Field | Value |
---|---|
Created | 2022.01.18 10:19 |
Machine | s1_win7_x6401 |
Filename | Service.bmp |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 47 detected (AIDetect, malware2, malicious, high confidence, Zusy, GenericRI, S25215857, GenericRXMT, Unsafe, Sabsik, TrojanPSW, Disbuk, confidence, 100%, ZexaF, yuW@aWwunpji, Attribute, HighConfidence, Xpiro, DropperX, Wuhe, R002C0PAH22, AGEN, ai score=83, PSWTroj, kcloud, score, BScope, FileCryptor, CLOUD, Static AI, Malicious PE, GdSda, susgen) |
md5 | dabae535097a94f593d5afad04acd5ea |
sha256 | e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391 |
ssdeep | 12288:Zzj8qPa/HOT28EnUB10QkrtMZm0IHuPK27wb8/BE:ZXzPa9JnU4750h7wbKi |
imphash | 9734ba8626408cec04bb8fa7d8bb6e83 |
impfuzzy | 24:WL8FXADzAOefTtO6trS1CM3JeDc+pl39ro4vcGM1SOovbO0ZuBmzEpQz19wuDce9:rTO25trS1CM2c+ppZhm31C6O4fI |
Network IP location
Signature (8cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
info | Checks amount of memory in system |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (10cnts)
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x453038 CreateDirectoryA
0x45303c IsWow64Process
0x453040 lstrcatA
0x453044 GetModuleHandleA
0x453048 lstrcpyA
0x45304c WinExec
0x453050 lstrlenA
0x453054 HeapAlloc
0x453058 GetProcAddress
0x45305c lstrcpynA
0x453060 GetProcessHeap
0x453064 WriteConsoleW
0x453068 LocalFree
0x45306c GetWindowsDirectoryA
0x453070 CloseHandle
0x453074 DeleteFileA
0x453078 LoadLibraryA
0x45307c GetFileAttributesA
0x453080 GetLastError
0x453084 CopyFileA
0x453088 Sleep
0x45308c LocalAlloc
0x453090 GetVolumeInformationA
0x453094 GetCurrentProcess
0x453098 HeapFree
0x45309c GetModuleFileNameA
0x4530a0 SetEndOfFile
0x4530a4 HeapReAlloc
0x4530a8 HeapSize
0x4530ac ReadConsoleW
0x4530b0 ReadFile
0x4530b4 FlushFileBuffers
0x4530b8 CreateFileW
0x4530bc GetStringTypeW
0x4530c0 SetStdHandle
0x4530c4 UnhandledExceptionFilter
0x4530c8 SetUnhandledExceptionFilter
0x4530cc TerminateProcess
0x4530d0 IsProcessorFeaturePresent
0x4530d4 IsDebuggerPresent
0x4530d8 GetStartupInfoW
0x4530dc GetModuleHandleW
0x4530e0 QueryPerformanceCounter
0x4530e4 GetCurrentProcessId
0x4530e8 GetCurrentThreadId
0x4530ec GetSystemTimeAsFileTime
0x4530f0 InitializeSListHead
0x4530f4 RtlUnwind
0x4530f8 RaiseException
0x4530fc SetLastError
0x453100 EncodePointer
0x453104 EnterCriticalSection
0x453108 LeaveCriticalSection
0x45310c DeleteCriticalSection
0x453110 InitializeCriticalSectionAndSpinCount
0x453114 TlsAlloc
0x453118 TlsGetValue
0x45311c TlsSetValue
0x453120 TlsFree
0x453124 FreeLibrary
0x453128 LoadLibraryExW
0x45312c ExitProcess
0x453130 GetModuleHandleExW
0x453134 GetModuleFileNameW
0x453138 GetStdHandle
0x45313c WriteFile
0x453140 MultiByteToWideChar
0x453144 LCMapStringW
0x453148 MoveFileExW
0x45314c GetFileType
0x453150 GetConsoleOutputCP
0x453154 GetConsoleMode
0x453158 GetFileSizeEx
0x45315c SetFilePointerEx
0x453160 FindClose
0x453164 FindFirstFileExW
0x453168 FindNextFileW
0x45316c IsValidCodePage
0x453170 GetACP
0x453174 GetOEMCP
0x453178 GetCPInfo
0x45317c GetCommandLineA
0x453180 GetCommandLineW
0x453184 WideCharToMultiByte
0x453188 GetEnvironmentStringsW
0x45318c FreeEnvironmentStringsW
0x453190 DecodePointer
ADVAPI32.dll
0x453000 CreateServiceA
0x453004 RegCloseKey
0x453008 StartServiceCtrlDispatcherA
0x45300c GetCurrentHwProfileA
0x453010 CloseServiceHandle
0x453014 RegQueryValueExA
0x453018 SetServiceStatus
0x45301c RegisterServiceCtrlHandlerA
0x453020 OpenSCManagerA
0x453024 GetUserNameA
0x453028 StartServiceA
0x45302c RegOpenKeyExA
0x453030 OpenServiceA
SHELL32.dll
0x4531ac SHGetSpecialFolderPathA
0x4531b0 SHGetFolderPathA
0x4531b4 ShellExecuteA
SETUPAPI.dll
0x453198 SetupDiGetClassDevsA
0x45319c SetupDiEnumDeviceInterfaces
0x4531a0 SetupDiGetDeviceInterfaceDetailA
0x4531a4 SetupDiEnumDeviceInfo
EAT(Export Address Table) is none