Field | Value
---|---
Created | 2023.03.07 18:07
Machine | s1_win7_x6402
Filename | ChatGPT.scr
Type | PE32 executable (console) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : clean
VT API (file) |
md5 | a0b3955d2406cf5b66628ea21bb1a41a
sha256 | ae6ee222c3ae8fb96f8513ff270ab95c2ad0738ba80c0d9bb140b42c5d0d5398
ssdeep | 3072:N1wfJhEMhVSOyayzDt5qMROznoH6roQL46kZd1IKIDiWZVXyF:7YLLhVSNDt5qMAoH4oAkZduKQiz
imphash | 1b58743aa6d3922ef077981e7514edd8
impfuzzy | 24:G7DaOovnOQFQjERyvDh/J3ISlRT47mfLplhqsgVxt3z7gUMEXx/Nun:GNEOLDjhc7mfF7qdVXD7ZMEXpN0
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41100c FreeConsole
0x411010 InitializeCriticalSection
0x411014 GetLocaleInfoA
0x411018 GetModuleHandleA
0x41101c HeapSize
0x411020 GetProcAddress
0x411024 GetCommandLineA
0x411028 SetUnhandledExceptionFilter
0x41102c GetModuleHandleW
0x411030 Sleep
0x411034 ExitProcess
0x411038 WriteFile
0x41103c GetStdHandle
0x411040 GetModuleFileNameA
0x411044 FreeEnvironmentStringsA
0x411048 GetEnvironmentStrings
0x41104c FreeEnvironmentStringsW
0x411050 WideCharToMultiByte
0x411054 GetLastError
0x411058 GetEnvironmentStringsW
0x41105c SetHandleCount
0x411060 GetFileType
0x411064 GetStartupInfoA
0x411068 DeleteCriticalSection
0x41106c TlsGetValue
0x411070 TlsAlloc
0x411074 TlsSetValue
0x411078 TlsFree
0x41107c InterlockedIncrement
0x411080 SetLastError
0x411084 GetCurrentThreadId
0x411088 InterlockedDecrement
0x41108c HeapCreate
0x411090 VirtualFree
0x411094 HeapFree
0x411098 QueryPerformanceCounter
0x41109c GetTickCount
0x4110a0 GetCurrentProcessId
0x4110a4 GetSystemTimeAsFileTime
0x4110a8 GetCPInfo
0x4110ac GetACP
0x4110b0 GetOEMCP
0x4110b4 IsValidCodePage
0x4110b8 TerminateProcess
0x4110bc GetCurrentProcess
0x4110c0 UnhandledExceptionFilter
0x4110c4 IsDebuggerPresent
0x4110c8 LeaveCriticalSection
0x4110cc EnterCriticalSection
0x4110d0 LoadLibraryA
0x4110d4 InitializeCriticalSectionAndSpinCount
0x4110d8 HeapAlloc
0x4110dc VirtualAlloc
0x4110e0 HeapReAlloc
0x4110e4 RtlUnwind
0x4110e8 LCMapStringA
0x4110ec MultiByteToWideChar
0x4110f0 LCMapStringW
0x4110f4 GetStringTypeA
0x4110f8 GetStringTypeW
USER32.dll
0x411100 GetDlgItemTextA
0x411104 SendMessageA
0x411108 GetCursorPos
0x41110c TrackPopupMenu
0x411110 ClientToScreen
0x411114 DestroyMenu
0x411118 CreatePopupMenu
0x41111c AppendMenuA
0x411120 SendDlgItemMessageA
0x411124 GetDlgItem
GDI32.dll
0x411000 GetObjectW
0x411004 SetDCPenColor
EAT(Export Address Table) is none