ScreenShot
| Created | 2021.06.24 23:46 | Machine | s1_win7_x6402 |
| Filename | csrrs.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 32 detected (Gibon, Dridex, malicious, Attribute, HighConfidence, R011C0PFL21, susgen, ai score=81, score, ET#83%, RDMK, cmRtazoyxUVkqsyQNiqrTy+JKRx5, Unsafe, PossibleThreat, ZexaF, guW@aasZ44ni, GdSda, confidence) | ||
| md5 | f07ce87fb0fee1ccc330e07141be91f9 | ||
| sha256 | af8d689527c8f558062465791525d862a6a68b0f2b51596d2509a70d3120cd5a | ||
| ssdeep | 3072:U0oyTwRNNYzYQMvKnz06K+JDz+W8M4EaJG0e4/131roJ:9kmzYQM402DzP4vjkJ | ||
| imphash | 0e43491088f941a4fc3b2a6a6fff516b | ||
| impfuzzy | 24:o54/tMS17bJnc+pl3eDoTyoEOovbO3kPvNjvRZHu9oGMsSL:FtMS17lc+pp/yc30nsSL | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Creates a suspicious process |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | Command line console output was observed |
| info | This executable has a PDB path |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x413000 CreateMutexW
0x413004 CreateToolhelp32Snapshot
0x413008 Sleep
0x41300c GetLastError
0x413010 Process32NextW
0x413014 Process32FirstW
0x413018 CloseHandle
0x41301c WriteConsoleW
0x413020 CreateFileW
0x413024 UnhandledExceptionFilter
0x413028 SetUnhandledExceptionFilter
0x41302c GetCurrentProcess
0x413030 TerminateProcess
0x413034 IsProcessorFeaturePresent
0x413038 QueryPerformanceCounter
0x41303c GetCurrentProcessId
0x413040 GetCurrentThreadId
0x413044 GetSystemTimeAsFileTime
0x413048 InitializeSListHead
0x41304c IsDebuggerPresent
0x413050 GetStartupInfoW
0x413054 GetModuleHandleW
0x413058 RtlUnwind
0x41305c SetLastError
0x413060 EnterCriticalSection
0x413064 LeaveCriticalSection
0x413068 DeleteCriticalSection
0x41306c InitializeCriticalSectionAndSpinCount
0x413070 TlsAlloc
0x413074 TlsGetValue
0x413078 TlsSetValue
0x41307c TlsFree
0x413080 FreeLibrary
0x413084 GetProcAddress
0x413088 LoadLibraryExW
0x41308c RaiseException
0x413090 GetStdHandle
0x413094 WriteFile
0x413098 GetModuleFileNameW
0x41309c ExitProcess
0x4130a0 GetModuleHandleExW
0x4130a4 GetCommandLineA
0x4130a8 GetCommandLineW
0x4130ac HeapAlloc
0x4130b0 HeapFree
0x4130b4 CompareStringW
0x4130b8 LCMapStringW
0x4130bc GetFileType
0x4130c0 WaitForSingleObject
0x4130c4 GetExitCodeProcess
0x4130c8 CreateProcessW
0x4130cc GetFileAttributesExW
0x4130d0 FindClose
0x4130d4 FindFirstFileExW
0x4130d8 FindNextFileW
0x4130dc IsValidCodePage
0x4130e0 GetACP
0x4130e4 GetOEMCP
0x4130e8 GetCPInfo
0x4130ec MultiByteToWideChar
0x4130f0 WideCharToMultiByte
0x4130f4 GetEnvironmentStringsW
0x4130f8 FreeEnvironmentStringsW
0x4130fc SetEnvironmentVariableW
0x413100 SetStdHandle
0x413104 GetStringTypeW
0x413108 GetProcessHeap
0x41310c FlushFileBuffers
0x413110 GetConsoleOutputCP
0x413114 GetConsoleMode
0x413118 GetFileSizeEx
0x41311c SetFilePointerEx
0x413120 HeapSize
0x413124 HeapReAlloc
0x413128 DecodePointer
USER32.dll
0x413130 CharLowerBuffW
0x413134 wsprintfW
EAT(Export Address Table) is none
KERNEL32.dll
0x413000 CreateMutexW
0x413004 CreateToolhelp32Snapshot
0x413008 Sleep
0x41300c GetLastError
0x413010 Process32NextW
0x413014 Process32FirstW
0x413018 CloseHandle
0x41301c WriteConsoleW
0x413020 CreateFileW
0x413024 UnhandledExceptionFilter
0x413028 SetUnhandledExceptionFilter
0x41302c GetCurrentProcess
0x413030 TerminateProcess
0x413034 IsProcessorFeaturePresent
0x413038 QueryPerformanceCounter
0x41303c GetCurrentProcessId
0x413040 GetCurrentThreadId
0x413044 GetSystemTimeAsFileTime
0x413048 InitializeSListHead
0x41304c IsDebuggerPresent
0x413050 GetStartupInfoW
0x413054 GetModuleHandleW
0x413058 RtlUnwind
0x41305c SetLastError
0x413060 EnterCriticalSection
0x413064 LeaveCriticalSection
0x413068 DeleteCriticalSection
0x41306c InitializeCriticalSectionAndSpinCount
0x413070 TlsAlloc
0x413074 TlsGetValue
0x413078 TlsSetValue
0x41307c TlsFree
0x413080 FreeLibrary
0x413084 GetProcAddress
0x413088 LoadLibraryExW
0x41308c RaiseException
0x413090 GetStdHandle
0x413094 WriteFile
0x413098 GetModuleFileNameW
0x41309c ExitProcess
0x4130a0 GetModuleHandleExW
0x4130a4 GetCommandLineA
0x4130a8 GetCommandLineW
0x4130ac HeapAlloc
0x4130b0 HeapFree
0x4130b4 CompareStringW
0x4130b8 LCMapStringW
0x4130bc GetFileType
0x4130c0 WaitForSingleObject
0x4130c4 GetExitCodeProcess
0x4130c8 CreateProcessW
0x4130cc GetFileAttributesExW
0x4130d0 FindClose
0x4130d4 FindFirstFileExW
0x4130d8 FindNextFileW
0x4130dc IsValidCodePage
0x4130e0 GetACP
0x4130e4 GetOEMCP
0x4130e8 GetCPInfo
0x4130ec MultiByteToWideChar
0x4130f0 WideCharToMultiByte
0x4130f4 GetEnvironmentStringsW
0x4130f8 FreeEnvironmentStringsW
0x4130fc SetEnvironmentVariableW
0x413100 SetStdHandle
0x413104 GetStringTypeW
0x413108 GetProcessHeap
0x41310c FlushFileBuffers
0x413110 GetConsoleOutputCP
0x413114 GetConsoleMode
0x413118 GetFileSizeEx
0x41311c SetFilePointerEx
0x413120 HeapSize
0x413124 HeapReAlloc
0x413128 DecodePointer
USER32.dll
0x413130 CharLowerBuffW
0x413134 wsprintfW
EAT(Export Address Table) is none