| Field | Value |
|---|---|
| Created | 2023.03.27 10:39 |
| Machine | s1_win7_x6401 |
| Filename | ox.exe |
| Type | PE32 executable (console) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | 46 detected (GenericKD, Artemis, Kryptik, Vw7d, malicious, confidence, 100%, Eldorado, Attribute, HighConfidence, high confidence, HTDD, score, CrypterX, FalseSign, Eplw, DownLoader45, RHADAMANTHYS, YXDCXZ, Generic PWS, high, Nekark, puqtw, Redline, Detected, ai score=84, unsafe, uItweMsNyVJ, GdSda) |
| md5 | cfc3dc40432c7d8d8f838bc20c12bf27 |
| sha256 | b6fbf6a0edd6938b1f202feec419341d21d47731ca16fa5b5eabe2672d24a454 |
| ssdeep | 6144:IhkI+5/nYc1aWY/yMupzdh62iBIjSp1pbD7:IhkNic1xY/KYJejS7pv7 |
| imphash | e8d1c822bb1493104fac7c5466a244d9 |
| impfuzzy | 24:0YxDaOovnOQFQjERyvDh/J3ISlRT4acmfLpl8rQ:0YLEOLDjhcacmfFKrQ |
Network IP location
Signature (4 counts)

| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
Rules (5 counts)

| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0 counts)

| Request | CC | ASN Co | IP4 | Rule | ZERO |
|---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table), by library
KERNEL32.dll
0x40e00c AreFileApisANSI
0x40e010 GetSystemInfo
0x40e014 GetProcessHeap
0x40e018 GetModuleHandleA
0x40e01c FreeConsole
0x40e020 MultiByteToWideChar
0x40e024 GetProcAddress
0x40e028 GetCommandLineA
0x40e02c SetUnhandledExceptionFilter
0x40e030 GetModuleHandleW
0x40e034 Sleep
0x40e038 ExitProcess
0x40e03c WriteFile
0x40e040 GetStdHandle
0x40e044 GetModuleFileNameA
0x40e048 FreeEnvironmentStringsA
0x40e04c GetEnvironmentStrings
0x40e050 FreeEnvironmentStringsW
0x40e054 WideCharToMultiByte
0x40e058 GetLastError
0x40e05c GetEnvironmentStringsW
0x40e060 SetHandleCount
0x40e064 GetFileType
0x40e068 GetStartupInfoA
0x40e06c DeleteCriticalSection
0x40e070 TlsGetValue
0x40e074 TlsAlloc
0x40e078 TlsSetValue
0x40e07c TlsFree
0x40e080 InterlockedIncrement
0x40e084 SetLastError
0x40e088 GetCurrentThreadId
0x40e08c InterlockedDecrement
0x40e090 HeapCreate
0x40e094 VirtualFree
0x40e098 HeapFree
0x40e09c QueryPerformanceCounter
0x40e0a0 GetTickCount
0x40e0a4 GetCurrentProcessId
0x40e0a8 GetSystemTimeAsFileTime
0x40e0ac HeapAlloc
0x40e0b0 RaiseException
0x40e0b4 GetCPInfo
0x40e0b8 GetACP
0x40e0bc GetOEMCP
0x40e0c0 IsValidCodePage
0x40e0c4 TerminateProcess
0x40e0c8 GetCurrentProcess
0x40e0cc UnhandledExceptionFilter
0x40e0d0 IsDebuggerPresent
0x40e0d4 LeaveCriticalSection
0x40e0d8 EnterCriticalSection
0x40e0dc LoadLibraryA
0x40e0e0 InitializeCriticalSectionAndSpinCount
0x40e0e4 VirtualAlloc
0x40e0e8 HeapReAlloc
0x40e0ec RtlUnwind
0x40e0f0 HeapSize
0x40e0f4 LCMapStringA
0x40e0f8 LCMapStringW
0x40e0fc GetStringTypeA
0x40e100 GetStringTypeW
0x40e104 GetLocaleInfoA
GDI32.dll
0x40e000 SelectObject
0x40e004 CreateFontIndirectA
ole32.dll
0x40e10c CoDisableCallCancellation
EAT (Export Address Table): none