Field | Value |
---|---|
Created | 2021.06.29 10:31 |
Machine | s1_win7_x6401 |
Filename | 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 59 detected (AIDetect, malware1, malicious, high confidence, Stantinko, NetFilter, Redcap, Razy, GXDA, score, Dwju, Malware@#wv4raa3b2g59, DownLoader38, FETNILTER, Gorf, dfmd, npxau, ai score=88, ASMalwS, kcloud, Ransomware, Unsafe, CLASSIC, Hl39d0P, Static AI, Suspicious PE, InvalidSig, GdSda, confidence, 100%, susgen) |
md5 | 145e3c224e4ecaf26d4638efb9d622a7 |
sha256 | 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89 |
ssdeep | 6144:+zhRwaGlf2ofbRuNPMxJZWWXR6UVUmxTOdbRnveIks9HRizWtlJVv:+zLE3TRuNP8cU0UVUCINWns9QW/JVv |
imphash | 70621d2ef55d2dd65a1fa41928fe3d0f |
impfuzzy | 48:Uk1pXOeCKx361AlhHOGcJOugpZqTE+GgVhre:53XTCKI1+hHOGcguAmfC |
Network IP location
Signature (13cnts)
Level | Description |
---|---|
danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
warning | Stops Windows services |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Loads a driver |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | An executable file was downloaded by the process 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Command line console output was observed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | MAL_Netfilter_Dropper_Jun_2021_1 | Detect the dropper of Netfilter rootkit | binaries (download) |
danger | MAL_Netfilter_Dropper_Jun_2021_1 | Detect the dropper of Netfilter rootkit | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (2cnts)
Suricata IDS
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x4850d0 CloseHandle
0x4850d4 CompareStringW
0x4850d8 CreateFileA
0x4850dc CreateFileW
0x4850e0 CreateWaitableTimerA
0x4850e4 DecodePointer
0x4850e8 DeleteCriticalSection
0x4850ec DeleteFileA
0x4850f0 EnterCriticalSection
0x4850f4 ExitProcess
0x4850f8 FindClose
0x4850fc FindFirstFileExW
0x485100 FindNextFileW
0x485104 FlushFileBuffers
0x485108 FreeEnvironmentStringsW
0x48510c FreeLibrary
0x485110 GetACP
0x485114 GetCPInfo
0x485118 GetCommandLineA
0x48511c GetCommandLineW
0x485120 GetConsoleMode
0x485124 GetConsoleOutputCP
0x485128 GetCurrentProcess
0x48512c GetCurrentProcessId
0x485130 GetCurrentThreadId
0x485134 GetEnvironmentStringsW
0x485138 GetFileType
0x48513c GetLastError
0x485140 GetModuleFileNameW
0x485144 GetModuleHandleA
0x485148 GetModuleHandleExW
0x48514c GetModuleHandleW
0x485150 GetOEMCP
0x485154 GetProcAddress
0x485158 GetProcessHeap
0x48515c GetStartupInfoW
0x485160 GetStdHandle
0x485164 GetStringTypeW
0x485168 GetSystemTimeAsFileTime
0x48516c HeapAlloc
0x485170 HeapFree
0x485174 HeapReAlloc
0x485178 HeapSize
0x48517c InitializeCriticalSectionAndSpinCount
0x485180 InitializeSListHead
0x485184 IsDebuggerPresent
0x485188 IsProcessorFeaturePresent
0x48518c IsValidCodePage
0x485190 LCMapStringW
0x485194 LeaveCriticalSection
0x485198 LoadLibraryExW
0x48519c MultiByteToWideChar
0x4851a0 OpenFile
0x4851a4 QueryPerformanceCounter
0x4851a8 RaiseException
0x4851ac RtlUnwind
0x4851b0 SetEnvironmentVariableW
0x4851b4 SetFilePointerEx
0x4851b8 SetLastError
0x4851bc SetStdHandle
0x4851c0 SetUnhandledExceptionFilter
0x4851c4 SetWaitableTimer
0x4851c8 Sleep
0x4851cc TerminateProcess
0x4851d0 TlsAlloc
0x4851d4 TlsFree
0x4851d8 TlsGetValue
0x4851dc TlsSetValue
0x4851e0 UnhandledExceptionFilter
0x4851e4 WaitForSingleObject
0x4851e8 WideCharToMultiByte
0x4851ec WriteConsoleW
0x4851f0 WriteFile
0x4851f4 lstrlenW
SHELL32.dll
0x4851fc SHGetSpecialFolderPathA
0x485200 ShellExecuteExA
ADVAPI32.dll
0x485208 AdjustTokenPrivileges
0x48520c LookupPrivilegeValueW
0x485210 OpenProcessToken
0x485214 RegCloseKey
0x485218 RegCreateKeyExW
0x48521c RegQueryValueExW
USER32.dll
0x485224 DispatchMessageA
0x485228 MsgWaitForMultipleObjects
0x48522c PeekMessageA
0x485230 TranslateMessage
0x485234 wsprintfA
ntdll.dll
0x48523c NtLoadDriver
WININET.dll
0x485244 HttpOpenRequestA
0x485248 HttpQueryInfoA
0x48524c HttpSendRequestA
0x485250 InternetCloseHandle
0x485254 InternetConnectA
0x485258 InternetCrackUrlA
0x48525c InternetOpenA
0x485260 InternetReadFile
EAT (Export Address Table) is none