ScreenShot
| Created | 2021.09.30 09:34 | Machine | s1_win7_x6402 |
| Filename | toolspab2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 539cd7419efcd8142d20462511e931d3 | ||
| sha256 | 4ba939154ee9df1004629da3aee541a36eb4faabe421190ddbbbf1ccd195e03a | ||
| ssdeep | 3072:mJQdbhMYkPCgnnpTzaHWg7XqeF0w2Uyo4HXg819qtlEVFBTwAcERZKnL+DCH38ix:fdlsLnnNWHZXqaYQ89qmFBTw+Mym8i | ||
| imphash | a9e1103bbc08b87eea5d7311fb0b7c3e | ||
| impfuzzy | 48:UXODOH3xXyyd64FvOqz1PxtliavcPK9bcUrxYJ:UeU3xXNY4FvZVxtlvvcPQbcUrx4 | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41900c FreeLibrary
0x419010 InterlockedIncrement
0x419014 GetCommState
0x419018 GetProfileStringW
0x41901c CallNamedPipeW
0x419020 GetNumberFormatA
0x419024 GetCommandLineA
0x419028 FindResourceExA
0x41902c GlobalAlloc
0x419030 GetPrivateProfileIntA
0x419034 GetVolumeInformationA
0x419038 GetSystemWow64DirectoryW
0x41903c GetSystemWindowsDirectoryA
0x419040 HeapDestroy
0x419044 GetCompressedFileSizeA
0x419048 GetSystemDirectoryA
0x41904c CreateActCtxA
0x419050 GetBinaryTypeW
0x419054 WritePrivateProfileStringW
0x419058 LCMapStringA
0x41905c GetStartupInfoA
0x419060 SetThreadLocale
0x419064 GetStdHandle
0x419068 CopyFileExW
0x41906c GetLastError
0x419070 SetLastError
0x419074 GetProcAddress
0x419078 CreateNamedPipeA
0x41907c SearchPathA
0x419080 LoadLibraryA
0x419084 OpenMutexA
0x419088 CreateSemaphoreW
0x41908c FindAtomA
0x419090 SetSystemTime
0x419094 GetModuleFileNameA
0x419098 CreateIoCompletionPort
0x41909c FindFirstChangeNotificationA
0x4190a0 HeapSetInformation
0x4190a4 FreeEnvironmentStringsW
0x4190a8 FindNextFileW
0x4190ac GetCurrentDirectoryA
0x4190b0 SetFileShortNameA
0x4190b4 TerminateJobObject
0x4190b8 FindAtomW
0x4190bc UnregisterWaitEx
0x4190c0 DeleteFileA
0x4190c4 lstrlenA
0x4190c8 GetCPInfoExW
0x4190cc GetThreadContext
0x4190d0 CloseHandle
0x4190d4 CreateFileW
0x4190d8 WideCharToMultiByte
0x4190dc EncodePointer
0x4190e0 DecodePointer
0x4190e4 GetCommandLineW
0x4190e8 GetStartupInfoW
0x4190ec InterlockedDecrement
0x4190f0 GetModuleHandleW
0x4190f4 ExitProcess
0x4190f8 TerminateProcess
0x4190fc GetCurrentProcess
0x419100 UnhandledExceptionFilter
0x419104 SetUnhandledExceptionFilter
0x419108 IsDebuggerPresent
0x41910c GetModuleFileNameW
0x419110 WriteFile
0x419114 GetACP
0x419118 GetOEMCP
0x41911c GetCPInfo
0x419120 IsValidCodePage
0x419124 TlsAlloc
0x419128 TlsGetValue
0x41912c TlsSetValue
0x419130 GetCurrentThreadId
0x419134 TlsFree
0x419138 HeapValidate
0x41913c IsBadReadPtr
0x419140 QueryPerformanceCounter
0x419144 GetTickCount
0x419148 GetCurrentProcessId
0x41914c GetSystemTimeAsFileTime
0x419150 GetEnvironmentStringsW
0x419154 SetHandleCount
0x419158 InitializeCriticalSectionAndSpinCount
0x41915c GetFileType
0x419160 DeleteCriticalSection
0x419164 HeapCreate
0x419168 EnterCriticalSection
0x41916c LeaveCriticalSection
0x419170 LoadLibraryW
0x419174 IsProcessorFeaturePresent
0x419178 OutputDebugStringA
0x41917c WriteConsoleW
0x419180 OutputDebugStringW
0x419184 RtlUnwind
0x419188 LCMapStringW
0x41918c MultiByteToWideChar
0x419190 GetStringTypeW
0x419194 HeapAlloc
0x419198 HeapReAlloc
0x41919c HeapSize
0x4191a0 HeapQueryInformation
0x4191a4 HeapFree
