ScreenShot
| Created | 2021.11.13 11:14 | Machine | s1_win7_x6401 |
| Filename | toolspab2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | bc4940fd19fe5e89a56a42833a39ef68 | ||
| sha256 | 8b1b49880e4daadc092e99a9aa5d70f9c657de50aedfc4f14a447d9280fdbcb6 | ||
| ssdeep | 6144:a+OF1EPim3A/XL+q0hqweQFZXm1vfoh/U9HYiv:sXQA/Xqq0hqweQFZXm1vj94 | ||
| imphash | ea99ca467492cc4d133feba5a83ca2ae | ||
| impfuzzy | 48:kpfxgRG7buvKzmNAGJ9GRY8OuNYcHK9ftfcczVJlyAD:P4jWAGJwK8RYcHQftfcczVJlr | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | This executable has a PDB path |
Rules (12cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x401008 GetConsoleAliasesLengthW
0x40100c TlsGetValue
0x401010 CommConfigDialogA
0x401014 LoadResource
0x401018 SetDllDirectoryW
0x40101c InterlockedIncrement
0x401020 _lwrite
0x401024 ZombifyActCtx
0x401028 GetSystemWindowsDirectoryW
0x40102c GetNamedPipeHandleStateA
0x401030 SetConsoleScreenBufferSize
0x401034 FreeEnvironmentStringsA
0x401038 CreateNamedPipeW
0x40103c GetSystemTimeAsFileTime
0x401040 ReadConsoleW
0x401044 GetWindowsDirectoryA
0x401048 GetSystemWow64DirectoryA
0x40104c QueryActCtxW
0x401050 GetSystemTimes
0x401054 GetDriveTypeA
0x401058 GetSystemDirectoryW
0x40105c GlobalFindAtomA
0x401060 GetConsoleMode
0x401064 CopyFileW
0x401068 SetVolumeMountPointA
0x40106c GetVersionExW
0x401070 HeapValidate
0x401074 GetVolumePathNamesForVolumeNameW
0x401078 GetModuleFileNameW
0x40107c CreateActCtxA
0x401080 CompareStringW
0x401084 GetACP
0x401088 lstrlenW
0x40108c VerifyVersionInfoW
0x401090 GetStartupInfoA
0x401094 FindFirstFileExA
0x401098 SearchPathW
0x40109c GetLastError
0x4010a0 IsDBCSLeadByteEx
0x4010a4 GetCurrentDirectoryW
0x4010a8 SetLastError
0x4010ac GetProcAddress
0x4010b0 GetLongPathNameA
0x4010b4 SetFirmwareEnvironmentVariableW
0x4010b8 CopyFileA
0x4010bc GetConsoleDisplayMode
0x4010c0 GlobalGetAtomNameA
0x4010c4 BuildCommDCBW
0x4010c8 GetPrivateProfileStringA
0x4010cc LoadLibraryA
0x4010d0 OpenWaitableTimerW
0x4010d4 LocalAlloc
0x4010d8 IsWow64Process
0x4010dc WritePrivateProfileStringA
0x4010e0 SetCurrentDirectoryW
0x4010e4 SetFileApisToANSI
0x4010e8 QueryDosDeviceW
0x4010ec GetModuleFileNameA
0x4010f0 WriteProfileStringA
0x4010f4 GetModuleHandleA
0x4010f8 FindFirstChangeNotificationA
0x4010fc CreateWaitableTimerW
0x401100 GetFileTime
0x401104 GetConsoleCursorInfo
0x401108 SetProcessShutdownParameters
0x40110c ReadConsoleInputW
0x401110 FileTimeToLocalFileTime
0x401114 TlsFree
0x401118 GetProfileSectionW
0x40111c CloseHandle
0x401120 SetStdHandle
0x401124 GetHandleInformation
0x401128 GetComputerNameA
0x40112c DeleteFileA
0x401130 MultiByteToWideChar
0x401134 GetCommandLineA
0x401138 HeapSetInformation
0x40113c GetStartupInfoW
0x401140 IsProcessorFeaturePresent
0x401144 EncodePointer
0x401148 DecodePointer
0x40114c InterlockedDecrement
0x401150 GetOEMCP
0x401154 GetCPInfo
0x401158 IsValidCodePage
0x40115c TlsAlloc
0x401160 TlsSetValue
0x401164 GetCurrentThreadId
0x401168 GetModuleHandleW
0x40116c EnterCriticalSection
0x401170 LeaveCriticalSection
0x401174 SetHandleCount
0x401178 GetStdHandle
0x40117c InitializeCriticalSectionAndSpinCount
0x401180 GetFileType
0x401184 DeleteCriticalSection
0x401188 TerminateProcess
0x40118c GetCurrentProcess
0x401190 UnhandledExceptionFilter
0x401194 SetUnhandledExceptionFilter
0x401198 IsDebuggerPresent
0x40119c QueryPerformanceCounter
0x4011a0 GetTickCount
0x4011a4 GetCurrentProcessId
0x4011a8 ExitProcess
0x4011ac FreeEnvironmentStringsW
0x4011b0 WideCharToMultiByte
0x4011b4 GetEnvironmentStringsW
0x4011b8 IsBadReadPtr
0x4011bc HeapCreate
0x4011c0 WriteFile
0x4011c4 RaiseException
0x4011c8 GetStringTypeW
0x4011cc OutputDebugStringA
0x4011d0 WriteConsoleW
0x4011d4 OutputDebugStringW
0x4011d8 LoadLibraryW
0x4011dc RtlUnwind
0x4011e0 LCMapStringW
