| Field | Value |
|---|---|
| Created | 2021.10.28 17:53 |
| Machine | s1_win7_x6403 |
| Filename | 102110844.exe |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : clean |
| VT API (file) | 47 detected (malicious, high confidence, Artemis, Unsafe, Save, Fragtor, Eldorado, Attribute, HighConfidence, Kryptik, HNCG, score, PWSX, Wnmp, MultiPlug, R002C0WJQ21, Krypt, RedLineSteal, eozgt, Sabsik, ai score=80, PasswordStealer, Static AI, Malicious PE, ZexaF, ZK0@a8Y7TPpi, Genetic, confidence, susgen) |
| md5 | 673b15b93a2b99064e769b085780dfeb |
| sha256 | b367760b3de8efbaceb0c71acb3fe5763e164e89ec88390adb5b5a2cc85467a9 |
| ssdeep | 24576:Vn2cH2oi0UZEc3D8cBU3ZoAoU6PfSe7th:Vn2cH29dvrP |
| imphash | 682b88463c7583e0323d7851be5034d8 |
| impfuzzy | 24:tkfCejrOov1lDIcLVbjIX53Qr9WzOqdQGMZO:CfCCaVc54XlhzOqdQGJ |
Network IP location
Signature (21 cnts)

| Level | Description |
|---|---|
| danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Collects information about installed applications |
| watch | Communicates with a host for which no DNS query was performed |
| watch | Detects the presence of the Wine emulator |
| watch | Harvests credentials from local FTP client software |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses, which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computer name |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (6 cnts)

| Level | Name | Description | Collection |
|---|---|---|---|
| watch | ASPack_Zero | ASPack packed file | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |

The upload and download collections are two different files: the submitted sample is a 32-bit, ASPack-packed PE, while the binary collected during execution (the one behind the "Drops a binary and executes it" signature) is 64-bit and UPX-packed.
PE API
IAT (Import Address Table) by library. The imports listed below are the C runtime's startup set (msvcrt.dll __getmainargs/__set_app_type/__p__fmode together with KERNEL32 SetUnhandledExceptionFilter/TlsGetValue/VirtualProtect/VirtualQuery, as emitted by MinGW-built executables); nothing here touches the network, browsers, FTP clients or another process. The behaviour recorded in the Signature section is therefore carried out through APIs resolved at runtime via LoadLibraryA/GetProcAddress after the packed payload is unpacked into the read-write-execute memory noted above, which is why the static IAT says little about what the sample does.
KERNEL32.dll
0x70d134 CreateThread
0x70d138 DeleteCriticalSection
0x70d13c EnterCriticalSection
0x70d140 ExitProcess
0x70d144 FindClose
0x70d148 FindFirstFileA
0x70d14c FindNextFileA
0x70d150 FreeLibrary
0x70d154 GetCommandLineA
0x70d158 GetLastError
0x70d15c GetModuleHandleA
0x70d160 GetProcAddress
0x70d164 InitializeCriticalSection
0x70d168 LeaveCriticalSection
0x70d16c LoadLibraryA
0x70d170 SetUnhandledExceptionFilter
0x70d174 TlsGetValue
0x70d178 VirtualProtect
0x70d17c VirtualQuery
0x70d180 WaitForSingleObject
0x70d184 lstrlenA
msvcrt.dll
0x70d18c _strdup
0x70d190 _stricoll
msvcrt.dll
0x70d198 __getmainargs
0x70d19c __mb_cur_max
0x70d1a0 __p__environ
0x70d1a4 __p__fmode
0x70d1a8 __set_app_type
0x70d1ac _cexit
0x70d1b0 _errno
0x70d1b4 _fpreset
0x70d1b8 _fullpath
0x70d1bc _iob
0x70d1c0 _isctype
0x70d1c4 _onexit
0x70d1c8 _pctype
0x70d1cc _setmode
0x70d1d0 _strdup
0x70d1d4 abort
0x70d1d8 atexit
0x70d1dc calloc
0x70d1e0 free
0x70d1e4 fwrite
0x70d1e8 malloc
0x70d1ec mbstowcs
0x70d1f0 memcpy
0x70d1f4 realloc
0x70d1f8 setlocale
0x70d1fc signal
0x70d200 strcoll
0x70d204 strlen
0x70d208 tolower
0x70d20c vfprintf
0x70d210 wcstombs
EAT (Export Address Table): none
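The imphash in the report header is an MD5 over the normalised import list, so the IAT above should reproduce it. The following is an added example, not part of the sandbox report or its tooling: it re-implements the normalisation that pefile's get_imphash() applies (lower-case, ".dll"/".ocx"/".sys" stripped, "library.function" entries joined with commas, in import-descriptor order) over a transcription of the IAT listed above and compares the result with the imphash field. The transcription, the assumption that every import is by name (ordinal imports are not handled), and the helper names are this example's own. A mismatch means the listing is incomplete or out of descriptor order, not that the report's hash is wrong.

```python
import hashlib

# Transcribed from the IAT section of this report, in import-descriptor order.
# msvcrt.dll appears twice because the binary carries two descriptors for it;
# imphash keeps them as two separate runs, so they are kept separate here.
REPORT_IAT = [
    ("KERNEL32.dll", [
        "CreateThread", "DeleteCriticalSection", "EnterCriticalSection",
        "ExitProcess", "FindClose", "FindFirstFileA", "FindNextFileA",
        "FreeLibrary", "GetCommandLineA", "GetLastError", "GetModuleHandleA",
        "GetProcAddress", "InitializeCriticalSection", "LeaveCriticalSection",
        "LoadLibraryA", "SetUnhandledExceptionFilter", "TlsGetValue",
        "VirtualProtect", "VirtualQuery", "WaitForSingleObject", "lstrlenA",
    ]),
    ("msvcrt.dll", ["_strdup", "_stricoll"]),
    ("msvcrt.dll", [
        "__getmainargs", "__mb_cur_max", "__p__environ", "__p__fmode",
        "__set_app_type", "_cexit", "_errno", "_fpreset", "_fullpath", "_iob",
        "_isctype", "_onexit", "_pctype", "_setmode", "_strdup", "abort",
        "atexit", "calloc", "free", "fwrite", "malloc", "mbstowcs", "memcpy",
        "realloc", "setlocale", "signal", "strcoll", "strlen", "tolower",
        "vfprintf", "wcstombs",
    ]),
]

# imphash value printed in the report header.
REPORT_IMPHASH = "682b88463c7583e0323d7851be5034d8"

# Extensions pefile strips from the library name before hashing.
_STRIPPED_EXTS = ("dll", "ocx", "sys")


def normalise_library(dll_name):
    """Lower-case the DLL name and drop a .dll/.ocx/.sys extension, as pefile does."""
    name = dll_name.lower()
    base, sep, ext = name.rpartition(".")
    if sep and ext in _STRIPPED_EXTS:
        return base
    return name


def imphash_string(iat):
    """Build the comma-joined "library.function" string that imphash hashes.

    Only imports by name are supported here (the listing above has no ordinal
    imports); pefile would substitute a synthesised name for ordinals.
    """
    parts = []
    for dll, functions in iat:
        lib = normalise_library(dll)
        for func in functions:
            parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(iat):
    """MD5 of the normalised import string: the imphash used by pefile and VirusTotal."""
    return hashlib.md5(imphash_string(iat).encode("ascii")).hexdigest()


def matches_report(iat=REPORT_IAT, expected=REPORT_IMPHASH):
    """True if the transcribed listing reproduces the report's imphash."""
    return imphash(iat) == expected


if __name__ == "__main__":
    print("normalised imports:", len(imphash_string(REPORT_IAT).split(",")))
    print("computed imphash :", imphash(REPORT_IAT))
    print("report imphash   :", REPORT_IMPHASH)
    print("match:", matches_report())
```

Because the hash is taken over the ordered, comma-joined string, any change in descriptor order, a dropped import, or a DLL name the packer rewrote (e.g. "KERNEL32.DLL" versus "kernel32.dll" does not matter, but "kernel32.dll" versus "kernelbase.dll" does) yields a different value; that is what makes imphash useful for clustering samples built from the same stub and equally easy for a packer to change.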