ScreenShot
| Created | 2021.06.25 10:25 | Machine | s1_win7_x6401 |
| Filename | nj.exe | ||
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 41 detected (malicious, high confidence, GenericKD, Unsafe, Save, TrojanPSW, Agensla, ZemsilF, muW@aybGCPaO, Attribute, HighConfidence, Razy, SpyBotNET, R002C0PFL21, TrojanAitInject, rlhhg, Tiggre, score, ai score=84, GdSda, Static AI, Suspicious PE, RATX, confidence, 100%) | ||
| md5 | c2655295212060ebffe2e90b4f85e7fe | ||
| sha256 | 25252dc64356eeac34d104ce0527404eb133cb01cb15d0e5c45faa9a78ae5388 | ||
| ssdeep | 6144:+g+x/uTy3KtOYmytpGW4txSxg9eDlYNBOUXHzk:+g+xWTy3K1mVtxSxg9eDkk | ||
| imphash | 8577e14dc855f7c118af900af77a1ea6 | ||
| impfuzzy | 96:Un7jGnUA0O5ta17tahV8+zmTz0wQcoVgDTIuTg4coTpPbNaYpm2:Un7kUzOHa+VKTg4cupNaYP | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | Network_SMTP_dotNet | Communications smtp | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_EXE | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
MSVCR90.dll
0x4200fc fwrite
0x420100 __CxxExceptionFilter
0x420104 __CxxRegisterExceptionObject
0x420108 __CxxDetectRethrow
0x42010c __CxxUnregisterExceptionObject
0x420110 memmove_s
0x420114 ??2@YAPAXI@Z
0x420118 _invalid_parameter_noinfo
0x42011c _CxxThrowException
0x420120 __CxxQueryExceptionSize
0x420124 calloc
0x420128 fclose
0x42012c _crt_debugger_hook
0x420130 _controlfp_s
0x420134 _invoke_watson
0x420138 _except_handler4_common
0x42013c _decode_pointer
0x420140 _onexit
0x420144 _lock
0x420148 __dllonexit
0x42014c _unlock
0x420150 ?_type_info_dtor_internal_method@type_info@@QAEXXZ
0x420154 ?terminate@@YAXXZ
0x420158 __set_app_type
0x42015c ??0exception@std@@QAE@XZ
0x420160 ??_V@YAXPAX@Z
0x420164 _encode_pointer
0x420168 __p__fmode
0x42016c __p__commode
0x420170 _adjust_fdiv
0x420174 __setusermatherr
0x420178 _encoded_null
0x42017c __FrameUnwindFilter
0x420180 sprintf
0x420184 free
0x420188 fread
0x42018c _configthreadlocale
0x420190 _initterm_e
0x420194 _initterm
0x420198 _wcmdln
0x42019c exit
0x4201a0 _XcptFilter
0x4201a4 _exit
0x4201a8 _cexit
0x4201ac __wgetmainargs
0x4201b0 _amsg_exit
0x4201b4 ??3@YAXPAX@Z
0x4201b8 ??0exception@std@@QAE@ABV01@@Z
0x4201bc ?what@exception@std@@UBEPBDXZ
0x4201c0 ??1exception@std@@UAE@XZ
0x4201c4 ??0exception@std@@QAE@ABQBD@Z
KERNEL32.dll
0x420048 CompareFileTime
0x42004c FileTimeToSystemTime
0x420050 GetSystemTimes
0x420054 GetSystemRegistryQuota
0x420058 ExitThread
0x42005c VirtualProtect
0x420060 GetModuleHandleA
0x420064 GetLastError
0x420068 LocalAlloc
0x42006c GetModuleHandleW
0x420070 SetLastError
0x420074 GetFileType
0x420078 LocalFileTimeToFileTime
0x42007c InterlockedExchange
0x420080 Sleep
0x420084 InterlockedCompareExchange
0x420088 GetStartupInfoW
0x42008c SetUnhandledExceptionFilter
0x420090 QueryPerformanceCounter
0x420094 GetTickCount
0x420098 GetCurrentThreadId
0x42009c GetCurrentProcessId
0x4200a0 GetSystemTimeAsFileTime
0x4200a4 TerminateProcess
0x4200a8 GetCurrentProcess
