ScreenShot
Field | Value |
---|---|
Created | 2021.08.04 17:31 |
Machine | s1_win7_x6403 |
Filename | student-cctv-video(private).exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 43 detected (AIDetect, malware1, NetWiredRC, malicious, high confidence, Johnnie, NetWire, HgIASZYA, Save, MDZV, Attribute, HighConfidence, TRICKBOT, nbefz, ai score=81, Woreflint, score, Artemis, BScope, Unsafe, Wvkl, Static AI, Malicious PE, ZexaF, wu0@auw5GCdi, GdSda, confidence, susgen) |
md5 | dbd37b8c044a27ec8008c6489231075f |
sha256 | 5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a |
ssdeep | 6144:ZlfjLIs254Cz4FatkOAOqQxM3QLylFzk8x2dQ325Y/XDzQsFv:Z9jLIs25BrxM3+yHY84dQmGzz7F |
imphash | 7987728ab4833eef53b128d3c56918f3 |
impfuzzy | 24:BdGBrDS2jcpVWcstrS1CMdlJBl39RUOovbOxvJkFZYjMRjiCEZHu9Kw3M:fkSQcpV5strS1CMDpD3RaFZUuM |
Network IP location
Signature (19cnts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (23cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | infoStealer_browser_Zero | browser info stealer | memory |
warning | infoStealer_emailClients_Zero | email clients info stealer | memory |
watch | Chrome_User_Data_Check_Zero | Google Chrome User Data Check | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Win_Trojan_agentTesla_Zero | Win.Trojan.agentTesla | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x420000 GetModuleFileNameA
0x420004 VirtualProtect
0x420008 GetCurrentProcess
0x42000c LoadLibraryExA
0x420010 VirtualAllocExNuma
0x420014 Sleep
0x420018 GetTickCount64
0x42001c GetSystemInfo
0x420020 LoadLibraryW
0x420024 GetThreadContext
0x420028 GetProcAddress
0x42002c VirtualAllocEx
0x420030 ExitProcess
0x420034 GlobalMemoryStatusEx
0x420038 GetConsoleWindow
0x42003c WriteConsoleW
0x420040 HeapSize
0x420044 CreateFileW
0x420048 SetStdHandle
0x42004c WideCharToMultiByte
0x420050 EnterCriticalSection
0x420054 LeaveCriticalSection
0x420058 InitializeCriticalSectionEx
0x42005c DeleteCriticalSection
0x420060 EncodePointer
0x420064 DecodePointer
0x420068 MultiByteToWideChar
0x42006c LCMapStringEx
0x420070 GetStringTypeW
0x420074 GetCPInfo
0x420078 UnhandledExceptionFilter
0x42007c SetUnhandledExceptionFilter
0x420080 TerminateProcess
0x420084 IsProcessorFeaturePresent
0x420088 IsDebuggerPresent
0x42008c GetStartupInfoW
0x420090 GetModuleHandleW
0x420094 QueryPerformanceCounter
0x420098 GetCurrentProcessId
0x42009c GetCurrentThreadId
0x4200a0 GetSystemTimeAsFileTime
0x4200a4 InitializeSListHead
0x4200a8 RtlUnwind
0x4200ac RaiseException
0x4200b0 GetLastError
0x4200b4 SetLastError
0x4200b8 InitializeCriticalSectionAndSpinCount
0x4200bc TlsAlloc
0x4200c0 TlsGetValue
0x4200c4 TlsSetValue
0x4200c8 TlsFree
0x4200cc FreeLibrary
0x4200d0 LoadLibraryExW
0x4200d4 GetModuleHandleExW
0x4200d8 GetModuleFileNameW
0x4200dc GetStdHandle
0x4200e0 WriteFile
0x4200e4 GetCommandLineA
0x4200e8 GetCommandLineW
0x4200ec GetFileSizeEx
0x4200f0 SetFilePointerEx
0x4200f4 GetFileType
0x4200f8 HeapAlloc
0x4200fc HeapFree
0x420100 CompareStringW
0x420104 LCMapStringW
0x420108 GetLocaleInfoW
0x42010c IsValidLocale
0x420110 GetUserDefaultLCID
0x420114 EnumSystemLocalesW
0x420118 FlushFileBuffers
0x42011c GetConsoleCP
0x420120 GetConsoleMode
0x420124 CloseHandle
0x420128 WaitForSingleObject
0x42012c GetExitCodeProcess
0x420130 CreateProcessW
0x420134 GetFileAttributesExW
0x420138 ReadFile
0x42013c ReadConsoleW
0x420140 HeapReAlloc
0x420144 FindClose
0x420148 FindFirstFileExW
0x42014c FindNextFileW
0x420150 IsValidCodePage
0x420154 GetACP
0x420158 GetOEMCP
0x42015c GetEnvironmentStringsW
0x420160 FreeEnvironmentStringsW
0x420164 SetEnvironmentVariableW
0x420168 GetProcessHeap
0x42016c SetEndOfFile
USER32.dll
0x420174 MessageBoxA
0x420178 ShowWindow
EAT(Export Address Table) is none