ScreenShot
| Created | 2021.07.21 09:40 | Machine | s1_win7_x6403 |
| Filename | Churner.dll | ||
| Type | PE32+ executable (DLL) (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 2 detected (malicious, confidence) | ||
| md5 | f7092de5f32c0df837fa7f947a3424af | ||
| sha256 | 97adb1700858b74f456f5cf681b0421d0be50e3aed1adea3d1b9694295723700 | ||
| ssdeep | 384:fNgTN1L4erYZRu8qq4qjcNePF1ZlhPNZ//ILIbkbzdCgyfshGXGfZNG:OOwuR/8Tm17h1ZH3Lgy0hG8NG | ||
| imphash | d217ef27b765ec22286b5aace47f044d | ||
| impfuzzy | 6:6XyWDxTlb4ETOEGDa/JG2CSdMhTQuuwizCMREcJ8iPEcJ59:ADxW/Dao27Xu2XJXPXJX | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | File has been identified by 2 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ole32.dll
0x180002070 CoIsHandlerConnected
KERNEL32.dll
0x180002000 RtlCaptureContext
0x180002008 TerminateProcess
0x180002010 GetProcAddress
0x180002018 LocalAlloc
0x180002020 ReleaseSemaphore
0x180002028 GetModuleHandleW
0x180002030 VirtualUnlock
0x180002038 IsProcessorFeaturePresent
0x180002040 RtlLookupFunctionEntry
0x180002048 RtlVirtualUnwind
0x180002050 UnhandledExceptionFilter
0x180002058 SetUnhandledExceptionFilter
0x180002060 GetCurrentProcess
EAT(Export Address Table) Library
0x180001010 biocpl
ole32.dll
0x180002070 CoIsHandlerConnected
KERNEL32.dll
0x180002000 RtlCaptureContext
0x180002008 TerminateProcess
0x180002010 GetProcAddress
0x180002018 LocalAlloc
0x180002020 ReleaseSemaphore
0x180002028 GetModuleHandleW
0x180002030 VirtualUnlock
0x180002038 IsProcessorFeaturePresent
0x180002040 RtlLookupFunctionEntry
0x180002048 RtlVirtualUnwind
0x180002050 UnhandledExceptionFilter
0x180002058 SetUnhandledExceptionFilter
0x180002060 GetCurrentProcess
EAT(Export Address Table) Library
0x180001010 biocpl