Field | Value |
---|---|
Created | 2022.12.13 13:27 |
Machine | s1_win7_x6401 |
Filename | file.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 40 detected (AIDetect, malware1, PsDownload, Fragtor, Unsafe, Save, Kryptik, malicious, confidence, Eldorado, Attribute, HighConfidence, high confidence, HROL, score, CrypterX, Shohdi, high, ai score=82, kcloud, Sabsik, Detected, GenericRXUR, BScope, TrojanPSW, Coins, CLASSIC, susgen, ZexaF, qCW@aWkhyeoi) |
md5 | 0db52d1259097e34f3e1d142ad75f9d1 |
sha256 | 1689115f18f0a6a898e7ffeb40ebb6235008522e436cb122cf3bb64bc2aed506 |
ssdeep | 6144:0Y67I5LCHeUh8cOwE8LrZDa3Y4RCJOoOkvpb2/i:hqIx68cOwzLrZDa3fRCsoMi |
imphash | cddebb8fa6c0a087547241e14a7bb869 |
impfuzzy | 24:+BKkhMULu9MBjHglZl9c+5jVeD+t9S18/l39yJEcMSOovbOwZY9Q3whe:+BKkDR4dc+Pt9S18/prH3nQ3Ue |
Network IP location
Signature (23cnts)
Level | Description |
---|---|
danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | Powershell is sending data to a remote host |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | URL downloaded by powershell script |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid) |
info | Command line console output was observed |
info | Powershell script has download & invoke calls |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Uses Windows APIs to generate a cryptographic key |
Rules (16cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
info | PowershellDI | Extract Download/Invoke calls from powershell script | scripts |
PE API
IAT(Import Address Table) Library
WININET.dll
0x41e154 InternetReadFile
0x41e158 InternetCloseHandle
0x41e15c InternetCrackUrlW
0x41e160 InternetOpenW
0x41e164 InternetOpenUrlW
0x41e168 InternetQueryDataAvailable
SHLWAPI.dll
0x41e13c StrStrW
0x41e140 wnsprintfW
KERNEL32.dll
0x41e00c SetFilePointerEx
0x41e010 GetConsoleMode
0x41e014 GetConsoleOutputCP
0x41e018 FlushFileBuffers
0x41e01c WriteFile
0x41e020 GetModuleFileNameW
0x41e024 GetEnvironmentVariableW
0x41e028 CreateFileW
0x41e02c GetFileAttributesW
0x41e030 GetSystemWow64DirectoryW
0x41e034 GetLastError
0x41e038 LoadLibraryA
0x41e03c WriteConsoleW
0x41e040 CloseHandle
0x41e044 ExitProcess
0x41e048 GetModuleHandleW
0x41e04c lstrcpyW
0x41e050 GetTempFileNameW
0x41e054 HeapFree
0x41e058 HeapReAlloc
0x41e05c HeapAlloc
0x41e060 GetProcessHeap
0x41e064 WideCharToMultiByte
0x41e068 HeapSize
0x41e06c GetStringTypeW
0x41e070 SetStdHandle
0x41e074 EncodePointer
0x41e078 lstrcatW
0x41e07c GetStartupInfoW
0x41e080 EnterCriticalSection
0x41e084 LeaveCriticalSection
0x41e088 DeleteCriticalSection
0x41e08c SetEvent
0x41e090 ResetEvent
0x41e094 WaitForSingleObjectEx
0x41e098 CreateEventW
0x41e09c GetProcAddress
0x41e0a0 UnhandledExceptionFilter
0x41e0a4 SetUnhandledExceptionFilter
0x41e0a8 GetCurrentProcess
0x41e0ac TerminateProcess
0x41e0b0 IsProcessorFeaturePresent
0x41e0b4 IsDebuggerPresent
0x41e0b8 DecodePointer
0x41e0bc QueryPerformanceCounter
0x41e0c0 GetCurrentProcessId
0x41e0c4 GetCurrentThreadId
0x41e0c8 GetSystemTimeAsFileTime
0x41e0cc InitializeSListHead
0x41e0d0 RaiseException
0x41e0d4 InitializeCriticalSectionAndSpinCount
0x41e0d8 TlsAlloc
0x41e0dc TlsGetValue
0x41e0e0 TlsSetValue
0x41e0e4 TlsFree
0x41e0e8 FreeLibrary
0x41e0ec LoadLibraryExW
0x41e0f0 SetLastError
0x41e0f4 RtlUnwind
0x41e0f8 GetModuleHandleExW
0x41e0fc GetStdHandle
0x41e100 FindClose
0x41e104 FindFirstFileExW
0x41e108 FindNextFileW
0x41e10c IsValidCodePage
0x41e110 GetACP
0x41e114 GetOEMCP
0x41e118 GetCPInfo
0x41e11c GetCommandLineA
0x41e120 GetCommandLineW
0x41e124 MultiByteToWideChar
0x41e128 GetEnvironmentStringsW
0x41e12c FreeEnvironmentStringsW
0x41e130 LCMapStringW
0x41e134 GetFileType
USER32.dll
0x41e148 wsprintfW
0x41e14c MessageBoxA
ADVAPI32.dll
0x41e000 GetSidSubAuthority
0x41e004 GetSidSubAuthorityCount
EAT(Export Address Table) is none