ScreenShot
| Created | 2021.06.25 10:02 | Machine | s1_win7_x6402 |
| Filename | getfile.php | ||
| Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 46 detected (GenericKD, Unsafe, Kryplod, malicious, confidence, BankerX, KryptLoad, iwpedv, Malware@#1n17jkwu7wnw5, sgcmb, R002C0WFL21, ai score=85, kcloud, Casdet, score, Tiggre, Bazar, HSPXSNR, susgen) | ||
| md5 | a468360f0f1955c341486915e522e4c0 | ||
| sha256 | c8284374a3dbee51211289304b73bef0c6c3d00cd1fe3585b5fb8ca384c5333e | ||
| ssdeep | 3072:4RaFivaICm87aDj3eTUGaSea1AIW2rgqE1BDa:4Ra8ibb4eUpha1AIW2Ev1Ja | ||
| imphash | 6859c1fbd5011b39e2b3c5ccd6eda491 | ||
| impfuzzy | 3:swBJAEPwS9KTXzhAXwEQaxRn:dBJAEHGDzyRn | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (39cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x18003e080 LoadLibraryA
0x18003e088 GetProcAddress
0x18003e090 VirtualProtect
EAT(Export Address Table) Library
0x180001000 DllRegisterServer
0x180001458 StartW
0x180002471 agrktrrcp
0x1800022e0 ahbhbbhbdt
0x180001fc8 anpnjqgfbhhyu
0x18000247d bjofbxl
0x180002149 bjvmqvtdzjtjb
0x180002477 bvvdomqyt
0x180001cb7 dmnfbikwzvn
0x180002222 dpeegsmldvs
0x180001e42 eegjuaiyqzjbshtq
0x180001a57 evbyoenjy
0x180001cb1 fbqdiwzuz
0x180001efd fdcpuqbgeveg
0x180001e3c hdizgsg
0x180001cab hwiamlqv
0x180001a3f hwsfqogewea
0x180001b1e irzjroiiioag
0x180001a39 jsrlguqh
0x180002465 kfrhquse
0x180002084 kkfvppiwufxvqmd
0x180001a2d npkcnkg
0x1800023a5 ojxkiptcmwzv
0x180001d78 pdngehfzs
0x18000220a pgnpysypz
0x180001c9f pzmmuzaauw
0x180001fc2 qpmkrtgewwbb
0x180001a5d qzdqxmvcgfdy
0x180001e36 sdrijjoasuhi
0x180001a51 snfncmd
0x180001d72 sqeovzxoprdfqynx
0x180001ca5 ugpbispemn
0x180001a4b uwugwqtkejumf
0x180001be3 vfedsyyal
0x180002210 vopeqns
0x1800022e6 vtpnlyczievugj
0x180001a45 vzwysau
0x18000246b wysepjkemwckg
0x180001f03 xeqbvdimaere
0x18000221c xqtinqsafou
0x18000208a xycnwgdunhijsnl
0x180001a33 ygararjkbpixigrg
0x180002216 zlqevneqgldcsp
0x1800022da ztcwagi
KERNEL32.DLL
0x18003e080 LoadLibraryA
0x18003e088 GetProcAddress
0x18003e090 VirtualProtect
EAT(Export Address Table) Library
0x180001000 DllRegisterServer
0x180001458 StartW
0x180002471 agrktrrcp
0x1800022e0 ahbhbbhbdt
0x180001fc8 anpnjqgfbhhyu
0x18000247d bjofbxl
0x180002149 bjvmqvtdzjtjb
0x180002477 bvvdomqyt
0x180001cb7 dmnfbikwzvn
0x180002222 dpeegsmldvs
0x180001e42 eegjuaiyqzjbshtq
0x180001a57 evbyoenjy
0x180001cb1 fbqdiwzuz
0x180001efd fdcpuqbgeveg
0x180001e3c hdizgsg
0x180001cab hwiamlqv
0x180001a3f hwsfqogewea
0x180001b1e irzjroiiioag
0x180001a39 jsrlguqh
0x180002465 kfrhquse
0x180002084 kkfvppiwufxvqmd
0x180001a2d npkcnkg
0x1800023a5 ojxkiptcmwzv
0x180001d78 pdngehfzs
0x18000220a pgnpysypz
0x180001c9f pzmmuzaauw
0x180001fc2 qpmkrtgewwbb
0x180001a5d qzdqxmvcgfdy
0x180001e36 sdrijjoasuhi
0x180001a51 snfncmd
0x180001d72 sqeovzxoprdfqynx
0x180001ca5 ugpbispemn
0x180001a4b uwugwqtkejumf
0x180001be3 vfedsyyal
0x180002210 vopeqns
0x1800022e6 vtpnlyczievugj
0x180001a45 vzwysau
0x18000246b wysepjkemwckg
0x180001f03 xeqbvdimaere
0x18000221c xqtinqsafou
0x18000208a xycnwgdunhijsnl
0x180001a33 ygararjkbpixigrg
0x180002216 zlqevneqgldcsp
0x1800022da ztcwagi