ScreenShot
| Created | 2021.07.13 09:51 | Machine | s1_win7_x6402 |
| Filename | BIOPASS RAT.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 35 detected (GenericKD, Unsafe, Starter, Save, ZexaF, c0Y@aeKsmzk, Attribute, HighConfidence, a variant of Python, Malicious, Malware@#1sjf5b5dnwfmg, Artemis, Ymacco, score, ai score=89, BScope, Wacatac, R002H0CDN21, Outbreak, susgen) | ||
| md5 | eb66dcd416436e0589a4e4db48c6deaf | ||
| sha256 | b5a16fb25a6b38547680cbfd3a21cc29621c28c3929e4552bb37834655456977 | ||
| ssdeep | 768:71j+R1sS3tYjiCYSEqbKXUFfBj78vXe8Nl:5yBDCYSz2Xcqvx | ||
| imphash | 7b18bad21b02595a7ab1d21c0a96eaf4 | ||
| impfuzzy | 12:YRJRxr5TZnJCWiiARZqRJhPPXJNiXJcqVzJGX5XGXKYIk6lTpJqJiZC5S:8fx91JmncJ9enEX5XGKkoDqoZCM | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| notice | A process created a hidden window |
| info | Checks amount of memory in system |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40612c DeleteCriticalSection
0x406130 EnterCriticalSection
0x406134 GetConsoleWindow
0x406138 GetCurrentProcess
0x40613c GetCurrentProcessId
0x406140 GetCurrentThreadId
0x406144 GetLastError
0x406148 GetStartupInfoA
0x40614c GetSystemTimeAsFileTime
0x406150 GetTickCount
0x406154 InitializeCriticalSection
0x406158 LeaveCriticalSection
0x40615c QueryPerformanceCounter
0x406160 SetUnhandledExceptionFilter
0x406164 Sleep
0x406168 TerminateProcess
0x40616c TlsGetValue
0x406170 UnhandledExceptionFilter
0x406174 VirtualProtect
0x406178 VirtualQuery
msvcrt.dll
0x406180 __getmainargs
0x406184 __initenv
0x406188 __lconv_init
0x40618c __p__acmdln
0x406190 __p__fmode
0x406194 __set_app_type
0x406198 __setusermatherr
0x40619c _amsg_exit
0x4061a0 _cexit
0x4061a4 _initterm
0x4061a8 _iob
0x4061ac _onexit
0x4061b0 abort
0x4061b4 calloc
0x4061b8 exit
0x4061bc fprintf
0x4061c0 free
0x4061c4 fwrite
0x4061c8 malloc
0x4061cc memcpy
0x4061d0 signal
0x4061d4 strlen
0x4061d8 strncmp
0x4061dc vfprintf
SHELL32.dll
0x4061e4 ShellExecuteA
USER32.dll
0x4061ec ShowWindow
EAT(Export Address Table) is none
KERNEL32.dll
0x40612c DeleteCriticalSection
0x406130 EnterCriticalSection
0x406134 GetConsoleWindow
0x406138 GetCurrentProcess
0x40613c GetCurrentProcessId
0x406140 GetCurrentThreadId
0x406144 GetLastError
0x406148 GetStartupInfoA
0x40614c GetSystemTimeAsFileTime
0x406150 GetTickCount
0x406154 InitializeCriticalSection
0x406158 LeaveCriticalSection
0x40615c QueryPerformanceCounter
0x406160 SetUnhandledExceptionFilter
0x406164 Sleep
0x406168 TerminateProcess
0x40616c TlsGetValue
0x406170 UnhandledExceptionFilter
0x406174 VirtualProtect
0x406178 VirtualQuery
msvcrt.dll
0x406180 __getmainargs
0x406184 __initenv
0x406188 __lconv_init
0x40618c __p__acmdln
0x406190 __p__fmode
0x406194 __set_app_type
0x406198 __setusermatherr
0x40619c _amsg_exit
0x4061a0 _cexit
0x4061a4 _initterm
0x4061a8 _iob
0x4061ac _onexit
0x4061b0 abort
0x4061b4 calloc
0x4061b8 exit
0x4061bc fprintf
0x4061c0 free
0x4061c4 fwrite
0x4061c8 malloc
0x4061cc memcpy
0x4061d0 signal
0x4061d4 strlen
0x4061d8 strncmp
0x4061dc vfprintf
SHELL32.dll
0x4061e4 ShellExecuteA
USER32.dll
0x4061ec ShowWindow
EAT(Export Address Table) is none