ScreenShot
| Created | 2022.01.16 22:29 | Machine | s1_win7_x6403 |
| Filename | 1.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | ad95832fa72da070fe465948cdf54f40 | ||
| sha256 | dac434ec87d2d83b5426f13247201e8d8826133fc445a4468f4fdc49b19eea2c | ||
| ssdeep | 49152:nZb84h8ohujx7Tf4bN/OPHW6Fxiz8lVHTIioOFZQ+:Zb8FF1f4bN/OPH5FxiqZ7 | ||
| imphash | ce92706925e359aa40f23197a9743843 | ||
| impfuzzy | 96:dtf6bOHcDhwks4+ycPVsXp546rnkwwb4qqC/yFaeXXAGSmo:Lf6bOkKSZfnkwwb4ZC/mXXNJo | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Drops a binary and executes it |
| watch | Harvests credentials from local FTP client softwares |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (52cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (download) |
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | TESTYARA | (no description) | binaries (upload) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
PE API
IAT(Import Address Table) Library
COMCTL32.dll
0x140021020 None
SHELL32.dll
0x1400213c0 ShellExecuteW
0x1400213c8 SHBrowseForFolderW
0x1400213d0 SHGetSpecialFolderPathW
0x1400213d8 SHGetPathFromIDListW
0x1400213e0 SHGetFileInfoW
0x1400213e8 ShellExecuteExW
0x1400213f0 SHGetMalloc
GDI32.dll
0x140021030 CreateCompatibleDC
0x140021038 CreateFontIndirectW
0x140021040 DeleteObject
0x140021048 DeleteDC
0x140021050 GetCurrentObject
0x140021058 StretchBlt
0x140021060 GetDeviceCaps
0x140021068 CreateCompatibleBitmap
0x140021070 SelectObject
0x140021078 SetStretchBltMode
0x140021080 GetObjectW
ADVAPI32.dll
0x140021000 FreeSid
0x140021008 AllocateAndInitializeSid
0x140021010 CheckTokenMembership
USER32.dll
0x140021400 wvsprintfW
0x140021408 GetSystemMenu
0x140021410 EnableMenuItem
0x140021418 IsWindow
0x140021420 EnableWindow
0x140021428 MessageBeep
0x140021430 LoadIconW
0x140021438 LoadImageW
0x140021440 SetWindowsHookExW
0x140021448 PtInRect
0x140021450 CallNextHookEx
0x140021458 DefWindowProcW
0x140021460 CallWindowProcW
0x140021468 DrawIconEx
0x140021470 DialogBoxIndirectParamW
0x140021478 GetWindow
0x140021480 ClientToScreen
0x140021488 GetDC
0x140021490 DrawTextW
0x140021498 ShowWindow
0x1400214a0 SystemParametersInfoW
0x1400214a8 GetSystemMetrics
0x1400214b0 SetFocus
0x1400214b8 UnhookWindowsHookEx
0x1400214c0 GetWindowLongPtrW
0x1400214c8 GetClientRect
0x1400214d0 GetDlgItem
0x1400214d8 GetKeyState
0x1400214e0 MessageBoxA
0x1400214e8 SetWindowTextW
0x1400214f0 wsprintfA
0x1400214f8 GetSysColor
0x140021500 GetWindowTextLengthW
0x140021508 GetWindowTextW
0x140021510 GetClassNameA
0x140021518 GetWindowLongW
0x140021520 GetMenu
0x140021528 SetWindowPos
0x140021530 GetWindowDC
0x140021538 ReleaseDC
0x140021540 CopyImage
0x140021548 GetParent
0x140021550 GetWindowRect
0x140021558 CharUpperW
0x140021560 CreateWindowExW
0x140021568 SetTimer
0x140021570 ScreenToClient
0x140021578 DispatchMessageW
0x140021580 KillTimer
0x140021588 DestroyWindow
0x140021590 EndDialog
0x140021598 SendMessageW
0x1400215a0 wsprintfW
0x1400215a8 SetWindowLongPtrW
0x1400215b0 GetMessageW
ole32.dll
0x1400216f0 CreateStreamOnHGlobal
0x1400216f8 CoInitialize
0x140021700 CoCreateInstance
OLEAUT32.dll
0x1400213a0 SysAllocString
0x1400213a8 VariantClear
0x1400213b0 OleLoadPicture
KERNEL32.dll
