Field | Value
---|---
Created | 2023.03.17 07:36
Machine | s1_win7_x6401
Filename | 91.exe
Type | PE32+ executable (console) x86-64, for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : malware
VT API (file) | 37 detected (malicious, high confidence, GenericKD, Artemis, Aurora, Vdwx, confidence, 100%, Attribute, HighConfidence, a variant of Generik, CKYFYFJ, score, Coins, PWSX, QQPass, QQRob, Aujl, AURORASTEALER, YXDCOZ, Generic ML PUA, Casdet, AGEN, ai score=86, Sabsik, Malware@#2zq6fhhfnv2i9, Detected, Undefined, hm8XUiEnfpE)
md5 | e309c8e66cb963033a3e8cc4b480f81d
sha256 | 7d8f5d965f6466e1282224bf2b39324c4f98ee39c805c89119da7ddc7a36a658
ssdeep | 49152:1gjtfvNrQtMX9NQz0/BtRd8F4Ji8UUr8eNp2HEqkseUJc0In5:W7rQQvQzyR84JxF8eNp2HEqksPcd
imphash | 1b5afa72ae21524cce342735db6e44db
impfuzzy | 24:32gDy02tdS1CBgdlJeDc+pl39roUOovbO3URZHu99RovPGMR:6tdS1CBgic+ppZi3L63
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
watch | Communicates with host for which no DNS query was performed |
watch | Detects the presence of Wine emulator |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140013000 SizeofResource
0x140013008 VirtualAlloc
0x140013010 FindResourceA
0x140013018 LoadLibraryA
0x140013020 FreeConsole
0x140013028 LoadResource
0x140013030 GetProcAddress
0x140013038 WriteConsoleW
0x140013040 RtlCaptureContext
0x140013048 RtlLookupFunctionEntry
0x140013050 RtlVirtualUnwind
0x140013058 UnhandledExceptionFilter
0x140013060 SetUnhandledExceptionFilter
0x140013068 GetCurrentProcess
0x140013070 TerminateProcess
0x140013078 IsProcessorFeaturePresent
0x140013080 IsDebuggerPresent
0x140013088 GetStartupInfoW
0x140013090 GetModuleHandleW
0x140013098 QueryPerformanceCounter
0x1400130a0 GetCurrentProcessId
0x1400130a8 GetCurrentThreadId
0x1400130b0 GetSystemTimeAsFileTime
0x1400130b8 InitializeSListHead
0x1400130c0 RtlUnwindEx
0x1400130c8 RtlPcToFileHeader
0x1400130d0 RaiseException
0x1400130d8 GetLastError
0x1400130e0 SetLastError
0x1400130e8 EncodePointer
0x1400130f0 EnterCriticalSection
0x1400130f8 LeaveCriticalSection
0x140013100 DeleteCriticalSection
0x140013108 InitializeCriticalSectionAndSpinCount
0x140013110 TlsAlloc
0x140013118 TlsGetValue
0x140013120 TlsSetValue
0x140013128 TlsFree
0x140013130 FreeLibrary
0x140013138 LoadLibraryExW
0x140013140 ExitProcess
0x140013148 GetModuleHandleExW
0x140013150 GetModuleFileNameW
0x140013158 GetStdHandle
0x140013160 WriteFile
0x140013168 GetCommandLineA
0x140013170 GetCommandLineW
0x140013178 HeapAlloc
0x140013180 HeapFree
0x140013188 FindClose
0x140013190 FindFirstFileExW
0x140013198 FindNextFileW
0x1400131a0 IsValidCodePage
0x1400131a8 GetACP
0x1400131b0 GetOEMCP
0x1400131b8 GetCPInfo
0x1400131c0 MultiByteToWideChar
0x1400131c8 WideCharToMultiByte
0x1400131d0 GetEnvironmentStringsW
0x1400131d8 FreeEnvironmentStringsW
0x1400131e0 SetEnvironmentVariableW
0x1400131e8 FlsAlloc
0x1400131f0 FlsGetValue
0x1400131f8 FlsSetValue
0x140013200 FlsFree
0x140013208 CompareStringW
0x140013210 LCMapStringW
0x140013218 GetProcessHeap
0x140013220 GetFileType
0x140013228 SetStdHandle
0x140013230 GetStringTypeW
0x140013238 HeapSize
0x140013240 HeapReAlloc
0x140013248 FlushFileBuffers
0x140013250 GetConsoleOutputCP
0x140013258 GetConsoleMode
0x140013260 SetFilePointerEx
0x140013268 CreateFileW
0x140013270 CloseHandle
EAT (Export Address Table): none