ScreenShot
| Created | 2023.03.20 11:29 | Machine | s1_win7_x6401 |
| Filename | chat-gpt.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 36 detected (Convagent, Barys, malicious, confidence, 100%, Strab, Attribute, HighConfidence, score, Rgil, PRIVATELOADER, YXDCQZ, zsyhy, Malware@#2s8h65cz99ol2, Casdet, Detected, R564218, Artemis, ai score=80, CLOUD, susgen, MalwareX) | ||
| md5 | 65c2ae916c616382ed8d8df33aa50bbc | ||
| sha256 | 3ed4997b7fc422a343672e1159ca3b4c96b318a63e5ee85dcd7ce1ae9ce7bcd1 | ||
| ssdeep | 49152:lKgfSN6T+QgwZ20UEkoICscDrCq/olbBRNSHX83xs9wfETs7128vkVdDUj6zNs5k:hwZ2sqVRbNsCaSenC+nz1a | ||
| imphash | 90930df37dc3798c0e5f7020bf134bc9 | ||
| impfuzzy | 96:UW/NtoW4WK3orXsdxm7u6S6HzK938viNa4NyQs:UWIW4WtrZ7uYHzKKT4NyQs | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
Secur32.dll
0x140404288 FreeCredentialsHandle
0x140404290 ApplyControlToken
0x140404298 AcquireCredentialsHandleA
0x1404042a0 DeleteSecurityContext
0x1404042a8 DecryptMessage
0x1404042b0 FreeContextBuffer
0x1404042b8 AcceptSecurityContext
0x1404042c0 InitializeSecurityContextW
0x1404042c8 EncryptMessage
0x1404042d0 QueryContextAttributesW
KERNEL32.dll
0x140404000 IsProcessorFeaturePresent
0x140404008 InitializeSListHead
0x140404010 IsDebuggerPresent
0x140404018 UnhandledExceptionFilter
0x140404020 SetUnhandledExceptionFilter
0x140404028 GetSystemTimeAsFileTime
0x140404030 TlsSetValue
0x140404038 TlsGetValue
0x140404040 CreateThread
0x140404048 CloseHandle
0x140404050 ReleaseSRWLockExclusive
0x140404058 AcquireSRWLockExclusive
0x140404060 GetProcAddress
0x140404068 Sleep
0x140404070 GetModuleHandleA
0x140404078 RtlVirtualUnwind
0x140404080 TryAcquireSRWLockExclusive
0x140404088 ReleaseSRWLockShared
0x140404090 AcquireSRWLockShared
0x140404098 SleepConditionVariableSRW
0x1404040a0 GetSystemInfo
0x1404040a8 SetHandleInformation
0x1404040b0 GetCurrentProcessId
0x1404040b8 CreateIoCompletionPort
0x1404040c0 GetQueuedCompletionStatusEx
0x1404040c8 PostQueuedCompletionStatus
0x1404040d0 SetFileCompletionNotificationModes
0x1404040d8 FreeEnvironmentStringsW
0x1404040e0 ReleaseMutex
0x1404040e8 FindClose
0x1404040f0 CompareStringOrdinal
0x1404040f8 GetLastError
0x140404100 AddVectoredExceptionHandler
0x140404108 SetThreadStackGuarantee
0x140404110 SwitchToThread
0x140404118 GetCurrentProcess
0x140404120 GetCurrentThread
0x140404128 RtlCaptureContext
0x140404130 RtlLookupFunctionEntry
0x140404138 SetLastError
0x140404140 GetCurrentDirectoryW
0x140404148 GetEnvironmentStringsW
0x140404150 GetEnvironmentVariableW
0x140404158 DuplicateHandle
0x140404160 SetFilePointerEx
0x140404168 GetStdHandle
0x140404170 WriteFileEx
0x140404178 SleepEx
0x140404180 ReadFileEx
0x140404188 WaitForSingleObject
0x140404190 TerminateProcess
0x140404198 WakeAllConditionVariable
0x1404041a0 WakeConditionVariable
0x1404041a8 QueryPerformanceCounter
0x1404041b0 QueryPerformanceFrequency
0x1404041b8 HeapAlloc
0x1404041c0 GetProcessHeap
0x1404041c8 HeapFree
0x1404041d0 HeapReAlloc
0x1404041d8 WaitForSingleObjectEx
0x1404041e0 LoadLibraryA
0x1404041e8 CreateMutexA
0x1404041f0 CreateFileW
0x1404041f8 GetFileInformationByHandle
0x140404200 GetFileInformationByHandleEx
0x140404208 FindFirstFileW
0x140404210 GetFinalPathNameByHandleW
0x140404218 GetConsoleMode
0x140404220 GetModuleHandleW
0x140404228 FormatMessageW
0x140404230 GetModuleFileNameW
0x140404238 ExitProcess
0x140404240 GetFullPathNameW
0x140404248 CreateNamedPipeW
0x140404250 GetSystemDirectoryW
0x140404258 GetWindowsDirectoryW
0x140404260 CreateProcessW
0x140404268 GetFileAttributesW
0x140404270 WriteConsoleW
0x140404278 GetCurrentThreadId
advapi32.dll
0x140404330 GetUserNameW
0x140404338 SystemFunction036