0x4011e4 SetFilePointer
0x4011e8 GetConsoleCP
0x4011ec HeapAlloc
0x4011f0 HeapReAlloc
0x4011f4 HeapSize
0x4011f8 HeapQueryInformation
0x4011fc HeapFree
0x401200 FlushFileBuffers
0x401204 CreateFileW
USER32.dll
0x40120c GetMessageTime
GDI32.dll
0x401000 GetBitmapBits
EAT(Export Address Table) is none
KERNEL32.dll
0x401008 GetConsoleAliasesLengthW
0x40100c TlsGetValue
0x401010 CommConfigDialogA
0x401014 LoadResource
0x401018 SetDllDirectoryW
0x40101c InterlockedIncrement
0x401020 _lwrite
0x401024 ZombifyActCtx
0x401028 GetSystemWindowsDirectoryW
0x40102c GetNamedPipeHandleStateA
0x401030 SetConsoleScreenBufferSize
0x401034 FreeEnvironmentStringsA
0x401038 CreateNamedPipeW
0x40103c GetSystemTimeAsFileTime
0x401040 ReadConsoleW
0x401044 GetWindowsDirectoryA
0x401048 GetSystemWow64DirectoryA
0x40104c QueryActCtxW
0x401050 GetSystemTimes
0x401054 GetDriveTypeA
0x401058 GetSystemDirectoryW
0x40105c GlobalFindAtomA
0x401060 GetConsoleMode
0x401064 CopyFileW
0x401068 SetVolumeMountPointA
0x40106c GetVersionExW
0x401070 HeapValidate
0x401074 GetVolumePathNamesForVolumeNameW
0x401078 GetModuleFileNameW
0x40107c CreateActCtxA
0x401080 CompareStringW
0x401084 GetACP
0x401088 lstrlenW
0x40108c VerifyVersionInfoW
0x401090 GetStartupInfoA
0x401094 FindFirstFileExA
0x401098 SearchPathW
0x40109c GetLastError
0x4010a0 IsDBCSLeadByteEx
0x4010a4 GetCurrentDirectoryW
0x4010a8 SetLastError
0x4010ac GetProcAddress
0x4010b0 GetLongPathNameA
0x4010b4 SetFirmwareEnvironmentVariableW
0x4010b8 CopyFileA
0x4010bc GetConsoleDisplayMode
0x4010c0 GlobalGetAtomNameA
0x4010c4 BuildCommDCBW
0x4010c8 GetPrivateProfileStringA
0x4010cc LoadLibraryA
0x4010d0 OpenWaitableTimerW
0x4010d4 LocalAlloc
0x4010d8 IsWow64Process
0x4010dc WritePrivateProfileStringA
0x4010e0 SetCurrentDirectoryW
0x4010e4 SetFileApisToANSI
0x4010e8 QueryDosDeviceW
0x4010ec GetModuleFileNameA
0x4010f0 WriteProfileStringA
0x4010f4 GetModuleHandleA
0x4010f8 FindFirstChangeNotificationA
0x4010fc CreateWaitableTimerW
0x401100 GetFileTime
0x401104 GetConsoleCursorInfo
0x401108 SetProcessShutdownParameters
0x40110c ReadConsoleInputW
0x401110 FileTimeToLocalFileTime
0x401114 TlsFree
0x401118 GetProfileSectionW
0x40111c CloseHandle
0x401120 SetStdHandle
0x401124 GetHandleInformation
0x401128 GetComputerNameA
0x40112c DeleteFileA
0x401130 MultiByteToWideChar
0x401134 GetCommandLineA
0x401138 HeapSetInformation
0x40113c GetStartupInfoW
0x401140 IsProcessorFeaturePresent
0x401144 EncodePointer
0x401148 DecodePointer
0x40114c InterlockedDecrement
0x401150 GetOEMCP
0x401154 GetCPInfo
0x401158 IsValidCodePage
0x40115c TlsAlloc
0x401160 TlsSetValue
0x401164 GetCurrentThreadId
0x401168 GetModuleHandleW
0x40116c EnterCriticalSection
0x401170 LeaveCriticalSection
0x401174 SetHandleCount
0x401178 GetStdHandle
0x40117c InitializeCriticalSectionAndSpinCount
0x401180 GetFileType
0x401184 DeleteCriticalSection
0x401188 TerminateProcess
0x40118c GetCurrentProcess
0x401190 UnhandledExceptionFilter
0x401194 SetUnhandledExceptionFilter
0x401198 IsDebuggerPresent
0x40119c QueryPerformanceCounter
0x4011a0 GetTickCount
0x4011a4 GetCurrentProcessId
0x4011a8 ExitProcess
0x4011ac FreeEnvironmentStringsW
0x4011b0 WideCharToMultiByte
0x4011b4 GetEnvironmentStringsW
0x4011b8 IsBadReadPtr
0x4011bc HeapCreate
0x4011c0 WriteFile
0x4011c4 RaiseException
0x4011c8 GetStringTypeW
0x4011cc OutputDebugStringA
0x4011d0 WriteConsoleW
0x4011d4 OutputDebugStringW
0x4011d8 LoadLibraryW
0x4011dc RtlUnwind
0x4011e0 LCMapStringW
0x4011e4 SetFilePointer
0x4011e8 GetConsoleCP
0x4011ec HeapAlloc
0x4011f0 HeapReAlloc
0x4011f4 HeapSize
0x4011f8 HeapQueryInformation
0x4011fc HeapFree
0x401200 FlushFileBuffers
0x401204 CreateFileW
USER32.dll
0x40120c GetMessageTime
GDI32.dll
0x401000 GetBitmapBits
EAT(Export Address Table) is none