Field | Value |
---|---|
Created | 2021.09.17 10:54 |
Machine | s1_win7_x6401 |
Filename | 3_Microsoft.Office.Infopath.Client.Internal.Host.dll.dll |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 26 detected (malicious, high confidence, Zusy, Drixed, Unsafe, Save, confidence, ZedlaF, lu8@aeJAEjbi, Kryptik, HMKB, Cridex, Generic@ML, RDML, RGHExegSxU, 10ovqOPq2tA, Static AI, Malicious PE, ai score=85, Wacatac, score, Dridex, GdSda) |
md5 | 1e057c393a8684cd569ad803edb08980 |
sha256 | 897e25637fa64cdea321686e18d77dfeb63704bd2036e7d187b73f2ad218bba7 |
ssdeep | 3072:/pGV8NX/ggu2n5z6308/H6zHENt5+ojP8LhaICmrG746ic:/gl2nc/gW+wPUhaIl6 |
imphash | e2d6c63bd1fc98c4582f60ca16347983 |
impfuzzy | 12:DU6wFBlaP375F1G2cupWHdjryRfdpvoNp6i/4r0:AFBs5bG2cuskfdMpQY |
Signature (5cnts)
Level | Description |
---|---|
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | Tries to unhook Windows functions monitored by Cuckoo |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
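What the two notice-level signatures above actually measure, as an added Python illustration that is neither this sandbox's output nor Cuckoo's own signature code: a check for read-write-execute memory requests over constructed API-call records, and the byte-entropy measure behind the "encrypted or compressed data" heuristic applied to constructed section contents. The record layout, the section bytes and the 6.8 entropy threshold are assumptions made for this example.

```python
import math

# Constructed behaviour records in the shape of a sandbox API-call log (not taken
# from the report above): the API name plus the arguments that matter here.
SAMPLE_CALLS = [
    {"api": "NtAllocateVirtualMemory", "arguments": {"protection": 0x04, "region_size": 0x1000}},
    {"api": "NtAllocateVirtualMemory", "arguments": {"protection": 0x40, "region_size": 0x20000}},
    {"api": "NtProtectVirtualMemory", "arguments": {"protection": 0x20, "region_size": 0x1000}},
    {"api": "NtProtectVirtualMemory", "arguments": {"protection": 0x40, "region_size": 0x400}},
    {"api": "WriteFile", "arguments": {"length": 12}},
]

# Constructed section contents: a repeating x86 prologue standing in for .text,
# and a buffer in which every byte value occurs equally often, as an encrypted
# blob would look.
SAMPLE_SECTIONS = [
    (".text", b"\x55\x8b\xec\x83\xec\x10\xc3" * 64),
    (".rsrc", bytes(range(256)) * 4),
]

PAGE_EXECUTE_READWRITE = 0x40  # winnt.h; the only base protection with bit 0x40 set
MEMORY_APIS = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory",
               "VirtualAlloc", "VirtualProtect"}


def rwx_requests(calls):
    """Calls that allocate or re-protect memory as read-write-execute.
    A loader that decrypts its payload in place needs a page it can both
    write and jump into, so one RWX request is enough to raise the notice."""
    return [c for c in calls
            if c["api"] in MEMORY_APIS
            and c["arguments"].get("protection", 0) & PAGE_EXECUTE_READWRITE]


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 when all 256 byte values
    are equally frequent. Compressed or encrypted data sits near 8; machine
    code and text sit well below it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packed_sections(sections, threshold=6.8):
    """Names of the sections whose entropy exceeds the threshold. The 6.8 cutoff
    is an assumption for this example; calibrate it on known-clean binaries
    before relying on it."""
    return [name for name, data in sections if shannon_entropy(data) > threshold]


if __name__ == "__main__":
    for c in rwx_requests(SAMPLE_CALLS):
        print("RWX request:", c["api"], hex(c["arguments"]["region_size"]))
    for name, data in SAMPLE_SECTIONS:
        print(f"{name}: entropy {shannon_entropy(data):.2f}")
    print("likely packed:", packed_sections(SAMPLE_SECTIONS))
```

Both checks are heuristics: JIT compilers and some protectors also request RWX pages, and high-entropy resources (images, certificates) inflate section entropy, which is why the sandbox reports these at notice level rather than as a verdict.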
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
No request, country, ASN, IPv4, rule or ZERO-rule rows were recorded during the run, and no Suricata IDS alerts are listed. Given the process crash and the attempt to unhook monitored functions in the signature list, read this as an incomplete run rather than as evidence that the sample has no network stage.
PE API
IAT (Import Address Table) Library
GDI32.dll
0x10008018 StretchBlt
msvcrt.dll
0x10008094 memset
0x10008098 iswlower
ADVAPI32.dll
0x10008000 RegLoadAppKeyA
0x10008004 CreateServiceA
0x10008008 FreeSid
SETUPAPI.dll
0x10008064 SetupLogErrorW
KERNEL32.dll
0x10008020 GetModuleHandleA
0x10008024 GetModuleFileNameW
0x10008028 EndUpdateResourceA
0x1000802c WriteFile
0x10008030 TransactNamedPipe
0x10008034 DebugBreak
0x10008038 SetDefaultCommConfigA
0x1000803c GetTempPathA
0x10008040 VirtualFree
MPRAPI.dll
0x10008048 MprAdminGetErrorString
OLEAUT32.dll
0x10008050 BSTR_UserFree
0x10008054 VarUdateFromDate
RASAPI32.dll
0x1000805c RasDeleteEntryW
USER32.dll
0x10008078 ImpersonateDdeClientWindow
0x1000807c ShowOwnedPopups
WINTRUST.dll
0x1000808c CryptSIPCreateIndirectData
SHLWAPI.dll
0x1000806c StrCmpNW
0x10008070 ChrCmpIA
WINMM.dll
0x10008084 waveOutGetNumDevs
ESENT.dll
0x10008010 JetEndSession
EAT (Export Address Table) Library
0x100280b6 QwmdpoyyNooldenntdef
The single export has a random-looking name, and the imports above span unrelated subsystems (GDI, ESENT, RAS, WinMM, WinTrust, registry and service control) with no coherent purpose between them; together with the RWX-allocation and packer notices this is consistent with a loader that resolves its real imports at run time after unpacking.
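How the imphash in the header is derived from an import table like the one above, as an added Python example that is not part of this report or of any analysis tool: the listing is parsed as copied from the IAT section, the thunks are put back into IAT-address order, the per-DLL runs are checked for the one null pointer that terminates each run in a 32-bit IAT, and the pefile-style normalised string (lower case, `.dll` stripped, `dll.func` joined by commas) is hashed with MD5. The assumption is that this address order equals the import-descriptor order pefile walks; see the note after the code.

```python
import hashlib
import re

# IAT section of the report, copied as it appears (one DLL heading, then its thunk lines).
IAT_LISTING = """\
GDI32.dll
0x10008018 StretchBlt
msvcrt.dll
0x10008094 memset
0x10008098 iswlower
ADVAPI32.dll
0x10008000 RegLoadAppKeyA
0x10008004 CreateServiceA
0x10008008 FreeSid
SETUPAPI.dll
0x10008064 SetupLogErrorW
KERNEL32.dll
0x10008020 GetModuleHandleA
0x10008024 GetModuleFileNameW
0x10008028 EndUpdateResourceA
0x1000802c WriteFile
0x10008030 TransactNamedPipe
0x10008034 DebugBreak
0x10008038 SetDefaultCommConfigA
0x1000803c GetTempPathA
0x10008040 VirtualFree
MPRAPI.dll
0x10008048 MprAdminGetErrorString
OLEAUT32.dll
0x10008050 BSTR_UserFree
0x10008054 VarUdateFromDate
RASAPI32.dll
0x1000805c RasDeleteEntryW
USER32.dll
0x10008078 ImpersonateDdeClientWindow
0x1000807c ShowOwnedPopups
WINTRUST.dll
0x1000808c CryptSIPCreateIndirectData
SHLWAPI.dll
0x1000806c StrCmpNW
0x10008070 ChrCmpIA
WINMM.dll
0x10008084 waveOutGetNumDevs
ESENT.dll
0x10008010 JetEndSession
"""

ENTRY_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+(\S+)$")


def parse_iat(text):
    """Return (iat_address, dll, function) for each thunk line under its DLL heading."""
    entries, dll = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m and dll:
            entries.append((int(m.group(1), 16), dll, m.group(2)))
        elif line.lower().endswith(".dll"):
            dll = line
    return entries


def thunk_order(entries):
    """Sort by IAT address: the order the thunk table is laid out in the file."""
    return sorted(entries)


def iat_is_contiguous(entries, ptr_size=4):
    """True if each DLL's thunks form one run and consecutive runs are separated
    by exactly one zero pointer (the per-DLL terminator of a 32-bit IAT)."""
    prev_addr, prev_dll = None, None
    for addr, dll, _ in thunk_order(entries):
        if prev_addr is not None:
            step = ptr_size if dll == prev_dll else 2 * ptr_size
            if addr != prev_addr + step:
                return False
        prev_addr, prev_dll = addr, dll
    return True


def imphash_string(entries):
    """pefile-style normalisation. Imports by ordinal (none here) would appear
    as 'ordNNN' in place of the function name."""
    parts = []
    for _, dll, func in thunk_order(entries):
        name = dll.lower()
        if name.endswith((".dll", ".ocx", ".sys")):
            name = name[:-4]
        parts.append(f"{name}.{func.lower()}")
    return ",".join(parts)


def imphash(entries):
    return hashlib.md5(imphash_string(entries).encode()).hexdigest()


if __name__ == "__main__":
    ents = parse_iat(IAT_LISTING)
    print(len(ents), "imports; contiguous IAT:", iat_is_contiguous(ents))
    print(imphash_string(ents))
    print("candidate:", imphash(ents), "report:", "e2d6c63bd1fc98c4582f60ca16347983")
```

The addresses reconstruct the import order cleanly: every DLL's thunks are consecutive and each run ends 8 bytes before the next begins, i.e. one 4-byte null terminator. If the printed candidate matches the report's imphash, the descriptor order is the same as this layout; if it does not, the descriptors are ordered differently from the IAT, and the authoritative value is `pefile.PE(path).get_imphash()` run on the sample itself. Either way the scattered, mutually unrelated imports mean the imphash clusters only samples built by the same generator, not the unpacked payload.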