ScreenShot
| Created | 2021.08.19 19:08 | Machine | s1_win7_x6402 |
| Filename | toolspab2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | fa371744e181b2857a6038e1bca60fff | ||
| sha256 | 92e576963128d956b98f423af33a3a2395e6a16f7d44855cfc2fff71c0651329 | ||
| ssdeep | 6144:EH5wJRkIUpk/6VIxXZyls41SHX3UbsjzGlrkuM3c6:18IUy/6VIrylsy6zerN6 | ||
| imphash | 8f4452ee838d99d134cdfb5637fb01d7 | ||
| impfuzzy | 48:O9ZzCOxOD6raq8JEYIV1i5YlGXHOtaELtQkfcJSoXr/g0:0Zw+MIVk5YlGXHfELtQkfcJSur/g0 | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41d000 GetComputerNameA
0x41d004 GetThreadContext
0x41d008 FileTimeToDosDateTime
0x41d00c UnregisterWait
0x41d010 GetNativeSystemInfo
0x41d014 SetFilePointer
0x41d018 lstrlenA
0x41d01c GetConsoleAliasesLengthW
0x41d020 SetLocalTime
0x41d024 InterlockedIncrement
0x41d028 GetQueuedCompletionStatus
0x41d02c InterlockedDecrement
0x41d030 GetSystemWindowsDirectoryW
0x41d034 WaitForSingleObject
0x41d038 FreeEnvironmentStringsA
0x41d03c GetTickCount
0x41d040 WaitNamedPipeW
0x41d044 WriteFile
0x41d048 SetCommState
0x41d04c GetCommandLineA
0x41d050 TlsSetValue
0x41d054 GetPriorityClass
0x41d058 AddRefActCtx
0x41d05c LoadLibraryW
0x41d060 GetConsoleMode
0x41d064 CopyFileW
0x41d068 GetVersionExW
0x41d06c SetConsoleMode
0x41d070 GetBinaryTypeA
0x41d074 TerminateProcess
0x41d078 IsDBCSLeadByte
0x41d07c GetOverlappedResult
0x41d080 CompareStringW
0x41d084 GlobalUnlock
0x41d088 VerifyVersionInfoW
0x41d08c CreateDirectoryA
0x41d090 GetFileSizeEx
0x41d094 GetStartupInfoA
0x41d098 OpenMutexW
0x41d09c GetLastError
0x41d0a0 ReadConsoleOutputCharacterA
0x41d0a4 GetProcAddress
0x41d0a8 VirtualAlloc
0x41d0ac WriteProfileSectionA
0x41d0b0 DisableThreadLibraryCalls
0x41d0b4 GetPrivateProfileStringA
0x41d0b8 ResetEvent
0x41d0bc OpenWaitableTimerA
0x41d0c0 LoadLibraryA
0x41d0c4 CreateSemaphoreW
0x41d0c8 LocalAlloc
0x41d0cc SetCurrentDirectoryW
0x41d0d0 WriteProfileSectionW
0x41d0d4 HeapWalk
0x41d0d8 Process32NextW
0x41d0dc WriteProfileStringA
0x41d0e0 SetConsoleCursorInfo
0x41d0e4 CreateIoCompletionPort
0x41d0e8 GetModuleHandleA
0x41d0ec EnumResourceNamesA
0x41d0f0 FatalAppExitA
0x41d0f4 GetCurrentThreadId
0x41d0f8 GetCPInfoExA
0x41d0fc SetThreadAffinityMask
0x41d100 OpenSemaphoreW
0x41d104 FindAtomW
0x41d108 LCMapStringW
0x41d10c CopyFileExA
0x41d110 DeleteFileA
0x41d114 WideCharToMultiByte
0x41d118 HeapValidate
0x41d11c IsBadReadPtr
0x41d120 RaiseException
0x41d124 GetCurrentProcess
0x41d128 UnhandledExceptionFilter
0x41d12c SetUnhandledExceptionFilter
0x41d130 IsDebuggerPresent
0x41d134 GetModuleFileNameW
0x41d138 GetACP
0x41d13c GetOEMCP
0x41d140 GetCPInfo
0x41d144 IsValidCodePage
0x41d148 TlsGetValue
0x41d14c GetModuleHandleW
0x41d150 TlsAlloc
0x41d154 TlsFree
0x41d158 SetLastError
0x41d15c Sleep
0x41d160 ExitProcess
0x41d164 DeleteCriticalSection
0x41d168 EnterCriticalSection
0x41d16c LeaveCriticalSection
0x41d170 QueryPerformanceCounter
0x41d174 GetCurrentProcessId
0x41d178 GetSystemTimeAsFileTime
0x41d17c GetModuleFileNameA
0x41d180 GetEnvironmentStrings
0x41d184 FreeEnvironmentStringsW
0x41d188 GetEnvironmentStringsW
0x41d18c SetHandleCount
0x41d190 GetStdHandle
0x41d194 GetFileType
0x41d198 HeapDestroy
0x41d19c HeapCreate
0x41d1a0 HeapFree
0x41d1a4 VirtualFree
0x41d1a8 HeapAlloc
0x41d1ac HeapSize
0x41d1b0 HeapReAlloc
0x41d1b4 DebugBreak
0x41d1b8 OutputDebugStringA
0x41d1bc WriteConsoleW
0x41d1c0 OutputDebugStringW
0x41d1c4 RtlUnwind
0x41d1c8 MultiByteToWideChar
0x41d1cc LCMapStringA
0x41d1d0 GetStringTypeA
0x41d1d4 GetStringTypeW
