ScreenShot
| Created | 2021.09.28 14:05 | Machine | s1_win7_x6402 |
| Filename | build2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 52 detected (AIDetect, malware1, Malicious, high confidence, Stop, GenericKD, Unsafe, Save, ZexaF, Su0@aq0MEFfO, Kryptik, Eldorado, Attribute, HighConfidence, HMOS, score, Glupteba, CLASSIC, Emotet, Static AI, Malicious PE, MalwareCrypter, hcfyl, ai score=81, kcloud, MalPE, R442437, Genetic, R03FC0DIR21, Gencirc, GenKryptik, VMFuG5CeYcg, HMOO, PWSX, confidence) | ||
| md5 | 7c48019f424bbd08de9d0c7d66e0ea7c | ||
| sha256 | 33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c | ||
| ssdeep | 12288:cncY5ozinnbUiFGMWR9wWmrJdLI05xzFlcNQyVp9uGjOL6N3nd:QozYbhW5mrzk05xzFlcRjuzc3d | ||
| imphash | f74a0f3da1e112835a6ac32552c0a4d2 | ||
| impfuzzy | 48:tXdDjODy96d20oqQvFXYGTOa1aftfV8hK9RKArX:tXg02RjQvFXYCvcftfV8hQRKArX | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | memory |
| warning | infoStealer_browser_Zero | browser info stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Win_Trojan_agentTesla_Zero | Win.Trojan.agentTesla | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41a000 SetThreadContext
0x41a004 SetLocalTime
0x41a008 GetConsoleAliasExesLengthA
0x41a00c InterlockedIncrement
0x41a010 GetQueuedCompletionStatus
0x41a014 UnlockFile
0x41a018 SetEvent
0x41a01c CallNamedPipeW
0x41a020 FreeEnvironmentStringsA
0x41a024 GetModuleHandleW
0x41a028 CreateNamedPipeW
0x41a02c GetConsoleAliasesLengthA
0x41a030 SetCommState
0x41a034 GetCommandLineA
0x41a038 GetPrivateProfileIntA
0x41a03c GetSystemDirectoryW
0x41a040 HeapDestroy
0x41a044 CreateSemaphoreA
0x41a048 TerminateProcess
0x41a04c FileTimeToSystemTime
0x41a050 lstrlenW
0x41a054 LCMapStringA
0x41a058 InterlockedExchange
0x41a05c GetStartupInfoA
0x41a060 FreeLibraryAndExitThread
0x41a064 OpenMutexW
0x41a068 GetLastError
0x41a06c GetCurrentDirectoryW
0x41a070 GetThreadLocale
0x41a074 GetProcAddress
0x41a078 SetStdHandle
0x41a07c EnterCriticalSection
0x41a080 LoadLibraryA
0x41a084 LocalAlloc
0x41a088 WritePrivateProfileStringA
0x41a08c GetNumberFormatW
0x41a090 GetProfileStringA
0x41a094 SetThreadIdealProcessor
0x41a098 HeapWalk
0x41a09c FindAtomA
0x41a0a0 GlobalWire
0x41a0a4 GetModuleFileNameA
0x41a0a8 FindFirstChangeNotificationA
0x41a0ac FreeEnvironmentStringsW
0x41a0b0 FindNextFileW
0x41a0b4 WriteProfileStringW
0x41a0b8 GetCPInfoExA
0x41a0bc SetFileShortNameA
0x41a0c0 TlsAlloc
0x41a0c4 EnumResourceLanguagesW
0x41a0c8 GetSystemTime
0x41a0cc CopyFileExA
0x41a0d0 DeleteFileA
0x41a0d4 GetVolumeInformationW
0x41a0d8 FlushFileBuffers
0x41a0dc CloseHandle
0x41a0e0 MoveFileA
0x41a0e4 EncodePointer
0x41a0e8 DecodePointer
0x41a0ec HeapSetInformation
0x41a0f0 GetStartupInfoW
0x41a0f4 InterlockedDecrement
0x41a0f8 ExitProcess
0x41a0fc HeapValidate
0x41a100 IsBadReadPtr
0x41a104 GetCurrentProcess
0x41a108 UnhandledExceptionFilter
0x41a10c SetUnhandledExceptionFilter
0x41a110 IsDebuggerPresent
0x41a114 GetModuleFileNameW
0x41a118 QueryPerformanceCounter
0x41a11c GetTickCount
0x41a120 GetCurrentThreadId
0x41a124 GetCurrentProcessId
0x41a128 GetSystemTimeAsFileTime
0x41a12c WideCharToMultiByte
0x41a130 GetEnvironmentStringsW
0x41a134 SetHandleCount
0x41a138 GetStdHandle
0x41a13c InitializeCriticalSectionAndSpinCount
0x41a140 GetFileType
0x41a144 DeleteCriticalSection
0x41a148 TlsGetValue
0x41a14c TlsSetValue
0x41a150 TlsFree
0x41a154 SetLastError
0x41a158 HeapCreate
0x41a15c WriteFile
0x41a160 GetACP
0x41a164 GetOEMCP
0x41a168 GetCPInfo
