ScreenShot
| Created | 2021.08.24 09:41 | Machine | s1_win7_x6402 |
| Filename | ob.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 21 detected (malicious, high confidence, GenericRXAA, AgentTesla, Save, confidence, Attribute, HighConfidence, GenKryptik, FJKM, Noon, PWSX, Generic@ML, RDML, oYX0CxBomoRkxTlqKeAC9A, XPACK, Gen7, Crowti, PWSZbot, Wacatac, score, ZexaF, oqZ@aey2bIei, Unsafe) | ||
| md5 | 95fe547bbaa4db499b9d04bf7843608b | ||
| sha256 | 31feccf3da6fc04933d3ae09ff786132b5690c7f60cc8482f54b968b50a131e2 | ||
| ssdeep | 6144:0CRnvvhIRFKDPo2pPF6xhJEC4gxfAuGdQFgEnQkkMgES:0CJpIRF0ppFG/qcFlQkkMu | ||
| imphash | 6ef74f7b87fa15b6df54d064a5b8ef31 | ||
| impfuzzy | 12:SO5JExj78BZGzjgqWZhbZDoA9GScPuGA9R4QwDkM+BsfThpJqE:SOTExjCLrZDonuGA9JwQNunqE | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 21 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Terminates another process |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x403000 GetStdHandle
0x403004 GetCommandLineW
0x403008 WriteFile
0x40300c GetLastError
0x403010 HeapAlloc
0x403014 HeapFree
0x403018 GetProcessHeap
0x40301c WaitForSingleObject
0x403020 GetCurrentProcess
0x403024 ExitProcess
0x403028 GetExitCodeProcess
0x40302c CreateProcessW
0x403030 GetWindowsDirectoryW
0x403034 VirtualProtect
0x403038 IsWow64Process
0x40303c FreeLibrary
0x403040 GetModuleHandleW
0x403044 GetProcAddress
0x403048 LoadLibraryExW
0x40304c LocalFree
0x403050 GetBinaryTypeW
0x403054 lstrlenW
0x403058 WideCharToMultiByte
0x40305c EnumTimeFormatsW
0x403060 GetConsoleOutputCP
0x403064 WriteConsoleW
USER32.dll
0x40307c LoadStringW
0x403080 MessageBoxW
ole32.dll
0x403088 OleInitialize
0x40308c OleUninitialize
MSVCRT.dll
0x40306c towlower
0x403070 malloc
0x403074 memset
EAT(Export Address Table) is none
KERNEL32.dll
0x403000 GetStdHandle
0x403004 GetCommandLineW
0x403008 WriteFile
0x40300c GetLastError
0x403010 HeapAlloc
0x403014 HeapFree
0x403018 GetProcessHeap
0x40301c WaitForSingleObject
0x403020 GetCurrentProcess
0x403024 ExitProcess
0x403028 GetExitCodeProcess
0x40302c CreateProcessW
0x403030 GetWindowsDirectoryW
0x403034 VirtualProtect
0x403038 IsWow64Process
0x40303c FreeLibrary
0x403040 GetModuleHandleW
0x403044 GetProcAddress
0x403048 LoadLibraryExW
0x40304c LocalFree
0x403050 GetBinaryTypeW
0x403054 lstrlenW
0x403058 WideCharToMultiByte
0x40305c EnumTimeFormatsW
0x403060 GetConsoleOutputCP
0x403064 WriteConsoleW
USER32.dll
0x40307c LoadStringW
0x403080 MessageBoxW
ole32.dll
0x403088 OleInitialize
0x40308c OleUninitialize
MSVCRT.dll
0x40306c towlower
0x403070 malloc
0x403074 memset
EAT(Export Address Table) is none