntry
0x140011250 RtlUnwindEx
0x140011258 IsProcessorFeaturePresent
0x140011260 RtlCaptureContext
0x140011268 RtlVirtualUnwind
0x140011270 UnhandledExceptionFilter
0x140011278 SetUnhandledExceptionFilter
0x140011280 SetLastError
0x140011288 InitializeCriticalSectionAndSpinCount
0x140011290 GetCurrentProcess
0x140011298 TerminateProcess
0x1400112a0 TlsAlloc
0x1400112a8 TlsGetValue
0x1400112b0 TlsSetValue
0x1400112b8 TlsFree
USER32.dll
0x1400112c8 GetClassNameA
0x1400112d0 GetWindowRect
0x1400112d8 GetWindowTextA
0x1400112e0 GetCursorPos
0x1400112e8 GetSysColorBrush
0x1400112f0 GetCursor
0x1400112f8 LoadImageA
0x140011300 LoadCursorA
0x140011308 ChangeDisplaySettingsA
0x140011310 GetWindow
0x140011318 LoadCursorFromFileA
0x140011320 DispatchMessageA
0x140011328 GetRawInputDeviceList
GDI32.dll
0x140011000 GetFontLanguageInfo
0x140011008 CreateBitmap
0x140011010 GetFontUnicodeRanges
EAT(Export Address Table) is none