0x4191a8 SetFilePointer
0x4191ac GetConsoleCP
0x4191b0 GetConsoleMode
0x4191b4 RaiseException
0x4191b8 SetStdHandle
0x4191bc FlushFileBuffers
ADVAPI32.dll
0x419000 InitiateSystemShutdownA
0x419004 AbortSystemShutdownA
WINHTTP.dll
0x4191c4 WinHttpOpen
EAT(Export Address Table) is none
KERNEL32.dll
0x41900c FreeLibrary
0x419010 InterlockedIncrement
0x419014 GetCommState
0x419018 GetProfileStringW
0x41901c CallNamedPipeW
0x419020 GetNumberFormatA
0x419024 GetCommandLineA
0x419028 FindResourceExA
0x41902c GlobalAlloc
0x419030 GetPrivateProfileIntA
0x419034 GetVolumeInformationA
0x419038 GetSystemWow64DirectoryW
0x41903c GetSystemWindowsDirectoryA
0x419040 HeapDestroy
0x419044 GetCompressedFileSizeA
0x419048 GetSystemDirectoryA
0x41904c CreateActCtxA
0x419050 GetBinaryTypeW
0x419054 WritePrivateProfileStringW
0x419058 LCMapStringA
0x41905c GetStartupInfoA
0x419060 SetThreadLocale
0x419064 GetStdHandle
0x419068 CopyFileExW
0x41906c GetLastError
0x419070 SetLastError
0x419074 GetProcAddress
0x419078 CreateNamedPipeA
0x41907c SearchPathA
0x419080 LoadLibraryA
0x419084 OpenMutexA
0x419088 CreateSemaphoreW
0x41908c FindAtomA
0x419090 SetSystemTime
0x419094 GetModuleFileNameA
0x419098 CreateIoCompletionPort
0x41909c FindFirstChangeNotificationA
0x4190a0 HeapSetInformation
0x4190a4 FreeEnvironmentStringsW
0x4190a8 FindNextFileW
0x4190ac GetCurrentDirectoryA
0x4190b0 SetFileShortNameA
0x4190b4 TerminateJobObject
0x4190b8 FindAtomW
0x4190bc UnregisterWaitEx
0x4190c0 DeleteFileA
0x4190c4 lstrlenA
0x4190c8 GetCPInfoExW
0x4190cc GetThreadContext
0x4190d0 CloseHandle
0x4190d4 CreateFileW
0x4190d8 WideCharToMultiByte
0x4190dc EncodePointer
0x4190e0 DecodePointer
0x4190e4 GetCommandLineW
0x4190e8 GetStartupInfoW
0x4190ec InterlockedDecrement
0x4190f0 GetModuleHandleW
0x4190f4 ExitProcess
0x4190f8 TerminateProcess
0x4190fc GetCurrentProcess
0x419100 UnhandledExceptionFilter
0x419104 SetUnhandledExceptionFilter
0x419108 IsDebuggerPresent
0x41910c GetModuleFileNameW
0x419110 WriteFile
0x419114 GetACP
0x419118 GetOEMCP
0x41911c GetCPInfo
0x419120 IsValidCodePage
0x419124 TlsAlloc
0x419128 TlsGetValue
0x41912c TlsSetValue
0x419130 GetCurrentThreadId
0x419134 TlsFree
0x419138 HeapValidate
0x41913c IsBadReadPtr
0x419140 QueryPerformanceCounter
0x419144 GetTickCount
0x419148 GetCurrentProcessId
0x41914c GetSystemTimeAsFileTime
0x419150 GetEnvironmentStringsW
0x419154 SetHandleCount
0x419158 InitializeCriticalSectionAndSpinCount
0x41915c GetFileType
0x419160 DeleteCriticalSection
0x419164 HeapCreate
0x419168 EnterCriticalSection
0x41916c LeaveCriticalSection
0x419170 LoadLibraryW
0x419174 IsProcessorFeaturePresent
0x419178 OutputDebugStringA
0x41917c WriteConsoleW
0x419180 OutputDebugStringW
0x419184 RtlUnwind
0x419188 LCMapStringW
0x41918c MultiByteToWideChar
0x419190 GetStringTypeW
0x419194 HeapAlloc
0x419198 HeapReAlloc
0x41919c HeapSize
0x4191a0 HeapQueryInformation
0x4191a4 HeapFree
0x4191a8 SetFilePointer
0x4191ac GetConsoleCP
0x4191b0 GetConsoleMode
0x4191b4 RaiseException
0x4191b8 SetStdHandle
0x4191bc FlushFileBuffers
ADVAPI32.dll
0x419000 InitiateSystemShutdownA
0x419004 AbortSystemShutdownA
WINHTTP.dll
0x4191c4 WinHttpOpen
EAT(Export Address Table) is none