Field | Value
---|---
Created | 2023.04.05 08:30
Machine | s1_win7_x6402
Filename | Photocopies.exe
Type | PE32 executable (console) Intel 80386, for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : clean
VT API (file) | 49 detected (Convagent, Doina, Strab, malicious, confidence, 100%, Eldorado, Attribute, HighConfidence, high confidence, Kryptik, HSYN, CrypterX, vbhNhfFnk7U, RedLineSteal, xuruc, REDLINE, YXDC5Z, Artemis, high, score, Static AI, Suspicious PE, Detected, ai score=84, BScope, unsafe, Passtealer, Gencirc)
md5 | 2f5769f336565444ad1b4725b55d6dc9
sha256 | 81ae9161203cc5f2412234090fd8f173881af882b7318f2110759941c67b8b9c
ssdeep | 3072:RC0exSEsx8eB2YZN4y1c/8tzLm2cwrIXhKfZVIkKiRH3T5WPd2fxV:qE8eBp3cUBL7zrIXhMXIGRHsI
imphash | 928d4a09f8768ac7ee6c028cc8e46c06
impfuzzy | 24:UbfbRD/MjOov1lG/JKStLQFQ8RyvDkRT4Qf4plWWv1:KfbpMCbtL3DgcQfAIm1
Signatures (5)
Level | Description
---|---
danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates hidden or system file |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
Rules (5)
Level | Name | Description | Collection
---|---|---|---
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0)
Request | CC | ASN Co | IP4 | Rule | ZERO
---|---|---|---|---|---
No network requests were recorded during the run.
Suricata IDS
PE API
IAT (Import Address Table)
KERNEL32.dll
0x415008 MultiByteToWideChar
0x41500c FreeConsole
0x415010 SetSystemTimeAdjustment
0x415014 SetFilePointer
0x415018 DeleteAtom
0x41501c AssignProcessToJobObject
0x415020 AddAtomW
0x415024 CreateMutexW
0x415028 GetModuleHandleA
0x41502c SetEndOfFile
0x415030 SetFilePointerEx
0x415034 GetFileInformationByHandle
0x415038 SetFileValidData
0x41503c IsProcessorFeaturePresent
0x415040 GetCurrentThreadId
0x415044 CreateFileW
0x415048 GetVersion
0x41504c GetProcAddress
0x415050 RtlUnwind
0x415054 RaiseException
0x415058 GetCommandLineA
0x41505c GetLastError
0x415060 HeapFree
0x415064 GetModuleHandleW
0x415068 TlsGetValue
0x41506c TlsAlloc
0x415070 TlsSetValue
0x415074 TlsFree
0x415078 InterlockedIncrement
0x41507c SetLastError
0x415080 InterlockedDecrement
0x415084 HeapAlloc
0x415088 TerminateProcess
0x41508c GetCurrentProcess
0x415090 UnhandledExceptionFilter
0x415094 SetUnhandledExceptionFilter
0x415098 IsDebuggerPresent
0x41509c Sleep
0x4150a0 ExitProcess
0x4150a4 WriteFile
0x4150a8 GetStdHandle
0x4150ac GetModuleFileNameA
0x4150b0 FreeEnvironmentStringsA
0x4150b4 GetEnvironmentStrings
0x4150b8 FreeEnvironmentStringsW
0x4150bc WideCharToMultiByte
0x4150c0 GetEnvironmentStringsW
0x4150c4 SetHandleCount
0x4150c8 GetFileType
0x4150cc GetStartupInfoA
0x4150d0 DeleteCriticalSection
0x4150d4 HeapCreate
0x4150d8 VirtualFree
0x4150dc QueryPerformanceCounter
0x4150e0 GetTickCount
0x4150e4 GetCurrentProcessId
0x4150e8 GetSystemTimeAsFileTime
0x4150ec GetCPInfo
0x4150f0 GetACP
0x4150f4 GetOEMCP
0x4150f8 IsValidCodePage
0x4150fc LeaveCriticalSection
0x415100 EnterCriticalSection
0x415104 VirtualAlloc
0x415108 HeapReAlloc
0x41510c HeapSize
0x415110 LoadLibraryA
0x415114 InitializeCriticalSectionAndSpinCount
0x415118 LCMapStringA
0x41511c LCMapStringW
0x415120 GetStringTypeA
0x415124 GetStringTypeW
0x415128 GetLocaleInfoA
ADVAPI32.dll
0x415000 DecryptFileW
VERSION.dll
0x415130 VerInstallFileW
0x415134 GetFileVersionInfoW
0x415138 VerFindFileW
EAT (Export Address Table): none
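The IAT listing above is more useful once two things are separated: the imphash it produces, and which of the 77 imports the statically linked MSVC C runtime brings in on its own versus which ones the sample's own code (or a crypter padding the table to look like an ordinary application) has to account for. The following Python is an added example, not part of the sandbox report or its tooling. It reproduces the imphash algorithm pefile and VirusTotal use over a transcribed copy of the listing; the CRT baseline set is my own assumption compiled from typical CRT import tables, and the import-directory order ADVAPI32, KERNEL32, VERSION is inferred from the IAT addresses (ADVAPI32 at 0x415000, KERNEL32 from 0x415008, VERSION from 0x415130), not stated by the report. Run `pefile.PE(path).get_imphash()` on the actual file to confirm which order reproduces the reported value.

```python
"""Re-derive imphash from a report's import listing and split the imports
into MSVC C-runtime baseline and everything else. Added example, not part
of the sandbox output.

imphash (pefile / VirusTotal algorithm): for each imported function, in
import-directory order, emit "<dll>.<function>" with both parts
lower-cased and the DLL's .dll/.ocx/.sys suffix removed, join with commas
and MD5 the string. Ordinal imports are resolved via a lookup table in
pefile; this sample imports by name only, so that branch is omitted.
"""
import hashlib

# Import table transcribed from the report (constructed copy, 77 functions,
# each DLL's functions in the order printed).
IMPORTS = {
    "KERNEL32.dll": (
        "MultiByteToWideChar FreeConsole SetSystemTimeAdjustment SetFilePointer "
        "DeleteAtom AssignProcessToJobObject AddAtomW CreateMutexW GetModuleHandleA "
        "SetEndOfFile SetFilePointerEx GetFileInformationByHandle SetFileValidData "
        "IsProcessorFeaturePresent GetCurrentThreadId CreateFileW GetVersion "
        "GetProcAddress RtlUnwind RaiseException GetCommandLineA GetLastError "
        "HeapFree GetModuleHandleW TlsGetValue TlsAlloc TlsSetValue TlsFree "
        "InterlockedIncrement SetLastError InterlockedDecrement HeapAlloc "
        "TerminateProcess GetCurrentProcess UnhandledExceptionFilter "
        "SetUnhandledExceptionFilter IsDebuggerPresent Sleep ExitProcess WriteFile "
        "GetStdHandle GetModuleFileNameA FreeEnvironmentStringsA "
        "GetEnvironmentStrings FreeEnvironmentStringsW WideCharToMultiByte "
        "GetEnvironmentStringsW SetHandleCount GetFileType GetStartupInfoA "
        "DeleteCriticalSection HeapCreate VirtualFree QueryPerformanceCounter "
        "GetTickCount GetCurrentProcessId GetSystemTimeAsFileTime GetCPInfo GetACP "
        "GetOEMCP IsValidCodePage LeaveCriticalSection EnterCriticalSection "
        "VirtualAlloc HeapReAlloc HeapSize LoadLibraryA "
        "InitializeCriticalSectionAndSpinCount LCMapStringA LCMapStringW "
        "GetStringTypeA GetStringTypeW GetLocaleInfoA"
    ).split(),
    "ADVAPI32.dll": ["DecryptFileW"],
    "VERSION.dll": ["VerInstallFileW", "GetFileVersionInfoW", "VerFindFileW"],
}

# Order as printed in the report, and the order implied by the IAT addresses.
# imphash is order-sensitive, so the two give different digests. Which one
# matches the reported value is an assumption to verify with pefile on the file.
PRINTED_ORDER = ["KERNEL32.dll", "ADVAPI32.dll", "VERSION.dll"]
IAT_ADDRESS_ORDER = ["ADVAPI32.dll", "KERNEL32.dll", "VERSION.dll"]

# Assumed baseline: what a statically linked MSVC C runtime of that era imports
# by itself (startup, heap, TLS, locale, SEH). Compiled from typical CRT import
# tables, not from the report.
CRT_BASELINE = set("""
    MultiByteToWideChar WideCharToMultiByte GetModuleHandleA GetModuleHandleW
    IsProcessorFeaturePresent GetCurrentThreadId GetVersion GetProcAddress RtlUnwind
    RaiseException GetCommandLineA GetLastError SetLastError HeapFree HeapAlloc
    HeapReAlloc HeapSize HeapCreate TlsGetValue TlsAlloc TlsSetValue TlsFree
    InterlockedIncrement InterlockedDecrement TerminateProcess GetCurrentProcess
    UnhandledExceptionFilter SetUnhandledExceptionFilter IsDebuggerPresent Sleep
    ExitProcess WriteFile GetStdHandle GetModuleFileNameA FreeEnvironmentStringsA
    GetEnvironmentStrings FreeEnvironmentStringsW GetEnvironmentStringsW
    SetHandleCount GetFileType GetStartupInfoA DeleteCriticalSection
    EnterCriticalSection LeaveCriticalSection InitializeCriticalSectionAndSpinCount
    VirtualAlloc VirtualFree QueryPerformanceCounter GetTickCount GetCurrentProcessId
    GetSystemTimeAsFileTime GetCPInfo GetACP GetOEMCP IsValidCodePage LoadLibraryA
    LCMapStringA LCMapStringW GetStringTypeA GetStringTypeW GetLocaleInfoA
""".split())


def imphash(dll_order, imports=IMPORTS):
    """Return (hex digest, normalised entry list) for the given DLL order."""
    entries = []
    for dll in dll_order:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        entries += [f"{lib}.{func.lower()}" for func in imports[dll]]
    return hashlib.md5(",".join(entries).encode()).hexdigest(), entries


def non_crt_imports(imports=IMPORTS, baseline=CRT_BASELINE):
    """Imports the C runtime does not explain, keyed by DLL. These are the
    ones to chase in the disassembly: either the author's code calls them or
    they are padding that makes the table look like a benign program."""
    out = {}
    for dll, funcs in imports.items():
        extra = [f for f in funcs if f not in baseline]
        if extra:
            out[dll] = extra
    return out


if __name__ == "__main__":
    for label, order in (("printed", PRINTED_ORDER), ("IAT address", IAT_ADDRESS_ORDER)):
        digest, entries = imphash(order)
        print(f"imphash, {label} order, {len(entries)} imports: {digest}")
    print("reported imphash: 928d4a09f8768ac7ee6c028cc8e46c06")
    for dll, funcs in non_crt_imports().items():
        print(f"{dll}: {' '.join(funcs)}")
```

Two caveats fall out of the split. `IsDebuggerPresent`, `UnhandledExceptionFilter` and `VirtualAlloc` sit in the CRT baseline, so on their own they corroborate neither the anti-analysis nor the RWX-unpacking signature; the RWX hit rests on the runtime behaviour the sandbox observed, not on these imports. Conversely, the table is a full CRT import set rather than the handful of imports a UPX-compressed file normally exposes, so the UPX rule hit is worth confirming against the section names before treating the sample as plain UPX.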