ScreenShot
| Created | 2021.08.17 09:54 | Machine | s1_win7_x6402 |
| Filename | bHiq3IZ1xoLA.php | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | ffc642eb82de920453e88f647fb4c246 | ||
| sha256 | 2cee38ee68188bda0f3d7a0e5ccab31cd2512c1b4d1ab4c67030ee6c5e597f8d | ||
| ssdeep | 3072:mhYiCQXKgH7xFjsDlyk+AZ6cGdgwQDDu15/aE8tvgrkVCuLnT:g7xFGlyfAZ5DDuLyHzT | ||
| imphash | 8fb9c33d660a73e17ccb39e76d1e6039 | ||
| impfuzzy | 12:omUw5TyQKFEkMyWdg9FHwwfmNJBCLXvBpfAtb+:FUwSkg3HwlJBy5pfKb+ | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x10008000 RegLoadAppKeyA
0x10008004 RegisterServiceCtrlHandlerA
CRYPT32.dll
0x1000800c CryptFreeOIDFunctionAddress
GDI32.dll
0x10008014 CreateColorSpaceA
WINMM.dll
0x10008068 waveOutGetPitch
SETUPAPI.dll
0x10008054 SetupCloseInfFile
MPRAPI.dll
0x10008038 MprAdminMIBEntryGetNext
msvcrt.dll
0x10008070 memset
0x10008074 strlen
NTDSAPI.dll
0x10008040 DsBindWithCredW
OLEAUT32.dll
0x10008048 VarR8FromCy
0x1000804c VarDecFromR8
USER32.dll
0x1000805c UnionRect
0x10008060 ShowOwnedPopups
KERNEL32.dll
0x1000801c GetModuleHandleW
0x10008020 LoadLibraryExA
0x10008024 GetModuleFileNameA
0x10008028 FindActCtxSectionGuid
0x1000802c GetGeoInfoW
0x10008030 Sleep
EAT(Export Address Table) Library
0x100261fe WeprmcFosller
ADVAPI32.dll
0x10008000 RegLoadAppKeyA
0x10008004 RegisterServiceCtrlHandlerA
CRYPT32.dll
0x1000800c CryptFreeOIDFunctionAddress
GDI32.dll
0x10008014 CreateColorSpaceA
WINMM.dll
0x10008068 waveOutGetPitch
SETUPAPI.dll
0x10008054 SetupCloseInfFile
MPRAPI.dll
0x10008038 MprAdminMIBEntryGetNext
msvcrt.dll
0x10008070 memset
0x10008074 strlen
NTDSAPI.dll
0x10008040 DsBindWithCredW
OLEAUT32.dll
0x10008048 VarR8FromCy
0x1000804c VarDecFromR8
USER32.dll
0x1000805c UnionRect
0x10008060 ShowOwnedPopups
KERNEL32.dll
0x1000801c GetModuleHandleW
0x10008020 LoadLibraryExA
0x10008024 GetModuleFileNameA
0x10008028 FindActCtxSectionGuid
0x1000802c GetGeoInfoW
0x10008030 Sleep
EAT(Export Address Table) Library
0x100261fe WeprmcFosller