Field | Value |
---|---|
Created | 2023.03.29 17:48 |
Machine | s1_win7_x6403 |
Filename | cubalibre2 |
Type | PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 52 detected (CobaltStrike, Windows, Malicious, score, unsafe, Rozena, confidence, 100%, ABRisk, SAJV, Cobalt, Artifact, Countermeasure, LoaderWinGeneric, FochiBlz, jsnzvk, CLOUD, HIVE, SMYXBJR, Cometer, AGEN, ai score=83, Detected, R512891, ZedlaF, rK4@aug8n, BScope, Swrort, Gencirc, Static AI, Suspicious PE, GdSda) |
md5 | 54a5f1bf56bb033fabafce49f03f6794 |
sha256 | ba79214e7710368ac5a31fd31dd0ac3c06747dc19c8d2351e269f34d13e9525e |
ssdeep | 6144:kaRthwnolFjehLmM56GFivgnx6j5qDc4bf1cf:katXFjgiw6Mggnsqo4bfA |
imphash | 3de1be1af60a3342dbeeee7746f05e4a |
impfuzzy | 12:QB8wRJR+5TZnJ2cDkiiARZqRJh7jPXJNiXJGqYUtRC91KpJqifxiZn:Q2kfg1JlDdncJ9Leze91OqifQZn |
Network IP location
Signature (7 entries)
Level | Description |
---|---|
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
Rules (4 entries)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x6bb0a0f0 CloseHandle
0x6bb0a0f4 ConnectNamedPipe
0x6bb0a0f8 CreateFileA
0x6bb0a0fc CreateNamedPipeA
0x6bb0a100 CreateThread
0x6bb0a104 DeleteCriticalSection
0x6bb0a108 EnterCriticalSection
0x6bb0a10c GetCurrentProcess
0x6bb0a110 GetCurrentProcessId
0x6bb0a114 GetCurrentThreadId
0x6bb0a118 GetLastError
0x6bb0a11c GetModuleHandleA
0x6bb0a120 GetProcAddress
0x6bb0a124 GetSystemTimeAsFileTime
0x6bb0a128 GetTickCount
0x6bb0a12c InitializeCriticalSection
0x6bb0a130 LeaveCriticalSection
0x6bb0a134 QueryPerformanceCounter
0x6bb0a138 ReadFile
0x6bb0a13c SetUnhandledExceptionFilter
0x6bb0a140 Sleep
0x6bb0a144 TerminateProcess
0x6bb0a148 TlsGetValue
0x6bb0a14c UnhandledExceptionFilter
0x6bb0a150 VirtualAlloc
0x6bb0a154 VirtualProtect
0x6bb0a158 VirtualQuery
0x6bb0a15c WriteFile
msvcrt.dll
0x6bb0a164 _amsg_exit
0x6bb0a168 _initterm
0x6bb0a16c _iob
0x6bb0a170 _lock
0x6bb0a174 _unlock
0x6bb0a178 abort
0x6bb0a17c calloc
0x6bb0a180 free
0x6bb0a184 fwrite
0x6bb0a188 malloc
0x6bb0a18c realloc
0x6bb0a190 sprintf
0x6bb0a194 strlen
0x6bb0a198 strncmp
0x6bb0a19c vfprintf
EAT (Export Address Table) Library
0x6bac1756 DllGetClassObject
0x6bac16fb DllMain
0x6bac1750 DllRegisterServer
0x6bac1753 DllUnregisterServer
0x6bac1763 StartW