0x140021090 EnterCriticalSection
0x140021098 LeaveCriticalSection
0x1400210a0 WaitForMultipleObjects
0x1400210a8 SetUnhandledExceptionFilter
0x1400210b0 QueryPerformanceCounter
0x1400210b8 GetTickCount
0x1400210c0 DeleteCriticalSection
0x1400210c8 SetEndOfFile
0x1400210d0 SetFileTime
0x1400210d8 ReadFile
0x1400210e0 SetFilePointer
0x1400210e8 GetFileSize
0x1400210f0 FormatMessageW
0x1400210f8 lstrcpyW
0x140021100 LocalFree
0x140021108 IsBadReadPtr
0x140021110 GetSystemDirectoryW
0x140021118 GetCurrentThreadId
0x140021120 SuspendThread
0x140021128 TerminateThread
0x140021130 InitializeCriticalSection
0x140021138 ResetEvent
0x140021140 SetEvent
0x140021148 CreateEventW
0x140021150 GetVersionExW
0x140021158 GetModuleFileNameW
0x140021160 GetCurrentProcess
0x140021168 SetProcessWorkingSetSize
0x140021170 SetCurrentDirectoryW
0x140021178 GetDriveTypeW
0x140021180 CreateFileW
0x140021188 GetCommandLineW
0x140021190 GetStartupInfoW
0x140021198 CreateProcessW
0x1400211a0 CreateJobObjectW
0x1400211a8 AssignProcessToJobObject
0x1400211b0 CreateIoCompletionPort
0x1400211b8 SetInformationJobObject
0x1400211c0 ResumeThread
0x1400211c8 GetQueuedCompletionStatus
0x1400211d0 GetExitCodeProcess
0x1400211d8 CloseHandle
0x1400211e0 SetEnvironmentVariableW
0x1400211e8 GetTempPathW
0x1400211f0 GetSystemTimeAsFileTime
0x1400211f8 lstrlenW
0x140021200 CompareFileTime
0x140021208 SetThreadLocale
0x140021210 FindFirstFileW
0x140021218 DeleteFileW
0x140021220 FindNextFileW
0x140021228 FindClose
0x140021230 RemoveDirectoryW
0x140021238 lstrcmpW
0x140021240 ExpandEnvironmentStringsW
0x140021248 WideCharToMultiByte
0x140021250 VirtualAlloc
0x140021258 GlobalMemoryStatusEx
0x140021260 GetEnvironmentVariableW
0x140021268 lstrcmpiW
0x140021270 lstrlenA
0x140021278 GetLocaleInfoW
0x140021280 MultiByteToWideChar
0x140021288 GetUserDefaultUILanguage
0x140021290 GetSystemDefaultUILanguage
0x140021298 GetSystemDefaultLCID
0x1400212a0 lstrcmpiA
0x1400212a8 GlobalAlloc
0x1400212b0 GlobalFree
0x1400212b8 MulDiv
0x1400212c0 FindResourceExA
0x1400212c8 SizeofResource
0x1400212d0 LoadResource
0x1400212d8 LockResource
0x1400212e0 ExitProcess
0x1400212e8 lstrcatW
0x1400212f0 AddVectoredExceptionHandler
0x1400212f8 RemoveVectoredExceptionHandler
0x140021300 GetDiskFreeSpaceExW
0x140021308 SetFileAttributesW
0x140021310 SetLastError
0x140021318 Sleep
0x140021320 GetExitCodeThread
0x140021328 WaitForSingleObject
0x140021330 CreateThread
0x140021338 GetLastError
0x140021340 SystemTimeToFileTime
0x140021348 GetLocalTime
0x140021350 GetFileAttributesW
0x140021358 CreateDirectoryW
0x140021360 WriteFile
0x140021368 GetStdHandle
0x140021370 VirtualFree
0x140021378 GetModuleHandleW
0x140021380 GetProcAddress
0x140021388 LoadLibraryA
0x140021390 GetCurrentProcessId
msvcrt.dll
0x1400215c0 __CxxFrameHandler
0x1400215c8 _purecall
0x1400215d0 ??3@YAXPEAX@Z
0x1400215d8 ??2@YAPEAX_K@Z
0x1400215e0 memcmp
0x1400215e8 free
0x1400215f0 memcpy
0x1400215f8 _wtol
0x140021600 memmove
0x140021608 malloc
0x140021610 wcsncmp
0x140021618 strncmp
0x140021620 _wcsnicmp
0x140021628 memset
0x140021630 ?_set_new_handler@@YAP6AH_K@ZP6AH0@Z@Z
0x140021638 _beginthreadex
0x140021640 _CxxThrowException
0x140021648 __C_specific_handler
