ScreenShot
| Created | 2021.09.02 10:24 | Machine | s1_win7_x6401 |
| Filename | FileTracker.dll | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 20 detected (Convagent, malicious, high confidence, Unsafe, Save, confidence, 100%, ZedlaF, lu8@aOdaKVki, Dridex, Eldorado, Cridex, A + Mal, EncPk, Sabsik, score, GenericRXAA, Generic@ML, RDML, 7q8c6mW067FilKsflQ, Static AI, Malicious PE) | ||
| md5 | 367d76d749d9e45fa68a22d0034d98ae | ||
| sha256 | 2192dab0759dc41ca820edcf34e8ae786db983458d8cc9ba7dd23348c6027a68 | ||
| ssdeep | 3072:vteMq7hp/YIzA6BZvlWnTDN2GL9L8NLXWruiuUCzTOwwc0cIz99qM:3q7fYIHBZkTB6DWruUCOwjt | ||
| imphash | 186f1499d3d5ae3e8092b83cefdeeba0 | ||
| impfuzzy | 12:7hPzYuVF1G2NGryRXneWTgoNpzBmBb2FrDi5phin:hYuVbG2lleMpzBmUFa5W | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x10008020 TransactNamedPipe
0x10008024 GetModuleHandleA
0x10008028 GetModuleFileNameW
0x1000802c EndUpdateResourceA
0x10008030 DebugBreak
0x10008034 GetTempPathA
0x10008038 VirtualFree
0x1000803c WriteFile
0x10008040 SetDefaultCommConfigA
0x10008044 GetModuleHandleW
GDI32.dll
0x10008018 StretchBlt
WINTRUST.dll
0x10008090 CryptSIPCreateIndirectData
OLEAUT32.dll
0x10008054 VarUdateFromDate
0x10008058 BSTR_UserFree
MPRAPI.dll
0x1000804c MprAdminGetErrorString
USER32.dll
0x1000807c ImpersonateDdeClientWindow
0x10008080 ShowOwnedPopups
ADVAPI32.dll
0x10008000 CreateServiceA
0x10008004 RegLoadAppKeyA
0x10008008 FreeSid
msvcrt.dll
0x10008098 iswlower
0x1000809c memset
WINMM.dll
0x10008088 waveOutGetNumDevs
ESENT.dll
0x10008010 JetEndSession
SETUPAPI.dll
0x10008068 SetupLogErrorW
RASAPI32.dll
0x10008060 RasDeleteEntryW
SHLWAPI.dll
0x10008070 StrCmpNW
0x10008074 ChrCmpIA
EAT(Export Address Table) Library
0x100280ce EgppeRmclooss
KERNEL32.dll
0x10008020 TransactNamedPipe
0x10008024 GetModuleHandleA
0x10008028 GetModuleFileNameW
0x1000802c EndUpdateResourceA
0x10008030 DebugBreak
0x10008034 GetTempPathA
0x10008038 VirtualFree
0x1000803c WriteFile
0x10008040 SetDefaultCommConfigA
0x10008044 GetModuleHandleW
GDI32.dll
0x10008018 StretchBlt
WINTRUST.dll
0x10008090 CryptSIPCreateIndirectData
OLEAUT32.dll
0x10008054 VarUdateFromDate
0x10008058 BSTR_UserFree
MPRAPI.dll
0x1000804c MprAdminGetErrorString
USER32.dll
0x1000807c ImpersonateDdeClientWindow
0x10008080 ShowOwnedPopups
ADVAPI32.dll
0x10008000 CreateServiceA
0x10008004 RegLoadAppKeyA
0x10008008 FreeSid
msvcrt.dll
0x10008098 iswlower
0x1000809c memset
WINMM.dll
0x10008088 waveOutGetNumDevs
ESENT.dll
0x10008010 JetEndSession
SETUPAPI.dll
0x10008068 SetupLogErrorW
RASAPI32.dll
0x10008060 RasDeleteEntryW
SHLWAPI.dll
0x10008070 StrCmpNW
0x10008074 ChrCmpIA
EAT(Export Address Table) Library
0x100280ce EgppeRmclooss