ScreenShot
| Created | 2021.06.25 10:48 | Machine | s1_win7_x6402 |
| Filename | j79.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 48 detected (AIDetect, malware1, Mikey, Trojanpws, Zbot, Unsafe, Cutwail, malicious, ZexaF, eqW@aGXG9cgi, NWZI, Attribute, HighConfidence, AXJU, Waski, R002C0DFJ21, AUID, Androm, Hacktool, ArchSMS, m1fO, Wqxj, Upatre, PWSZbot, Static AI, Malicious PE, Score, AGEN, ai score=100, Wonton, GdSda, confidence) | ||
| md5 | 6b8f35c0e97b6387f6de945afdb59a42 | ||
| sha256 | 4560cd213d514c8edbea06e666c7d0b000ed0ded3df0b2692481714573fe07b5 | ||
| ssdeep | 1536:cW/Xd0Hspd2ebsVHHj4RTh7FCVDrCvcrvE:3Fpd9sVnj4qCvcr | ||
| imphash | 898a336581ffc4ba49eac71fc5cbe4d9 | ||
| impfuzzy | 48:EnB3Tl/1uXSe445oFnL/ZA0QkuhxWqlEfcn:krtHMxBlEfcn | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Collects information to fingerprint the system (MachineGuid |
| info | The executable uses a known packer |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
USER32.dll
0x40d0d8 ShowWindow
0x40d0dc PostQuitMessage
0x40d0e0 GetMessageA
0x40d0e4 DispatchMessageA
0x40d0e8 CreateWindowExA
0x40d0ec DefWindowProcA
0x40d0f0 MessageBoxA
0x40d0f4 SendMessageA
0x40d0f8 LoadIconA
0x40d0fc LoadCursorA
0x40d100 GetDC
0x40d104 ReleaseDC
0x40d108 SetForegroundWindow
0x40d10c GetSystemMetrics
0x40d110 MonitorFromWindow
0x40d114 GetMenuState
0x40d118 IsIconic
0x40d11c RegisterClassA
0x40d120 SetWindowLongA
KERNEL32.dll
0x40d000 TlsAlloc
0x40d004 InterlockedIncrement
0x40d008 InterlockedDecrement
0x40d00c GetStringTypeW
0x40d010 GetStringTypeA
0x40d014 LCMapStringW
0x40d018 LCMapStringA
0x40d01c MultiByteToWideChar
0x40d020 LoadLibraryA
0x40d024 GetProcAddress
0x40d028 lstrcmpA
0x40d02c FindNextFileA
0x40d030 FindClose
0x40d034 FindFirstFileA
0x40d038 GetModuleHandleA
0x40d03c GetStartupInfoA
0x40d040 GetCommandLineA
0x40d044 GetVersion
0x40d048 ExitProcess
0x40d04c TerminateProcess
0x40d050 GetCurrentProcess
0x40d054 UnhandledExceptionFilter
0x40d058 GetModuleFileNameA
0x40d05c FreeEnvironmentStringsA
0x40d060 FreeEnvironmentStringsW
0x40d064 WideCharToMultiByte
0x40d068 GetEnvironmentStrings
0x40d06c GetEnvironmentStringsW
0x40d070 SetHandleCount
0x40d074 GetStdHandle
0x40d078 GetFileType
0x40d07c GetCurrentThreadId
0x40d080 TlsSetValue
0x40d084 SetLastError
0x40d088 TlsGetValue
0x40d08c GetLastError
0x40d090 GetEnvironmentVariableA
0x40d094 GetVersionExA
0x40d098 HeapDestroy
0x40d09c HeapCreate
0x40d0a0 VirtualFree
0x40d0a4 HeapFree
0x40d0a8 RtlUnwind
0x40d0ac WriteFile
0x40d0b0 InitializeCriticalSection
0x40d0b4 EnterCriticalSection
0x40d0b8 LeaveCriticalSection
0x40d0bc GetCPInfo
0x40d0c0 GetACP
0x40d0c4 GetOEMCP
0x40d0c8 HeapAlloc
0x40d0cc VirtualAlloc
0x40d0d0 HeapReAlloc
EAT(Export Address Table) is none
USER32.dll
0x40d0d8 ShowWindow
0x40d0dc PostQuitMessage
0x40d0e0 GetMessageA
0x40d0e4 DispatchMessageA
0x40d0e8 CreateWindowExA
0x40d0ec DefWindowProcA
0x40d0f0 MessageBoxA
0x40d0f4 SendMessageA
0x40d0f8 LoadIconA
0x40d0fc LoadCursorA
0x40d100 GetDC
0x40d104 ReleaseDC
0x40d108 SetForegroundWindow
0x40d10c GetSystemMetrics
0x40d110 MonitorFromWindow
0x40d114 GetMenuState
0x40d118 IsIconic
0x40d11c RegisterClassA
0x40d120 SetWindowLongA
KERNEL32.dll
0x40d000 TlsAlloc
0x40d004 InterlockedIncrement
0x40d008 InterlockedDecrement
0x40d00c GetStringTypeW
0x40d010 GetStringTypeA
0x40d014 LCMapStringW
0x40d018 LCMapStringA
0x40d01c MultiByteToWideChar
0x40d020 LoadLibraryA
0x40d024 GetProcAddress
0x40d028 lstrcmpA
0x40d02c FindNextFileA
0x40d030 FindClose
0x40d034 FindFirstFileA
0x40d038 GetModuleHandleA
0x40d03c GetStartupInfoA
0x40d040 GetCommandLineA
0x40d044 GetVersion
0x40d048 ExitProcess
0x40d04c TerminateProcess
0x40d050 GetCurrentProcess
0x40d054 UnhandledExceptionFilter
0x40d058 GetModuleFileNameA
0x40d05c FreeEnvironmentStringsA
0x40d060 FreeEnvironmentStringsW
0x40d064 WideCharToMultiByte
0x40d068 GetEnvironmentStrings
0x40d06c GetEnvironmentStringsW
0x40d070 SetHandleCount
0x40d074 GetStdHandle
0x40d078 GetFileType
0x40d07c GetCurrentThreadId
0x40d080 TlsSetValue
0x40d084 SetLastError
0x40d088 TlsGetValue
0x40d08c GetLastError
0x40d090 GetEnvironmentVariableA
0x40d094 GetVersionExA
0x40d098 HeapDestroy
0x40d09c HeapCreate
0x40d0a0 VirtualFree
0x40d0a4 HeapFree
0x40d0a8 RtlUnwind
0x40d0ac WriteFile
0x40d0b0 InitializeCriticalSection
0x40d0b4 EnterCriticalSection
0x40d0b8 LeaveCriticalSection
0x40d0bc GetCPInfo
0x40d0c0 GetACP
0x40d0c4 GetOEMCP
0x40d0c8 HeapAlloc
0x40d0cc VirtualAlloc
0x40d0d0 HeapReAlloc
EAT(Export Address Table) is none