ScreenShot
| Created | 2023.03.17 10:09 | Machine | s1_win7_x6401 |
| Filename | 111.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 39 detected (Zenpak, DownLoader7, Zusy, Artemis, V6m6, malicious, confidence, 100%, Attribute, HighConfidence, Rozena, score, ccmw, Ktgl, Slenfbot, alimm, hsuud, Wacatac, Detected, R562460, ai score=85, R002H0CCF23, CLOUD) | ||
| md5 | 6e5c1da79c9bdb532b062567460b4f1d | ||
| sha256 | 28a7dbd97cb25d923a80ebba8f856b9eb55664e419a4dc5ff17ced1e2726fb05 | ||
| ssdeep | 768:lPaX1h9m+6NB7kUTI3TwHm3WPeFn+vNEtQ2:la3m+Q7kU00HoWPeAetL | ||
| imphash | aca77bb36f4ee9dc931c40d10b8cabe8 | ||
| impfuzzy | 24:jOovnZt6DWQFQjERyvDh/J3IeRT4RfLpYTG:Cet1LDjhcRfFYTG | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Repeatedly searches for a not-found process |
| info | Checks amount of memory in system |
| info | This executable has a PDB path |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x408000 GetCommandLineA
0x408004 HeapFree
0x408008 GetVersionExA
0x40800c HeapAlloc
0x408010 GetProcessHeap
0x408014 TerminateProcess
0x408018 GetCurrentProcess
0x40801c UnhandledExceptionFilter
0x408020 SetUnhandledExceptionFilter
0x408024 IsDebuggerPresent
0x408028 GetProcAddress
0x40802c GetModuleHandleA
0x408030 ExitProcess
0x408034 WriteFile
0x408038 GetStdHandle
0x40803c GetModuleFileNameA
0x408040 FreeEnvironmentStringsA
0x408044 GetEnvironmentStrings
0x408048 FreeEnvironmentStringsW
0x40804c WideCharToMultiByte
0x408050 GetLastError
0x408054 GetEnvironmentStringsW
0x408058 SetHandleCount
0x40805c GetFileType
0x408060 GetStartupInfoA
0x408064 DeleteCriticalSection
0x408068 TlsGetValue
0x40806c TlsAlloc
0x408070 TlsSetValue
0x408074 TlsFree
0x408078 InterlockedIncrement
0x40807c SetLastError
0x408080 GetCurrentThreadId
0x408084 InterlockedDecrement
0x408088 HeapDestroy
0x40808c HeapCreate
0x408090 VirtualFree
0x408094 QueryPerformanceCounter
0x408098 GetTickCount
0x40809c GetCurrentProcessId
0x4080a0 GetSystemTimeAsFileTime
0x4080a4 LeaveCriticalSection
0x4080a8 EnterCriticalSection
0x4080ac LoadLibraryA
0x4080b0 InitializeCriticalSection
0x4080b4 Sleep
0x4080b8 GetCPInfo
0x4080bc GetACP
0x4080c0 GetOEMCP
0x4080c4 VirtualAlloc
0x4080c8 HeapReAlloc
0x4080cc RtlUnwind
0x4080d0 HeapSize
0x4080d4 MultiByteToWideChar
0x4080d8 GetLocaleInfoA
0x4080dc LCMapStringA
0x4080e0 LCMapStringW
0x4080e4 GetStringTypeA
0x4080e8 GetStringTypeW
EAT(Export Address Table) is none
KERNEL32.dll
0x408000 GetCommandLineA
0x408004 HeapFree
0x408008 GetVersionExA
0x40800c HeapAlloc
0x408010 GetProcessHeap
0x408014 TerminateProcess
0x408018 GetCurrentProcess
0x40801c UnhandledExceptionFilter
0x408020 SetUnhandledExceptionFilter
0x408024 IsDebuggerPresent
0x408028 GetProcAddress
0x40802c GetModuleHandleA
0x408030 ExitProcess
0x408034 WriteFile
0x408038 GetStdHandle
0x40803c GetModuleFileNameA
0x408040 FreeEnvironmentStringsA
0x408044 GetEnvironmentStrings
0x408048 FreeEnvironmentStringsW
0x40804c WideCharToMultiByte
0x408050 GetLastError
0x408054 GetEnvironmentStringsW
0x408058 SetHandleCount
0x40805c GetFileType
0x408060 GetStartupInfoA
0x408064 DeleteCriticalSection
0x408068 TlsGetValue
0x40806c TlsAlloc
0x408070 TlsSetValue
0x408074 TlsFree
0x408078 InterlockedIncrement
0x40807c SetLastError
0x408080 GetCurrentThreadId
0x408084 InterlockedDecrement
0x408088 HeapDestroy
0x40808c HeapCreate
0x408090 VirtualFree
0x408094 QueryPerformanceCounter
0x408098 GetTickCount
0x40809c GetCurrentProcessId
0x4080a0 GetSystemTimeAsFileTime
0x4080a4 LeaveCriticalSection
0x4080a8 EnterCriticalSection
0x4080ac LoadLibraryA
0x4080b0 InitializeCriticalSection
0x4080b4 Sleep
0x4080b8 GetCPInfo
0x4080bc GetACP
0x4080c0 GetOEMCP
0x4080c4 VirtualAlloc
0x4080c8 HeapReAlloc
0x4080cc RtlUnwind
0x4080d0 HeapSize
0x4080d4 MultiByteToWideChar
0x4080d8 GetLocaleInfoA
0x4080dc LCMapStringA
0x4080e0 LCMapStringW
0x4080e4 GetStringTypeA
0x4080e8 GetStringTypeW
EAT(Export Address Table) is none