ScreenShot
| Created | 2021.07.16 09:30 | Machine | s1_win7_x6401 |
| Filename | cl.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 45 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Unsafe, Tasker, aqff, EXOG, GenKryptik, FHLB, PWSX, Siggen14, Generic PWS, Krypt, Kryptik, sldev, Emotet, score, ai score=82, BScope, R002H07GA21, Mokes, CLASSIC, Static AI, Malicious PE, susgen, PossibleThreat, ZexaF, vyZ@ai2l@8ic, GdSda, confidence, HgIASYIA) | ||
| md5 | fb2fac4f3eab460c3cc7096625cf57d5 | ||
| sha256 | 878635996053b9013c9bcd849e18d33ea040ac7f47c6a1a2e62548e22328ae6f | ||
| ssdeep | 3072:0C5DVBGUN7ekuEE7ssgDDLRIgYj4X3Od4NzTUiiPlEfZKlYdkaiSP2eiLe8/Gq2F:0QBf2tALRhYMudfhtY3dkaiSP2Re8J2F | ||
| imphash | b8b2b78a5f013a637512b9c6c69edc79 | ||
| impfuzzy | 24:eDo+OovuPfheRd9iFQjERRvvEuUWyMsddT0TR8B4X:d1ZeRd9E8uyJduV8B4X | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | One or more potentially interesting buffers were extracted |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (12cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4521c8 GetLocalTime
0x4521cc GetSystemTime
0x4521d0 GetProcAddress
0x4521d4 LoadLibraryA
0x4521d8 SetStdHandle
0x4521dc GetLocaleInfoA
0x4521e0 GetModuleHandleA
0x4521e4 GetStartupInfoA
0x4521e8 GetCommandLineA
0x4521ec GetVersionExA
0x4521f0 DebugBreak
0x4521f4 RaiseException
0x4521f8 HeapFree
0x4521fc IsBadWritePtr
0x452200 IsBadReadPtr
0x452204 HeapValidate
0x452208 HeapAlloc
0x45220c TerminateProcess
0x452210 GetCurrentProcess
0x452214 ExitProcess
0x452218 UnhandledExceptionFilter
0x45221c GetModuleFileNameA
0x452220 FreeEnvironmentStringsA
0x452224 GetEnvironmentStrings
0x452228 FreeEnvironmentStringsW
0x45222c WideCharToMultiByte
0x452230 GetLastError
0x452234 GetEnvironmentStringsW
0x452238 SetHandleCount
0x45223c GetStdHandle
0x452240 GetFileType
0x452244 HeapDestroy
0x452248 HeapCreate
0x45224c VirtualFree
0x452250 RtlUnwind
0x452254 WriteFile
0x452258 GetProcessHeap
0x45225c CloseHandle
0x452260 FreeLibrary
0x452264 InterlockedDecrement
0x452268 OutputDebugStringA
0x45226c InterlockedIncrement
0x452270 VirtualAlloc
0x452274 HeapReAlloc
0x452278 GetCPInfo
0x45227c GetACP
0x452280 GetOEMCP
0x452284 VirtualQuery
0x452288 InterlockedExchange
0x45228c SetConsoleCtrlHandler
0x452290 MultiByteToWideChar
0x452294 GetStringTypeA
0x452298 GetStringTypeW
0x45229c QueryPerformanceCounter
0x4522a0 GetTickCount
0x4522a4 GetCurrentThreadId
0x4522a8 GetCurrentProcessId
0x4522ac GetSystemTimeAsFileTime
0x4522b0 LCMapStringA
0x4522b4 LCMapStringW
0x4522b8 SetFilePointer
0x4522bc VirtualProtect
0x4522c0 GetSystemInfo
0x4522c4 FlushFileBuffers
OLEAUT32.dll
0x452324 SysAllocStringByteLen
EAT(Export Address Table) is none
KERNEL32.dll
0x4521c8 GetLocalTime
0x4521cc GetSystemTime
0x4521d0 GetProcAddress
0x4521d4 LoadLibraryA
0x4521d8 SetStdHandle
0x4521dc GetLocaleInfoA
0x4521e0 GetModuleHandleA
0x4521e4 GetStartupInfoA
0x4521e8 GetCommandLineA
0x4521ec GetVersionExA
0x4521f0 DebugBreak
0x4521f4 RaiseException
0x4521f8 HeapFree
0x4521fc IsBadWritePtr
0x452200 IsBadReadPtr
0x452204 HeapValidate
0x452208 HeapAlloc
0x45220c TerminateProcess
0x452210 GetCurrentProcess
0x452214 ExitProcess
0x452218 UnhandledExceptionFilter
0x45221c GetModuleFileNameA
0x452220 FreeEnvironmentStringsA
0x452224 GetEnvironmentStrings
0x452228 FreeEnvironmentStringsW
0x45222c WideCharToMultiByte
0x452230 GetLastError
0x452234 GetEnvironmentStringsW
0x452238 SetHandleCount
0x45223c GetStdHandle
0x452240 GetFileType
0x452244 HeapDestroy
0x452248 HeapCreate
0x45224c VirtualFree
0x452250 RtlUnwind
0x452254 WriteFile
0x452258 GetProcessHeap
0x45225c CloseHandle
0x452260 FreeLibrary
0x452264 InterlockedDecrement
0x452268 OutputDebugStringA
0x45226c InterlockedIncrement
0x452270 VirtualAlloc
0x452274 HeapReAlloc
0x452278 GetCPInfo
0x45227c GetACP
0x452280 GetOEMCP
0x452284 VirtualQuery
0x452288 InterlockedExchange
0x45228c SetConsoleCtrlHandler
0x452290 MultiByteToWideChar
0x452294 GetStringTypeA
0x452298 GetStringTypeW
0x45229c QueryPerformanceCounter
0x4522a0 GetTickCount
0x4522a4 GetCurrentThreadId
0x4522a8 GetCurrentProcessId
0x4522ac GetSystemTimeAsFileTime
0x4522b0 LCMapStringA
0x4522b4 LCMapStringW
0x4522b8 SetFilePointer
0x4522bc VirtualProtect
0x4522c0 GetSystemInfo
0x4522c4 FlushFileBuffers
OLEAUT32.dll
0x452324 SysAllocStringByteLen
EAT(Export Address Table) is none