ScreenShot
| Created | 2023.03.20 11:21 | Machine | s1_win7_x6401 |
| Filename | sqlcmd.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 47 detected (Siggen20, Sabsik, Save, SelfDel, malicious, confidence, 100%, ZexaF, jyW@aaBaqZai, Attribute, HighConfidence, high confidence, Kryptik, HROL, CrypterX, Ktgl, Generic ML PUA, NetLoader, score, Detected, dptks, ai score=82, Malware@#4b4pg0zs0g0b, Casdet, UN14F8, PowershellDownloader, R561248, Artemis, unsafe, R014H0CCH23, BL7FfxAqZIF, susgen) | ||
| md5 | 562348e8dbd71f796420599713c73c02 | ||
| sha256 | 28fff67a5ec01a9ccd4c5101cdfeaa2a714d90322b39a5b5be4cb48e4ff78ea2 | ||
| ssdeep | 3072:OBkoDOa0GfjuYQWOd1nfS9KlTHSsq+dzplmKzBfcnhHKMISCVN/Q:/Vq+pluMMCn/ | ||
| imphash | 31eba92d0073ffa8bbcfdb9711b34088 | ||
| impfuzzy | 24:+BKkhMULu9iHglZUqtMS1gNhlJnc+pl3eDoupSOovbOwZivFghUc:+BKkF4/tMS1gN5c+pp23/ShX | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Drops an executable to the user AppData folder |
| notice | Poweshell is sending data to a remote host |
| notice | URL downloaded by powershell script |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Powershell script has download & invoke calls |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
| info | PowershellDI | Extract Download/Invoke calls from powershell script | scripts |
PE API
IAT(Import Address Table) Library
WININET.dll
0x41c144 InternetReadFile
0x41c148 InternetCloseHandle
0x41c14c InternetCrackUrlW
0x41c150 InternetOpenW
0x41c154 InternetOpenUrlW
0x41c158 InternetQueryDataAvailable
SHLWAPI.dll
0x41c130 StrStrW
0x41c134 wnsprintfW
KERNEL32.dll
0x41c00c SetFilePointerEx
0x41c010 GetConsoleMode
0x41c014 GetConsoleOutputCP
0x41c018 FlushFileBuffers
0x41c01c WriteFile
0x41c020 GetModuleFileNameW
0x41c024 GetEnvironmentVariableW
0x41c028 CreateFileW
0x41c02c GetFileAttributesW
0x41c030 LoadLibraryA
0x41c034 WriteConsoleW
0x41c038 CloseHandle
0x41c03c ExitProcess
0x41c040 GetModuleHandleW
0x41c044 lstrcpyW
0x41c048 GetTempFileNameW
0x41c04c HeapFree
0x41c050 HeapReAlloc
0x41c054 HeapAlloc
0x41c058 GetProcessHeap
0x41c05c WideCharToMultiByte
0x41c060 HeapSize
0x41c064 EncodePointer
0x41c068 lstrcatW
0x41c06c LCMapStringW
0x41c070 UnhandledExceptionFilter
0x41c074 SetUnhandledExceptionFilter
0x41c078 GetCurrentProcess
0x41c07c TerminateProcess
0x41c080 IsProcessorFeaturePresent
0x41c084 QueryPerformanceCounter
0x41c088 GetCurrentProcessId
0x41c08c GetCurrentThreadId
0x41c090 GetSystemTimeAsFileTime
0x41c094 InitializeSListHead
0x41c098 IsDebuggerPresent
0x41c09c GetStartupInfoW
0x41c0a0 RaiseException
0x41c0a4 DecodePointer
0x41c0a8 RtlUnwind
0x41c0ac GetLastError
0x41c0b0 SetLastError
0x41c0b4 EnterCriticalSection
0x41c0b8 LeaveCriticalSection
0x41c0bc DeleteCriticalSection
0x41c0c0 InitializeCriticalSectionAndSpinCount
0x41c0c4 TlsAlloc
0x41c0c8 TlsGetValue
