ScreenShot
| Created | 2023.04.05 17:37 | Machine | s1_win7_x6403 |
| Filename | toolspub1.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 38 detected (AIDetectNet, Zusy, Stop, Save, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, score, DropperX, Lockbit, Krypt, Static AI, Suspicious PE, ai score=87, SmokeLoader, Azorult, Detected, unsafe, Generic@AI, RDML, 7QuzMP, vHmE445poXpqQ, UrSnif, susgen) | ||
| md5 | 3d8854201d7131f95772a5ba7be47be6 | ||
| sha256 | ed9d9bd0b0061d9770ec73c41a4d31a2f1785fe7c7cc3444c3b50dd4f00aac2a | ||
| ssdeep | 3072:pM+7EmrlCkROx5IDwhpUgGn80q2MKwdJYWJ36e4T4s5vWjQvT:37GPm0ponhk8WR6xNvT | ||
| imphash | 106eb5dbb7fdc2adeef530fb10849030 | ||
| impfuzzy | 24:jsOHSu8oRkkrkRYjMAkwfILtJ0DSdV4WCbi/Jvz14QtSuO7BvqrI2+fcjtrlAOoK:YOHrV9+nFOcr1+fcjtNvMY7j5ceA4 | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | This executable has a PDB path |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40101c GetCommState
0x401020 ReadConsoleA
0x401024 WaitNamedPipeA
0x401028 ScrollConsoleScreenBufferW
0x40102c SetFirmwareEnvironmentVariableA
0x401030 CreateJobObjectW
0x401034 InterlockedCompareExchange
0x401038 FreeEnvironmentStringsA
0x40103c GetModuleHandleW
0x401040 EnumCalendarInfoExW
0x401044 GetConsoleAliasesLengthA
0x401048 TlsSetValue
0x40104c FindResourceExA
0x401050 LoadLibraryW
0x401054 GetConsoleMode
0x401058 GetVersionExW
0x40105c GetConsoleAliasW
0x401060 HeapValidate
0x401064 SetConsoleCursorPosition
0x401068 GetFileAttributesW
0x40106c GetMailslotInfo
0x401070 GetStringTypeExA
0x401074 GetCPInfoExW
0x401078 VerSetConditionMask
0x40107c SetLastError
0x401080 BackupRead
0x401084 GetProcAddress
0x401088 VirtualAlloc
0x40108c BeginUpdateResourceW
0x401090 RemoveDirectoryA
0x401094 SetStdHandle
0x401098 LocalAlloc
0x40109c WritePrivateProfileStringA
0x4010a0 WriteProfileSectionW
0x4010a4 AddAtomA
0x4010a8 FoldStringW
0x4010ac EnumResourceTypesW
0x4010b0 GetModuleHandleA
0x4010b4 OpenEventW
0x4010b8 QueryPerformanceFrequency
0x4010bc GetShortPathNameW
0x4010c0 GetWindowsDirectoryW
0x4010c4 AddConsoleAliasA
0x4010c8 GetConsoleProcessList
0x4010cc DebugBreak
0x4010d0 CommConfigDialogW
0x4010d4 DeleteFileA
0x4010d8 InterlockedIncrement
0x4010dc DeleteVolumeMountPointA
0x4010e0 GetProfileIntW
0x4010e4 MoveFileExA
0x4010e8 InterlockedFlushSList
0x4010ec GetSystemDefaultLangID
0x4010f0 InterlockedDecrement
0x4010f4 Sleep
0x4010f8 InitializeCriticalSection
0x4010fc DeleteCriticalSection
0x401100 EnterCriticalSection
0x401104 LeaveCriticalSection
0x401108 UnhandledExceptionFilter
0x40110c SetUnhandledExceptionFilter
0x401110 GetLastError
0x401114 HeapFree
0x401118 MultiByteToWideChar
0x40111c GetCommandLineA
0x401120 GetStartupInfoA
0x401124 RtlUnwind
0x401128 RaiseException
0x40112c ExitProcess
0x401130 WriteFile
0x401134 GetStdHandle
0x401138 GetModuleFileNameA
0x40113c TerminateProcess
0x401140 GetCurrentProcess
0x401144 IsDebuggerPresent
0x401148 HeapAlloc
0x40114c HeapCreate
0x401150 VirtualFree
0x401154 HeapReAlloc
0x401158 GetCPInfo
0x40115c GetACP
0x401160 GetOEMCP
0x401164 IsValidCodePage
0x401168 TlsGetValue
0x40116c TlsAlloc
0x401170 TlsFree
0x401174 GetCurrentThreadId
0x401178 SetHandleCount
0x40117c GetFileType
0x401180 SetFilePointer
0x401184 GetEnvironmentStrings
0x401188 FreeEnvironmentStringsW
0x40118c WideCharToMultiByte
0x401190 GetEnvironmentStringsW
0x401194 QueryPerformanceCounter
0x401198 GetTickCount
0x40119c GetCurrentProcessId
0x4011a0 GetSystemTimeAsFileTime
0x4011a4 HeapSize
0x4011a8 GetLocaleInfoA
0x4011ac GetStringTypeA
0x4011b0 GetStringTypeW
