Field | Value |
---|---|
Created | 2021.09.10 09:14 |
Machine | s1_win7_x6402 |
Filename | falsh%20update!.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
ZERO API | file : malware |
VT API (file) | 8 detected (Malicious, score, MdeClass, Artemis) |
md5 | 8562340b6ba907f77a6beb7b3a297fd5 |
sha256 | e51fac7b628d87ce19590c1915ecf3ab3d678fd1ccdf2b94ff80991bf1f9718c |
ssdeep | 24576:s6ZpTAzGUh6cXIbEhZKjMbWIENTvVb4oQ:s6sSUhUEhZKgbsN7SZ |
imphash | 8e158cd264227930367fac7e3fb1cb2d |
impfuzzy | 96:Y7QTplRy4GuGmqzKcpVvVgzVOEpnQ4Btqfbd:lpS86z/ScHbd |
Signatures (10)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
notice | A process created a hidden window |
notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
notice | Foreign language identified in PE resource |
notice | Starts servers listening |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (5)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
PE API
IAT (Import Address Table) Library
WS2_32.dll
0x14008d578 send
0x14008d580 recv
0x14008d588 WSAEventSelect
0x14008d590 WSAGetLastError
0x14008d598 ind
0x14008d5a0 ntohl
0x14008d5a8 gethostname
0x14008d5b0 sendto
0x14008d5b8 recvfrom
0x14008d5c0 closesocket
0x14008d5c8 WSAEnumNetworkEvents
0x14008d5d0 WSACreateEvent
0x14008d5d8 WSACloseEvent
0x14008d5e0 freeaddrinfo
0x14008d5e8 getaddrinfo
0x14008d5f0 select
0x14008d5f8 __WSAFDIsSet
0x14008d600 ioctlsocket
0x14008d608 listen
0x14008d610 htonl
0x14008d618 accept
0x14008d620 WSACleanup
0x14008d628 WSAStartup
0x14008d630 WSAIoctl
0x14008d638 WSASetLastError
0x14008d640 socket
0x14008d648 setsockopt
0x14008d650 ntohs
0x14008d658 htons
0x14008d660 getsockopt
0x14008d668 getsockname
0x14008d670 getpeername
0x14008d678 connect
WLDAP32.dll
0x14008d4e0 None
0x14008d4e8 None
0x14008d4f0 None
0x14008d4f8 None
0x14008d500 None
0x14008d508 None
0x14008d510 None
0x14008d518 None
0x14008d520 None
0x14008d528 None
0x14008d530 None
0x14008d538 None
0x14008d540 None
0x14008d548 None
0x14008d550 None
0x14008d558 None
0x14008d560 None
0x14008d568 None
CRYPT32.dll
0x14008d058 CertFreeCertificateChain
0x14008d060 CertGetCertificateChain
0x14008d068 CertFreeCertificateChainEngine
0x14008d070 CertCreateCertificateChainEngine
0x14008d078 CryptQueryObject
0x14008d080 CertGetNameStringW
0x14008d088 CertFindExtension
0x14008d090 CertAddCertificateContextToStore
0x14008d098 CryptDecodeObjectEx
0x14008d0a0 PFXImportCertStore
0x14008d0a8 CryptStringToBinaryW
0x14008d0b0 CertFreeCertificateContext
0x14008d0b8 CertFindCertificateInStore
0x14008d0c0 CertEnumCertificatesInStore
0x14008d0c8 CertCloseStore
0x14008d0d0 CertOpenStore
KERNEL32.dll
0x14008d0e0 HeapFree
0x14008d0e8 HeapAlloc
0x14008d0f0 GetConsoleOutputCP
0x14008d0f8 ReadConsoleW
0x14008d100 GetConsoleMode
0x14008d108 WriteFile
0x14008d110 FreeLibraryAndExitThread
0x14008d118 ExitThread
0x14008d120 CreateThread
0x14008d128 FileTimeToSystemTime
0x14008d130 SystemTimeToTzSpecificLocalTime
0x14008d138 GetDriveTypeW
0x14008d140 GetModuleHandleExW
0x14008d148 LoadLibraryExW
0x14008d150 TlsFree
0x14008d158 TlsSetValue
0x14008d160 TlsGetValue
0x14008d168 TlsAlloc
0x14008d170 InitializeCriticalSectionAndSpinCount
0x14008d178 RaiseException
0x14008d180 RtlPcToFileHeader
0x14008d188 RtlUnwindEx
0x14008d190 GetDateFormatW
0x14008d198 GetTimeFormatW
0x14008d1a0 CompareStringW
