ScreenShot
| Created | 2021.10.28 11:24 | Machine | s1_win7_x6403 |
| Filename | qYznSw.png | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 14 detected (malicious, high confidence, Drixed, Unsafe, Save, confidence, 100%, Attribute, HighConfidence, ccmw, Static AI, Suspicious PE, score, ZedlaF, cv8@ambxa0c) | ||
| md5 | e53a16bea7918b1f7d4c0e659febc766 | ||
| sha256 | 212cae7b05ecbc938b3a1fda4753d119f69360165955937b836fdbc7a6d514eb | ||
| ssdeep | 24576:ljsXggYiykQsMy2GSuCAaimSQws2yyq+YoWEUK6ES0wOyeSGwswWquEQq2GiMciL:+ | ||
| imphash | ae858e1bcf44b240b65263bbd6945db2 | ||
| impfuzzy | 3:tgW6fKVDS8UNQZfXKBTd9C9XXPQBADgIWTBWwzmqXNF7ae0JSxqyQuVMLhAYKJBK:CuDS8UNQZf31XYBVAfwF2xaML+z9jU | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 14 AntiVirus engines on VirusTotal as malicious |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
SHELL32.dll
0x1000702c SHGetDesktopFolder
IPHLPAPI.DLL
0x10007008 GetIfTable
ADVAPI32.dll
0x10007000 RegOverridePredefKey
msvcrt.dll
0x1000703c memset
OLEAUT32.dll
0x1000701c VarR4FromI2
KERNEL32.dll
0x10007010 CreateFileW
0x10007014 GetModuleFileNameW
SETUPAPI.dll
0x10007024 SetupDiEnumDeviceInfo
USER32.dll
0x10007034 ShowOwnedPopups
EAT(Export Address Table) Library
0x100fadb0 FFRgpmdlwwWde
SHELL32.dll
0x1000702c SHGetDesktopFolder
IPHLPAPI.DLL
0x10007008 GetIfTable
ADVAPI32.dll
0x10007000 RegOverridePredefKey
msvcrt.dll
0x1000703c memset
OLEAUT32.dll
0x1000701c VarR4FromI2
KERNEL32.dll
0x10007010 CreateFileW
0x10007014 GetModuleFileNameW
SETUPAPI.dll
0x10007024 SetupDiEnumDeviceInfo
USER32.dll
0x10007034 ShowOwnedPopups
EAT(Export Address Table) Library
0x100fadb0 FFRgpmdlwwWde