ScreenShot
| Created | 2021.10.13 10:53 | Machine | s1_win7_x6402 |
| Filename | 1.dll | ||
| Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 8 detected (malicious, confidence, AGen, Sabsik, score, BazarLoader) | ||
| md5 | a3dfaa6badd480c93af825510e7cd1d2 | ||
| sha256 | 97be7d572ed4a9720561ae03829477ef20ae0a7977499b230962eb234b14d73a | ||
| ssdeep | 6144:1GLKdwISTscw67YvbSg1nNrGB48sEDyrSAO5oJYPGEL3DdyvO2TBCohKVIMdCTT9:QK7rROZ3BcO2T8oDhTT9 | ||
| imphash | 96648a80f87674f33231a051834f8945 | ||
| impfuzzy | 24:0DofcpVWjD02tMS1lgGVlJBl39roCOZXvAGMAIpOovbOPZu1:VcpVwHtMS1lgGbpZgZ/h301 | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| watch | Attempts to identify installed AV products by registry key |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x180036000 VirtualAlloc
0x180036008 VirtualProtect
0x180036010 GetProcAddress
0x180036018 LoadLibraryA
0x180036020 EnterCriticalSection
0x180036028 LeaveCriticalSection
0x180036030 InitializeCriticalSectionEx
0x180036038 DeleteCriticalSection
0x180036040 EncodePointer
0x180036048 DecodePointer
0x180036050 MultiByteToWideChar
0x180036058 WideCharToMultiByte
0x180036060 LCMapStringEx
0x180036068 GetStringTypeW
0x180036070 GetCPInfo
0x180036078 RtlCaptureContext
0x180036080 RtlLookupFunctionEntry
0x180036088 RtlVirtualUnwind
0x180036090 UnhandledExceptionFilter
0x180036098 SetUnhandledExceptionFilter
0x1800360a0 GetCurrentProcess
0x1800360a8 TerminateProcess
0x1800360b0 IsProcessorFeaturePresent
0x1800360b8 QueryPerformanceCounter
0x1800360c0 GetCurrentProcessId
0x1800360c8 GetCurrentThreadId
0x1800360d0 GetSystemTimeAsFileTime
0x1800360d8 InitializeSListHead
0x1800360e0 IsDebuggerPresent
0x1800360e8 GetStartupInfoW
0x1800360f0 GetModuleHandleW
0x1800360f8 RtlPcToFileHeader
0x180036100 RaiseException
0x180036108 RtlUnwindEx
0x180036110 InterlockedFlushSList
0x180036118 GetLastError
0x180036120 SetLastError
0x180036128 InitializeCriticalSectionAndSpinCount
0x180036130 TlsAlloc
0x180036138 TlsGetValue
0x180036140 TlsSetValue
0x180036148 TlsFree
0x180036150 FreeLibrary
0x180036158 LoadLibraryExW
0x180036160 ExitProcess
0x180036168 GetModuleHandleExW
0x180036170 GetModuleFileNameW
0x180036178 HeapFree
0x180036180 HeapAlloc
0x180036188 HeapReAlloc
0x180036190 LCMapStringW
0x180036198 GetLocaleInfoW
0x1800361a0 IsValidLocale
0x1800361a8 GetUserDefaultLCID
0x1800361b0 EnumSystemLocalesW
0x1800361b8 GetStdHandle
0x1800361c0 GetFileType
0x1800361c8 CloseHandle
0x1800361d0 FlushFileBuffers
0x1800361d8 WriteFile
0x1800361e0 GetConsoleOutputCP
0x1800361e8 GetConsoleMode
0x1800361f0 ReadFile
0x1800361f8 GetFileSizeEx
0x180036200 SetFilePointerEx
0x180036208 ReadConsoleW
0x180036210 FindClose
0x180036218 FindFirstFileExW
0x180036220 FindNextFileW
0x180036228 IsValidCodePage