0x140404340 RegCloseKey
0x140404348 RegQueryValueExW
0x140404350 RegOpenKeyExW
ws2_32.dll
0x1404044e0 getaddrinfo
0x1404044e8 getpeername
0x1404044f0 WSACleanup
0x1404044f8 WSAStartup
0x140404500 WSAGetLastError
0x140404508 WSAIoctl
0x140404510 setsockopt
0x140404518 WSASend
0x140404520 send
0x140404528 recv
0x140404530 shutdown
0x140404538 getsockopt
0x140404540 ioctlsocket
0x140404548 connect
0x140404550 ind
0x140404558 WSASocketW
0x140404560 closesocket
0x140404568 getsockname
0x140404570 freeaddrinfo
crypt32.dll
0x140404458 CertVerifyCertificateChainPolicy
0x140404460 CertGetCertificateChain
0x140404468 CertOpenStore
0x140404470 CertCloseStore
0x140404478 CertDuplicateCertificateContext
0x140404480 CertFreeCertificateContext
0x140404488 CertFreeCertificateChain
0x140404490 CertDuplicateCertificateChain
0x140404498 CertEnumCertificatesInStore
0x1404044a0 CertAddCertificateContextToStore
0x1404044a8 CertDuplicateStore
ntdll.dll
0x1404044b8 NtDeviceIoControlFile
0x1404044c0 NtCancelIoFileEx
0x1404044c8 NtCreateFile
0x1404044d0 RtlNtStatusToDosError
crypt.dll
0x140404448 BCryptGenRandom
VCRUNTIME140.dll
0x1404042e0 memmove
0x1404042e8 memset
0x1404042f0 memcmp
0x1404042f8 memcpy
0x140404300 __current_exception_context
0x140404308 _CxxThrowException
0x140404310 __C_specific_handler
0x140404318 __CxxFrameHandler3
0x140404320 __current_exception
api-ms-win-crt-runtime-l1-1-0.dll
0x140404398 exit
0x1404043a0 _configure_narrow_argv
0x1404043a8 _initialize_narrow_environment
0x1404043b0 _initterm
0x1404043b8 __p___argv
0x1404043c0 _cexit
0x1404043c8 _get_initial_narrow_environment
0x1404043d0 _seh_filter_exe
0x1404043d8 _set_app_type
0x1404043e0 _register_thread_local_exe_atexit_callback
0x1404043e8 _initterm_e
0x1404043f0 __p___argc
0x1404043f8 _exit
0x140404400 _c_exit
0x140404408 terminate
0x140404410 _crt_atexit
0x140404418 _register_onexit_function
0x140404420 _initialize_onexit_table
api-ms-win-crt-math-l1-1-0.dll
0x140404388 __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
0x140404430 _set_fmode
0x140404438 __p__commode
api-ms-win-crt-locale-l1-1-0.dll
0x140404378 _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll
0x140404360 _set_new_mode
0x140404368 free
EAT(Export Address Table) is none
Secur32.dll
0x140404288 FreeCredentialsHandle
0x140404290 ApplyControlToken
0x140404298 AcquireCredentialsHandleA
0x1404042a0 DeleteSecurityContext
0x1404042a8 DecryptMessage
0x1404042b0 FreeContextBuffer
0x1404042b8 AcceptSecurityContext
0x1404042c0 InitializeSecurityContextW
0x1404042c8 EncryptMessage
0x1404042d0 QueryContextAttributesW
KERNEL32.dll
0x140404000 IsProcessorFeaturePresent
0x140404008 InitializeSListHead
0x140404010 IsDebuggerPresent
0x140404018 UnhandledExceptionFilter
0x140404020 SetUnhandledExceptionFilter
0x140404028 GetSystemTimeAsFileTime
0x140404030 TlsSetValue
0x140404038 TlsGetValue
0x140404040 CreateThread
0x140404048 CloseHandle
0x140404050 ReleaseSRWLockExclusive
0x140404058 AcquireSRWLockExclusive
0x140404060 GetProcAddress
0x140404068 Sleep
0x140404070 GetModuleHandleA
0x140404078 RtlVirtualUnwind
0x140404080 TryAcquireSRWLockExclusive
0x140404088 ReleaseSRWLockShared
0x140404090 AcquireSRWLockShared
0x140404098 SleepConditionVariableSRW
0x1404040a0 GetSystemInfo
0x1404040a8 SetHandleInformation
0x1404040b0 GetCurrentProcessId
0x1404040b8 CreateIoCompletionPort
0x1404040c0 GetQueuedCompletionStatusEx
0x1404040c8 PostQueuedCompletionStatus
0x1404040d0 SetFileCompletionNotificationModes
0x1404040d8 FreeEnvironmentStringsW
0x1404040e0 ReleaseMutex
0x1404040e8 FindClose
0x1404040f0 CompareStringOrdinal
0x1404040f8 GetLastError
0x140404100 AddVectoredExceptionHandler
0x140404108 SetThreadStackGuarantee
