Field | Value |
---|---|
Created | 2021.11.07 10:41 |
Machine | s1_win7_x6401 |
Filename | toolspab2.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 32 detected (malicious, high confidence, Fragtor, GenericRXQC, Unsafe, Save, Hacktool, ZexaF, mq0@aipFmipI, Kryptik, Eldorado, score, Convagent, Generic@ML, RDML, p922nxcxpjfpicRTwY1VqA, Emotet, Static AI, Malicious PE, ai score=80, Sabsik, R448947, susgen, confidence) |
md5 | b9e5185e5dc7a5403ac864d41ca32e73 |
sha256 | f4f3615381360275a09da4194604720a7ee6e752679c97b6a6f8628b7db2ecd7 |
ssdeep | 3072:davKSMG26qZ+qcCfrMq/Q56Wrxpzbgqru+sxkgaBChXhUr4ZWkia:dL8RqYqVBLuzbgwu7igakUkWk |
imphash | 80ba2861c278646549335a754dc96d41 |
impfuzzy | 24:AbG2SRFEIaNuvtI4XA9KcDpclllroOovVtUwcpluiyv92/J3I+6nujMfK318n:j1RPXAihn2tbcpsb98unkF8 |
Signature (14cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Detects Avast Antivirus through the presence of a library |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Foreign language identified in PE resource |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | This executable has a PDB path |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) | Library
KERNEL32.dll
0x417008 GetDefaultCommConfigW
0x41700c QueryPerformanceCounter
0x417010 HeapFree
0x417014 GetEnvironmentStringsW
0x417018 AddConsoleAliasW
0x41701c BackupSeek
0x417020 GetTickCount
0x417024 GlobalAlloc
0x417028 GetFirmwareEnvironmentVariableA
0x41702c LoadLibraryW
0x417030 SizeofResource
0x417034 SetConsoleCursorPosition
0x417038 SetThreadContext
0x41703c GetAtomNameW
0x417040 LCMapStringA
0x417044 FillConsoleOutputCharacterW
0x417048 GetLastError
0x41704c GetProcAddress
0x417050 VirtualAlloc
0x417054 BeginUpdateResourceW
0x417058 LoadLibraryA
0x41705c WriteConsoleA
0x417060 GetModuleFileNameA
0x417064 SetConsoleCursorInfo
0x417068 UpdateResourceW
0x41706c SetFileValidData
0x417070 FindNextVolumeA
0x417074 lstrcpyW
0x417078 WriteConsoleW
0x41707c SetProcessAffinityMask
0x417080 CreateFileW
0x417084 GetStringTypeW
0x417088 HeapAlloc
0x41708c GetModuleHandleW
0x417090 ExitProcess
0x417094 DecodePointer
0x417098 GetCommandLineA
0x41709c HeapSetInformation
0x4170a0 GetStartupInfoW
0x4170a4 UnhandledExceptionFilter
0x4170a8 SetUnhandledExceptionFilter
0x4170ac IsDebuggerPresent
0x4170b0 EncodePointer
0x4170b4 TerminateProcess
0x4170b8 GetCurrentProcess
0x4170bc IsProcessorFeaturePresent
0x4170c0 WriteFile
0x4170c4 GetStdHandle
0x4170c8 GetModuleFileNameW
0x4170cc HeapCreate
0x4170d0 EnterCriticalSection
0x4170d4 LeaveCriticalSection
0x4170d8 InitializeCriticalSectionAndSpinCount
0x4170dc RtlUnwind
0x4170e0 SetHandleCount
0x4170e4 GetFileType
0x4170e8 DeleteCriticalSection
0x4170ec SetFilePointer
0x4170f0 CloseHandle
0x4170f4 TlsAlloc
0x4170f8 TlsGetValue
0x4170fc TlsSetValue
0x417100 TlsFree
0x417104 InterlockedIncrement
0x417108 SetLastError
0x41710c GetCurrentThreadId
0x417110 InterlockedDecrement
0x417114 FreeEnvironmentStringsW
0x417118 WideCharToMultiByte
0x41711c GetCurrentProcessId
0x417120 GetSystemTimeAsFileTime
0x417124 RaiseException
0x417128 Sleep
0x41712c CreateFileA
0x417130 GetCPInfo
0x417134 GetACP
0x417138 GetOEMCP
0x41713c IsValidCodePage
0x417140 GetConsoleCP
0x417144 GetConsoleMode
0x417148 SetStdHandle
0x41714c FlushFileBuffers
0x417150 HeapSize
0x417154 HeapReAlloc
0x417158 SetEndOfFile
0x41715c GetProcessHeap
0x417160 MultiByteToWideChar
0x417164 ReadFile
0x417168 LCMapStringW
USER32.dll
0x417170 GetCursorPos
ADVAPI32.dll
0x417000 NotifyChangeEventLog
EAT (Export Address Table): none