0x180036230 GetACP
0x180036238 GetOEMCP
0x180036240 GetCommandLineA
0x180036248 GetCommandLineW
0x180036250 GetEnvironmentStringsW
0x180036258 FreeEnvironmentStringsW
0x180036260 GetProcessHeap
0x180036268 SetStdHandle
0x180036270 HeapSize
0x180036278 CreateFileW
0x180036280 WriteConsoleW
0x180036288 RtlUnwind
EAT(Export Address Table) Library
0x180001210 EnterDll
KERNEL32.dll
0x180036000 VirtualAlloc
0x180036008 VirtualProtect
0x180036010 GetProcAddress
0x180036018 LoadLibraryA
0x180036020 EnterCriticalSection
0x180036028 LeaveCriticalSection
0x180036030 InitializeCriticalSectionEx
0x180036038 DeleteCriticalSection
0x180036040 EncodePointer
0x180036048 DecodePointer
0x180036050 MultiByteToWideChar
0x180036058 WideCharToMultiByte
0x180036060 LCMapStringEx
0x180036068 GetStringTypeW
0x180036070 GetCPInfo
0x180036078 RtlCaptureContext
0x180036080 RtlLookupFunctionEntry
0x180036088 RtlVirtualUnwind
0x180036090 UnhandledExceptionFilter
0x180036098 SetUnhandledExceptionFilter
0x1800360a0 GetCurrentProcess
0x1800360a8 TerminateProcess
0x1800360b0 IsProcessorFeaturePresent
0x1800360b8 QueryPerformanceCounter
0x1800360c0 GetCurrentProcessId
0x1800360c8 GetCurrentThreadId
0x1800360d0 GetSystemTimeAsFileTime
0x1800360d8 InitializeSListHead
0x1800360e0 IsDebuggerPresent
0x1800360e8 GetStartupInfoW
0x1800360f0 GetModuleHandleW
0x1800360f8 RtlPcToFileHeader
0x180036100 RaiseException
0x180036108 RtlUnwindEx
0x180036110 InterlockedFlushSList
0x180036118 GetLastError
0x180036120 SetLastError
0x180036128 InitializeCriticalSectionAndSpinCount
0x180036130 TlsAlloc
0x180036138 TlsGetValue
0x180036140 TlsSetValue
0x180036148 TlsFree
0x180036150 FreeLibrary
0x180036158 LoadLibraryExW
0x180036160 ExitProcess
0x180036168 GetModuleHandleExW
0x180036170 GetModuleFileNameW
0x180036178 HeapFree
0x180036180 HeapAlloc
0x180036188 HeapReAlloc
0x180036190 LCMapStringW
0x180036198 GetLocaleInfoW
0x1800361a0 IsValidLocale
0x1800361a8 GetUserDefaultLCID
0x1800361b0 EnumSystemLocalesW
0x1800361b8 GetStdHandle
0x1800361c0 GetFileType
0x1800361c8 CloseHandle
0x1800361d0 FlushFileBuffers
0x1800361d8 WriteFile
0x1800361e0 GetConsoleOutputCP
0x1800361e8 GetConsoleMode
0x1800361f0 ReadFile
0x1800361f8 GetFileSizeEx
0x180036200 SetFilePointerEx
0x180036208 ReadConsoleW
0x180036210 FindClose
0x180036218 FindFirstFileExW
0x180036220 FindNextFileW
0x180036228 IsValidCodePage
0x180036230 GetACP
0x180036238 GetOEMCP
0x180036240 GetCommandLineA
0x180036248 GetCommandLineW
0x180036250 GetEnvironmentStringsW
0x180036258 FreeEnvironmentStringsW
0x180036260 GetProcessHeap
0x180036268 SetStdHandle
0x180036270 HeapSize
0x180036278 CreateFileW
0x180036280 WriteConsoleW
0x180036288 RtlUnwind
EAT(Export Address Table) Library
0x180001210 EnterDll