0x140404110 SwitchToThread
0x140404118 GetCurrentProcess
0x140404120 GetCurrentThread
0x140404128 RtlCaptureContext
0x140404130 RtlLookupFunctionEntry
0x140404138 SetLastError
0x140404140 GetCurrentDirectoryW
0x140404148 GetEnvironmentStringsW
0x140404150 GetEnvironmentVariableW
0x140404158 DuplicateHandle
0x140404160 SetFilePointerEx
0x140404168 GetStdHandle
0x140404170 WriteFileEx
0x140404178 SleepEx
0x140404180 ReadFileEx
0x140404188 WaitForSingleObject
0x140404190 TerminateProcess
0x140404198 WakeAllConditionVariable
0x1404041a0 WakeConditionVariable
0x1404041a8 QueryPerformanceCounter
0x1404041b0 QueryPerformanceFrequency
0x1404041b8 HeapAlloc
0x1404041c0 GetProcessHeap
0x1404041c8 HeapFree
0x1404041d0 HeapReAlloc
0x1404041d8 WaitForSingleObjectEx
0x1404041e0 LoadLibraryA
0x1404041e8 CreateMutexA
0x1404041f0 CreateFileW
0x1404041f8 GetFileInformationByHandle
0x140404200 GetFileInformationByHandleEx
0x140404208 FindFirstFileW
0x140404210 GetFinalPathNameByHandleW
0x140404218 GetConsoleMode
0x140404220 GetModuleHandleW
0x140404228 FormatMessageW
0x140404230 GetModuleFileNameW
0x140404238 ExitProcess
0x140404240 GetFullPathNameW
0x140404248 CreateNamedPipeW
0x140404250 GetSystemDirectoryW
0x140404258 GetWindowsDirectoryW
0x140404260 CreateProcessW
0x140404268 GetFileAttributesW
0x140404270 WriteConsoleW
0x140404278 GetCurrentThreadId
advapi32.dll
0x140404330 GetUserNameW
0x140404338 SystemFunction036
0x140404340 RegCloseKey
0x140404348 RegQueryValueExW
0x140404350 RegOpenKeyExW
ws2_32.dll
0x1404044e0 getaddrinfo
0x1404044e8 getpeername
0x1404044f0 WSACleanup
0x1404044f8 WSAStartup
0x140404500 WSAGetLastError
0x140404508 WSAIoctl
0x140404510 setsockopt
0x140404518 WSASend
0x140404520 send
0x140404528 recv
0x140404530 shutdown
0x140404538 getsockopt
0x140404540 ioctlsocket
0x140404548 connect
0x140404550 ind
0x140404558 WSASocketW
0x140404560 closesocket
0x140404568 getsockname
0x140404570 freeaddrinfo
crypt32.dll
0x140404458 CertVerifyCertificateChainPolicy
0x140404460 CertGetCertificateChain
0x140404468 CertOpenStore
0x140404470 CertCloseStore
0x140404478 CertDuplicateCertificateContext
0x140404480 CertFreeCertificateContext
0x140404488 CertFreeCertificateChain
0x140404490 CertDuplicateCertificateChain
0x140404498 CertEnumCertificatesInStore
0x1404044a0 CertAddCertificateContextToStore
0x1404044a8 CertDuplicateStore
ntdll.dll
0x1404044b8 NtDeviceIoControlFile
0x1404044c0 NtCancelIoFileEx
0x1404044c8 NtCreateFile
0x1404044d0 RtlNtStatusToDosError
crypt.dll
0x140404448 BCryptGenRandom
VCRUNTIME140.dll
0x1404042e0 memmove
0x1404042e8 memset
0x1404042f0 memcmp
0x1404042f8 memcpy
0x140404300 __current_exception_context
0x140404308 _CxxThrowException
0x140404310 __C_specific_handler
0x140404318 __CxxFrameHandler3
0x140404320 __current_exception
api-ms-win-crt-runtime-l1-1-0.dll
0x140404398 exit
0x1404043a0 _configure_narrow_argv
0x1404043a8 _initialize_narrow_environment
0x1404043b0 _initterm
0x1404043b8 __p___argv
0x1404043c0 _cexit
0x1404043c8 _get_initial_narrow_environment
0x1404043d0 _seh_filter_exe
0x1404043d8 _set_app_type
0x1404043e0 _register_thread_local_exe_atexit_callback
0x1404043e8 _initterm_e
0x1404043f0 __p___argc
0x1404043f8 _exit
0x140404400 _c_exit
0x140404408 terminate
0x140404410 _crt_atexit
0x140404418 _register_onexit_function
0x140404420 _initialize_onexit_table
api-ms-win-crt-math-l1-1-0.dll
0x140404388 __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
0x140404430 _set_fmode
0x140404438 __p__commode
api-ms-win-crt-locale-l1-1-0.dll
0x140404378 _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll
0x140404360 _set_new_mode
0x140404368 free
EAT(Export Address Table) is none