0x14008d1a8 LCMapStringW
0x14008d1b0 GetLocaleInfoW
0x14008d1b8 IsValidLocale
0x14008d1c0 GetUserDefaultLCID
0x14008d1c8 EnumSystemLocalesW
0x14008d1d0 FlushFileBuffers
0x14008d1d8 HeapReAlloc
0x14008d1e0 SetStdHandle
0x14008d1e8 GetTimeZoneInformation
0x14008d1f0 IsValidCodePage
0x14008d1f8 GetACP
0x14008d200 GetOEMCP
0x14008d208 GetShortPathNameW
0x14008d210 GetModuleFileNameW
0x14008d218 GetEnvironmentVariableW
0x14008d220 LoadLibraryA
0x14008d228 lstrcatW
0x14008d230 GetProcAddress
0x14008d238 ExitProcess
0x14008d240 lstrcpyW
0x14008d248 GetLastError
0x14008d250 SetLastError
0x14008d258 FormatMessageW
0x14008d260 EnterCriticalSection
0x14008d268 LeaveCriticalSection
0x14008d270 InitializeCriticalSectionEx
0x14008d278 DeleteCriticalSection
0x14008d280 SleepEx
0x14008d288 QueryPerformanceFrequency
0x14008d290 GetSystemDirectoryW
0x14008d298 FreeLibrary
0x14008d2a0 GetModuleHandleW
0x14008d2a8 LoadLibraryW
0x14008d2b0 QueryPerformanceCounter
0x14008d2b8 GetTickCount
0x14008d2c0 Sleep
0x14008d2c8 MultiByteToWideChar
0x14008d2d0 WideCharToMultiByte
0x14008d2d8 MoveFileExW
0x14008d2e0 CloseHandle
0x14008d2e8 WaitForSingleObjectEx
0x14008d2f0 GetEnvironmentVariableA
0x14008d2f8 GetStdHandle
0x14008d300 GetFileType
0x14008d308 ReadFile
0x14008d310 PeekNamedPipe
0x14008d318 WaitForMultipleObjects
0x14008d320 VerSetConditionMask
0x14008d328 VerifyVersionInfoW
0x14008d330 CreateFileW
0x14008d338 GetFileSizeEx
0x14008d340 InitializeSListHead
0x14008d348 GetCommandLineA
0x14008d350 GetCommandLineW
0x14008d358 GetEnvironmentStringsW
0x14008d360 FreeEnvironmentStringsW
0x14008d368 SetEnvironmentVariableW
0x14008d370 GetProcessHeap
0x14008d378 DeleteFileW
0x14008d380 HeapSize
0x14008d388 WriteConsoleW
0x14008d390 FindClose
0x14008d398 GetCurrentProcessId
0x14008d3a0 GetStartupInfoW
0x14008d3a8 IsDebuggerPresent
0x14008d3b0 IsProcessorFeaturePresent
0x14008d3b8 FormatMessageA
0x14008d3c0 GetCurrentDirectoryW
0x14008d3c8 CreateDirectoryW
0x14008d3d0 RtlUnwind
0x14008d3d8 FindFirstFileExW
0x14008d3e0 FindNextFileW
0x14008d3e8 GetFileAttributesExW
0x14008d3f0 GetFileInformationByHandle
0x14008d3f8 GetFullPathNameW
0x14008d400 SetEndOfFile
0x14008d408 SetFilePointerEx
0x14008d410 AreFileApisANSI
0x14008d418 DeviceIoControl
0x14008d420 CopyFileW
0x14008d428 CreateHardLinkW
0x14008d430 GetFileInformationByHandleEx
0x14008d438 CreateSymbolicLinkW
0x14008d440 LocalFree
0x14008d448 GetCurrentThreadId
0x14008d450 EncodePointer
0x14008d458 DecodePointer
0x14008d460 LCMapStringEx
0x14008d468 FlsAlloc
0x14008d470 FlsGetValue
0x14008d478 FlsSetValue
0x14008d480 FlsFree
0x14008d488 GetSystemTimeAsFileTime
0x14008d490 GetStringTypeW
0x14008d498 GetCPInfo
0x14008d4a0 RtlCaptureContext
0x14008d4a8 RtlLookupFunctionEntry
0x14008d4b0 RtlVirtualUnwind
0x14008d4b8 UnhandledExceptionFilter
0x14008d4c0 SetUnhandledExceptionFilter
0x14008d4c8 GetCurrentProcess
0x14008d4d0 TerminateProcess
ADVAPI32.dll
0x14008d000 CryptHashData
0x14008d008 CryptEncrypt
0x14008d010 CryptImportKey
0x14008d018 CryptDestroyKey
0x14008d020 CryptDestroyHash
0x14008d028 CryptAcquireContextW
0x14008d030 CryptCreateHash
0x14008d038 CryptGenRandom
0x14008d040 CryptGetHashParam
0x14008d048 CryptReleaseContext
ole32.dll
0x14008d688 CoUninitialize
0x14008d690 CoCreateInstance
0x14008d698 CoInitialize
EAT (Export Address Table): none