ScreenShot
| Created | 2021.11.09 10:23 | Machine | s1_win7_x6403 |
| Filename | soccer.png | ||
| Type | PE32 executable (DLL) (native) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 292276fb4e37646aeca245bffb21ef21 | ||
| sha256 | 3ebc7d218c7d0d201d79fd4dc01e42364772370b0cc5aaf93ff40fae1dd7e641 | ||
| ssdeep | 6144:1uNDZo15/Lb175yZhtHQqPm52aYYiHx/874uQYKJHD4YdYrde7:qDSHL575qLP0tKJHZ1 | ||
| imphash | 17cd9f87fbb27686b2cd8f8d33695e92 | ||
| impfuzzy | 6:/87mRxn5XobPbmRxGZRHmRxaj7bCmRxVUAo:kqRJJobiRgARQj7pRdo | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Terminates another process |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET CNC Feodo Tracker Reported CnC Server group 8
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 17
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 17
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x100a5000 CreateFileA
0x100a5004 LeaveCriticalSection
0x100a5008 GetLastError
0x100a500c WaitForMultipleObjects
0x100a5010 EnterCriticalSection
0x100a5014 InitializeCriticalSection
0x100a5018 WaitForSingleObject
0x100a501c WideCharToMultiByte
0x100a5020 DeleteCriticalSection
0x100a5024 GetCurrentThread
EAT(Export Address Table) Library
0x1006d0f0 TyreDokgW
KERNEL32.dll
0x100a5000 CreateFileA
0x100a5004 LeaveCriticalSection
0x100a5008 GetLastError
0x100a500c WaitForMultipleObjects
0x100a5010 EnterCriticalSection
0x100a5014 InitializeCriticalSection
0x100a5018 WaitForSingleObject
0x100a501c WideCharToMultiByte
0x100a5020 DeleteCriticalSection
0x100a5024 GetCurrentThread
EAT(Export Address Table) Library
0x1006d0f0 TyreDokgW