Field | Value |
---|---|
Created | 2022.05.23 09:35 |
Machine | s1_win7_x6403 |
Filename | crypted.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 33 detected (Donut, Lazy, malicious, confidence, Attribute, HighConfidence, high confidence, a variant of WinGo, Generic@AI, RDML, +WxmF2UOVke5HR1us5riSg, R002C0PEJ22, WinGo, AGEN, ai score=83, score, R492765, GenericRXNH, BScope, Convagent, susgen) |
md5 | e91529f0e5cfd905fe9b3460ba50eef8 |
sha256 | e2a560ab014411433ad31ecfe13de3b561170660a86c726b2c803d94781f8680 |
ssdeep | 24576:4/C2WJACchgZczfkTGsHfaGDGLuCC2LYeghf0gf3eCmmORi59LnYz1abA+KX8Vi:48uQfACd3NmCmg59Yz1abAlXb |
imphash | 9cbefe68f395e67356e2a5d8d1b285c0 |
impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP |
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Executed a process and injected code into it |
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Detects the presence of Wine emulator |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | One or more potentially interesting buffers were extracted |
notice | Yara rule detected in process memory |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (20cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
kernel32.dll
0x57f040 WriteFile
0x57f044 WriteConsoleW
0x57f048 WaitForMultipleObjects
0x57f04c WaitForSingleObject
0x57f050 VirtualQuery
0x57f054 VirtualFree
0x57f058 VirtualAlloc
0x57f05c SwitchToThread
0x57f060 SuspendThread
0x57f064 SetWaitableTimer
0x57f068 SetUnhandledExceptionFilter
0x57f06c SetProcessPriorityBoost
0x57f070 SetEvent
0x57f074 SetErrorMode
0x57f078 SetConsoleCtrlHandler
0x57f07c ResumeThread
0x57f080 PostQueuedCompletionStatus
0x57f084 LoadLibraryA
0x57f088 LoadLibraryW
0x57f08c SetThreadContext
0x57f090 GetThreadContext
0x57f094 GetSystemInfo
0x57f098 GetSystemDirectoryA
0x57f09c GetStdHandle
0x57f0a0 GetQueuedCompletionStatusEx
0x57f0a4 GetProcessAffinityMask
0x57f0a8 GetProcAddress
0x57f0ac GetEnvironmentStringsW
0x57f0b0 GetConsoleMode
0x57f0b4 FreeEnvironmentStringsW
0x57f0b8 ExitProcess
0x57f0bc DuplicateHandle
0x57f0c0 CreateWaitableTimerExW
0x57f0c4 CreateThread
0x57f0c8 CreateIoCompletionPort
0x57f0cc CreateFileA
0x57f0d0 CreateEventA
0x57f0d4 CloseHandle
0x57f0d8 AddVectoredExceptionHandler
EAT(Export Address Table) is none