ScreenShot
| Created | 2022.05.20 14:21 | Machine | s1_win7_x6401 |
| Filename | updated.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 51 detected (AIDetect, malware1, Injuke, Inject4, Lazy, GenericRXSW, Unsafe, Save, PSWStealer, ZexaF, RuY@aia1Snd, Kryptik, Eldorado, Attribute, HighConfidence, malicious, high confidence, HPFH, Fragtor, PWSX, Falsesign, Lify, AZORULT, YXCEPZ, tctlg, kcloud, score, R492451, BScope, ai score=84, CLOUD, susgen, Genetic, confidence, 100%) | ||
| md5 | a1128f30ff8209aa2a2d414e6da4076f | ||
| sha256 | 64ce95ae24281b52d627bb4757c0c816170b865ae9c23e9642e72fefebef1dff | ||
| ssdeep | 12288:e6PAqtyGLbFSccQdITR6eaFeA/sIrPA+ApmqB11cVKjLPdz:rwGXBBWTTaFeA/sIrPAD4qB1KQz | ||
| imphash | 37a87ba4c777dcd1db50684f6b029f1b | ||
| impfuzzy | 24:zGA27D5SyPhcpVWZstMeGbJBl3ELoEOovbO3kFZMv5GMAkEZHu9n:zGAW/pcpVestMeG7pSc30FZG1 | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
USER32.dll
0x48c134 GetSystemMetrics
0x48c138 GetSysColorBrush
0x48c13c FindWindowA
KERNEL32.dll
0x48c000 GetProcAddress
0x48c004 CreateFileW
0x48c008 HeapSize
0x48c00c GetProcessHeap
0x48c010 GetCurrentThreadId
0x48c014 MultiByteToWideChar
0x48c018 GetLastError
0x48c01c GetCurrentProcessId
0x48c020 GetConsoleWindow
0x48c024 WideCharToMultiByte
0x48c028 EnterCriticalSection
0x48c02c LeaveCriticalSection
0x48c030 InitializeCriticalSectionEx
0x48c034 DeleteCriticalSection
0x48c038 EncodePointer
0x48c03c DecodePointer
0x48c040 LCMapStringEx
0x48c044 GetStringTypeW
0x48c048 GetCPInfo
0x48c04c UnhandledExceptionFilter
0x48c050 SetUnhandledExceptionFilter
0x48c054 GetCurrentProcess
0x48c058 TerminateProcess
0x48c05c IsProcessorFeaturePresent
0x48c060 QueryPerformanceCounter
0x48c064 GetSystemTimeAsFileTime
0x48c068 InitializeSListHead
0x48c06c IsDebuggerPresent
0x48c070 GetStartupInfoW
0x48c074 GetModuleHandleW
0x48c078 SetStdHandle
0x48c07c RaiseException
0x48c080 RtlUnwind
0x48c084 SetLastError
0x48c088 InitializeCriticalSectionAndSpinCount
0x48c08c TlsAlloc
0x48c090 TlsGetValue
0x48c094 TlsSetValue
0x48c098 TlsFree
0x48c09c FreeLibrary
0x48c0a0 WriteConsoleW
0x48c0a4 LoadLibraryExW
0x48c0a8 GetStdHandle
0x48c0ac WriteFile
0x48c0b0 GetModuleFileNameW
0x48c0b4 ExitProcess
0x48c0b8 GetModuleHandleExW
0x48c0bc GetCommandLineA
0x48c0c0 GetCommandLineW
0x48c0c4 HeapAlloc
0x48c0c8 HeapFree
0x48c0cc CompareStringW
0x48c0d0 LCMapStringW
0x48c0d4 GetLocaleInfoW
0x48c0d8 IsValidLocale
0x48c0dc GetUserDefaultLCID
0x48c0e0 EnumSystemLocalesW
0x48c0e4 GetFileType
0x48c0e8 CloseHandle
