ScreenShot
| Created | 2021.10.13 09:21 | Machine | s1_win7_x6402 |
| Filename | toolspab2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | bac05d4f3b1ede73d936fae7ff3cdde6 | ||
| sha256 | 68311d4bf77e6d602828dd68d901c39e084fa6c18027033cf92b9553c535d750 | ||
| ssdeep | 6144:MFODJlrhWzLoltxLpDjTNeUOfMfJyYqhT9hHPrXbmDE8z:6whWzixLhPNeUOfMfMhZhHzXMz | ||
| imphash | 4b52e566ef5b8727d87906b4623fc7d4 | ||
| impfuzzy | 48:ZJG8nX1tDzTFb089OpptAO6+fcAtLttkraRgkcIyp:S8nX1pxb08ADtA5+fcAt5tkuRBcIO | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | This executable has a PDB path |
Rules (12cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x401000 InterlockedDecrement
0x401004 CompareFileTime
0x401008 AddConsoleAliasW
0x40100c FlushViewOfFile
0x401010 CreateActCtxW
0x401014 GetSystemTimes
0x401018 GetDriveTypeA
0x40101c GlobalAlloc
0x401020 LoadLibraryW
0x401024 _hread
0x401028 GetCalendarInfoW
0x40102c GetSystemWow64DirectoryW
0x401030 SetSystemTimeAdjustment
0x401034 GetSystemWindowsDirectoryA
0x401038 GetVersionExW
0x40103c VerifyVersionInfoA
0x401040 GetModuleFileNameW
0x401044 GetEnvironmentVariableA
0x401048 lstrlenW
0x40104c SetThreadPriority
0x401050 GetStartupInfoA
0x401054 GetCPInfoExW
0x401058 OpenMutexW
0x40105c IsDBCSLeadByteEx
0x401060 GetCurrentDirectoryW
0x401064 GetLongPathNameW
0x401068 SetLastError
0x40106c GetProcAddress
0x401070 SetVolumeLabelW
0x401074 CreateTimerQueueTimer
0x401078 WriteProfileSectionA
0x40107c GetConsoleDisplayMode
0x401080 SearchPathA
0x401084 GetPrivateProfileStringA
0x401088 ProcessIdToSessionId
0x40108c RegisterWaitForSingleObject
0x401090 IsSystemResumeAutomatic
0x401094 AddAtomW
0x401098 SetCurrentDirectoryW
0x40109c SetFileApisToANSI
0x4010a0 HeapWalk
0x4010a4 GetModuleFileNameA
0x4010a8 CreateIoCompletionPort
0x4010ac GetModuleHandleA
0x4010b0 QueryMemoryResourceNotification
0x4010b4 FreeEnvironmentStringsW
0x4010b8 FillConsoleOutputAttribute
0x4010bc VirtualProtect
0x4010c0 CompareStringA
0x4010c4 OutputDebugStringA
0x4010c8 SetProcessShutdownParameters
0x4010cc GetVersionExA
0x4010d0 DeleteFileW
0x4010d4 CloseHandle
0x4010d8 CreateFileW
0x4010dc InterlockedIncrement
0x4010e0 InitializeCriticalSection
0x4010e4 DeleteCriticalSection
0x4010e8 EnterCriticalSection
0x4010ec LeaveCriticalSection
0x4010f0 DecodePointer
0x4010f4 TerminateProcess
0x4010f8 GetCurrentProcess
0x4010fc UnhandledExceptionFilter
0x401100 SetUnhandledExceptionFilter
0x401104 IsDebuggerPresent
0x401108 EncodePointer
0x40110c GetCommandLineA
0x401110 HeapSetInformation
0x401114 GetStartupInfoW
0x401118 RaiseException
0x40111c GetModuleHandleW
0x401120 ExitProcess
0x401124 GetLastError
0x401128 WriteFile
0x40112c GetStdHandle
0x401130 IsProcessorFeaturePresent
0x401134 InitializeCriticalSectionAndSpinCount
0x401138 HeapValidate
0x40113c IsBadReadPtr
0x401140 TlsAlloc
0x401144 TlsGetValue
0x401148 TlsSetValue
0x40114c GetCurrentThreadId
0x401150 TlsFree
0x401154 WriteConsoleW
0x401158 GetFileType
0x40115c OutputDebugStringW
0x401160 QueryPerformanceCounter
0x401164 GetTickCount
0x401168 GetCurrentProcessId
0x40116c GetSystemTimeAsFileTime
0x401170 WideCharToMultiByte
0x401174 GetEnvironmentStringsW
0x401178 SetHandleCount
0x40117c HeapCreate
0x401180 GetACP
0x401184 GetOEMCP
0x401188 GetCPInfo
0x40118c IsValidCodePage
0x401190 RtlUnwind
0x401194 HeapAlloc
0x401198 HeapReAlloc
0x40119c HeapSize
