Field | Value
---|---
Created | 2021.06.17 17:55
Machine | s1_win7_x6402
Filename | TRVSz8V0
Type | PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : malware
VT API (file) | 30 detected (malicious, high confidence, rK4@InjxnMe, Save, confidence, Cobalt, CobaltStrike, Artifact, Countermeasure, LoaderWinGeneric, LOADER, score, ai score=87, BScope, Swrort, Feye, Static AI, Suspicious PE, GdSda)
md5 | 928163504cf073fe38f6e9cc0f91251c
sha256 | f00c2f5474bdcd89606221ce0d29f8e8e6b0cca150433286bcd3ab8b8e7e832e
ssdeep | 3072:TSEQw/mIOfSAAmLGGxR1pB0lxZ0J9FIRKmj8q2Jclf3tcw:TSEQ8IXqOR3B0lxqJ9oK08q2+pCw
imphash | db502765cff159e5db66145a73cb6cd7
impfuzzy | 12:twRJR+5TZnJbiiARZqRJhPPXJNiXJGqViRC91KpJqi0iZz+n9XsY:tkfg1JWncJ9eB/91OqiLZz+n1V
Network IP location
Signature (9cnts)
Level | Description |
---|---|
danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x6bb090ec CreateThread
0x6bb090f0 DeleteCriticalSection
0x6bb090f4 EnterCriticalSection
0x6bb090f8 GetCurrentProcess
0x6bb090fc GetCurrentProcessId
0x6bb09100 GetCurrentThreadId
0x6bb09104 GetLastError
0x6bb09108 GetSystemTimeAsFileTime
0x6bb0910c GetTickCount
0x6bb09110 InitializeCriticalSection
0x6bb09114 LeaveCriticalSection
0x6bb09118 QueryPerformanceCounter
0x6bb0911c SetUnhandledExceptionFilter
0x6bb09120 Sleep
0x6bb09124 TerminateProcess
0x6bb09128 TlsGetValue
0x6bb0912c UnhandledExceptionFilter
0x6bb09130 VirtualAlloc
0x6bb09134 VirtualProtect
0x6bb09138 VirtualQuery
msvcrt.dll
0x6bb09140 _amsg_exit
0x6bb09144 _initterm
0x6bb09148 _iob
0x6bb0914c _lock
0x6bb09150 _unlock
0x6bb09154 abort
0x6bb09158 calloc
0x6bb0915c free
0x6bb09160 fwrite
0x6bb09164 malloc
0x6bb09168 realloc
0x6bb0916c strlen
0x6bb09170 strncmp
0x6bb09174 vfprintf
USER32.dll
0x6bb0917c PeekMessageA
0x6bb09180 PostThreadMessageA
EAT (Export Address Table) Library
0x6bac15a2 DllGetClassObject
0x6bac1547 DllMain
0x6bac159c DllRegisterServer
0x6bac159f DllUnregisterServer
0x6bac15af StartW