Field | Value |
---|---|
Created | 2021.10.21 08:38 |
Machine | s1_win7_x6401 |
Filename | toolspab2.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | (not shown) |
Behavior Score | (not shown) |
ZERO API | file : clean |
VT API (file) | (not shown) |
md5 | 0aa9e41d45a609dae2f9e507f38f24bb |
sha256 | 5743870c3cc40d625db01f8c58874ec0b5d65682e20f9a93a6e82a709c398814 |
ssdeep | 6144:kXDBpNzdsgtBHrzvz3vIpqX7tNfVXVHQLIiu8c:kXvNzFtN3wpwZGEX8c |
imphash | df9601abec2416ae7ecc0dd0d7272e84 |
impfuzzy | 24:p0D1YLAJcDpOut62d3lDY8LO4tjhJK0dcdYIlyv9H9OT43jMeYAgKQ:yMXnDH64ttXcJK9McLYAw |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Detects Avast Antivirus through the presence of a library |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(no network requests were recorded in this run) | | | | | |
Suricata ids
(none)
PE API
IAT (Import Address Table), by library
KERNEL32.dll
0x417008 EndUpdateResourceW
0x41700c GetEnvironmentStringsW
0x417010 SetEvent
0x417014 FlushViewOfFile
0x417018 ReadConsoleW
0x41701c GlobalAlloc
0x417020 Sleep
0x417024 InitAtomTable
0x417028 HeapCreate
0x41702c WriteConsoleW
0x417030 GetAtomNameW
0x417034 GetModuleFileNameW
0x417038 CreateActCtxA
0x41703c SetConsoleTitleA
0x417040 SetProcessAffinityMask
0x417044 DeactivateActCtx
0x417048 SetLastError
0x41704c GetProcAddress
0x417050 VirtualAlloc
0x417054 BeginUpdateResourceW
0x417058 LoadLibraryA
0x41705c SetEnvironmentVariableA
0x417060 GetModuleFileNameA
0x417064 GetOEMCP
0x417068 CreateIoCompletionPort
0x41706c GetCPInfoExA
0x417070 SetProcessShutdownParameters
0x417074 Module32Next
0x417078 ReleaseMutex
0x41707c GetVersionExA
0x417080 FindNextVolumeA
0x417084 lstrcpyW
0x417088 LCMapStringW
0x41708c SetTapePosition
0x417090 HeapReAlloc
0x417094 IsProcessorFeaturePresent
0x417098 RaiseException
0x41709c EncodePointer
0x4170a0 DecodePointer
0x4170a4 GetModuleHandleW
0x4170a8 ExitProcess
0x4170ac GetCommandLineW
0x4170b0 HeapSetInformation
0x4170b4 GetStartupInfoW
0x4170b8 UnhandledExceptionFilter
0x4170bc SetUnhandledExceptionFilter
0x4170c0 IsDebuggerPresent
0x4170c4 TerminateProcess
0x4170c8 GetCurrentProcess
0x4170cc TlsAlloc
0x4170d0 TlsGetValue
0x4170d4 TlsSetValue
0x4170d8 TlsFree
0x4170dc InterlockedIncrement
0x4170e0 GetCurrentThreadId
0x4170e4 GetLastError
0x4170e8 InterlockedDecrement
0x4170ec HeapAlloc
0x4170f0 ReadFile
0x4170f4 EnterCriticalSection
0x4170f8 LeaveCriticalSection
0x4170fc HeapFree
0x417100 SetHandleCount
0x417104 GetStdHandle
0x417108 InitializeCriticalSectionAndSpinCount
0x41710c GetFileType
0x417110 DeleteCriticalSection
0x417114 SetFilePointer
0x417118 GetCPInfo
0x41711c GetACP
0x417120 IsValidCodePage
0x417124 CloseHandle
0x417128 LoadLibraryW
0x41712c WriteFile
0x417130 FreeEnvironmentStringsW
0x417134 QueryPerformanceCounter
0x417138 GetTickCount
0x41713c GetCurrentProcessId
0x417140 GetSystemTimeAsFileTime
0x417144 WideCharToMultiByte
0x417148 GetConsoleCP
0x41714c GetConsoleMode
0x417150 MultiByteToWideChar
0x417154 RtlUnwind
0x417158 SetStdHandle
0x41715c FlushFileBuffers
0x417160 GetStringTypeW
0x417164 HeapSize
0x417168 CreateFileW
USER32.dll
0x417170 ClientToScreen
GDI32.dll
0x417000 GetBitmapBits
WINHTTP.dll
0x417178 WinHttpQueryOption
EAT (Export Address Table): none