Field | Value |
---|---|
Created | 2021.09.09 09:05 |
Machine | s1_win7_x6402 |
Filename | 3_Microsoft.Windows.ApplicationServer.Applications.dll.dll |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 13 detected (malicious, high confidence, Save, confidence, 100%, score, Convagent, Generic@ML, RDML, F4ELmI1ck5NF4bKb, PiY4Q, Static AI, Suspicious PE, ZedlaF, lu8@amndmUci, Dridex) |
md5 | eba153737466deaebf551beb08a4640a |
sha256 | ee9006cbed4924db9f62ec7b204bd5bf3f9d976475197e3b5208e12f5fab87c7 |
ssdeep | 3072:/7o4aQnV+A43RKz2f8OWa28/xB441a97hrtJ2EnP8fQ9ixQLY8u:YQn5z2f8OWv+i4C7drjEfQ9U |
imphash | 440029c87a6254cbbbbf105c864ab69a |
impfuzzy | 12:rDs2iZWLJEYUF1G2stAjryRLYitBewf5pvpSoI/:/isEYUbG2MHewRdpSh |
Network IP location
Signatures (5)
Level | Description |
---|---|
watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
watch | Tries to unhook Windows functions monitored by Cuckoo |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
Rules (4)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) by library
ESENT.dll
0x10008010 JetEndSession
SETUPAPI.dll
0x10008064 SetupLogErrorW
msvcrt.dll
0x10008094 iswlower
MPRAPI.dll
0x10008048 MprAdminGetErrorString
KERNEL32.dll
0x10008020 WriteFile
0x10008024 EndUpdateResourceA
0x10008028 VirtualFree
0x1000802c DebugBreak
0x10008030 GetTempPathA
0x10008034 SetDefaultCommConfigA
0x10008038 TransactNamedPipe
0x1000803c GetModuleFileNameW
0x10008040 GetModuleHandleA
WINTRUST.dll
0x1000808c CryptSIPCreateIndirectData
OLEAUT32.dll
0x10008050 BSTR_UserFree
0x10008054 VarUdateFromDate
SHLWAPI.dll
0x1000806c ChrCmpIA
0x10008070 StrCmpNW
GDI32.dll
0x10008018 StretchBlt
ADVAPI32.dll
0x10008000 FreeSid
0x10008004 RegLoadAppKeyA
0x10008008 CreateServiceA
RASAPI32.dll
0x1000805c RasDeleteEntryW
USER32.dll
0x10008078 ShowOwnedPopups
0x1000807c ImpersonateDdeClientWindow
WINMM.dll
0x10008084 waveOutGetNumDevs
EAT (Export Address Table)
0x10028206 QwmdpoyyNooldenntdef