0x48c0ec FlushFileBuffers
0x48c0f0 GetConsoleOutputCP
0x48c0f4 GetConsoleMode
0x48c0f8 ReadFile
0x48c0fc GetFileSizeEx
0x48c100 SetFilePointerEx
0x48c104 ReadConsoleW
0x48c108 HeapReAlloc
0x48c10c FindClose
0x48c110 FindFirstFileExW
0x48c114 FindNextFileW
0x48c118 IsValidCodePage
0x48c11c GetACP
0x48c120 GetOEMCP
0x48c124 GetEnvironmentStringsW
0x48c128 FreeEnvironmentStringsW
0x48c12c SetEnvironmentVariableW
EAT(Export Address Table) is none
USER32.dll
0x48c134 GetSystemMetrics
0x48c138 GetSysColorBrush
0x48c13c FindWindowA
KERNEL32.dll
0x48c000 GetProcAddress
0x48c004 CreateFileW
0x48c008 HeapSize
0x48c00c GetProcessHeap
0x48c010 GetCurrentThreadId
0x48c014 MultiByteToWideChar
0x48c018 GetLastError
0x48c01c GetCurrentProcessId
0x48c020 GetConsoleWindow
0x48c024 WideCharToMultiByte
0x48c028 EnterCriticalSection
0x48c02c LeaveCriticalSection
0x48c030 InitializeCriticalSectionEx
0x48c034 DeleteCriticalSection
0x48c038 EncodePointer
0x48c03c DecodePointer
0x48c040 LCMapStringEx
0x48c044 GetStringTypeW
0x48c048 GetCPInfo
0x48c04c UnhandledExceptionFilter
0x48c050 SetUnhandledExceptionFilter
0x48c054 GetCurrentProcess
0x48c058 TerminateProcess
0x48c05c IsProcessorFeaturePresent
0x48c060 QueryPerformanceCounter
0x48c064 GetSystemTimeAsFileTime
0x48c068 InitializeSListHead
0x48c06c IsDebuggerPresent
0x48c070 GetStartupInfoW
0x48c074 GetModuleHandleW
0x48c078 SetStdHandle
0x48c07c RaiseException
0x48c080 RtlUnwind
0x48c084 SetLastError
0x48c088 InitializeCriticalSectionAndSpinCount
0x48c08c TlsAlloc
0x48c090 TlsGetValue
0x48c094 TlsSetValue
0x48c098 TlsFree
0x48c09c FreeLibrary
0x48c0a0 WriteConsoleW
0x48c0a4 LoadLibraryExW
0x48c0a8 GetStdHandle
0x48c0ac WriteFile
0x48c0b0 GetModuleFileNameW
0x48c0b4 ExitProcess
0x48c0b8 GetModuleHandleExW
0x48c0bc GetCommandLineA
0x48c0c0 GetCommandLineW
0x48c0c4 HeapAlloc
0x48c0c8 HeapFree
0x48c0cc CompareStringW
0x48c0d0 LCMapStringW
0x48c0d4 GetLocaleInfoW
0x48c0d8 IsValidLocale
0x48c0dc GetUserDefaultLCID
0x48c0e0 EnumSystemLocalesW
0x48c0e4 GetFileType
0x48c0e8 CloseHandle
0x48c0ec FlushFileBuffers
0x48c0f0 GetConsoleOutputCP
0x48c0f4 GetConsoleMode
0x48c0f8 ReadFile
0x48c0fc GetFileSizeEx
0x48c100 SetFilePointerEx
0x48c104 ReadConsoleW
0x48c108 HeapReAlloc
0x48c10c FindClose
0x48c110 FindFirstFileExW
0x48c114 FindNextFileW
0x48c118 IsValidCodePage
0x48c11c GetACP
0x48c120 GetOEMCP
0x48c124 GetEnvironmentStringsW
0x48c128 FreeEnvironmentStringsW
0x48c12c SetEnvironmentVariableW
EAT(Export Address Table) is none