ScreenShot
| Created | 2021.08.15 12:39 | Machine | s1_win7_x6402 |
| Filename | toolspab2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 24 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, Hacktool, ZexaF, lq0@amWtVZhG, Attribute, HighConfidence, Blocker, HPGen, Emotet, Static AI, Malicious PE, Sabsik, score, BScope, Kryptik, CLASSIC, QVM10, confidence, 100%) | ||
| md5 | ea15500c87c5662e58d8539b47ff988c | ||
| sha256 | 2a14baae0f80b79402bf2f114f0937fa2af5da3f9ea150479610dde04ddf7a58 | ||
| ssdeep | 3072:XLKj98VzeJoI7fggZAK+YQUtn9jHBN4SLORyoWJfPuHtNGSfPH+:XLPUootZAK+KRJh9XoWdPAiSHe | ||
| imphash | 6b22ece31495fe337ab5b098b4e30ca3 | ||
| impfuzzy | 48:k5ZXEUg/XdljM+RFxrWt/7suD+cnU5nemU:kDaVljMwrWt/7l+cnU5nep | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | This executable has a PDB path |
Rules (12cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x415000 EnumDateFormatsExW
0x415004 MoveFileExA
0x415008 EndUpdateResourceW
0x41500c InterlockedIncrement
0x415010 InterlockedDecrement
0x415014 ReadConsoleOutputAttribute
0x415018 GetSystemWindowsDirectoryW
0x41501c GetEnvironmentStringsW
0x415020 GetUserDefaultLCID
0x415024 WaitForSingleObject
0x415028 SetConsoleScreenBufferSize
0x41502c GetComputerNameW
0x415030 SetEvent
0x415034 GetConsoleAliasesLengthA
0x415038 CreateActCtxW
0x41503c GetConsoleCP
0x415040 LocalShrink
0x415044 ReadConsoleOutputW
0x415048 GetVersionExW
0x41504c GetFileAttributesA
0x415050 lstrcpynW
0x415054 GetConsoleAliasW
0x415058 VerifyVersionInfoA
0x41505c WriteConsoleW
0x415060 WritePrivateProfileSectionW
0x415064 IsBadWritePtr
0x415068 ReadFile
0x41506c GetModuleFileNameW
0x415070 GetCompressedFileSizeA
0x415074 GetSystemDirectoryA
0x415078 CreateFileW
0x41507c lstrcatA
0x415080 GetACP
0x415084 GetVolumePathNameA
0x415088 lstrlenW
0x41508c SetConsoleTitleA
0x415090 VerifyVersionInfoW
0x415094 InterlockedExchange
0x415098 GetLastError
0x41509c GetProcAddress
0x4150a0 EnterCriticalSection
0x4150a4 GetLocalTime
0x4150a8 GetProcessId
0x4150ac LocalAlloc
0x4150b0 SetCalendarInfoW
0x4150b4 DnsHostnameToComputerNameA
0x4150b8 CreateTapePartition
0x4150bc SetConsoleDisplayMode
0x4150c0 SetFileApisToANSI
0x4150c4 GlobalGetAtomNameW
0x4150c8 SetEnvironmentVariableA
0x4150cc GetModuleHandleA
0x4150d0 UpdateResourceW
0x4150d4 CancelTimerQueueTimer
0x4150d8 GetConsoleTitleW
0x4150dc BuildCommDCBA
0x4150e0 VirtualProtect
0x4150e4 PeekConsoleInputA
0x4150e8 FindFirstVolumeW
0x4150ec GetSystemDefaultLangID
0x4150f0 GetStartupInfoW
0x4150f4 HeapAlloc
0x4150f8 UnhandledExceptionFilter
0x4150fc SetUnhandledExceptionFilter
0x415100 GetModuleHandleW
0x415104 TlsGetValue
0x415108 TlsAlloc
0x41510c TlsSetValue
0x415110 TlsFree
0x415114 SetLastError
0x415118 GetCurrentThreadId
0x41511c Sleep
0x415120 ExitProcess
0x415124 WriteFile
0x415128 GetStdHandle
0x41512c GetModuleFileNameA
0x415130 FreeEnvironmentStringsW
0x415134 GetCommandLineW
0x415138 SetHandleCount
0x41513c GetFileType
0x415140 GetStartupInfoA
0x415144 DeleteCriticalSection
0x415148 HeapCreate
0x41514c VirtualFree
0x415150 HeapFree
0x415154 QueryPerformanceCounter
0x415158 GetTickCount
0x41515c GetCurrentProcessId
0x415160 GetSystemTimeAsFileTime
0x415164 RaiseException
0x415168 TerminateProcess
0x41516c GetCurrentProcess
0x415170 IsDebuggerPresent
0x415174 LeaveCriticalSection
0x415178 VirtualAlloc