0x4200ac UnhandledExceptionFilter
0x4200b0 IsDebuggerPresent
0x4200b4 LoadLibraryW
0x4200b8 GetTapeParameters
0x4200bc IsProcessorFeaturePresent
0x4200c0 GetNativeSystemInfo
0x4200c4 GetSystemInfo
USER32.dll
0x4201d4 CreateWindowExA
0x4201d8 ShowWindow
0x4201dc UpdateWindow
0x4201e0 CreateCaret
0x4201e4 GetCursor
0x4201e8 AnyPopup
0x4201ec GetWindowTextLengthW
0x4201f0 GetWindowRect
0x4201f4 GetClientRect
0x4201f8 LoadIconW
0x4201fc AdjustWindowRect
GDI32.dll
0x420010 CreateDIBitmap
0x420014 CreateEllipticRgn
0x420018 SetPolyFillMode
0x42001c StretchBlt
0x420020 CreateDIBPatternBrush
0x420024 EndPath
0x420028 BitBlt
0x42002c PlayMetaFileRecord
0x420030 GetPath
0x420034 FillPath
0x420038 CreateDCA
0x42003c BeginPath
0x420040 CreateCompatibleBitmap
ADVAPI32.dll
0x420000 RegSetValueW
SHELL32.dll
0x4201cc DragAcceptFiles
MSIMG32.dll
0x4200cc AlphaBlend
0x4200d0 TransparentBlt
COMCTL32.dll
0x420008 None
WINHTTP.dll
0x420204 WinHttpConnect
0x420208 WinHttpOpen
0x42020c WinHttpSetOption
0x420210 WinHttpReadData
0x420214 WinHttpOpenRequest
MSVCP90.dll
0x4200d8 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
0x4200dc ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
0x4200e0 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
0x4200e4 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
0x4200e8 ??_D?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
0x4200ec ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
0x4200f0 ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
0x4200f4 ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
msvcm90.dll
0x420224 ?RegisterModuleUninitializer@@@YAXP$AAVEventHandler@System@@@Z
0x420228 ?DoDllLanguageSupportValidation@@@YAXXZ
0x42022c ?ThrowModuleLoadException@@@YAXP$AAVString@System@@P$AAVException@3@@Z
0x420230 ?DoCallBackInDefaultDomain@@@YAXP6GJPAX@Z0@Z
0x420234 ?ThrowNestedModuleLoadException@@@YAXP$AAVException@System@@0@Z
0x420238 ?ThrowModuleLoadException@@@YAXP$AAVString@System@@@Z
mscoree.dll
0x42021c _CorExeMain
EAT(Export Address Table) is none
MSVCR90.dll
0x4200fc fwrite
0x420100 __CxxExceptionFilter
0x420104 __CxxRegisterExceptionObject
0x420108 __CxxDetectRethrow
0x42010c __CxxUnregisterExceptionObject
0x420110 memmove_s
0x420114 ??2@YAPAXI@Z
0x420118 _invalid_parameter_noinfo
0x42011c _CxxThrowException
0x420120 __CxxQueryExceptionSize
0x420124 calloc
0x420128 fclose
0x42012c _crt_debugger_hook
0x420130 _controlfp_s
0x420134 _invoke_watson
0x420138 _except_handler4_common
0x42013c _decode_pointer
0x420140 _onexit
0x420144 _lock
0x420148 __dllonexit
0x42014c _unlock
0x420150 ?_type_info_dtor_internal_method@type_info@@QAEXXZ
0x420154 ?terminate@@YAXXZ
0x420158 __set_app_type
0x42015c ??0exception@std@@QAE@XZ
0x420160 ??_V@YAXPAX@Z
0x420164 _encode_pointer
0x420168 __p__fmode
0x42016c __p__commode
0x420170 _adjust_fdiv
0x420174 __setusermatherr
0x420178 _encoded_null
0x42017c __FrameUnwindFilter
0x420180 sprintf
0x420184 free
