Field | Value
---|---
Created | 2021.12.13 10:17
Machine | s1_win7_x6401
Filename | 1557_1639251835_3189.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
ZERO API | file : malware
VT API (file) | 32 detected (AIDetect, malware1, malicious, high confidence, score, Unsafe, Save, Hacktool, Kryptik, Eldorado, HNQP, Injuke, Fragtor, CrypterX, A + Mal, Static AI, Malicious PE, ai score=88, Azorult, ZexaF, qu0@a8Wn5pMG, ET#93%, RDMK, cmRtazrKBfxsVbTU9jFpVQhjzT5r, StopCrypt, Genetic, confidence, 100%, susgen)
md5 | 2ef6fe31e93909b0fd17c05b0ed5d7d4
sha256 | fc60164d3da978e1140d70085a511d9862c946b6a02e9dc4202c8155de14b682
ssdeep | 3072:ZICoZ86rTUPiwf16rlVBupx3Nx04yUW82qFDZ5RyYNjNeQmFhsZVggjcGkNIVqIk:Zk860P3N6rlhqjyE8/Ab7ITsqn
imphash | 307bfa2331726fa806b2240a5641cf4e
impfuzzy | 24:CMkRjwkrFBrkwMYADqSH3KOovEG1tQlG/J3ISQv8Ryv9kRT4RfalNV:WLduVG1txji9gcRfarV
Network IP location
Signature (5cnts)
Level | Description
---|---
danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
Rules (5cnts)
Level | Name | Description | Collection
---|---|---|---
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO
---|---|---|---|---|---
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x42c000 GetLocaleInfoA
0x42c004 SetLocalTime
0x42c008 ConvertThreadToFiber
0x42c00c GlobalAddAtomA
0x42c010 EndUpdateResourceW
0x42c014 GetConsoleAliasA
0x42c018 WaitForSingleObject
0x42c01c WriteConsoleInputA
0x42c020 SetEvent
0x42c024 GetConsoleAliasesA
0x42c028 GetEnvironmentStrings
0x42c02c SizeofResource
0x42c030 GetProcessHandleCount
0x42c034 GetConsoleAliasW
0x42c038 HeapValidate
0x42c03c GetWriteWatch
0x42c040 FileTimeToSystemTime
0x42c044 GetHandleInformation
0x42c048 GetProcAddress
0x42c04c VirtualAlloc
0x42c050 LoadLibraryA
0x42c054 LocalAlloc
0x42c058 CreateHardLinkW
0x42c05c GetCurrentConsoleFont
0x42c060 VirtualProtect
0x42c064 GetVersionExA
0x42c068 EnumCalendarInfoExA
0x42c06c GetCommandLineA
0x42c070 GetStartupInfoA
0x42c074 RaiseException
0x42c078 RtlUnwind
0x42c07c TerminateProcess
0x42c080 GetCurrentProcess
0x42c084 UnhandledExceptionFilter
0x42c088 SetUnhandledExceptionFilter
0x42c08c IsDebuggerPresent
0x42c090 HeapAlloc
0x42c094 GetLastError
0x42c098 HeapFree
0x42c09c GetModuleHandleW
0x42c0a0 TlsGetValue
0x42c0a4 TlsAlloc
0x42c0a8 TlsSetValue
0x42c0ac TlsFree
0x42c0b0 InterlockedIncrement
0x42c0b4 SetLastError
0x42c0b8 GetCurrentThreadId
0x42c0bc InterlockedDecrement
0x42c0c0 Sleep
0x42c0c4 HeapSize
0x42c0c8 ExitProcess
0x42c0cc WriteFile
0x42c0d0 GetStdHandle
0x42c0d4 GetModuleFileNameA
0x42c0d8 FreeEnvironmentStringsA
0x42c0dc FreeEnvironmentStringsW
0x42c0e0 WideCharToMultiByte
0x42c0e4 GetEnvironmentStringsW
0x42c0e8 SetHandleCount
0x42c0ec GetFileType
0x42c0f0 DeleteCriticalSection
0x42c0f4 HeapCreate
0x42c0f8 VirtualFree
0x42c0fc QueryPerformanceCounter
0x42c100 GetTickCount
0x42c104 GetCurrentProcessId
0x42c108 GetSystemTimeAsFileTime
0x42c10c LeaveCriticalSection
0x42c110 EnterCriticalSection
0x42c114 HeapReAlloc
0x42c118 GetCPInfo
0x42c11c GetACP
0x42c120 GetOEMCP
0x42c124 IsValidCodePage
0x42c128 InitializeCriticalSectionAndSpinCount
0x42c12c GetModuleHandleA
0x42c130 LCMapStringA
0x42c134 MultiByteToWideChar
0x42c138 LCMapStringW
0x42c13c GetStringTypeA
0x42c140 GetStringTypeW
EAT(Export Address Table) is none