0x41a16c IsValidCodePage
0x41a170 LeaveCriticalSection
0x41a174 LoadLibraryW
0x41a178 RtlUnwind
0x41a17c HeapAlloc
0x41a180 HeapReAlloc
0x41a184 HeapSize
0x41a188 HeapQueryInformation
0x41a18c HeapFree
0x41a190 SetFilePointer
0x41a194 GetConsoleCP
0x41a198 GetConsoleMode
0x41a19c OutputDebugStringA
0x41a1a0 WriteConsoleW
0x41a1a4 OutputDebugStringW
0x41a1a8 MultiByteToWideChar
0x41a1ac IsProcessorFeaturePresent
0x41a1b0 LCMapStringW
0x41a1b4 GetStringTypeW
0x41a1b8 CreateFileW
0x41a1bc RaiseException
WINHTTP.dll
0x41a1c4 WinHttpOpen
EAT(Export Address Table) is none
KERNEL32.dll
0x41a000 SetThreadContext
0x41a004 SetLocalTime
0x41a008 GetConsoleAliasExesLengthA
0x41a00c InterlockedIncrement
0x41a010 GetQueuedCompletionStatus
0x41a014 UnlockFile
0x41a018 SetEvent
0x41a01c CallNamedPipeW
0x41a020 FreeEnvironmentStringsA
0x41a024 GetModuleHandleW
0x41a028 CreateNamedPipeW
0x41a02c GetConsoleAliasesLengthA
0x41a030 SetCommState
0x41a034 GetCommandLineA
0x41a038 GetPrivateProfileIntA
0x41a03c GetSystemDirectoryW
0x41a040 HeapDestroy
0x41a044 CreateSemaphoreA
0x41a048 TerminateProcess
0x41a04c FileTimeToSystemTime
0x41a050 lstrlenW
0x41a054 LCMapStringA
0x41a058 InterlockedExchange
0x41a05c GetStartupInfoA
0x41a060 FreeLibraryAndExitThread
0x41a064 OpenMutexW
0x41a068 GetLastError
0x41a06c GetCurrentDirectoryW
0x41a070 GetThreadLocale
0x41a074 GetProcAddress
0x41a078 SetStdHandle
0x41a07c EnterCriticalSection
0x41a080 LoadLibraryA
0x41a084 LocalAlloc
0x41a088 WritePrivateProfileStringA
0x41a08c GetNumberFormatW
0x41a090 GetProfileStringA
0x41a094 SetThreadIdealProcessor
0x41a098 HeapWalk
0x41a09c FindAtomA
0x41a0a0 GlobalWire
0x41a0a4 GetModuleFileNameA
0x41a0a8 FindFirstChangeNotificationA
0x41a0ac FreeEnvironmentStringsW
0x41a0b0 FindNextFileW
0x41a0b4 WriteProfileStringW
0x41a0b8 GetCPInfoExA
0x41a0bc SetFileShortNameA
0x41a0c0 TlsAlloc
0x41a0c4 EnumResourceLanguagesW
0x41a0c8 GetSystemTime
0x41a0cc CopyFileExA
0x41a0d0 DeleteFileA
0x41a0d4 GetVolumeInformationW
0x41a0d8 FlushFileBuffers
0x41a0dc CloseHandle
0x41a0e0 MoveFileA
0x41a0e4 EncodePointer
0x41a0e8 DecodePointer
0x41a0ec HeapSetInformation
0x41a0f0 GetStartupInfoW
0x41a0f4 InterlockedDecrement
0x41a0f8 ExitProcess
0x41a0fc HeapValidate
0x41a100 IsBadReadPtr
0x41a104 GetCurrentProcess
0x41a108 UnhandledExceptionFilter
0x41a10c SetUnhandledExceptionFilter
0x41a110 IsDebuggerPresent
0x41a114 GetModuleFileNameW
0x41a118 QueryPerformanceCounter
0x41a11c GetTickCount
0x41a120 GetCurrentThreadId
0x41a124 GetCurrentProcessId
0x41a128 GetSystemTimeAsFileTime
0x41a12c WideCharToMultiByte
0x41a130 GetEnvironmentStringsW
0x41a134 SetHandleCount
0x41a138 GetStdHandle
0x41a13c InitializeCriticalSectionAndSpinCount
0x41a140 GetFileType
0x41a144 DeleteCriticalSection
0x41a148 TlsGetValue
0x41a14c TlsSetValue
0x41a150 TlsFree
0x41a154 SetLastError
0x41a158 HeapCreate
0x41a15c WriteFile
0x41a160 GetACP
0x41a164 GetOEMCP
0x41a168 GetCPInfo
0x41a16c IsValidCodePage
0x41a170 LeaveCriticalSection
0x41a174 LoadLibraryW
0x41a178 RtlUnwind
0x41a17c HeapAlloc
0x41a180 HeapReAlloc
0x41a184 HeapSize
0x41a188 HeapQueryInformation
0x41a18c HeapFree
0x41a190 SetFilePointer
0x41a194 GetConsoleCP
0x41a198 GetConsoleMode
0x41a19c OutputDebugStringA
0x41a1a0 WriteConsoleW
0x41a1a4 OutputDebugStringW
0x41a1a8 MultiByteToWideChar
0x41a1ac IsProcessorFeaturePresent
0x41a1b0 LCMapStringW
0x41a1b4 GetStringTypeW
0x41a1b8 CreateFileW
0x41a1bc RaiseException
WINHTTP.dll
0x41a1c4 WinHttpOpen
EAT(Export Address Table) is none