Field | Value
---|---
Created | 2021.10.08 11:59
Machine | s1_win7_x6402
Filename | dodi.exe
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : malware
VT API (file) | 42 detected (InjectNET, GenericKDZ, Unsafe, malicious, Donut, Eldorado, AGen, TrojanX, Ssqt, Redcap, eidvv, ai score=82, kcloud, GenericMC, Sabsik, score, R444169, Artemis, R002C0WJ621, AgentAGen, confidence)
md5 | 514bedb49ac9d508f800035c04819bab
sha256 | de74006a23319ed5aa596ee8e047df2a6823fecdb9e0f4a5298418e665b56564
ssdeep | 49152:PMDSmqHWKUTKciQyI8Tlpxru1/u5MJ791qlI:kSmqVUT5idI8TE1/u549CI
imphash | 27516fd8750f40bdecf52a1420a0296a
impfuzzy | 6:HbJqX0pyxYJxSBS0H5sD4sIWvFoFUAliPEcJmJctD4tCcp4tWMB4:7Jq36Y58GaPXJmmtEvOb6
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Manipulates memory of a non-child process indicative of process injection |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x5f19a0 strlen
0x5f19a8 malloc
0x5f19b0 memset
0x5f19b8 getenv
0x5f19c0 sprintf
0x5f19c8 printf
0x5f19d0 __argc
0x5f19d8 __argv
0x5f19e0 _environ
0x5f19e8 _XcptFilter
0x5f19f0 __set_app_type
0x5f19f8 _controlfp
0x5f1a00 __getmainargs
0x5f1a08 exit
kernel32.dll
0x5f1a18 Sleep
0x5f1a20 GetModuleFileNameA
0x5f1a28 CreateProcessA
0x5f1a30 CloseHandle
0x5f1a38 SetUnhandledExceptionFilter
ntdll.dll
0x5f1a48 NtAllocateVirtualMemory
0x5f1a50 NtWriteVirtualMemory
0x5f1a58 NtCreateThreadEx
EAT(Export Address Table) is none