Field | Value |
---|---|
Created | 2021.10.07 18:18 |
Machine | s1_win7_x6401 |
Filename | installer_2021-09-21_16-31.bmp |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | |
md5 | 6204c8a17955659856af5a12899414f5 |
sha256 | 26e0eb57ab2dc03ff47708030f2d08aa7f0e49be7e186fa5a36d43e3f9a8ae15 |
ssdeep | 3072:IlWGTR++Ux28ud9U5OSSm9TdJy2kIxAwjtqAk:xQ8SzSSATe2kBwjt |
imphash | b4a5f131bf57e0871ab3cda52113b279 |
impfuzzy | 24:Qd4Brjp9bOovgJbe5DYRTPvmJrAKG1tD2wA+yvEFQh/J3vT42l9wjMynNp1G:lZqVLhPOJr3G1tSPH5vc2enhG |
Signature (15cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Foreign language identified in PE resource |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x415008 GetLocaleInfoA
0x41500c LoadResource
0x415010 EndUpdateResourceW
0x415014 InterlockedDecrement
0x415018 GlobalSize
0x41501c GetEnvironmentStringsW
0x415020 WaitForSingleObject
0x415024 AddConsoleAliasW
0x415028 SetEvent
0x41502c ReadConsoleW
0x415030 FindActCtxSectionStringA
0x415034 GetCommandLineA
0x415038 GlobalAlloc
0x41503c GetSystemWindowsDirectoryA
0x415040 LeaveCriticalSection
0x415044 GetModuleFileNameW
0x415048 ReleaseSemaphore
0x41504c GetConsoleOutputCP
0x415050 GetProcAddress
0x415054 EnterCriticalSection
0x415058 VerLanguageNameW
0x41505c WriteConsoleA
0x415060 GetProcessId
0x415064 ProcessIdToSessionId
0x415068 LockResource
0x41506c BeginUpdateResourceA
0x415070 GlobalGetAtomNameW
0x415074 SetSystemTime
0x415078 EnumResourceTypesW
0x41507c GetModuleFileNameA
0x415080 GetModuleHandleA
0x415084 EraseTape
0x415088 FindFirstVolumeW
0x41508c GetSystemDefaultLangID
0x415090 HeapAlloc
0x415094 GetLastError
0x415098 HeapReAlloc
0x41509c GetStartupInfoA
0x4150a0 RaiseException
0x4150a4 RtlUnwind
0x4150a8 TerminateProcess
0x4150ac GetCurrentProcess
0x4150b0 UnhandledExceptionFilter
0x4150b4 SetUnhandledExceptionFilter
0x4150b8 IsDebuggerPresent
0x4150bc HeapFree
0x4150c0 DeleteCriticalSection
0x4150c4 VirtualFree
0x4150c8 VirtualAlloc
0x4150cc HeapCreate
0x4150d0 GetModuleHandleW
0x4150d4 Sleep
0x4150d8 ExitProcess
0x4150dc WriteFile
0x4150e0 GetStdHandle
0x4150e4 SetHandleCount
0x4150e8 GetFileType
0x4150ec SetFilePointer
0x4150f0 FreeEnvironmentStringsA
0x4150f4 GetEnvironmentStrings
0x4150f8 FreeEnvironmentStringsW
0x4150fc WideCharToMultiByte
0x415100 TlsGetValue
0x415104 TlsAlloc
0x415108 TlsSetValue
0x41510c TlsFree
0x415110 InterlockedIncrement
0x415114 SetLastError
0x415118 GetCurrentThreadId
0x41511c QueryPerformanceCounter
0x415120 GetTickCount
0x415124 GetCurrentProcessId
0x415128 GetSystemTimeAsFileTime
0x41512c InitializeCriticalSectionAndSpinCount
0x415130 LoadLibraryA
0x415134 SetStdHandle
0x415138 GetConsoleCP
0x41513c GetConsoleMode
0x415140 FlushFileBuffers
0x415144 HeapSize
0x415148 GetCPInfo
0x41514c GetACP
0x415150 GetOEMCP
0x415154 IsValidCodePage
0x415158 WriteConsoleW
0x41515c MultiByteToWideChar
0x415160 LCMapStringA
0x415164 LCMapStringW
0x415168 GetStringTypeA
0x41516c GetStringTypeW
0x415170 CloseHandle
0x415174 CreateFileA
USER32.dll
0x41517c RealChildWindowFromPoint
GDI32.dll
0x415000 GetCharWidth32A
EAT (Export Address Table): none