| Field | Value |
|---|---|
| Created | 2021.09.23 08:57 |
| Machine | s1_win7_x6402 |
| Filename | toolspab2.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | |
| md5 | b17b3e448ea6c4904e9bb92ffb544d5e |
| sha256 | 71fd73396d9fc7c010183f0881742828a3d8306391b93c950c658c4bc3c13f08 |
| ssdeep | 3072:+0dBHqG2d1RRt+oWGoytUw/5eIcr93NexX:jk/vt+xnyb0px3Q |
| imphash | b423274974f58a1d1a63a5242c6dcf99 |
| impfuzzy | 24:Qd4BrjrZWbOov26dv8e5DoYYvmur5rAKG1tD2wA+yvEFQh/J3vT42l9wjMynNp1G:ldZWqfUDYOIr3G1tSPH5vc2enhG |
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
| Request | CC | ASN Co | IP4 | Rule | ZERO |
|---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x418008 GetLocaleInfoA
0x41800c LoadResource
0x418010 EndUpdateResourceW
0x418014 InterlockedDecrement
0x418018 GlobalSize
0x41801c GetEnvironmentStringsW
0x418020 WaitForSingleObject
0x418024 SetEvent
0x418028 GetSystemDefaultLCID
0x41802c ReadConsoleW
0x418030 FindActCtxSectionStringA
0x418034 GetCommandLineA
0x418038 GlobalAlloc
0x41803c LeaveCriticalSection
0x418040 GetModuleFileNameW
0x418044 GetDevicePowerState
0x418048 ReleaseSemaphore
0x41804c GetConsoleOutputCP
0x418050 GetProcAddress
0x418054 VerLanguageNameA
0x418058 EnterCriticalSection
0x41805c WriteConsoleA
0x418060 GetProcessId
0x418064 LockResource
0x418068 BeginUpdateResourceA
0x41806c GlobalGetAtomNameW
0x418070 SetSystemTime
0x418074 EnumResourceTypesW
0x418078 GetModuleFileNameA
0x41807c GetModuleHandleA
0x418080 EraseTape
0x418084 FindFirstVolumeW
0x418088 AddConsoleAliasA
0x41808c lstrcpyA
0x418090 GetSystemDefaultLangID
0x418094 HeapAlloc
0x418098 GetLastError
0x41809c HeapReAlloc
0x4180a0 GetStartupInfoA
0x4180a4 RaiseException
0x4180a8 RtlUnwind
0x4180ac TerminateProcess
0x4180b0 GetCurrentProcess
0x4180b4 UnhandledExceptionFilter
0x4180b8 SetUnhandledExceptionFilter
0x4180bc IsDebuggerPresent
0x4180c0 HeapFree
0x4180c4 DeleteCriticalSection
0x4180c8 VirtualFree
0x4180cc VirtualAlloc
0x4180d0 HeapCreate
0x4180d4 GetModuleHandleW
0x4180d8 Sleep
0x4180dc ExitProcess
0x4180e0 WriteFile
0x4180e4 GetStdHandle
0x4180e8 SetHandleCount
0x4180ec GetFileType
0x4180f0 SetFilePointer
0x4180f4 FreeEnvironmentStringsA
0x4180f8 GetEnvironmentStrings
0x4180fc FreeEnvironmentStringsW
0x418100 WideCharToMultiByte
0x418104 TlsGetValue
0x418108 TlsAlloc
0x41810c TlsSetValue
0x418110 TlsFree
0x418114 InterlockedIncrement
0x418118 SetLastError
0x41811c GetCurrentThreadId
0x418120 QueryPerformanceCounter
0x418124 GetTickCount
0x418128 GetCurrentProcessId
0x41812c GetSystemTimeAsFileTime
0x418130 InitializeCriticalSectionAndSpinCount
0x418134 LoadLibraryA
0x418138 SetStdHandle
0x41813c GetConsoleCP
0x418140 GetConsoleMode
0x418144 FlushFileBuffers
0x418148 HeapSize
0x41814c GetCPInfo
0x418150 GetACP
0x418154 GetOEMCP
0x418158 IsValidCodePage
0x41815c WriteConsoleW
0x418160 MultiByteToWideChar
0x418164 LCMapStringA
0x418168 LCMapStringW
0x41816c GetStringTypeA
0x418170 GetStringTypeW
0x418174 CloseHandle
0x418178 CreateFileA
USER32.dll
0x418180 RealChildWindowFromPoint
GDI32.dll
0x418000 GetCharWidth32A
EAT(Export Address Table) is none