ScreenShot
| Created | 2023.03.27 10:45 | Machine | s1_win7_x6401 |
| Filename | 97.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 45 detected (malicious, high confidence, score, GenericKD, Vuis, confidence, 100%, Donut, ABRisk, TGDN, Attribute, HighConfidence, Xwhl, MulDrop21, Artemis, Redcap, conqm, ai score=84, Wacatac, Casdet, Detected, BScope, TrojanPSW, Reline, R002H0CCO23, Generic@AI, RDML, kdfxKy, kwtJ7jz6gyeYmgA, PossibleThreat, ZexaE, nuW@a4aw2ffi, Chgt) | ||
| md5 | 571ce7de07a8e7ad2bb8abae3c625f11 | ||
| sha256 | 5746e05d0d33d2e861dde5df9ca23c71cff9275e7b8b81bd711175de46ca7c6d | ||
| ssdeep | 3072:hTYk3kXPDy4lZXbDNySimBEvF4fTJHqV9vdjmbYYdYUm:N3UPBjbMtyfTlqbdjZ | ||
| imphash | 7d7fef53be2736bf6dc6acb718bbcbc9 | ||
| impfuzzy | 24:SdecDojtMS12bJnc+pl39/CYoQTNvJzGM1SOovbO9ZY:TtMS12lc+ppQYrz3M | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| watch | Deletes executed files from disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Moves the original executable to a new location |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | Is_DotNET_DLL | (no description) | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
USER32.dll
0x42a118 MessageBoxA
KERNEL32.dll
0x42a000 SetStdHandle
0x42a004 WriteConsoleW
0x42a008 GetLastError
0x42a00c VirtualAlloc
0x42a010 VirtualFree
0x42a014 GetProcAddress
0x42a018 LoadLibraryA
0x42a01c UnhandledExceptionFilter
0x42a020 SetUnhandledExceptionFilter
0x42a024 GetCurrentProcess
0x42a028 TerminateProcess
0x42a02c IsProcessorFeaturePresent
0x42a030 QueryPerformanceCounter
0x42a034 GetCurrentProcessId
0x42a038 GetCurrentThreadId
0x42a03c GetSystemTimeAsFileTime
0x42a040 InitializeSListHead
0x42a044 IsDebuggerPresent
0x42a048 GetStartupInfoW
0x42a04c GetModuleHandleW
0x42a050 CreateFileW
0x42a054 RtlUnwind
0x42a058 SetLastError
0x42a05c EnterCriticalSection
0x42a060 LeaveCriticalSection
0x42a064 DeleteCriticalSection
0x42a068 InitializeCriticalSectionAndSpinCount
0x42a06c TlsAlloc
0x42a070 TlsGetValue
0x42a074 TlsSetValue
0x42a078 TlsFree
0x42a07c FreeLibrary
0x42a080 LoadLibraryExW
0x42a084 EncodePointer
0x42a088 RaiseException
0x42a08c ExitProcess
0x42a090 GetModuleHandleExW
0x42a094 SetConsoleCtrlHandler
0x42a098 GetStdHandle
0x42a09c WriteFile
0x42a0a0 GetModuleFileNameW
0x42a0a4 DecodePointer
0x42a0a8 GetFileType
0x42a0ac HeapAlloc
0x42a0b0 HeapFree
0x42a0b4 LCMapStringW
0x42a0b8 FlushFileBuffers
0x42a0bc GetConsoleOutputCP
0x42a0c0 GetConsoleMode
0x42a0c4 GetFileSizeEx
0x42a0c8 SetFilePointerEx
0x42a0cc FindClose
0x42a0d0 FindFirstFileExW
0x42a0d4 FindNextFileW
0x42a0d8 IsValidCodePage
0x42a0dc GetACP
0x42a0e0 GetOEMCP
0x42a0e4 GetCPInfo
0x42a0e8 GetCommandLineA
0x42a0ec GetCommandLineW
0x42a0f0 MultiByteToWideChar
0x42a0f4 WideCharToMultiByte
0x42a0f8 GetEnvironmentStringsW
0x42a0fc FreeEnvironmentStringsW
0x42a100 GetStringTypeW
0x42a104 GetProcessHeap
0x42a108 HeapSize
0x42a10c HeapReAlloc
0x42a110 CloseHandle
EAT(Export Address Table) is none
USER32.dll
0x42a118 MessageBoxA
KERNEL32.dll
0x42a000 SetStdHandle
0x42a004 WriteConsoleW
0x42a008 GetLastError
0x42a00c VirtualAlloc
0x42a010 VirtualFree
0x42a014 GetProcAddress
0x42a018 LoadLibraryA
0x42a01c UnhandledExceptionFilter
0x42a020 SetUnhandledExceptionFilter
0x42a024 GetCurrentProcess
0x42a028 TerminateProcess
0x42a02c IsProcessorFeaturePresent
0x42a030 QueryPerformanceCounter
0x42a034 GetCurrentProcessId
0x42a038 GetCurrentThreadId
0x42a03c GetSystemTimeAsFileTime
0x42a040 InitializeSListHead
0x42a044 IsDebuggerPresent
0x42a048 GetStartupInfoW
0x42a04c GetModuleHandleW
0x42a050 CreateFileW
0x42a054 RtlUnwind
0x42a058 SetLastError
0x42a05c EnterCriticalSection
0x42a060 LeaveCriticalSection
0x42a064 DeleteCriticalSection
0x42a068 InitializeCriticalSectionAndSpinCount
0x42a06c TlsAlloc
0x42a070 TlsGetValue
0x42a074 TlsSetValue
0x42a078 TlsFree
0x42a07c FreeLibrary
0x42a080 LoadLibraryExW
0x42a084 EncodePointer
0x42a088 RaiseException
0x42a08c ExitProcess
0x42a090 GetModuleHandleExW
0x42a094 SetConsoleCtrlHandler
0x42a098 GetStdHandle
0x42a09c WriteFile
0x42a0a0 GetModuleFileNameW
0x42a0a4 DecodePointer
0x42a0a8 GetFileType
0x42a0ac HeapAlloc
0x42a0b0 HeapFree
0x42a0b4 LCMapStringW
0x42a0b8 FlushFileBuffers
0x42a0bc GetConsoleOutputCP
0x42a0c0 GetConsoleMode
0x42a0c4 GetFileSizeEx
0x42a0c8 SetFilePointerEx
0x42a0cc FindClose
0x42a0d0 FindFirstFileExW
0x42a0d4 FindNextFileW
0x42a0d8 IsValidCodePage
0x42a0dc GetACP
0x42a0e0 GetOEMCP
0x42a0e4 GetCPInfo
0x42a0e8 GetCommandLineA
0x42a0ec GetCommandLineW
0x42a0f0 MultiByteToWideChar
0x42a0f4 WideCharToMultiByte
0x42a0f8 GetEnvironmentStringsW
0x42a0fc FreeEnvironmentStringsW
0x42a100 GetStringTypeW
0x42a104 GetProcessHeap
0x42a108 HeapSize
0x42a10c HeapReAlloc
0x42a110 CloseHandle
EAT(Export Address Table) is none