ScreenShot
| Created | 2021.08.24 16:53 | Machine | s1_win7_x6402 |
| Filename | toolspab2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 28 detected (malicious, high confidence, Artemis, Unsafe, Save, Kryptik, Eldorado, Attribute, HighConfidence, Mokes, FileRepMalware, HPGen, Emotet, A + Troj, Krypt, Sabsik, score, ZexaF, jq0@aSImrbeG, MachineLearning, Anomalous, CLASSIC, Static AI, Malicious PE, confidence, 100%) | ||
| md5 | eb7b5911cfc0a95a5066f39ed22aee0a | ||
| sha256 | 67ebaa4e613b155a8584614552de369a48d854f8b38e9c6f6319d71f287ea0f9 | ||
| ssdeep | 1536:Bey+wOZJm7ekxQG/UGbikmE7befYGwGYO49UDP95w9ZV8lP2JATEL+hItC3nf:2m7UVGeHfYGmO9P95weP2JQKt | ||
| imphash | 02fed18d5788c3d9bcc1897631bb2a01 | ||
| impfuzzy | 48:kJp8Z1Xe5BdH1miOMrJtdVGjUc9HvWNd6:yc1XurVmBMrJtzGjUctvWNo | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x413000 GetConsoleAliasesLengthW
0x413004 WriteConsoleOutputCharacterA
0x413008 BuildCommDCBAndTimeoutsA
0x41300c WriteConsoleOutputW
0x413010 EndUpdateResourceW
0x413014 InterlockedIncrement
0x413018 InterlockedDecrement
0x41301c GetCurrentProcess
0x413020 GetSystemWindowsDirectoryW
0x413024 SetEnvironmentVariableW
0x413028 WaitForSingleObject
0x41302c GetSystemDefaultLCID
0x413030 GetModuleHandleW
0x413034 EnumCalendarInfoExW
0x413038 SetThreadUILanguage
0x41303c GetConsoleAliasesLengthA
0x413040 GetConsoleTitleA
0x413044 GetEnvironmentStrings
0x413048 GetConsoleCP
0x41304c ReadConsoleInputA
0x413050 SetVolumeMountPointA
0x413054 lstrcpynW
0x413058 SetConsoleCursorPosition
0x41305c GetFileAttributesW
0x413060 SetTimeZoneInformation
0x413064 WriteConsoleW
0x413068 IsBadWritePtr
0x41306c GetMailslotInfo
0x413070 lstrcatA
0x413074 lstrlenW
0x413078 FlushFileBuffers
0x41307c InterlockedExchange
0x413080 FillConsoleOutputCharacterW
0x413084 ChangeTimerQueueTimer
0x413088 SetLastError
0x41308c GetProcAddress
0x413090 PeekConsoleInputW
0x413094 EnumDateFormatsExA
0x413098 CreateTimerQueueTimer
0x41309c LocalLock
0x4130a0 EnterCriticalSection
0x4130a4 GlobalGetAtomNameA
0x4130a8 ResetEvent
0x4130ac GetLocalTime
0x4130b0 LoadLibraryA
0x4130b4 LocalAlloc
0x4130b8 SetConsoleOutputCP
0x4130bc SetFileApisToANSI
0x4130c0 GetOEMCP
0x4130c4 GetModuleHandleA
0x4130c8 HeapSetInformation
0x4130cc GetCPInfoExA
0x4130d0 FindFirstVolumeA
0x4130d4 DeleteTimerQueueTimer
0x4130d8 GetCurrentProcessId
0x4130dc GetConsoleProcessList
0x4130e0 GetModuleFileNameW
0x4130e4 GetSystemDefaultLangID
0x4130e8 UnhandledExceptionFilter
0x4130ec SetUnhandledExceptionFilter
0x4130f0 HeapAlloc
0x4130f4 GetCommandLineA
0x4130f8 GetStartupInfoA
0x4130fc RaiseException
0x413100 RtlUnwind
0x413104 Sleep
0x413108 ExitProcess
0x41310c GetLastError
0x413110 WriteFile
0x413114 GetStdHandle
0x413118 GetModuleFileNameA
0x41311c TerminateProcess
0x413120 IsDebuggerPresent
0x413124 HeapFree
0x413128 DeleteCriticalSection
0x41312c LeaveCriticalSection
0x413130 VirtualFree
0x413134 VirtualAlloc
0x413138 HeapReAlloc
0x41313c HeapCreate
0x413140 FreeEnvironmentStringsA
0x413144 FreeEnvironmentStringsW
0x413148 WideCharToMultiByte
0x41314c GetEnvironmentStringsW
0x413150 SetHandleCount
0x413154 GetFileType
0x413158 TlsGetValue
0x41315c TlsAlloc
0x413160 TlsSetValue
0x413164 TlsFree
0x413168 GetCurrentThreadId
0x41316c QueryPerformanceCounter
