ScreenShot
| Created | 2021.11.05 09:27 | Machine | s1_win7_x6403 |
| Filename | socks.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 48 detected (malicious, high confidence, Siggen13, Doina, GenericRXAA, Unsafe, Coroxy, Threat, HLLSI, based, Maximus, SystemBC, Convagent, ivgrxs, TrojanX, CLASSIC, SMYXBC3A, susgen, AGEN, ai score=87, ASMalwS, score, R366856, BScope, Wacatac, Gencirc, bg8rBBaYKs0, Static AI, Malicious PE, GdSda, confidence) | ||
| md5 | 177f3023ad736fa45c52b45259175e70 | ||
| sha256 | 45b9e820b3ab997c498a28d59601b1b72fbbf3b9415f8c75843ff24c2b250193 | ||
| ssdeep | 192:C2WjQTbZ1eBppvfj/j2+cPM3P+Q/tCvwSw3uM76V9bhHOkrUNOA:C2jTbZ0pj/vcqP+ctCYSw3GV9bhrUNO | ||
| imphash | 801793b2be29822524e8824fc3c47535 | ||
| impfuzzy | 24:rt0QSLC+SQjK3dAhkKQjkQEUT/1EIzkHj+ulOTHOovbOD4eDqOIznKwZG8VRjss5:B0QSe4jK3GCKQj/lT/1E0kFOTu3D460v | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates hidden or system file |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | SystemBC_IN | SystemBC | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
user32.dll
0x4040b8 SendMessageA
0x4040bc RegisterClassA
0x4040c0 LoadIconA
0x4040c4 LoadCursorA
0x4040c8 GetWindowThreadProcessId
0x4040cc ShowWindow
0x4040d0 GetMessageA
0x4040d4 TranslateMessage
0x4040d8 UpdateWindow
0x4040dc wsprintfA
0x4040e0 GetClassNameA
0x4040e4 EnumWindows
0x4040e8 CreateWindowExA
0x4040ec DispatchMessageA
0x4040f0 DefWindowProcA
0x4040f4 GetWindowTextA
kernel32.dll
0x404010 LocalAlloc
0x404014 OpenProcess
0x404018 SetEvent
0x40401c LocalFree
0x404020 OpenMutexA
0x404024 GetModuleHandleA
0x404028 WriteFile
0x40402c WaitForSingleObject
0x404030 VirtualFree
0x404034 VirtualAlloc
0x404038 SystemTimeToFileTime
0x40403c Sleep
0x404040 CloseHandle
0x404044 CreateEventA
0x404048 CreateFileA
0x40404c CreateMutexA
0x404050 CreateThread
0x404054 DeleteFileA
0x404058 ExitProcess
0x40405c FileTimeToSystemTime
0x404060 GetCommandLineA
0x404064 GetCommandLineW
0x404068 GetCurrentProcess
0x40406c GetCurrentProcessId
0x404070 GetLocalTime
0x404074 GetModuleFileNameA
0x404078 GetVolumeInformationA
0x40407c GetProcAddress
0x404080 GetTempPathA
0x404084 SetFilePointer
advapi32.dll
0x404000 GetSidSubAuthority
0x404004 OpenProcessToken
0x404008 GetTokenInformation
wsock32.dll
0x40410c WSAStartup
0x404110 closesocket
0x404114 connect
0x404118 htons
0x40411c ioctlsocket
0x404120 recv
0x404124 select
0x404128 send
0x40412c setsockopt
0x404130 shutdown
0x404134 socket
0x404138 WSACleanup
shell32.dll
0x4040b0 CommandLineToArgvW
ws2_32.dll
0x4040fc freeaddrinfo
0x404100 WSAIoctl
0x404104 getaddrinfo
ole32.dll
0x40408c CoUninitialize
0x404090 CoInitialize
0x404094 CoCreateInstance
secur32.dll
0x4040a4 GetUserNameExA
0x4040a8 GetUserNameExW
psapi.dll
0x40409c GetModuleFileNameExA
EAT(Export Address Table) is none
user32.dll
0x4040b8 SendMessageA
0x4040bc RegisterClassA
0x4040c0 LoadIconA
0x4040c4 LoadCursorA
0x4040c8 GetWindowThreadProcessId
0x4040cc ShowWindow
0x4040d0 GetMessageA
0x4040d4 TranslateMessage
0x4040d8 UpdateWindow
0x4040dc wsprintfA
0x4040e0 GetClassNameA
0x4040e4 EnumWindows
0x4040e8 CreateWindowExA
0x4040ec DispatchMessageA
0x4040f0 DefWindowProcA
0x4040f4 GetWindowTextA
kernel32.dll
0x404010 LocalAlloc
0x404014 OpenProcess
0x404018 SetEvent
0x40401c LocalFree
0x404020 OpenMutexA
0x404024 GetModuleHandleA
0x404028 WriteFile
0x40402c WaitForSingleObject
0x404030 VirtualFree
0x404034 VirtualAlloc
0x404038 SystemTimeToFileTime
0x40403c Sleep
0x404040 CloseHandle
0x404044 CreateEventA
0x404048 CreateFileA
0x40404c CreateMutexA
0x404050 CreateThread
0x404054 DeleteFileA
0x404058 ExitProcess
0x40405c FileTimeToSystemTime
0x404060 GetCommandLineA
0x404064 GetCommandLineW
0x404068 GetCurrentProcess
0x40406c GetCurrentProcessId
0x404070 GetLocalTime
0x404074 GetModuleFileNameA
0x404078 GetVolumeInformationA
0x40407c GetProcAddress
0x404080 GetTempPathA
0x404084 SetFilePointer
advapi32.dll
0x404000 GetSidSubAuthority
0x404004 OpenProcessToken
0x404008 GetTokenInformation
wsock32.dll
0x40410c WSAStartup
0x404110 closesocket
0x404114 connect
0x404118 htons
0x40411c ioctlsocket
0x404120 recv
0x404124 select
0x404128 send
0x40412c setsockopt
0x404130 shutdown
0x404134 socket
0x404138 WSACleanup
shell32.dll
0x4040b0 CommandLineToArgvW
ws2_32.dll
0x4040fc freeaddrinfo
0x404100 WSAIoctl
0x404104 getaddrinfo
ole32.dll
0x40408c CoUninitialize
0x404090 CoInitialize
0x404094 CoCreateInstance
secur32.dll
0x4040a4 GetUserNameExA
0x4040a8 GetUserNameExW
psapi.dll
0x40409c GetModuleFileNameExA
EAT(Export Address Table) is none