Field | Value |
---|---|
Created | 2021.07.31 13:43 |
Machine | s1_win7_x6403 |
Filename | 07-20-21INVOICES.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 26 detected (AIDetect, malware1, malicious, high confidence, score, Unsafe, Save, confidence, Emotet, Eldorado, Kryptik, HLWV, Convagent, PWSX, susgen, Azorult, CLASSIC, Static AI, Malicious PE, ZexaF, TvW@a05AFodG, QVM10) |
md5 | bdcdb05af6a2ac95bb13857ab6b6debc |
sha256 | 09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767 |
ssdeep | 49152:7jr8QuQLqpb0/udMUNPlam4t1Uyru4YNsbN:7nhuQWb0/uWUNPlL4t1dNYUN |
imphash | 39acbbcf6426a89e2dc936bbf317bfd5 |
impfuzzy | 48:hVPBHkQ8VdPYEQIIsOSYhKaEBcU9ft3Uc+LbXpU:hsP/pIsmREBcCft3Uc+LbXpU |
Network IP location
Signature (21 counts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Executed a process and injected code into it |
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | A process attempted to delay the analysis task |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Creates a windows hook that monitors keyboard input (keylogger) |
watch | Installs a hook procedure to monitor for mouse events |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Connects to a Dynamic DNS Domain |
notice | Foreign language identified in PE resource |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | This executable has a PDB path |
Rules (13 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x421008 UnregisterWait
0x42100c GetFileSize
0x421010 GetNativeSystemInfo
0x421014 SetFilePointer
0x421018 GetConsoleAliasesLengthW
0x42101c CopyFileExW
0x421020 SetLocalTime
0x421024 InterlockedIncrement
0x421028 VerSetConditionMask
0x42102c InterlockedDecrement
0x421030 ZombifyActCtx
0x421034 CompareFileTime
0x421038 GetSystemWindowsDirectoryW
0x42103c SetEnvironmentVariableW
0x421040 GlobalLock
0x421044 SetConsoleScreenBufferSize
0x421048 WriteConsoleInputA
0x42104c SetComputerNameW
0x421050 FreeEnvironmentStringsA
0x421054 VirtualFree
0x421058 SetProcessPriorityBoost
0x42105c ActivateActCtx
0x421060 FindResourceExA
0x421064 LoadLibraryW
0x421068 GetConsoleAliasExesLengthW
0x42106c GetComputerNameExA
0x421070 CreateSemaphoreA
0x421074 GetFileAttributesW
0x421078 GetBinaryTypeA
0x42107c EnumResourceNamesW
0x421080 GetOverlappedResult
0x421084 CompareStringW
0x421088 lstrlenW
0x42108c InterlockedExchange
0x421090 SetCurrentDirectoryA
0x421094 GetStartupInfoA
0x421098 GetCPInfoExW
0x42109c OpenMutexW
0x4210a0 GetCurrentDirectoryW
0x4210a4 GetProcAddress
0x4210a8 CreateNamedPipeA
0x4210ac WriteProfileSectionA
0x4210b0 ReadFileEx
0x4210b4 SetStdHandle
0x4210b8 DisableThreadLibraryCalls
0x4210bc GetPrivateProfileStringA
0x4210c0 LoadLibraryA
0x4210c4 GetConsoleScreenBufferInfo
0x4210c8 LocalAlloc
0x4210cc PostQueuedCompletionStatus
0x4210d0 FindAtomA
0x4210d4 WriteProfileStringW
0x4210d8 FatalAppExitA
0x4210dc GetVersionExA
0x4210e0 TlsAlloc
0x4210e4 DeleteFileW
0x4210e8 LCMapStringW
0x4210ec AreFileApisANSI
0x4210f0 ReadFile
0x4210f4 GetComputerNameA
0x4210f8 GetLastError
0x4210fc MoveFileA
0x421100 GetCommandLineA
0x421104 HeapValidate
0x421108 IsBadReadPtr
0x42110c RaiseException
0x421110 EnterCriticalSection
0x421114 LeaveCriticalSection
0x421118 SetHandleCount
0x42111c GetStdHandle
0x421120 GetFileType
0x421124 DeleteCriticalSection
0x421128 TerminateProcess
0x42112c GetCurrentProcess
0x421130 UnhandledExceptionFilter
0x421134 SetUnhandledExceptionFilter
0x421138 IsDebuggerPresent
0x42113c GetModuleFileNameW
0x421140 GetACP
0x421144 GetOEMCP
0x421148 GetCPInfo
0x42114c IsValidCodePage
0x421150 TlsGetValue
0x421154 GetModuleHandleW
0x421158 TlsSetValue
0x42115c GetCurrentThreadId
0x421160 TlsFree
0x421164 SetLastError
0x421168 QueryPerformanceCounter
0x42116c GetTickCount
0x421170 GetCurrentProcessId
0x421174 GetSystemTimeAsFileTime
0x421178 Sleep
0x42117c ExitProcess
0x421180 GetModuleFileNameA
0x421184 GetEnvironmentStrings
0x421188 FreeEnvironmentStringsW
0x42118c WideCharToMultiByte
0x421190 GetEnvironmentStringsW
0x421194 HeapDestroy
0x421198 HeapCreate
0x42119c HeapFree
0x4211a0 WriteFile
0x4211a4 HeapAlloc
0x4211a8 HeapSize
0x4211ac HeapReAlloc
0x4211b0 VirtualAlloc
0x4211b4 RtlUnwind
0x4211b8 GetConsoleCP
0x4211bc GetConsoleMode
0x4211c0 InitializeCriticalSectionAndSpinCount
0x4211c4 DebugBreak
0x4211c8 OutputDebugStringA
0x4211cc WriteConsoleW
0x4211d0 OutputDebugStringW
0x4211d4 MultiByteToWideChar
0x4211d8 GetStringTypeA
0x4211dc GetStringTypeW
0x4211e0 GetModuleHandleA
0x4211e4 LCMapStringA
0x4211e8 GetLocaleInfoA
0x4211ec FlushFileBuffers
0x4211f0 WriteConsoleA
0x4211f4 GetConsoleOutputCP
0x4211f8 CloseHandle
0x4211fc CreateFileA
GDI32.dll
0x421000 GetBoundsRect
WINHTTP.dll
0x421204 WinHttpOpen
EAT (Export Address Table): none