0x4011a0 HeapQueryInformation
0x4011a4 HeapFree
0x4011a8 MultiByteToWideChar
0x4011ac LCMapStringW
0x4011b0 GetStringTypeW
0x4011b4 SetFilePointer
0x4011b8 GetConsoleCP
0x4011bc GetConsoleMode
0x4011c0 SetStdHandle
0x4011c4 FlushFileBuffers
USER32.dll
0x4011cc GetMessageTime
EAT(Export Address Table) is none
KERNEL32.dll
0x401000 InterlockedDecrement
0x401004 CompareFileTime
0x401008 AddConsoleAliasW
0x40100c FlushViewOfFile
0x401010 CreateActCtxW
0x401014 GetSystemTimes
0x401018 GetDriveTypeA
0x40101c GlobalAlloc
0x401020 LoadLibraryW
0x401024 _hread
0x401028 GetCalendarInfoW
0x40102c GetSystemWow64DirectoryW
0x401030 SetSystemTimeAdjustment
0x401034 GetSystemWindowsDirectoryA
0x401038 GetVersionExW
0x40103c VerifyVersionInfoA
0x401040 GetModuleFileNameW
0x401044 GetEnvironmentVariableA
0x401048 lstrlenW
0x40104c SetThreadPriority
0x401050 GetStartupInfoA
0x401054 GetCPInfoExW
0x401058 OpenMutexW
0x40105c IsDBCSLeadByteEx
0x401060 GetCurrentDirectoryW
0x401064 GetLongPathNameW
0x401068 SetLastError
0x40106c GetProcAddress
0x401070 SetVolumeLabelW
0x401074 CreateTimerQueueTimer
0x401078 WriteProfileSectionA
0x40107c GetConsoleDisplayMode
0x401080 SearchPathA
0x401084 GetPrivateProfileStringA
0x401088 ProcessIdToSessionId
0x40108c RegisterWaitForSingleObject
0x401090 IsSystemResumeAutomatic
0x401094 AddAtomW
0x401098 SetCurrentDirectoryW
0x40109c SetFileApisToANSI
0x4010a0 HeapWalk
0x4010a4 GetModuleFileNameA
0x4010a8 CreateIoCompletionPort
0x4010ac GetModuleHandleA
0x4010b0 QueryMemoryResourceNotification
0x4010b4 FreeEnvironmentStringsW
0x4010b8 FillConsoleOutputAttribute
0x4010bc VirtualProtect
0x4010c0 CompareStringA
0x4010c4 OutputDebugStringA
0x4010c8 SetProcessShutdownParameters
0x4010cc GetVersionExA
0x4010d0 DeleteFileW
0x4010d4 CloseHandle
0x4010d8 CreateFileW
0x4010dc InterlockedIncrement
0x4010e0 InitializeCriticalSection
0x4010e4 DeleteCriticalSection
0x4010e8 EnterCriticalSection
0x4010ec LeaveCriticalSection
0x4010f0 DecodePointer
0x4010f4 TerminateProcess
0x4010f8 GetCurrentProcess
0x4010fc UnhandledExceptionFilter
0x401100 SetUnhandledExceptionFilter
0x401104 IsDebuggerPresent
0x401108 EncodePointer
0x40110c GetCommandLineA
0x401110 HeapSetInformation
0x401114 GetStartupInfoW
0x401118 RaiseException
0x40111c GetModuleHandleW
0x401120 ExitProcess
0x401124 GetLastError
0x401128 WriteFile
0x40112c GetStdHandle
0x401130 IsProcessorFeaturePresent
0x401134 InitializeCriticalSectionAndSpinCount
0x401138 HeapValidate
0x40113c IsBadReadPtr
0x401140 TlsAlloc
0x401144 TlsGetValue
0x401148 TlsSetValue
0x40114c GetCurrentThreadId
0x401150 TlsFree
0x401154 WriteConsoleW
0x401158 GetFileType
0x40115c OutputDebugStringW
0x401160 QueryPerformanceCounter
0x401164 GetTickCount
0x401168 GetCurrentProcessId
0x40116c GetSystemTimeAsFileTime
0x401170 WideCharToMultiByte
0x401174 GetEnvironmentStringsW
0x401178 SetHandleCount
0x40117c HeapCreate
0x401180 GetACP
0x401184 GetOEMCP
0x401188 GetCPInfo
0x40118c IsValidCodePage
0x401190 RtlUnwind
0x401194 HeapAlloc
0x401198 HeapReAlloc
0x40119c HeapSize
0x4011a0 HeapQueryInformation
0x4011a4 HeapFree
0x4011a8 MultiByteToWideChar
0x4011ac LCMapStringW
0x4011b0 GetStringTypeW
0x4011b4 SetFilePointer
0x4011b8 GetConsoleCP
0x4011bc GetConsoleMode
0x4011c0 SetStdHandle
0x4011c4 FlushFileBuffers
USER32.dll
0x4011cc GetMessageTime
EAT(Export Address Table) is none