Field | Value |
---|---|
Created | 2021.10.07 17:39 |
Machine | s1_win7_x6401 |
Filename | 1.dll |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 16 detected (malicious, high confidence, Save, a variant of Generik, DIFKOLS, Trickpak, FileRepMalware, TrickBot, Z0B6HZ, kcloud, Sabsik, ZedlaF, Uq4@a8RMxYj) |
md5 | 55ee6dca51e918bd51a000b0899e275a |
sha256 | 72534ec2c4fc2499e1f85e9149598d240177afc8b9e7b04e1df2abcf92a7b677 |
ssdeep | 6144:uxkqYmlu8xpGrCYEmAO4sYb3+KnQk+pf4RZp1BpY6z1:uuqYmE8lm+HbH1Ef4RZTsW1 |
imphash | e94090a99a943b0e253b62a04e66d644 |
impfuzzy | 24:0DofcpVWjstMS1+G0lJBl39roCOZXvAGMAIpOovbOPZI:VcpVwstMS1+GOpZgZ/h3S |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | File has been identified by 16 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Terminates another process |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts)
Suricata ids
ET CNC Feodo Tracker Reported CnC Server group 10
ET CNC Feodo Tracker Reported CnC Server group 16
ET CNC Feodo Tracker Reported CnC Server group 19
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET CNC Feodo Tracker Reported CnC Server group 11
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x10023000 VirtualAlloc
0x10023004 VirtualProtect
0x10023008 GetProcAddress
0x1002300c LoadLibraryA
0x10023010 EnterCriticalSection
0x10023014 LeaveCriticalSection
0x10023018 InitializeCriticalSectionEx
0x1002301c DeleteCriticalSection
0x10023020 EncodePointer
0x10023024 DecodePointer
0x10023028 MultiByteToWideChar
0x1002302c WideCharToMultiByte
0x10023030 LCMapStringEx
0x10023034 GetStringTypeW
0x10023038 GetCPInfo
0x1002303c UnhandledExceptionFilter
0x10023040 SetUnhandledExceptionFilter
0x10023044 GetCurrentProcess
0x10023048 TerminateProcess
0x1002304c IsProcessorFeaturePresent
0x10023050 QueryPerformanceCounter
0x10023054 GetCurrentProcessId
0x10023058 GetCurrentThreadId
0x1002305c GetSystemTimeAsFileTime
0x10023060 InitializeSListHead
0x10023064 IsDebuggerPresent
0x10023068 GetStartupInfoW
0x1002306c GetModuleHandleW
0x10023070 WriteConsoleW
0x10023074 RaiseException
0x10023078 RtlUnwind
0x1002307c InterlockedFlushSList
0x10023080 GetLastError
0x10023084 SetLastError
0x10023088 InitializeCriticalSectionAndSpinCount
0x1002308c TlsAlloc
0x10023090 TlsGetValue
0x10023094 TlsSetValue
0x10023098 TlsFree
0x1002309c FreeLibrary
0x100230a0 LoadLibraryExW
0x100230a4 ExitProcess
0x100230a8 GetModuleHandleExW
0x100230ac GetModuleFileNameW
0x100230b0 HeapFree
0x100230b4 HeapAlloc
0x100230b8 HeapReAlloc
0x100230bc LCMapStringW
0x100230c0 GetLocaleInfoW
0x100230c4 IsValidLocale
0x100230c8 GetUserDefaultLCID
0x100230cc EnumSystemLocalesW
0x100230d0 GetStdHandle
0x100230d4 GetFileType
0x100230d8 CloseHandle
0x100230dc FlushFileBuffers
0x100230e0 WriteFile
0x100230e4 GetConsoleOutputCP
0x100230e8 GetConsoleMode
0x100230ec ReadFile
0x100230f0 GetFileSizeEx
0x100230f4 SetFilePointerEx
0x100230f8 ReadConsoleW
0x100230fc FindClose
0x10023100 FindFirstFileExW
0x10023104 FindNextFileW
0x10023108 IsValidCodePage
0x1002310c GetACP
0x10023110 GetOEMCP
0x10023114 GetCommandLineA
0x10023118 GetCommandLineW
0x1002311c GetEnvironmentStringsW
0x10023120 FreeEnvironmentStringsW
0x10023124 GetProcessHeap
0x10023128 SetStdHandle
0x1002312c HeapSize
0x10023130 CreateFileW
EAT (Export Address Table) Library
0x10001180 DllRegisterServer