ScreenShot
| Created | 2021.09.02 18:00 | Machine | s1_win7_x6401 |
| Filename | al.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 25 detected (malicious, high confidence, GenericKD, Artemis, confidence, a variant of WinGo, GoCLR, Bulz, tetrjq, PowerShell, Static AI, Suspicious PE, gzxxe, ai score=82, Sabsik, score, HackTool, CLASSIC) | ||
| md5 | 06e4385a4ba6f66a4674cd1445470aea | ||
| sha256 | fd8f5bd06d288207635503abf28da66ec823359d18c6f887750831035d51e9d6 | ||
| ssdeep | 49152:JLP+Pfrb/TkvO90dL3BmAFd4A64nsfJ9AD5fFn0NLVu8dBCoFE1TNi9vIIa+jQh2:JLUhAQmAQQQQQQQQQQQQQ | ||
| imphash | c7269d59926fa4252270f407e4dab043 | ||
| impfuzzy | 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6tP:K5O+VAXOmGx0oP | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| watch | Detects the presence of Wine emulator |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x9aa020 WriteFile
0x9aa028 WriteConsoleW
0x9aa030 WaitForMultipleObjects
0x9aa038 WaitForSingleObject
0x9aa040 VirtualQuery
0x9aa048 VirtualFree
0x9aa050 VirtualAlloc
0x9aa058 SwitchToThread
0x9aa060 SuspendThread
0x9aa068 Sleep
0x9aa070 SetWaitableTimer
0x9aa078 SetUnhandledExceptionFilter
0x9aa080 SetProcessPriorityBoost
0x9aa088 SetEvent
0x9aa090 SetErrorMode
0x9aa098 SetConsoleCtrlHandler
0x9aa0a0 ResumeThread
0x9aa0a8 PostQueuedCompletionStatus
0x9aa0b0 LoadLibraryA
0x9aa0b8 LoadLibraryW
0x9aa0c0 SetThreadContext
0x9aa0c8 GetThreadContext
0x9aa0d0 GetSystemInfo
0x9aa0d8 GetSystemDirectoryA
0x9aa0e0 GetStdHandle
0x9aa0e8 GetQueuedCompletionStatusEx
0x9aa0f0 GetProcessAffinityMask
0x9aa0f8 GetProcAddress
0x9aa100 GetEnvironmentStringsW
0x9aa108 GetConsoleMode
0x9aa110 FreeEnvironmentStringsW
0x9aa118 ExitProcess
0x9aa120 DuplicateHandle
0x9aa128 CreateWaitableTimerExW
0x9aa130 CreateThread
0x9aa138 CreateIoCompletionPort
0x9aa140 CreateFileA
0x9aa148 CreateEventA
0x9aa150 CloseHandle
0x9aa158 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x9aa020 WriteFile
0x9aa028 WriteConsoleW
0x9aa030 WaitForMultipleObjects
0x9aa038 WaitForSingleObject
0x9aa040 VirtualQuery
0x9aa048 VirtualFree
0x9aa050 VirtualAlloc
0x9aa058 SwitchToThread
0x9aa060 SuspendThread
0x9aa068 Sleep
0x9aa070 SetWaitableTimer
0x9aa078 SetUnhandledExceptionFilter
0x9aa080 SetProcessPriorityBoost
0x9aa088 SetEvent
0x9aa090 SetErrorMode
0x9aa098 SetConsoleCtrlHandler
0x9aa0a0 ResumeThread
0x9aa0a8 PostQueuedCompletionStatus
0x9aa0b0 LoadLibraryA
0x9aa0b8 LoadLibraryW
0x9aa0c0 SetThreadContext
0x9aa0c8 GetThreadContext
0x9aa0d0 GetSystemInfo
0x9aa0d8 GetSystemDirectoryA
0x9aa0e0 GetStdHandle
0x9aa0e8 GetQueuedCompletionStatusEx
0x9aa0f0 GetProcessAffinityMask
0x9aa0f8 GetProcAddress
0x9aa100 GetEnvironmentStringsW
0x9aa108 GetConsoleMode
0x9aa110 FreeEnvironmentStringsW
0x9aa118 ExitProcess
0x9aa120 DuplicateHandle
0x9aa128 CreateWaitableTimerExW
0x9aa130 CreateThread
0x9aa138 CreateIoCompletionPort
0x9aa140 CreateFileA
0x9aa148 CreateEventA
0x9aa150 CloseHandle
0x9aa158 AddVectoredExceptionHandler
EAT(Export Address Table) is none