Field | Value
---|---
Created | 2021.11.12 08:08
Machine | s1_win7_x6403
Filename | %e9%87%8d%e8%a6%81%e9%80%9a%e7%9f%a5%e9%99%84%e4%bb%b6-%e6%96%87%e4%bb%b6%e9%98%b2%e6%b3%84%e5%af%86%e8%87%aa%e6%9f%a5%e6%89%8b%e5%86%8c.doc.exe
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score |
Behavior Score |
ZERO API | file : clean
VT API (file) | 5 detected (Artemis, Malicious, cobra, TrojanVeil, Abnores, R194594)
md5 | c1e722db229bd6dd596663f6f08aa654
sha256 | 6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578
ssdeep | 98304:Laj1Fpo79rrN12R6qyBQPnRNJe1B+XK6bFfVJ9FevDYMeBFh5iFIRv2Vb81+KpI:Gpo7Rv2R67GRNJpHnedeR5U81+5
imphash | a2c1f4d5eeaf95bdec6a6d4cd9f09091
impfuzzy | 24:Ifr/2O9YOD1Eu97hDqncLLP8a0pu9denjcH95XGPxsZunE5d5oHqNKnZEw+:IfrZ93D1wcnLewJGpuunE5d5yqDH
Network IP location
Signature (8 entries)
Level | Description
---|---
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | File has been identified by 5 AntiVirus engines on VirusTotal as malicious |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | One or more processes crashed |
Rules (13 entries)
Level | Name | Description | Collection
---|---|---|---
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x421404 CreateProcessW
0x42140c DeleteCriticalSection
0x421414 EnterCriticalSection
0x42141c ExpandEnvironmentStringsW
0x421424 FormatMessageA
0x42142c GetCommandLineW
0x421434 GetCurrentProcess
0x42143c GetCurrentProcessId
0x421444 GetCurrentThreadId
0x42144c GetEnvironmentVariableW
0x421454 GetExitCodeProcess
0x42145c GetLastError
0x421464 GetModuleFileNameW
0x42146c GetModuleHandleA
0x421474 GetProcAddress
0x42147c GetShortPathNameW
0x421484 GetStartupInfoW
0x42148c GetSystemTimeAsFileTime
0x421494 GetTempPathW
0x42149c GetTickCount
0x4214a4 InitializeCriticalSection
0x4214ac LeaveCriticalSection
0x4214b4 LoadLibraryA
0x4214bc LoadLibraryExW
0x4214c4 MultiByteToWideChar
0x4214cc QueryPerformanceCounter
0x4214d4 RtlAddFunctionTable
0x4214dc RtlCaptureContext
0x4214e4 RtlLookupFunctionEntry
0x4214ec RtlVirtualUnwind
0x4214f4 SetDllDirectoryW
0x4214fc SetEnvironmentVariableW
0x421504 SetUnhandledExceptionFilter
0x42150c Sleep
0x421514 TerminateProcess
0x42151c TlsGetValue
0x421524 UnhandledExceptionFilter
0x42152c VirtualProtect
0x421534 VirtualQuery
0x42153c WaitForSingleObject
0x421544 WideCharToMultiByte
0x42154c __C_specific_handler
msvcrt.dll
0x42155c __argc
0x421564 __dllonexit
0x42156c __iob_func
0x421574 __lconv_init
0x42157c __set_app_type
0x421584 __setusermatherr
0x42158c __wargv
0x421594 __wgetmainargs
0x42159c __winitenv
0x4215a4 _amsg_exit
0x4215ac _cexit
0x4215b4 _fileno
0x4215bc _findclose
0x4215c4 _findfirst64
0x4215cc _findnext64
0x4215d4 _fmode
0x4215dc _fullpath
0x4215e4 _get_osfhandle
0x4215ec _getpid
0x4215f4 _initterm
0x4215fc _lock
0x421604 _mkdir
0x42160c _onexit
0x421614 _rmdir
0x42161c _setmode
0x421624 _stat64
0x42162c _strdup
0x421634 _tempnam
0x42163c _unlock
0x421644 _vsnprintf
0x42164c _wcmdln
0x421654 _wfopen
0x42165c abort
0x421664 calloc
0x42166c clearerr
0x421674 exit
0x42167c fclose
0x421684 feof
0x42168c ferror
0x421694 fflush
0x42169c fprintf
0x4216a4 fread
0x4216ac free
0x4216b4 fseek
0x4216bc ftell
0x4216c4 fwrite
0x4216cc getenv
0x4216d4 malloc
0x4216dc mbstowcs
0x4216e4 memcpy
0x4216ec memset
0x4216f4 remove
0x4216fc setbuf
0x421704 setlocale
0x42170c signal
0x421714 sprintf
0x42171c strcat
0x421724 strchr
0x42172c strcmp
0x421734 strcpy
0x42173c strlen
0x421744 strncat
0x42174c strncmp
0x421754 strncpy
0x42175c strrchr
0x421764 strtok
0x42176c vfprintf
0x421774 wcslen
USER32.dll
0x421784 MessageBoxA
WS2_32.dll
0x421794 ntohl
EAT (Export Address Table): none