0x413170 GetTickCount
0x413174 GetSystemTimeAsFileTime
0x413178 InitializeCriticalSectionAndSpinCount
0x41317c HeapSize
0x413180 GetCPInfo
0x413184 GetACP
0x413188 IsValidCodePage
0x41318c GetLocaleInfoA
0x413190 LCMapStringA
0x413194 MultiByteToWideChar
0x413198 LCMapStringW
0x41319c GetStringTypeA
0x4131a0 GetStringTypeW
USER32.dll
0x4131a8 GetAltTabInfoW
EAT(Export Address Table) Library
0x401065 @SetFirstEverVice@8
KERNEL32.dll
0x413000 GetConsoleAliasesLengthW
0x413004 WriteConsoleOutputCharacterA
0x413008 BuildCommDCBAndTimeoutsA
0x41300c WriteConsoleOutputW
0x413010 EndUpdateResourceW
0x413014 InterlockedIncrement
0x413018 InterlockedDecrement
0x41301c GetCurrentProcess
0x413020 GetSystemWindowsDirectoryW
0x413024 SetEnvironmentVariableW
0x413028 WaitForSingleObject
0x41302c GetSystemDefaultLCID
0x413030 GetModuleHandleW
0x413034 EnumCalendarInfoExW
0x413038 SetThreadUILanguage
0x41303c GetConsoleAliasesLengthA
0x413040 GetConsoleTitleA
0x413044 GetEnvironmentStrings
0x413048 GetConsoleCP
0x41304c ReadConsoleInputA
0x413050 SetVolumeMountPointA
0x413054 lstrcpynW
0x413058 SetConsoleCursorPosition
0x41305c GetFileAttributesW
0x413060 SetTimeZoneInformation
0x413064 WriteConsoleW
0x413068 IsBadWritePtr
0x41306c GetMailslotInfo
0x413070 lstrcatA
0x413074 lstrlenW
0x413078 FlushFileBuffers
0x41307c InterlockedExchange
0x413080 FillConsoleOutputCharacterW
0x413084 ChangeTimerQueueTimer
0x413088 SetLastError
0x41308c GetProcAddress
0x413090 PeekConsoleInputW
0x413094 EnumDateFormatsExA
0x413098 CreateTimerQueueTimer
0x41309c LocalLock
0x4130a0 EnterCriticalSection
0x4130a4 GlobalGetAtomNameA
0x4130a8 ResetEvent
0x4130ac GetLocalTime
0x4130b0 LoadLibraryA
0x4130b4 LocalAlloc
0x4130b8 SetConsoleOutputCP
0x4130bc SetFileApisToANSI
0x4130c0 GetOEMCP
0x4130c4 GetModuleHandleA
0x4130c8 HeapSetInformation
0x4130cc GetCPInfoExA
0x4130d0 FindFirstVolumeA
0x4130d4 DeleteTimerQueueTimer
0x4130d8 GetCurrentProcessId
0x4130dc GetConsoleProcessList
0x4130e0 GetModuleFileNameW
0x4130e4 GetSystemDefaultLangID
0x4130e8 UnhandledExceptionFilter
0x4130ec SetUnhandledExceptionFilter
0x4130f0 HeapAlloc
0x4130f4 GetCommandLineA
0x4130f8 GetStartupInfoA
0x4130fc RaiseException
0x413100 RtlUnwind
0x413104 Sleep
0x413108 ExitProcess
0x41310c GetLastError
0x413110 WriteFile
0x413114 GetStdHandle
0x413118 GetModuleFileNameA
0x41311c TerminateProcess
0x413120 IsDebuggerPresent
0x413124 HeapFree
0x413128 DeleteCriticalSection
0x41312c LeaveCriticalSection
0x413130 VirtualFree
0x413134 VirtualAlloc
0x413138 HeapReAlloc
0x41313c HeapCreate
0x413140 FreeEnvironmentStringsA
0x413144 FreeEnvironmentStringsW
0x413148 WideCharToMultiByte
0x41314c GetEnvironmentStringsW
0x413150 SetHandleCount
0x413154 GetFileType
0x413158 TlsGetValue
0x41315c TlsAlloc
0x413160 TlsSetValue
0x413164 TlsFree
0x413168 GetCurrentThreadId
0x41316c QueryPerformanceCounter
0x413170 GetTickCount
0x413174 GetSystemTimeAsFileTime
0x413178 InitializeCriticalSectionAndSpinCount
0x41317c HeapSize
0x413180 GetCPInfo
0x413184 GetACP
0x413188 IsValidCodePage
0x41318c GetLocaleInfoA
0x413190 LCMapStringA
0x413194 MultiByteToWideChar
0x413198 LCMapStringW
0x41319c GetStringTypeA
0x4131a0 GetStringTypeW
USER32.dll
0x4131a8 GetAltTabInfoW
EAT(Export Address Table) Library
0x401065 @SetFirstEverVice@8