0x140021650 _unlock
0x140021658 __dllonexit
0x140021660 _lock
0x140021668 _onexit
0x140021670 ??1type_info@@UEAA@XZ
0x140021678 __getmainargs
0x140021680 _XcptFilter
0x140021688 _exit
0x140021690 _ismbblead
0x140021698 _cexit
0x1400216a0 exit
0x1400216a8 _acmdln
0x1400216b0 _initterm
0x1400216b8 _amsg_exit
0x1400216c0 __setusermatherr
0x1400216c8 _commode
0x1400216d0 _fmode
0x1400216d8 __set_app_type
0x1400216e0 ?terminate@@YAXXZ
EAT(Export Address Table) is none
COMCTL32.dll
0x140021020 None
SHELL32.dll
0x1400213c0 ShellExecuteW
0x1400213c8 SHBrowseForFolderW
0x1400213d0 SHGetSpecialFolderPathW
0x1400213d8 SHGetPathFromIDListW
0x1400213e0 SHGetFileInfoW
0x1400213e8 ShellExecuteExW
0x1400213f0 SHGetMalloc
GDI32.dll
0x140021030 CreateCompatibleDC
0x140021038 CreateFontIndirectW
0x140021040 DeleteObject
0x140021048 DeleteDC
0x140021050 GetCurrentObject
0x140021058 StretchBlt
0x140021060 GetDeviceCaps
0x140021068 CreateCompatibleBitmap
0x140021070 SelectObject
0x140021078 SetStretchBltMode
0x140021080 GetObjectW
ADVAPI32.dll
0x140021000 FreeSid
0x140021008 AllocateAndInitializeSid
0x140021010 CheckTokenMembership
USER32.dll
0x140021400 wvsprintfW
0x140021408 GetSystemMenu
0x140021410 EnableMenuItem
0x140021418 IsWindow
0x140021420 EnableWindow
0x140021428 MessageBeep
0x140021430 LoadIconW
0x140021438 LoadImageW
0x140021440 SetWindowsHookExW
0x140021448 PtInRect
0x140021450 CallNextHookEx
0x140021458 DefWindowProcW
0x140021460 CallWindowProcW
0x140021468 DrawIconEx
0x140021470 DialogBoxIndirectParamW
0x140021478 GetWindow
0x140021480 ClientToScreen
0x140021488 GetDC
0x140021490 DrawTextW
0x140021498 ShowWindow
0x1400214a0 SystemParametersInfoW
0x1400214a8 GetSystemMetrics
0x1400214b0 SetFocus
0x1400214b8 UnhookWindowsHookEx
0x1400214c0 GetWindowLongPtrW
0x1400214c8 GetClientRect
0x1400214d0 GetDlgItem
0x1400214d8 GetKeyState
0x1400214e0 MessageBoxA
0x1400214e8 SetWindowTextW
0x1400214f0 wsprintfA
0x1400214f8 GetSysColor
0x140021500 GetWindowTextLengthW
0x140021508 GetWindowTextW
0x140021510 GetClassNameA
0x140021518 GetWindowLongW
0x140021520 GetMenu
0x140021528 SetWindowPos
0x140021530 GetWindowDC
0x140021538 ReleaseDC
0x140021540 CopyImage
0x140021548 GetParent
0x140021550 GetWindowRect
0x140021558 CharUpperW
0x140021560 CreateWindowExW
0x140021568 SetTimer
0x140021570 ScreenToClient
0x140021578 DispatchMessageW
0x140021580 KillTimer
0x140021588 DestroyWindow
0x140021590 EndDialog
0x140021598 SendMessageW
0x1400215a0 wsprintfW
0x1400215a8 SetWindowLongPtrW
0x1400215b0 GetMessageW
ole32.dll
0x1400216f0 CreateStreamOnHGlobal
0x1400216f8 CoInitialize
0x140021700 CoCreateInstance
OLEAUT32.dll
0x1400213a0 SysAllocString
0x1400213a8 VariantClear
0x1400213b0 OleLoadPicture
KERNEL32.dll
0x140021090 EnterCriticalSection
0x140021098 LeaveCriticalSection
0x1400210a0 WaitForMultipleObjects
0x1400210a8 SetUnhandledExceptionFilter
0x1400210b0 QueryPerformanceCounter
0x1400210b8 GetTickCount
0x1400210c0 DeleteCriticalSection
0x1400210c8 SetEndOfFile
0x1400210d0 SetFileTime
0x1400210d8 ReadFile
0x1400210e0 SetFilePointer
0x1400210e8 GetFileSize
0x1400210f0 FormatMessageW
0x1400210f8 lstrcpyW
0x140021100 LocalFree
0x140021108 IsBadReadPtr
0x140021110 GetSystemDirectoryW
