popup

Report - 2_api-ms-win-downlevel-normaliz-l1-1-0.dll

Malicious Library PE File PE32 DLL
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.22 09:06 Machine s1_win7_x6403
Filename 2_api-ms-win-downlevel-normaliz-l1-1-0.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
4
 Behavior Score
1.0
ZERO API file : clean
VT API (file) 15 detected (malicious, high confidence, Unsafe, Save, confidence, 100%, ZedlaF, lu8@aWnQsui, Cridex, EncPk, Drixed, Static AI, Suspicious PE, score, Generic@ML, RDML, ytJtLhsyDMwVKCL, 1fRLAw)
md5 00752a06db0eacfd3b09e36d3a3d29c6
sha256 e8291c194029eedc2117c099b3089a252dfb940160530409df4b9ea85efc9033
ssdeep 3072:BGp0m9FOGDv64TOvqdjR91E404PUW6bKHJZK0Bzb5Hea:BGp0bG6q7040aBfK0db5
imphash badb3d94d7a44189a7eeb5528a733e61
impfuzzy 6:CuDS8cA9jVaML+5Zf31XYBVdBJAMGmwDWU0:PDSFApVo/1XY3VAOYc
  Network IP location

Signature (2cnts)

Level Description
watch File has been identified by 15 AntiVirus engines on VirusTotal as malicious
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

SHELL32.dll
 0x1000702c SHGetDesktopFolder
USER32.dll
 0x10007034 ShowOwnedPopups
SETUPAPI.dll
 0x10007024 SetupDiEnumDeviceInfo
IPHLPAPI.DLL
 0x10007008 GetIfTable
ADVAPI32.dll
 0x10007000 RegOverridePredefKey
KERNEL32.dll
 0x10007010 GetModuleFileNameW
 0x10007014 LoadLibraryExA
OLEAUT32.dll
 0x1000701c VarR4FromI2
msvcrt.dll
 0x1000703c memset

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure