| Field | Value |
|---|---|
| Created | 2021.08.13 10:19 |
| Machine | s1_win7_x6401 |
| Filename | b4cfc49d647ebeffb99579dbd4be2a4ca779e3d36b60656aaa9d616ac343e991 |
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file: clean |
| VT API (file) | 19 detected (Shelma, Malicious, FileRepMetagen, UMal, ziapx@0, Artemis, Outbreak, PatchedWinSwrort, njyhr, kcloud, Sabsik, score, susgen) |
| md5 | b594afc619b7f19b04c125b093ddb099 |
| sha256 | b4cfc49d647ebeffb99579dbd4be2a4ca779e3d36b60656aaa9d616ac343e991 |
| ssdeep | 24576:lR5N5YQjiT5MEiIoSFfxnqq+/BIBRo/OWhUpH/f0HLa8q16:dH1jMJiIoMJnqq+/BIztx8He8q1 |
| imphash | 4035d2883e01d64f3e7a9dccb1d63af5 |
| impfuzzy | 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6UP:K5O+VAXOmGx0nP |
Signature (5 counts)

| Level | Description |
|---|---|
| watch | Detects the presence of Wine emulator |
| watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7 counts)

| Level | Name | Description | Collection |
|---|---|---|---|
| danger | CobaltStrike_IN | CobaltStrike | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0 counts)

| Request | CC | ASN Co | IP4 | Rule | ZERO |
|---|---|---|---|---|---|
Suricata ids
PE API

IAT (Import Address Table)
Library: kernel32.dll

| Address | Function |
|---|---|
| 0x63d020 | WriteFile |
| 0x63d028 | WriteConsoleW |
| 0x63d030 | WaitForMultipleObjects |
| 0x63d038 | WaitForSingleObject |
| 0x63d040 | VirtualQuery |
| 0x63d048 | VirtualFree |
| 0x63d050 | VirtualAlloc |
| 0x63d058 | SwitchToThread |
| 0x63d060 | SuspendThread |
| 0x63d068 | Sleep |
| 0x63d070 | SetWaitableTimer |
| 0x63d078 | SetUnhandledExceptionFilter |
| 0x63d080 | SetProcessPriorityBoost |
| 0x63d088 | SetEvent |
| 0x63d090 | SetErrorMode |
| 0x63d098 | SetConsoleCtrlHandler |
| 0x63d0a0 | ResumeThread |
| 0x63d0a8 | PostQueuedCompletionStatus |
| 0x63d0b0 | LoadLibraryA |
| 0x63d0b8 | LoadLibraryW |
| 0x63d0c0 | SetThreadContext |
| 0x63d0c8 | GetThreadContext |
| 0x63d0d0 | GetSystemInfo |
| 0x63d0d8 | GetSystemDirectoryA |
| 0x63d0e0 | GetStdHandle |
| 0x63d0e8 | GetQueuedCompletionStatusEx |
| 0x63d0f0 | GetProcessAffinityMask |
| 0x63d0f8 | GetProcAddress |
| 0x63d100 | GetEnvironmentStringsW |
| 0x63d108 | GetConsoleMode |
| 0x63d110 | FreeEnvironmentStringsW |
| 0x63d118 | ExitProcess |
| 0x63d120 | DuplicateHandle |
| 0x63d128 | CreateWaitableTimerExW |
| 0x63d130 | CreateThread |
| 0x63d138 | CreateIoCompletionPort |
| 0x63d140 | CreateEventA |
| 0x63d148 | CloseHandle |
| 0x63d150 | AddVectoredExceptionHandler |

EAT (Export Address Table): none