ScreenShot
| Created | 2021.11.10 14:03 | Machine | s1_win7_x6402 |
| Filename | winapi32.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 39 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Unsafe, Starter, ali2000005, Nymeria, Eldorado, Attribute, HighConfidence, a variant of Generik, MNNMTCX, Bingoml, cqiq, Siggen15, USMANK721, Redcap, oibly, Sabsik, QuilMiner, 46SS8S, score, Artemis, ai score=84, susgen, PossibleThreat, confidence) | ||
| md5 | 5f20b46e52c413a9a4d79b1fb7a85b18 | ||
| sha256 | 6e454ecf5c2f73905e82ab278f57ad49170fded322b5abb568f0a0721a12ff86 | ||
| ssdeep | 24576:kBXu9HGaVHXYLF7GToj1tD5TIYDoSBiA:kw9VHXYLQ8JtD5MY0Z | ||
| imphash | fc6683d30d9f25244a50fd5357825e79 | ||
| impfuzzy | 12:VA/DzqYOZkKDHLB78r4B3ExjLAkcOaiTQQnd3mxCHH:V0DBaPHLB7PxExjLAkcOV2kn | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Moves the original executable to a new location |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x63010c LoadLibraryA
0x630110 GetProcAddress
0x630114 VirtualProtect
0x630118 VirtualAlloc
0x63011c VirtualFree
0x630120 ExitProcess
ADVAPI32.dll
0x630128 GetAce
COMCTL32.dll
0x630130 ImageList_Remove
COMDLG32.dll
0x630138 GetOpenFileNameW
GDI32.dll
0x630140 LineTo
IPHLPAPI.DLL
0x630148 IcmpSendEcho
MPR.dll
0x630150 WNetUseConnectionW
ole32.dll
0x630158 CoGetObject
OLEAUT32.dll
0x630160 VariantInit
PSAPI.DLL
0x630168 GetProcessMemoryInfo
SHELL32.dll
0x630170 DragFinish
USER32.dll
0x630178 GetDC
USERENV.dll
0x630180 LoadUserProfileW
UxTheme.dll
0x630188 IsThemeActive
VERSION.dll
0x630190 VerQueryValueW
WININET.dll
0x630198 FtpOpenFileW
WINMM.dll
0x6301a0 timeGetTime
WSOCK32.dll
0x6301a8 connect
EAT(Export Address Table) is none
KERNEL32.DLL
0x63010c LoadLibraryA
0x630110 GetProcAddress
0x630114 VirtualProtect
0x630118 VirtualAlloc
0x63011c VirtualFree
0x630120 ExitProcess
ADVAPI32.dll
0x630128 GetAce
COMCTL32.dll
0x630130 ImageList_Remove
COMDLG32.dll
0x630138 GetOpenFileNameW
GDI32.dll
0x630140 LineTo
IPHLPAPI.DLL
0x630148 IcmpSendEcho
MPR.dll
0x630150 WNetUseConnectionW
ole32.dll
0x630158 CoGetObject
OLEAUT32.dll
0x630160 VariantInit
PSAPI.DLL
0x630168 GetProcessMemoryInfo
SHELL32.dll
0x630170 DragFinish
USER32.dll
0x630178 GetDC
USERENV.dll
0x630180 LoadUserProfileW
UxTheme.dll
0x630188 IsThemeActive
VERSION.dll
0x630190 VerQueryValueW
WININET.dll
0x630198 FtpOpenFileW
WINMM.dll
0x6301a0 timeGetTime
WSOCK32.dll
0x6301a8 connect
EAT(Export Address Table) is none