0x41517c HeapReAlloc
0x415180 GetCPInfo
0x415184 GetOEMCP
0x415188 IsValidCodePage
0x41518c RtlUnwind
0x415190 LoadLibraryA
0x415194 InitializeCriticalSectionAndSpinCount
0x415198 GetLocaleInfoA
0x41519c GetStringTypeA
0x4151a0 MultiByteToWideChar
0x4151a4 GetStringTypeW
0x4151a8 LCMapStringA
0x4151ac WideCharToMultiByte
0x4151b0 LCMapStringW
0x4151b4 HeapSize
USER32.dll
0x4151bc RealGetWindowClassA
EAT(Export Address Table) is none
KERNEL32.dll
0x415000 EnumDateFormatsExW
0x415004 MoveFileExA
0x415008 EndUpdateResourceW
0x41500c InterlockedIncrement
0x415010 InterlockedDecrement
0x415014 ReadConsoleOutputAttribute
0x415018 GetSystemWindowsDirectoryW
0x41501c GetEnvironmentStringsW
0x415020 GetUserDefaultLCID
0x415024 WaitForSingleObject
0x415028 SetConsoleScreenBufferSize
0x41502c GetComputerNameW
0x415030 SetEvent
0x415034 GetConsoleAliasesLengthA
0x415038 CreateActCtxW
0x41503c GetConsoleCP
0x415040 LocalShrink
0x415044 ReadConsoleOutputW
0x415048 GetVersionExW
0x41504c GetFileAttributesA
0x415050 lstrcpynW
0x415054 GetConsoleAliasW
0x415058 VerifyVersionInfoA
0x41505c WriteConsoleW
0x415060 WritePrivateProfileSectionW
0x415064 IsBadWritePtr
0x415068 ReadFile
0x41506c GetModuleFileNameW
0x415070 GetCompressedFileSizeA
0x415074 GetSystemDirectoryA
0x415078 CreateFileW
0x41507c lstrcatA
0x415080 GetACP
0x415084 GetVolumePathNameA
0x415088 lstrlenW
0x41508c SetConsoleTitleA
0x415090 VerifyVersionInfoW
0x415094 InterlockedExchange
0x415098 GetLastError
0x41509c GetProcAddress
0x4150a0 EnterCriticalSection
0x4150a4 GetLocalTime
0x4150a8 GetProcessId
0x4150ac LocalAlloc
0x4150b0 SetCalendarInfoW
0x4150b4 DnsHostnameToComputerNameA
0x4150b8 CreateTapePartition
0x4150bc SetConsoleDisplayMode
0x4150c0 SetFileApisToANSI
0x4150c4 GlobalGetAtomNameW
0x4150c8 SetEnvironmentVariableA
0x4150cc GetModuleHandleA
0x4150d0 UpdateResourceW
0x4150d4 CancelTimerQueueTimer
0x4150d8 GetConsoleTitleW
0x4150dc BuildCommDCBA
0x4150e0 VirtualProtect
0x4150e4 PeekConsoleInputA
0x4150e8 FindFirstVolumeW
0x4150ec GetSystemDefaultLangID
0x4150f0 GetStartupInfoW
0x4150f4 HeapAlloc
0x4150f8 UnhandledExceptionFilter
0x4150fc SetUnhandledExceptionFilter
0x415100 GetModuleHandleW
0x415104 TlsGetValue
0x415108 TlsAlloc
0x41510c TlsSetValue
0x415110 TlsFree
0x415114 SetLastError
0x415118 GetCurrentThreadId
0x41511c Sleep
0x415120 ExitProcess
0x415124 WriteFile
0x415128 GetStdHandle
0x41512c GetModuleFileNameA
0x415130 FreeEnvironmentStringsW
0x415134 GetCommandLineW
0x415138 SetHandleCount
0x41513c GetFileType
0x415140 GetStartupInfoA
0x415144 DeleteCriticalSection
0x415148 HeapCreate
0x41514c VirtualFree
0x415150 HeapFree
0x415154 QueryPerformanceCounter
0x415158 GetTickCount
0x41515c GetCurrentProcessId
0x415160 GetSystemTimeAsFileTime
0x415164 RaiseException
0x415168 TerminateProcess
0x41516c GetCurrentProcess
0x415170 IsDebuggerPresent
0x415174 LeaveCriticalSection
0x415178 VirtualAlloc
0x41517c HeapReAlloc
0x415180 GetCPInfo
0x415184 GetOEMCP
0x415188 IsValidCodePage
0x41518c RtlUnwind
0x415190 LoadLibraryA
0x415194 InitializeCriticalSectionAndSpinCount
0x415198 GetLocaleInfoA
0x41519c GetStringTypeA
0x4151a0 MultiByteToWideChar
0x4151a4 GetStringTypeW
0x4151a8 LCMapStringA
0x4151ac WideCharToMultiByte
0x4151b0 LCMapStringW
0x4151b4 HeapSize
USER32.dll
0x4151bc RealGetWindowClassA
EAT(Export Address Table) is none