Field | Value |
---|---|
Created | 2021.10.14 17:19 |
Machine | s1_win7_x6401 |
Filename | dow.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 33 detected (malicious, high confidence, InjectNET, GenericKDZ, Unsafe, Donut, Eldorado, AGen, TrojanX, Pbfo, Redcap, qhija, Artemis, Sabsik, score, R444169, ai score=81, AgentAGen) |
md5 | 481cc004b81afcb1ec10bb9985cc402b |
sha256 | 589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a |
ssdeep | 49152:utPKiXai6uqwoc8ZAgddkN9TD0GcIXfkRt2jN474os4:IB16uqwbGbduYKfWyNu4D |
imphash | 27516fd8750f40bdecf52a1420a0296a |
impfuzzy | 6:HbJqX0pyxYJxSBS0H5sD4sIWvFoFUAliPEcJmJctD4tCcp4tWMB4:7Jq36Y58GaPXJmmtEvOb6 |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Manipulates memory of a non-child process indicative of process injection |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x5f17a0 strlen
0x5f17a8 malloc
0x5f17b0 memset
0x5f17b8 getenv
0x5f17c0 sprintf
0x5f17c8 printf
0x5f17d0 __argc
0x5f17d8 __argv
0x5f17e0 _environ
0x5f17e8 _XcptFilter
0x5f17f0 __set_app_type
0x5f17f8 _controlfp
0x5f1800 __getmainargs
0x5f1808 exit
kernel32.dll
0x5f1818 Sleep
0x5f1820 GetModuleFileNameA
0x5f1828 CreateProcessA
0x5f1830 CloseHandle
0x5f1838 SetUnhandledExceptionFilter
ntdll.dll
0x5f1848 NtAllocateVirtualMemory
0x5f1850 NtWriteVirtualMemory
0x5f1858 NtCreateThreadEx
EAT(Export Address Table) is none