0x41c0cc TlsSetValue
0x41c0d0 TlsFree
0x41c0d4 FreeLibrary
0x41c0d8 GetProcAddress
0x41c0dc LoadLibraryExW
0x41c0e0 GetStdHandle
0x41c0e4 GetModuleHandleExW
0x41c0e8 FindClose
0x41c0ec FindFirstFileExW
0x41c0f0 FindNextFileW
0x41c0f4 IsValidCodePage
0x41c0f8 GetACP
0x41c0fc GetOEMCP
0x41c100 GetCPInfo
0x41c104 GetCommandLineA
0x41c108 GetCommandLineW
0x41c10c MultiByteToWideChar
0x41c110 GetEnvironmentStringsW
0x41c114 FreeEnvironmentStringsW
0x41c118 SetStdHandle
0x41c11c GetFileType
0x41c120 GetStringTypeW
USER32.dll
0x41c13c wsprintfW
ADVAPI32.dll
0x41c000 GetSidSubAuthority
0x41c004 GetSidSubAuthorityCount
SHELL32.dll
0x41c128 ShellExecuteW
EAT(Export Address Table) is none
WININET.dll
0x41c144 InternetReadFile
0x41c148 InternetCloseHandle
0x41c14c InternetCrackUrlW
0x41c150 InternetOpenW
0x41c154 InternetOpenUrlW
0x41c158 InternetQueryDataAvailable
SHLWAPI.dll
0x41c130 StrStrW
0x41c134 wnsprintfW
KERNEL32.dll
0x41c00c SetFilePointerEx
0x41c010 GetConsoleMode
0x41c014 GetConsoleOutputCP
0x41c018 FlushFileBuffers
0x41c01c WriteFile
0x41c020 GetModuleFileNameW
0x41c024 GetEnvironmentVariableW
0x41c028 CreateFileW
0x41c02c GetFileAttributesW
0x41c030 LoadLibraryA
0x41c034 WriteConsoleW
0x41c038 CloseHandle
0x41c03c ExitProcess
0x41c040 GetModuleHandleW
0x41c044 lstrcpyW
0x41c048 GetTempFileNameW
0x41c04c HeapFree
0x41c050 HeapReAlloc
0x41c054 HeapAlloc
0x41c058 GetProcessHeap
0x41c05c WideCharToMultiByte
0x41c060 HeapSize
0x41c064 EncodePointer
0x41c068 lstrcatW
0x41c06c LCMapStringW
0x41c070 UnhandledExceptionFilter
0x41c074 SetUnhandledExceptionFilter
0x41c078 GetCurrentProcess
0x41c07c TerminateProcess
0x41c080 IsProcessorFeaturePresent
0x41c084 QueryPerformanceCounter
0x41c088 GetCurrentProcessId
0x41c08c GetCurrentThreadId
0x41c090 GetSystemTimeAsFileTime
0x41c094 InitializeSListHead
0x41c098 IsDebuggerPresent
0x41c09c GetStartupInfoW
0x41c0a0 RaiseException
0x41c0a4 DecodePointer
0x41c0a8 RtlUnwind
0x41c0ac GetLastError
0x41c0b0 SetLastError
0x41c0b4 EnterCriticalSection
0x41c0b8 LeaveCriticalSection
0x41c0bc DeleteCriticalSection
0x41c0c0 InitializeCriticalSectionAndSpinCount
0x41c0c4 TlsAlloc
0x41c0c8 TlsGetValue
0x41c0cc TlsSetValue
0x41c0d0 TlsFree
0x41c0d4 FreeLibrary
0x41c0d8 GetProcAddress
0x41c0dc LoadLibraryExW
0x41c0e0 GetStdHandle
0x41c0e4 GetModuleHandleExW
0x41c0e8 FindClose
0x41c0ec FindFirstFileExW
0x41c0f0 FindNextFileW
0x41c0f4 IsValidCodePage
0x41c0f8 GetACP
0x41c0fc GetOEMCP
0x41c100 GetCPInfo
0x41c104 GetCommandLineA
0x41c108 GetCommandLineW
0x41c10c MultiByteToWideChar
0x41c110 GetEnvironmentStringsW
0x41c114 FreeEnvironmentStringsW
0x41c118 SetStdHandle
0x41c11c GetFileType
0x41c120 GetStringTypeW
USER32.dll
0x41c13c wsprintfW
ADVAPI32.dll
0x41c000 GetSidSubAuthority
0x41c004 GetSidSubAuthorityCount
SHELL32.dll
0x41c128 ShellExecuteW
EAT(Export Address Table) is none