Field | Value |
---|---|
Created | 2021.09.10 09:14 |
Machine | s1_win7_x6401 |
Filename | InterviewScheduler.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 10 detected (Malicious, Cobalt, BCVC, VirRansom, Static AI, Suspicious PE, Shelma, Wovdnut, Artemis) |
md5 | ee8c3bbddd0f11aed64ca4d3ae167da8 |
sha256 | f252243ed9e0e86aaf137f82cc23c917f46281a351ea24e1aaaf707a3d9bf044 |
ssdeep | 98304:vIdNFT0Yzjn1rguP3a/as75drcskdGfJS50Y1Qa:veNFT08n1G/9ATWa |
imphash | 93a138801d9601e4c36e6274c8b9d111 |
impfuzzy | 24:UbVjhNwO+VuTnvYzoLtXOr6kwmDruMztir6UP:KwO+VIc+XOmG8nP |
Signature (5cnts)
Level | Description |
---|---|
watch | Detects the presence of Wine emulator |
watch | File has been identified by 10 AntiVirus engines on VirusTotal as malicious |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x5a1020 WriteFile
0x5a1028 WriteConsoleW
0x5a1030 WaitForMultipleObjects
0x5a1038 WaitForSingleObject
0x5a1040 VirtualQuery
0x5a1048 VirtualFree
0x5a1050 VirtualAlloc
0x5a1058 SwitchToThread
0x5a1060 SuspendThread
0x5a1068 SetWaitableTimer
0x5a1070 SetUnhandledExceptionFilter
0x5a1078 SetProcessPriorityBoost
0x5a1080 SetEvent
0x5a1088 SetErrorMode
0x5a1090 SetConsoleCtrlHandler
0x5a1098 ResumeThread
0x5a10a0 QueryFullProcessImageNameA
0x5a10a8 ProcessIdToSessionId
0x5a10b0 PostQueuedCompletionStatus
0x5a10b8 OpenProcess
0x5a10c0 LoadLibraryA
0x5a10c8 LoadLibraryW
0x5a10d0 SetThreadContext
0x5a10d8 GetThreadContext
0x5a10e0 GetSystemInfo
0x5a10e8 GetSystemDirectoryA
0x5a10f0 GetStdHandle
0x5a10f8 GetQueuedCompletionStatusEx
0x5a1100 GetProcessAffinityMask
0x5a1108 GetProcAddress
0x5a1110 GetEnvironmentStringsW
0x5a1118 GetConsoleMode
0x5a1120 FreeEnvironmentStringsW
0x5a1128 ExitProcess
0x5a1130 DuplicateHandle
0x5a1138 CreateThread
0x5a1140 CreateIoCompletionPort
0x5a1148 CreateEventA
0x5a1150 CloseHandle
0x5a1158 AddVectoredExceptionHandler
EAT(Export Address Table) is none