Report - 25e0a8e3b75e5695fcd18aa97568d5d3c40ab0f572d098f985d488dc939e4f35

Malicious Library AntiDebug AntiVM PE32 PE File
ScreenShot
Created 2023.04.06 18:18 Machine s1_win7_x6401
Filename 25e0a8e3b75e5695fcd18aa97568d5d3c40ab0f572d098f985d488dc939e4f35
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
5
Behavior Score
7.4
ZERO API file : malware
VT API (file) 47 detected (Zusy, malicious, high confidence, Stop, Artemis, Save, confidence, 100%, Kryptik, Eldorado, Attribute, HighConfidence, HTGL, score, CrypterX, Lockbit, moderate, UrSnif, AzorUlt, Amadey, Racealer, BBOV5K, Detected, R568317, ai score=81, unsafe, R002H09D523, Generic@AI, RDML, cafMvv8d5q29XbWoj4hCkA, Static AI, Suspicious PE, susgen, HTGK)
md5 d02ac7b008243704a4d4b5b16764ada8
sha256 ab1e8e80ec74470864dd2abf71a6f33e379a57ebacc1a5f88cb97d3b0349c2b0
ssdeep 3072:Rsk+z2MrQmSTShuh3GDuM5M9wbiSE8wO45sjbThrFA:ako2CgTShYGO9wbZ/tjbTP
imphash 7e3b1e18e4b8642ee42be6e8ca53a819
impfuzzy 48:YOHmjOBGfnFOcr/+fcjtJvMY7L0ceIqV9X:jxMfFbr/+fcjtBMY7AceIGV
  Network IP location

Signature (14cnts)

Level Description
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Tries to unhook Windows functions monitored by Cuckoo
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice One or more potentially interesting buffers were extracted
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info One or more processes crashed
info This executable has a PDB path

Rules (11cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x40101c GetCommState
 0x401020 ReadConsoleA
 0x401024 WaitNamedPipeA
 0x401028 SetFirmwareEnvironmentVariableA
 0x40102c CreateJobObjectW
 0x401030 InterlockedCompareExchange
 0x401034 FreeEnvironmentStringsA
 0x401038 GetModuleHandleW
 0x40103c EnumCalendarInfoExW
 0x401040 GetConsoleAliasesLengthA
 0x401044 SetCommState
 0x401048 TlsSetValue
 0x40104c FindResourceExA
 0x401050 LoadLibraryW
 0x401054 GetConsoleMode
 0x401058 GetVersionExW
 0x40105c GetConsoleAliasW
 0x401060 HeapValidate
 0x401064 SetConsoleCursorPosition
 0x401068 GetFileAttributesW
 0x40106c GetMailslotInfo
 0x401070 GetStringTypeExA
 0x401074 GetCPInfoExW
 0x401078 GetLastError
 0x40107c VerSetConditionMask
 0x401080 BackupRead
 0x401084 GetProcAddress
 0x401088 VirtualAlloc
 0x40108c RemoveDirectoryA
 0x401090 SetStdHandle
 0x401094 LocalAlloc
 0x401098 WritePrivateProfileStringA
 0x40109c AddAtomW
 0x4010a0 BeginUpdateResourceA
 0x4010a4 WriteProfileSectionW
 0x4010a8 FoldStringW
 0x4010ac EnumResourceTypesW
 0x4010b0 GetModuleHandleA
 0x4010b4 OpenEventW
 0x4010b8 QueryPerformanceFrequency
 0x4010bc GetShortPathNameW
 0x4010c0 GetWindowsDirectoryW
 0x4010c4 AddConsoleAliasA
 0x4010c8 GetConsoleProcessList
 0x4010cc DebugBreak
 0x4010d0 CommConfigDialogW
 0x4010d4 DeleteFileA
 0x4010d8 InterlockedIncrement
 0x4010dc DeleteVolumeMountPointA
 0x4010e0 GetProfileIntW
 0x4010e4 MoveFileExA
 0x4010e8 InterlockedFlushSList
 0x4010ec GetSystemDefaultLangID
 0x4010f0 CreateFileA
 0x4010f4 WriteConsoleW
 0x4010f8 InterlockedDecrement
 0x4010fc Sleep
 0x401100 InitializeCriticalSection
 0x401104 DeleteCriticalSection
 0x401108 EnterCriticalSection
 0x40110c LeaveCriticalSection
 0x401110 UnhandledExceptionFilter
 0x401114 SetUnhandledExceptionFilter
 0x401118 HeapFree
 0x40111c MultiByteToWideChar
 0x401120 GetCommandLineA
 0x401124 GetStartupInfoA
 0x401128 RtlUnwind
 0x40112c RaiseException
 0x401130 ExitProcess
 0x401134 WriteFile
 0x401138 GetStdHandle
 0x40113c GetModuleFileNameA
 0x401140 TerminateProcess
 0x401144 GetCurrentProcess
 0x401148 IsDebuggerPresent
 0x40114c HeapAlloc
 0x401150 HeapCreate
 0x401154 VirtualFree
 0x401158 HeapReAlloc
 0x40115c GetCPInfo
 0x401160 GetACP
 0x401164 GetOEMCP
 0x401168 IsValidCodePage
 0x40116c TlsGetValue
 0x401170 TlsAlloc
 0x401174 TlsFree
 0x401178 SetLastError
 0x40117c GetCurrentThreadId
 0x401180 GetEnvironmentStrings
 0x401184 FreeEnvironmentStringsW
 0x401188 WideCharToMultiByte
 0x40118c GetEnvironmentStringsW
 0x401190 SetHandleCount
 0x401194 GetFileType
 0x401198 QueryPerformanceCounter
 0x40119c GetTickCount
 0x4011a0 GetCurrentProcessId
 0x4011a4 GetSystemTimeAsFileTime
 0x4011a8 HeapSize
 0x4011ac GetLocaleInfoA
 0x4011b0 GetStringTypeA
 0x4011b4 GetStringTypeW
 0x4011b8 LoadLibraryA
 0x4011bc InitializeCriticalSectionAndSpinCount
 0x4011c0 LCMapStringA
 0x4011c4 LCMapStringW
 0x4011c8 GetConsoleCP
 0x4011cc FlushFileBuffers
 0x4011d0 SetFilePointer
 0x4011d4 CloseHandle
 0x4011d8 WriteConsoleA
 0x4011dc GetConsoleOutputCP
USER32.dll
 0x4011ec CharLowerBuffW
GDI32.dll
 0x401008 GetCharacterPlacementW
 0x40100c SelectPalette
 0x401010 GetTextExtentExPointA
 0x401014 GetCharWidthI
ADVAPI32.dll
 0x401000 MapGenericMask
SHELL32.dll
 0x4011e4 CommandLineToArgvW

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure