Field | Value |
---|---|
Created | 2021.07.20 20:43 |
Machine | s1_win7_x6401 |
Filename | neww.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 28 detected (AIDetect, malware1, malicious, high confidence, Ulise, Unsafe, ZexaF, qiZ@aqLTLFg, Kryptik, Eldorado, Attribute, HighConfidence, GenKryptik, FHSC, Noon, PWSX, Generic@ML, RDML, jVijBh6+yscG94Eks4HMnw, Static AI, Suspicious PE, Wacatac, score, ai score=82, General, HIBR, confidence, 100%, QVM20) |
md5 | 928ec247e6f6cd246851bfab7a7154fb |
sha256 | ebcb11c34621fb23b52cd1525f932bf3eb550359547518805b6db9da1698a6da |
ssdeep | 6144:SQbSnYgZbTL1QNCVQAE12yeFwtLQgJlugDRe4JlTQBUrtr:SKSY8TL20+AQ2y/t9ugDRe4JliC |
imphash | f45f4bccd20f0a7ca0fccc38d235a8f2 |
impfuzzy | 24:XjbG0+ehu2LHbAak7IXblgmVqBbkEDXcrsZlE4f9wMKYFWKJr+Rjrbeu9B3LN4qe:HG0+ehuudk8L6ioIr2rf+Mn+LTrp4JH |
Signature (11cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
ole32.dll
0x4030b8 CoInstall
urlmon.dll
0x4030c0 CreateFormatEnumerator
0x4030c4 RevokeBindStatusCallback
0x4030c8 ObtainUserAgentString
0x4030cc CreateAsyncBindCtxEx
0x4030d0 FindMediaTypeClass
0x4030d4 CoInternetCombineUrl
0x4030d8 CreateURLMoniker
0x4030dc RegisterMediaTypeClass
0x4030e0 CoInternetCompareUrl
0x4030e4 MkParseDisplayNameEx
0x4030e8 CoInternetGetSecurityUrl
WINMM.dll
0x403054 mixerGetLineControlsW
0x403058 DriverCallback
0x40305c joySetCapture
0x403060 mixerGetDevCapsW
0x403064 midiOutGetID
0x403068 mmioRenameW
0x40306c mmioGetInfo
0x403070 midiOutSetVolume
WINSPOOL.DRV
0x403078 GetPrinterA
0x40307c EnumPrintProcessorDatatypesA
0x403080 None
0x403084 AddPrintProvidorW
0x403088 DeletePrinterDriverExA
0x40308c OpenPrinterA
0x403090 AddPrinterConnectionA
dbghelp.dll
0x4030b0 SymLoadModule64
MSVFW32.dll
0x403010 DrawDibChangePalette
0x403014 DrawDibGetPalette
0x403018 ICOpenFunction
AVIFIL32.dll
0x403000 AVIFileRelease
0x403004 IID_IAVIStream
0x403008 EditStreamClone
WS2_32.dll
0x403098 WSAAsyncGetHostByName
0x40309c accept
0x4030a0 WSAGetLastError
0x4030a4 recv
0x4030a8 connect
RPCRT4.dll
0x403020 NdrMesSimpleTypeEncode
0x403024 NdrClientInitializeNew
0x403028 UuidIsNil
0x40302c RpcEpResolveBinding
0x403030 RpcMgmtInqStats
0x403034 RpcEpUnregister
0x403038 NdrXmitOrRepAsUnmarshall
0x40303c NdrMesProcEncodeDecode
0x403040 I_RpcReallocPipeBuffer
0x403044 I_RpcTransConnectionReallocPacket
0x403048 NdrEncapsulatedUnionFree
0x40304c I_RpcTransDatagramAllocate2
EAT (Export Address Table) is none