0x420188 fread
0x42018c _configthreadlocale
0x420190 _initterm_e
0x420194 _initterm
0x420198 _wcmdln
0x42019c exit
0x4201a0 _XcptFilter
0x4201a4 _exit
0x4201a8 _cexit
0x4201ac __wgetmainargs
0x4201b0 _amsg_exit
0x4201b4 ??3@YAXPAX@Z
0x4201b8 ??0exception@std@@QAE@ABV01@@Z
0x4201bc ?what@exception@std@@UBEPBDXZ
0x4201c0 ??1exception@std@@UAE@XZ
0x4201c4 ??0exception@std@@QAE@ABQBD@Z
KERNEL32.dll
0x420048 CompareFileTime
0x42004c FileTimeToSystemTime
0x420050 GetSystemTimes
0x420054 GetSystemRegistryQuota
0x420058 ExitThread
0x42005c VirtualProtect
0x420060 GetModuleHandleA
0x420064 GetLastError
0x420068 LocalAlloc
0x42006c GetModuleHandleW
0x420070 SetLastError
0x420074 GetFileType
0x420078 LocalFileTimeToFileTime
0x42007c InterlockedExchange
0x420080 Sleep
0x420084 InterlockedCompareExchange
0x420088 GetStartupInfoW
0x42008c SetUnhandledExceptionFilter
0x420090 QueryPerformanceCounter
0x420094 GetTickCount
0x420098 GetCurrentThreadId
0x42009c GetCurrentProcessId
0x4200a0 GetSystemTimeAsFileTime
0x4200a4 TerminateProcess
0x4200a8 GetCurrentProcess
0x4200ac UnhandledExceptionFilter
0x4200b0 IsDebuggerPresent
0x4200b4 LoadLibraryW
0x4200b8 GetTapeParameters
0x4200bc IsProcessorFeaturePresent
0x4200c0 GetNativeSystemInfo
0x4200c4 GetSystemInfo
USER32.dll
0x4201d4 CreateWindowExA
0x4201d8 ShowWindow
0x4201dc UpdateWindow
0x4201e0 CreateCaret
0x4201e4 GetCursor
0x4201e8 AnyPopup
0x4201ec GetWindowTextLengthW
0x4201f0 GetWindowRect
0x4201f4 GetClientRect
0x4201f8 LoadIconW
0x4201fc AdjustWindowRect
GDI32.dll
0x420010 CreateDIBitmap
0x420014 CreateEllipticRgn
0x420018 SetPolyFillMode
0x42001c StretchBlt
0x420020 CreateDIBPatternBrush
0x420024 EndPath
0x420028 BitBlt
0x42002c PlayMetaFileRecord
0x420030 GetPath
0x420034 FillPath
0x420038 CreateDCA
0x42003c BeginPath
0x420040 CreateCompatibleBitmap
ADVAPI32.dll
0x420000 RegSetValueW
SHELL32.dll
0x4201cc DragAcceptFiles
MSIMG32.dll
0x4200cc AlphaBlend
0x4200d0 TransparentBlt
COMCTL32.dll
0x420008 None
WINHTTP.dll
0x420204 WinHttpConnect
0x420208 WinHttpOpen
0x42020c WinHttpSetOption
0x420210 WinHttpReadData
0x420214 WinHttpOpenRequest
MSVCP90.dll
0x4200d8 ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
0x4200dc ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
0x4200e0 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
0x4200e4 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
0x4200e8 ??_D?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
0x4200ec ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
0x4200f0 ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
0x4200f4 ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
msvcm90.dll
0x420224 ?RegisterModuleUninitializer@
0x420228 ?DoDllLanguageSupportValidation@
0x42022c ?ThrowModuleLoadException@
0x420230 ?DoCallBackInDefaultDomain@
0x420234 ?ThrowNestedModuleLoadException@
0x420238 ?ThrowModuleLoadException@
mscoree.dll
0x42021c _CorExeMain
EAT(Export Address Table) is none