Field | Value
---|---
Created | 2021.10.01 09:28
Machine | s1_win7_x6402
Filename | toolspab2.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file: clean
VT API (file) | 22 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, ZexaF, qq0@aCRgwxgO, Kryptik, Eldorado, Attribute, HighConfidence, Mokes, FileRepMalware, Generic@ML, RDML, dHV3LUF1OY4HWnOePVZ9Ug, Emotet, Score, CryptInject, Static AI, Malicious PE, confidence, 100%)
md5 | 9bdd14001733628651187797c3619b23
sha256 | a9877fb2c01ad04c5c878037ce89b3ad158878212ba9be1db7191fa04d181fa6
ssdeep | 6144:z3j9vwkJKDb0qJL6RYnOOhxxdeTr/ekI:HKpL6yzxd6L
imphash | 7fd6de8b7ac14820eae90d7350ac48ac
impfuzzy | 24:Xi0Z9oOovbKwdv8hDok7Prv2+fjlnt2M+uJqJ36yvEFQOTl5l9wjMlH:bZZ7+q7Py+fRt2M+wKjcTV
Signature (14 counts)
Level | Description
---|---
danger | Executed a process and injected code into it
warning | File has been identified by 22 AntiVirus engines on VirusTotal as malicious
watch | Allocates execute permission in another process, indicative of possible code injection
watch | Detects Avast Antivirus through the presence of a library
watch | Potential code injection by writing to the memory of another process
watch | Resumed a suspended thread in a remote process, potentially indicative of process injection
watch | Used NtSetContextThread to modify a thread in a remote process, indicative of process injection
notice | Allocates read-write-execute memory (usually to unpack itself)
notice | One or more potentially interesting buffers were extracted
notice | The binary likely contains encrypted or compressed data, indicative of a packer
notice | Yara rule detected in process memory
info | Checks if the process is being debugged by a debugger
info | The file contains an unknown PE resource name, possibly indicative of a packer
info | This executable has a PDB path
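Read together, the watch and danger rows above describe one chain rather than five unrelated events: a child process is started, executable memory is allocated in it, a payload is written, NtSetContextThread redirects a thread, and the suspended thread is resumed. A sandbox signature engine reaches the "danger" verdict by correlating per-API hooks across the (caller, target) process pair. The following is an added example, not the sandbox's own signature code: it correlates constructed Cuckoo-style API records into the same findings. The record layout, the pids, and the sets of API names are assumptions made for the example; the protection mask and CREATE_SUSPENDED flag are the Win32 constants.

```python
"""Correlate constructed sandbox API-call records into process-injection findings.
Added example; records mirror the behaviour reported above, not the real log."""
from collections import defaultdict
from dataclasses import dataclass

PAGE_EXECUTE_MASK = 0xF0   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY (Win32)
CREATE_SUSPENDED = 0x4     # CreateProcess dwCreationFlags (Win32)

# Hooked API names grouped by the stage they evidence (assumed set for the example).
CREATE_APIS  = {"CreateProcessInternalW", "CreateProcessA", "CreateProcessW"}
ALLOC_APIS   = {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory",
                "VirtualProtectEx", "NtProtectVirtualMemory"}
WRITE_APIS   = {"WriteProcessMemory", "NtWriteVirtualMemory"}
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}
RESUME_APIS  = {"ResumeThread", "NtResumeThread"}

# Constructed records: (calling pid, api, args). The sandbox resolves process
# handles to a target pid; calls without a target act on the caller itself.
CALLS = [
    (1000, "VirtualAlloc", {"protection": 0x40, "target_pid": 1000}),          # RWX in own process: unpacking
    (1000, "IsDebuggerPresent", {}),
    (1000, "CreateProcessInternalW", {"flags": 0x4, "target_pid": 2000}),      # child created suspended
    (1000, "NtAllocateVirtualMemory", {"protection": 0x40, "target_pid": 2000}),
    (1000, "NtWriteVirtualMemory", {"target_pid": 2000, "size": 0x1A000}),
    (1000, "NtSetContextThread", {"target_pid": 2000}),
    (1000, "NtResumeThread", {"target_pid": 2000}),
    (3000, "NtAllocateVirtualMemory", {"protection": 0x04, "target_pid": 3000}),  # benign: RW in own process
]


@dataclass
class PairState:
    """What has been observed so far for one (source, target) process pair."""
    created_suspended: bool = False
    exec_alloc: bool = False
    wrote: bool = False
    set_context: bool = False
    resumed: bool = False


def correlate(calls):
    """Return ({(src, dst): PairState} for cross-process pairs, {pids that self-allocated executable memory})."""
    pairs = defaultdict(PairState)
    self_exec = set()
    for pid, api, args in calls:
        dst = args.get("target_pid", pid)
        prot = args.get("protection", 0)
        if dst == pid:
            if api in ALLOC_APIS and prot & PAGE_EXECUTE_MASK:
                self_exec.add(pid)
            continue
        st = pairs[(pid, dst)]
        if api in CREATE_APIS and args.get("flags", 0) & CREATE_SUSPENDED:
            st.created_suspended = True
        elif api in ALLOC_APIS and prot & PAGE_EXECUTE_MASK:
            st.exec_alloc = True
        elif api in WRITE_APIS:
            st.wrote = True
        elif api in CONTEXT_APIS:
            st.set_context = True
        elif api in RESUME_APIS:
            st.resumed = True
    return dict(pairs), self_exec


def findings(calls):
    """Emit (level, src_pid, dst_pid, description) tuples in the style of the signature table."""
    pairs, self_exec = correlate(calls)
    out = []
    for pid in sorted(self_exec):
        out.append(("notice", pid, pid, "allocates read-write-execute memory (usually to unpack itself)"))
    for (src, dst), st in sorted(pairs.items()):
        if st.exec_alloc:
            out.append(("watch", src, dst, "allocates execute permission in another process"))
        if st.wrote:
            out.append(("watch", src, dst, "writes to the memory of another process"))
        if st.set_context:
            out.append(("watch", src, dst, "modifies a thread context in a remote process"))
        if st.resumed:
            out.append(("watch", src, dst, "resumes a suspended thread in a remote process"))
        # The high-confidence verdict needs the whole chain on one pair, not any single hook.
        if st.created_suspended and st.wrote and st.resumed:
            out.append(("danger", src, dst, "executed a process and injected code into it"))
    return out


if __name__ == "__main__":
    for level, src, dst, desc in findings(CALLS):
        print(f"{level:<7} {src}->{dst}  {desc}")
```

The point of keying state on the process pair is that each individual hook is noisy on its own: RWX allocation in the caller's own address space is ordinary unpacker behaviour (hence "notice"), and pid 3000's read-write allocation produces nothing at all. Only the cross-process write plus a thread resume on a process this caller created suspended is promoted to "danger". A stricter version would also require the calls in that order.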
Rules (10 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0 counts)
Request | CC | ASN Co | IP4 | Rule | ZERO
---|---|---|---|---|---
No network requests were recorded during the run.
Suricata IDS
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x419000 GlobalDeleteAtom
0x419004 GetLocaleInfoA
0x419008 HeapAlloc
0x41900c InterlockedDecrement
0x419010 GetEnvironmentStringsW
0x419014 GetUserDefaultLCID
0x419018 AddConsoleAliasW
0x41901c SetEvent
0x419020 GetCommandLineA
0x419024 ReadFileScatter
0x419028 LeaveCriticalSection
0x41902c GetFileAttributesA
0x419030 FindNextVolumeW
0x419034 WriteConsoleW
0x419038 CreateActCtxA
0x41903c GetDevicePowerState
0x419040 ReleaseSemaphore
0x419044 GetProcAddress
0x419048 VerLanguageNameA
0x41904c GetProcessId
0x419050 LocalAlloc
0x419054 CreateTapePartition
0x419058 RemoveDirectoryW
0x41905c EnumResourceTypesW
0x419060 GetModuleFileNameA
0x419064 GetModuleHandleA
0x419068 FindFirstVolumeA
0x41906c EndUpdateResourceA
0x419070 GetCurrentProcessId
0x419074 FindNextVolumeA
0x419078 lstrcpyA
0x41907c InterlockedIncrement
0x419080 Sleep
0x419084 InitializeCriticalSection
0x419088 DeleteCriticalSection
0x41908c EnterCriticalSection
0x419090 GetLastError
0x419094 HeapFree
0x419098 TerminateProcess
0x41909c GetCurrentProcess
0x4190a0 UnhandledExceptionFilter
0x4190a4 SetUnhandledExceptionFilter
0x4190a8 IsDebuggerPresent
0x4190ac GetStartupInfoA
0x4190b0 RtlUnwind
0x4190b4 RaiseException
0x4190b8 LCMapStringA
0x4190bc WideCharToMultiByte
0x4190c0 MultiByteToWideChar
0x4190c4 LCMapStringW
0x4190c8 GetCPInfo
0x4190cc HeapCreate
0x4190d0 VirtualFree
0x4190d4 VirtualAlloc
0x4190d8 HeapReAlloc
0x4190dc GetModuleHandleW
0x4190e0 ExitProcess
0x4190e4 WriteFile
0x4190e8 GetStdHandle
0x4190ec TlsGetValue
0x4190f0 TlsAlloc
0x4190f4 TlsSetValue
0x4190f8 TlsFree
0x4190fc SetLastError
0x419100 GetCurrentThreadId
0x419104 SetHandleCount
0x419108 GetFileType
0x41910c SetFilePointer
0x419110 FreeEnvironmentStringsA
0x419114 GetEnvironmentStrings
0x419118 FreeEnvironmentStringsW
0x41911c QueryPerformanceCounter
0x419120 GetTickCount
0x419124 GetSystemTimeAsFileTime
0x419128 HeapSize
0x41912c GetACP
0x419130 GetOEMCP
0x419134 IsValidCodePage
0x419138 EnumSystemLocalesA
0x41913c IsValidLocale
0x419140 GetStringTypeA
0x419144 GetStringTypeW
0x419148 InitializeCriticalSectionAndSpinCount
0x41914c LoadLibraryA
0x419150 SetStdHandle
0x419154 GetConsoleCP
0x419158 GetConsoleMode
0x41915c FlushFileBuffers
0x419160 GetLocaleInfoW
0x419164 WriteConsoleA
0x419168 GetConsoleOutputCP
0x41916c CloseHandle
0x419170 CreateFileA
EAT (Export Address Table) Library
0x401669 @SetFirstVice@8
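The imphash in the metadata table is not a hash of the file but of its import list: every import is normalised to lowercase `dll.function` (extension dropped for .dll/.ocx/.sys, ordinal imports written as `ordN`), the tokens are joined with commas in import-directory order, and the result is MD5-hashed, which is why samples built from the same loader stub share an imphash even when their payloads differ. The following is an added example, not code from the sandbox or from this page, that recomputes the value over the KERNEL32.dll imports exactly as listed above. It follows the algorithm pefile uses, except that pefile also maps ordinals of a few DLLs (oleaut32, ws2_32, wsock32) back to names, which this example omits. If the listing above is complete and in directory order the computed value should equal the reported 7fd6de8b7ac14820eae90d7350ac48ac; the script prints both rather than assuming it, since a rendered IAT listing can omit or reorder entries.

```python
"""Recompute an imphash from an import listing (added example, not sandbox code)."""
import hashlib

# Reported by the sandbox for toolspab2.exe (metadata table above).
REPORTED_IMPHASH = "7fd6de8b7ac14820eae90d7350ac48ac"

# KERNEL32.dll imports in the order the IAT listing above gives them (93 entries).
_KERNEL32 = """
GlobalDeleteAtom GetLocaleInfoA HeapAlloc InterlockedDecrement GetEnvironmentStringsW GetUserDefaultLCID AddConsoleAliasW SetEvent
GetCommandLineA ReadFileScatter LeaveCriticalSection GetFileAttributesA FindNextVolumeW WriteConsoleW CreateActCtxA GetDevicePowerState
ReleaseSemaphore GetProcAddress VerLanguageNameA GetProcessId LocalAlloc CreateTapePartition RemoveDirectoryW EnumResourceTypesW
GetModuleFileNameA GetModuleHandleA FindFirstVolumeA EndUpdateResourceA GetCurrentProcessId FindNextVolumeA lstrcpyA InterlockedIncrement
Sleep InitializeCriticalSection DeleteCriticalSection EnterCriticalSection GetLastError HeapFree TerminateProcess GetCurrentProcess
UnhandledExceptionFilter SetUnhandledExceptionFilter IsDebuggerPresent GetStartupInfoA RtlUnwind RaiseException LCMapStringA WideCharToMultiByte
MultiByteToWideChar LCMapStringW GetCPInfo HeapCreate VirtualFree VirtualAlloc HeapReAlloc GetModuleHandleW
ExitProcess WriteFile GetStdHandle TlsGetValue TlsAlloc TlsSetValue TlsFree SetLastError
GetCurrentThreadId SetHandleCount GetFileType SetFilePointer FreeEnvironmentStringsA GetEnvironmentStrings FreeEnvironmentStringsW QueryPerformanceCounter
GetTickCount GetSystemTimeAsFileTime HeapSize GetACP GetOEMCP IsValidCodePage EnumSystemLocalesA IsValidLocale
GetStringTypeA GetStringTypeW InitializeCriticalSectionAndSpinCount LoadLibraryA SetStdHandle GetConsoleCP GetConsoleMode FlushFileBuffers
GetLocaleInfoW WriteConsoleA GetConsoleOutputCP CloseHandle CreateFileA
""".split()
IMPORTS = [("KERNEL32.dll", name) for name in _KERNEL32]


def normalize(dll, func):
    """One imphash token: lowercase 'dll.func'. The DLL extension is stripped only
    when it is .dll/.ocx/.sys; an ordinal import (int) is rendered as 'ordN'.
    (pefile additionally resolves known ordinals for a few DLLs; omitted here.)"""
    dll = dll.lower()
    base, dot, ext = dll.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        dll = base
    func = "ord%d" % func if isinstance(func, int) else func.lower()
    return "%s.%s" % (dll, func)


def imphash_string(imports):
    """The comma-joined token string that is actually hashed; order matters."""
    return ",".join(normalize(d, f) for d, f in imports)


def imphash(imports):
    """MD5 hex digest of the normalised import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    computed = imphash(IMPORTS)
    print("computed:", computed)
    print("reported:", REPORTED_IMPHASH, "(match)" if computed == REPORTED_IMPHASH else "(mismatch)")
```

Because the hash is over an ordered list, two binaries with the same imports in a different order get different imphashes; that is what makes the value a stable fingerprint of a particular build or loader stub rather than of the API set. Pivoting on it in VirusTotal or a local corpus will therefore group samples from the same packer family while missing recompiled variants.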