0x4011b4 LoadLibraryA
0x4011b8 InitializeCriticalSectionAndSpinCount
0x4011bc GetConsoleCP
0x4011c0 LCMapStringA
0x4011c4 LCMapStringW
0x4011c8 WriteConsoleA
0x4011cc GetConsoleOutputCP
0x4011d0 WriteConsoleW
0x4011d4 FlushFileBuffers
0x4011d8 CreateFileA
0x4011dc CloseHandle
GDI32.dll
0x401008 GetCharacterPlacementW
0x40100c SelectPalette
0x401010 GetTextExtentExPointA
0x401014 GetCharWidthI
ADVAPI32.dll
0x401000 MapGenericMask
EAT(Export Address Table) is none
KERNEL32.dll
0x40101c GetCommState
0x401020 ReadConsoleA
0x401024 WaitNamedPipeA
0x401028 ScrollConsoleScreenBufferW
0x40102c SetFirmwareEnvironmentVariableA
0x401030 CreateJobObjectW
0x401034 InterlockedCompareExchange
0x401038 FreeEnvironmentStringsA
0x40103c GetModuleHandleW
0x401040 EnumCalendarInfoExW
0x401044 GetConsoleAliasesLengthA
0x401048 TlsSetValue
0x40104c FindResourceExA
0x401050 LoadLibraryW
0x401054 GetConsoleMode
0x401058 GetVersionExW
0x40105c GetConsoleAliasW
0x401060 HeapValidate
0x401064 SetConsoleCursorPosition
0x401068 GetFileAttributesW
0x40106c GetMailslotInfo
0x401070 GetStringTypeExA
0x401074 GetCPInfoExW
0x401078 VerSetConditionMask
0x40107c SetLastError
0x401080 BackupRead
0x401084 GetProcAddress
0x401088 VirtualAlloc
0x40108c BeginUpdateResourceW
0x401090 RemoveDirectoryA
0x401094 SetStdHandle
0x401098 LocalAlloc
0x40109c WritePrivateProfileStringA
0x4010a0 WriteProfileSectionW
0x4010a4 AddAtomA
0x4010a8 FoldStringW
0x4010ac EnumResourceTypesW
0x4010b0 GetModuleHandleA
0x4010b4 OpenEventW
0x4010b8 QueryPerformanceFrequency
0x4010bc GetShortPathNameW
0x4010c0 GetWindowsDirectoryW
0x4010c4 AddConsoleAliasA
0x4010c8 GetConsoleProcessList
0x4010cc DebugBreak
0x4010d0 CommConfigDialogW
0x4010d4 DeleteFileA
0x4010d8 InterlockedIncrement
0x4010dc DeleteVolumeMountPointA
0x4010e0 GetProfileIntW
0x4010e4 MoveFileExA
0x4010e8 InterlockedFlushSList
0x4010ec GetSystemDefaultLangID
0x4010f0 InterlockedDecrement
0x4010f4 Sleep
0x4010f8 InitializeCriticalSection
0x4010fc DeleteCriticalSection
0x401100 EnterCriticalSection
0x401104 LeaveCriticalSection
0x401108 UnhandledExceptionFilter
0x40110c SetUnhandledExceptionFilter
0x401110 GetLastError
0x401114 HeapFree
0x401118 MultiByteToWideChar
0x40111c GetCommandLineA
0x401120 GetStartupInfoA
0x401124 RtlUnwind
0x401128 RaiseException
0x40112c ExitProcess
0x401130 WriteFile
0x401134 GetStdHandle
0x401138 GetModuleFileNameA
0x40113c TerminateProcess
0x401140 GetCurrentProcess
0x401144 IsDebuggerPresent
0x401148 HeapAlloc
0x40114c HeapCreate
0x401150 VirtualFree
0x401154 HeapReAlloc
0x401158 GetCPInfo
0x40115c GetACP
0x401160 GetOEMCP
0x401164 IsValidCodePage
0x401168 TlsGetValue
0x40116c TlsAlloc
0x401170 TlsFree
0x401174 GetCurrentThreadId
0x401178 SetHandleCount
0x40117c GetFileType
0x401180 SetFilePointer
0x401184 GetEnvironmentStrings
0x401188 FreeEnvironmentStringsW
0x40118c WideCharToMultiByte
0x401190 GetEnvironmentStringsW
0x401194 QueryPerformanceCounter
0x401198 GetTickCount
0x40119c GetCurrentProcessId
0x4011a0 GetSystemTimeAsFileTime
0x4011a4 HeapSize
0x4011a8 GetLocaleInfoA
0x4011ac GetStringTypeA
0x4011b0 GetStringTypeW
0x4011b4 LoadLibraryA
0x4011b8 InitializeCriticalSectionAndSpinCount
0x4011bc GetConsoleCP
0x4011c0 LCMapStringA
0x4011c4 LCMapStringW
0x4011c8 WriteConsoleA
0x4011cc GetConsoleOutputCP
0x4011d0 WriteConsoleW
0x4011d4 FlushFileBuffers
0x4011d8 CreateFileA
0x4011dc CloseHandle
GDI32.dll
0x401008 GetCharacterPlacementW
0x40100c SelectPalette
0x401010 GetTextExtentExPointA
0x401014 GetCharWidthI
ADVAPI32.dll
0x401000 MapGenericMask
EAT(Export Address Table) is none