Field | Value |
---|---|
Created | 2023.03.24 09:45 |
Machine | s1_win7_x6403 |
Filename | WinLoad.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 23 detected (malicious, high confidence, Nuitka, confidence, Attribute, HighConfidence, a variant of Python, F suspicious, Gencirc, Bingoml, AGEN, Python, Wacapew, 8Q1MPD, score, Artemis, unsafe, CLOUD) |
md5 | 12a45205a6da702e56b6a07cbe162445 |
sha256 | 4ffc2dd951674e0de58fd53188ec480ca5a2a2c4770e14d83b8ab3dc31028b65 |
ssdeep | 393216:InI9kFhVMcq9yG1CPwDv3uFhwwzUrU2lvzaUY/CNTqP:4I9k9zSM |
imphash | 1451d0da3602cfabee47afa17fb44252 |
impfuzzy | 48:kf39nR3UV+kdIlslEJGp6qJ8kQk1vkqZsXh:kf3h9UVrdIlYEJGph6kQmkqZ2 |
Network IP location
Signature (4cnts)
Level | Description |
---|---|
warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Creates executable files on the filesystem |
info | One or more processes crashed |
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
PE API
IAT (Import Address Table) Library
imagehlp.dll
0x140021314 MapAndLoad
0x14002131c UnMapAndLoad
KERNEL32.dll
0x14002132c CloseHandle
0x140021334 CreateDirectoryW
0x14002133c CreateFileW
0x140021344 CreateProcessW
0x14002134c DeleteCriticalSection
0x140021354 EnterCriticalSection
0x14002135c FormatMessageA
0x140021364 FreeLibrary
0x14002136c GenerateConsoleCtrlEvent
0x140021374 GetCommandLineW
0x14002137c GetCurrentProcessId
0x140021384 GetExitCodeProcess
0x14002138c GetLastError
0x140021394 GetModuleFileNameW
0x14002139c GetModuleHandleA
0x1400213a4 GetProcAddress
0x1400213ac GetProcessId
0x1400213b4 GetShortPathNameW
0x1400213bc GetStartupInfoW
0x1400213c4 GetSystemTimeAsFileTime
0x1400213cc GetTempPathW
0x1400213d4 InitializeCriticalSection
0x1400213dc IsDBCSLeadByteEx
0x1400213e4 LeaveCriticalSection
0x1400213ec LoadLibraryA
0x1400213f4 MultiByteToWideChar
0x1400213fc ReadFile
0x140021404 SetConsoleCtrlHandler
0x14002140c SetEnvironmentVariableA
0x140021414 SetFilePointer
0x14002141c SetUnhandledExceptionFilter
0x140021424 Sleep
0x14002142c TlsGetValue
0x140021434 VirtualProtect
0x14002143c VirtualQuery
0x140021444 WaitForSingleObject
0x14002144c WideCharToMultiByte
0x140021454 WriteFile
msvcrt.dll
0x140021464 __C_specific_handler
0x14002146c ___lc_codepage_func
0x140021474 ___mb_cur_max_func
0x14002147c __iob_func
0x140021484 __set_app_type
0x14002148c __setusermatherr
0x140021494 __wargv
0x14002149c __wgetmainargs
0x1400214a4 __winitenv
0x1400214ac _amsg_exit
0x1400214b4 _cexit
0x1400214bc _commode
0x1400214c4 _errno
0x1400214cc _fmode
0x1400214d4 _initterm
0x1400214dc _lock
0x1400214e4 _onexit
0x1400214ec _unlock
0x1400214f4 _wcmdln
0x1400214fc _wcsicmp
0x140021504 abort
0x14002150c calloc
0x140021514 exit
0x14002151c fprintf
0x140021524 fputc
0x14002152c free
0x140021534 fwrite
0x14002153c localeconv
0x140021544 malloc
0x14002154c mbstowcs
0x140021554 memcpy
0x14002155c memset
0x140021564 puts
0x14002156c signal
0x140021574 strerror
0x14002157c strlen
0x140021584 strncmp
0x14002158c vfprintf
0x140021594 wcslen
0x14002159c wcstombs_s
SHELL32.dll
0x1400215ac SHFileOperationW
0x1400215b4 SHGetFolderPathW
EAT (Export Address Table): none
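The report prints the import table in directory order and an imphash next to it, and the Signature section flags "Creates executable files on the filesystem" and a spawned process that crashed. The script below is an added example, not part of the sandbox report or of any tool it names: it parses the IAT listing in exactly the form shown above (DLL name on its own line, then `0x<address> <Function>` rows), rebuilds the canonical import string that imphash is defined over (lowercase DLL name without its `.dll`/`.sys`/`.ocx` suffix, a dot, lowercase function name, entries joined by commas in table order, then MD5), and checks whether the capability clusters a dropper needs are all present. `SAMPLE_IAT` is a constructed, shortened copy of this report's listing; the `CAPABILITIES` buckets are this example's own groupings, not rules from the report. Ordinal-only imports are not handled here, and the hash computed from a printed listing equals the file's real imphash only if the listing preserves the import directory order, so treat it as a cross-check, not a substitute for hashing the binary.

```python
import hashlib
import re
from collections import OrderedDict

# Constructed sample: the IAT listing as printed in this report, shortened to a
# few rows per DLL.  The parser accepts the full listing unchanged.
SAMPLE_IAT = """\
imagehlp.dll
0x140021314 MapAndLoad
0x14002131c UnMapAndLoad
KERNEL32.dll
0x14002132c CloseHandle
0x14002133c CreateFileW
0x140021344 CreateProcessW
0x1400213cc GetTempPathW
0x1400213ec LoadLibraryA
0x1400213a4 GetProcAddress
0x140021434 VirtualProtect
0x140021454 WriteFile
SHELL32.dll
0x1400215ac SHFileOperationW
0x1400215b4 SHGetFolderPathW
"""

DLL_LINE = re.compile(r"^\s*([\w.\-]+\.(?:dll|sys|ocx))\s*$", re.IGNORECASE)
IMPORT_LINE = re.compile(r"^\s*0x([0-9a-f]+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_iat(text):
    """Return an ordered {dll_name: [function, ...]} from the report's IAT text.

    Lines that are neither a DLL header nor an import row (section titles,
    'EAT ... none') are ignored, so the whole PE API section can be pasted in.
    """
    imports = OrderedDict()
    current = None
    for line in text.splitlines():
        m = DLL_LINE.match(line)
        if m:
            current = m.group(1)
            imports.setdefault(current, [])
            continue
        m = IMPORT_LINE.match(line)
        if m and current is not None:
            imports[current].append(m.group(2))
    return imports


def imphash_string(imports):
    """Canonical string hashed by imphash (same rules as pefile.get_imphash for
    imports by name): lowercase DLL without .dll/.sys/.ocx, '.', lowercase
    function, entries comma-joined in import-table order."""
    parts = []
    for dll, funcs in imports.items():
        name = dll.lower()
        for ext in (".dll", ".sys", ".ocx"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        for func in funcs:
            parts.append(f"{name}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the canonical import string."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Capability buckets this example checks for; assumed groupings, not report rules.
CAPABILITIES = {
    "drop-and-run": {"GetTempPathW", "CreateFileW", "WriteFile", "CreateProcessW"},
    "dynamic-api-resolution": {"LoadLibraryA", "GetProcAddress"},
    "memory-permission-change": {"VirtualProtect"},
    "shell-file-ops": {"SHFileOperationW", "SHGetFolderPathW"},
}


def capabilities(imports):
    """Bucket names whose every API is present in the IAT, in CAPABILITIES order."""
    seen = {f for funcs in imports.values() for f in funcs}
    return [name for name, apis in CAPABILITIES.items() if apis <= seen]


if __name__ == "__main__":
    table = parse_iat(SAMPLE_IAT)
    print("imports:", {dll: len(funcs) for dll, funcs in table.items()})
    print("imphash of listing:", imphash(table))
    print("capabilities:", capabilities(table))
```

To compare against the report's value, hash the actual file rather than the listing: `python -c "import pefile; print(pefile.PE('WinLoad.exe').get_imphash())"` uses pefile's own implementation, which also resolves ordinal imports that this parser cannot see.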