0x140021118 GetCurrentThreadId
0x140021120 SuspendThread
0x140021128 TerminateThread
0x140021130 InitializeCriticalSection
0x140021138 ResetEvent
0x140021140 SetEvent
0x140021148 CreateEventW
0x140021150 GetVersionExW
0x140021158 GetModuleFileNameW
0x140021160 GetCurrentProcess
0x140021168 SetProcessWorkingSetSize
0x140021170 SetCurrentDirectoryW
0x140021178 GetDriveTypeW
0x140021180 CreateFileW
0x140021188 GetCommandLineW
0x140021190 GetStartupInfoW
0x140021198 CreateProcessW
0x1400211a0 CreateJobObjectW
0x1400211a8 AssignProcessToJobObject
0x1400211b0 CreateIoCompletionPort
0x1400211b8 SetInformationJobObject
0x1400211c0 ResumeThread
0x1400211c8 GetQueuedCompletionStatus
0x1400211d0 GetExitCodeProcess
0x1400211d8 CloseHandle
0x1400211e0 SetEnvironmentVariableW
0x1400211e8 GetTempPathW
0x1400211f0 GetSystemTimeAsFileTime
0x1400211f8 lstrlenW
0x140021200 CompareFileTime
0x140021208 SetThreadLocale
0x140021210 FindFirstFileW
0x140021218 DeleteFileW
0x140021220 FindNextFileW
0x140021228 FindClose
0x140021230 RemoveDirectoryW
0x140021238 lstrcmpW
0x140021240 ExpandEnvironmentStringsW
0x140021248 WideCharToMultiByte
0x140021250 VirtualAlloc
0x140021258 GlobalMemoryStatusEx
0x140021260 GetEnvironmentVariableW
0x140021268 lstrcmpiW
0x140021270 lstrlenA
0x140021278 GetLocaleInfoW
0x140021280 MultiByteToWideChar
0x140021288 GetUserDefaultUILanguage
0x140021290 GetSystemDefaultUILanguage
0x140021298 GetSystemDefaultLCID
0x1400212a0 lstrcmpiA
0x1400212a8 GlobalAlloc
0x1400212b0 GlobalFree
0x1400212b8 MulDiv
0x1400212c0 FindResourceExA
0x1400212c8 SizeofResource
0x1400212d0 LoadResource
0x1400212d8 LockResource
0x1400212e0 ExitProcess
0x1400212e8 lstrcatW
0x1400212f0 AddVectoredExceptionHandler
0x1400212f8 RemoveVectoredExceptionHandler
0x140021300 GetDiskFreeSpaceExW
0x140021308 SetFileAttributesW
0x140021310 SetLastError
0x140021318 Sleep
0x140021320 GetExitCodeThread
0x140021328 WaitForSingleObject
0x140021330 CreateThread
0x140021338 GetLastError
0x140021340 SystemTimeToFileTime
0x140021348 GetLocalTime
0x140021350 GetFileAttributesW
0x140021358 CreateDirectoryW
0x140021360 WriteFile
0x140021368 GetStdHandle
0x140021370 VirtualFree
0x140021378 GetModuleHandleW
0x140021380 GetProcAddress
0x140021388 LoadLibraryA
0x140021390 GetCurrentProcessId
msvcrt.dll
0x1400215c0 __CxxFrameHandler
0x1400215c8 _purecall
0x1400215d0 ??3@YAXPEAX@Z
0x1400215d8 ??2@YAPEAX_K@Z
0x1400215e0 memcmp
0x1400215e8 free
0x1400215f0 memcpy
0x1400215f8 _wtol
0x140021600 memmove
0x140021608 malloc
0x140021610 wcsncmp
0x140021618 strncmp
0x140021620 _wcsnicmp
0x140021628 memset
0x140021630 ?_set_new_handler@@YAP6AH_K@ZP6AH0@Z@Z
0x140021638 _beginthreadex
0x140021640 _CxxThrowException
0x140021648 __C_specific_handler
0x140021650 _unlock
0x140021658 __dllonexit
0x140021660 _lock
0x140021668 _onexit
0x140021670 ??1type_info@@UEAA@XZ
0x140021678 __getmainargs
0x140021680 _XcptFilter
0x140021688 _exit
0x140021690 _ismbblead
0x140021698 _cexit
0x1400216a0 exit
0x1400216a8 _acmdln
0x1400216b0 _initterm
0x1400216b8 _amsg_exit
0x1400216c0 __setusermatherr
0x1400216c8 _commode
0x1400216d0 _fmode
0x1400216d8 __set_app_type
0x1400216e0 ?terminate@@YAXXZ
EAT(Export Address Table) is none