0x41d1d8 GetLocaleInfoA
0x41d1dc InitializeCriticalSectionAndSpinCount
0x41d1e0 GetConsoleCP
0x41d1e4 SetStdHandle
0x41d1e8 WriteConsoleA
0x41d1ec GetConsoleOutputCP
0x41d1f0 CreateFileA
0x41d1f4 CloseHandle
0x41d1f8 FlushFileBuffers
EAT(Export Address Table) is none
KERNEL32.dll
0x41d000 GetComputerNameA
0x41d004 GetThreadContext
0x41d008 FileTimeToDosDateTime
0x41d00c UnregisterWait
0x41d010 GetNativeSystemInfo
0x41d014 SetFilePointer
0x41d018 lstrlenA
0x41d01c GetConsoleAliasesLengthW
0x41d020 SetLocalTime
0x41d024 InterlockedIncrement
0x41d028 GetQueuedCompletionStatus
0x41d02c InterlockedDecrement
0x41d030 GetSystemWindowsDirectoryW
0x41d034 WaitForSingleObject
0x41d038 FreeEnvironmentStringsA
0x41d03c GetTickCount
0x41d040 WaitNamedPipeW
0x41d044 WriteFile
0x41d048 SetCommState
0x41d04c GetCommandLineA
0x41d050 TlsSetValue
0x41d054 GetPriorityClass
0x41d058 AddRefActCtx
0x41d05c LoadLibraryW
0x41d060 GetConsoleMode
0x41d064 CopyFileW
0x41d068 GetVersionExW
0x41d06c SetConsoleMode
0x41d070 GetBinaryTypeA
0x41d074 TerminateProcess
0x41d078 IsDBCSLeadByte
0x41d07c GetOverlappedResult
0x41d080 CompareStringW
0x41d084 GlobalUnlock
0x41d088 VerifyVersionInfoW
0x41d08c CreateDirectoryA
0x41d090 GetFileSizeEx
0x41d094 GetStartupInfoA
0x41d098 OpenMutexW
0x41d09c GetLastError
0x41d0a0 ReadConsoleOutputCharacterA
0x41d0a4 GetProcAddress
0x41d0a8 VirtualAlloc
0x41d0ac WriteProfileSectionA
0x41d0b0 DisableThreadLibraryCalls
0x41d0b4 GetPrivateProfileStringA
0x41d0b8 ResetEvent
0x41d0bc OpenWaitableTimerA
0x41d0c0 LoadLibraryA
0x41d0c4 CreateSemaphoreW
0x41d0c8 LocalAlloc
0x41d0cc SetCurrentDirectoryW
0x41d0d0 WriteProfileSectionW
0x41d0d4 HeapWalk
0x41d0d8 Process32NextW
0x41d0dc WriteProfileStringA
0x41d0e0 SetConsoleCursorInfo
0x41d0e4 CreateIoCompletionPort
0x41d0e8 GetModuleHandleA
0x41d0ec EnumResourceNamesA
0x41d0f0 FatalAppExitA
0x41d0f4 GetCurrentThreadId
0x41d0f8 GetCPInfoExA
0x41d0fc SetThreadAffinityMask
0x41d100 OpenSemaphoreW
0x41d104 FindAtomW
0x41d108 LCMapStringW
0x41d10c CopyFileExA
0x41d110 DeleteFileA
0x41d114 WideCharToMultiByte
0x41d118 HeapValidate
0x41d11c IsBadReadPtr
0x41d120 RaiseException
0x41d124 GetCurrentProcess
0x41d128 UnhandledExceptionFilter
0x41d12c SetUnhandledExceptionFilter
0x41d130 IsDebuggerPresent
0x41d134 GetModuleFileNameW
0x41d138 GetACP
0x41d13c GetOEMCP
0x41d140 GetCPInfo
0x41d144 IsValidCodePage
0x41d148 TlsGetValue
0x41d14c GetModuleHandleW
0x41d150 TlsAlloc
0x41d154 TlsFree
0x41d158 SetLastError
0x41d15c Sleep
0x41d160 ExitProcess
0x41d164 DeleteCriticalSection
0x41d168 EnterCriticalSection
0x41d16c LeaveCriticalSection
0x41d170 QueryPerformanceCounter
0x41d174 GetCurrentProcessId
0x41d178 GetSystemTimeAsFileTime
0x41d17c GetModuleFileNameA
0x41d180 GetEnvironmentStrings
0x41d184 FreeEnvironmentStringsW
0x41d188 GetEnvironmentStringsW
0x41d18c SetHandleCount
0x41d190 GetStdHandle
0x41d194 GetFileType
0x41d198 HeapDestroy
0x41d19c HeapCreate
0x41d1a0 HeapFree
0x41d1a4 VirtualFree
0x41d1a8 HeapAlloc
0x41d1ac HeapSize
0x41d1b0 HeapReAlloc
0x41d1b4 DebugBreak
0x41d1b8 OutputDebugStringA
0x41d1bc WriteConsoleW
0x41d1c0 OutputDebugStringW
0x41d1c4 RtlUnwind
0x41d1c8 MultiByteToWideChar
0x41d1cc LCMapStringA
0x41d1d0 GetStringTypeA
0x41d1d4 GetStringTypeW
0x41d1d8 GetLocaleInfoA
0x41d1dc InitializeCriticalSectionAndSpinCount
0x41d1e0 GetConsoleCP
0x41d1e4 SetStdHandle
0x41d1e8 WriteConsoleA
0x41d1ec GetConsoleOutputCP
0x41d1f0 CreateFileA
0x41d1f4 CloseHandle
0x41d1f8 FlushFileBuffers
EAT(Export Address Table) is none