ScreenShot
| Created | 2023.04.07 16:40 | Machine | s1_win7_x6403 |
| Filename | server.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 57 detected (AIDetectNet, Lotok, Tedy, LotokPMF, S22207093, GenericRXAA, BitCoinMiner, Save, malicious, confidence, 100%, Venik, KillAV, Eldorado, Attribute, HighConfidence, high confidence, Farfli, score, jrwrll, BackdoorX, Gencirc, ZPACK, ZEGOST, SM37, moderate, Static AI, Malicious PE, ai score=89, BLH@6lj6he, Detected, R438653, BScope, TrojanPSW, Cimuz, unsafe, VE56F3v74yI, susgen, GdSda) | ||
| md5 | bb8563b2aa2335abe99a45888e2a47d1 | ||
| sha256 | 555ff1532b71d6001e270b74611c6ce556eeb422fd8366941e88b141dd200ae9 | ||
| ssdeep | 384:uTkWKqDfSFnhadpwhmC+GIYVgg1l+JHnjbIla6U4t9yN1O4dT:uNjLOnhaQhKBgiJHIl04KzZdT | ||
| imphash | 127bc68c3d34a048139e9d88ad1484f8 | ||
| impfuzzy | 24:UyjP+4RIBzg0DCdZRECKQ2CPscHFCJEwuIEciCH54L2TXCWmIBJK9nTBcXBdG3b6:UH6dZRECKQvPSFiGmLUXCj6JKdcXnGr6 | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
| notice | Repeatedly searches for a not-found process |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | Checks amount of memory in system |
| info | The executable uses a known packer |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40101c FreeLibrary
0x401020 CloseHandle
0x401024 GetModuleFileNameA
0x401028 WaitForSingleObject
0x40102c GetVersionExA
0x401030 CopyFileA
0x401034 GetCurrentProcess
0x401038 GetModuleHandleA
0x40103c GlobalMemoryStatusEx
0x401040 HeapAlloc
0x401044 GetProcessHeap
0x401048 HeapFree
0x40104c SetEvent
0x401050 CreateEventA
0x401054 lstrcmpiA
0x401058 Process32Next
0x40105c Process32First
0x401060 CreateToolhelp32Snapshot
0x401064 lstrcpyA
0x401068 GetStartupInfoA
0x40106c lstrlenA
0x401070 CreateFileA
0x401074 WriteFile
0x401078 lstrcatA
0x40107c VirtualFree
0x401080 GetTickCount
0x401084 LocalAlloc
0x401088 LocalSize
0x40108c LocalFree
0x401090 LoadLibraryA
0x401094 GetProcAddress
0x401098 Sleep
0x40109c InterlockedExchange
0x4010a0 VirtualAlloc
0x4010a4 VirtualProtect
USER32.dll
0x40115c GetWindow
0x401160 GetWindowTextA
0x401164 wsprintfA
0x401168 FindWindowA
0x40116c GetLastInputInfo
0x401170 GetClassNameA
ADVAPI32.dll
0x401000 OpenEventLogA
0x401004 ClearEventLogA
0x401008 CloseEventLog
0x40100c SetServiceStatus
0x401010 RegisterServiceCtrlHandlerA
0x401014 StartServiceCtrlDispatcherA
MSVCRT.dll
0x4010ac realloc
0x4010b0 _stricmp
0x4010b4 _strupr
0x4010b8 _controlfp
0x4010bc __set_app_type
0x4010c0 ??3@YAXPAX@Z
0x4010c4 memcpy
0x4010c8 ceil
0x4010cc _ftol
0x4010d0 __CxxFrameHandler
0x4010d4 _CxxThrowException
0x4010d8 memset
0x4010dc ??2@YAPAXI@Z
0x4010e0 memcmp
0x4010e4 strlen
0x4010e8 strstr
0x4010ec strcpy
0x4010f0 strncpy
0x4010f4 strrchr
0x4010f8 atoi
0x4010fc strcspn
0x401100 rand
0x401104 memmove
0x401108 strcat
0x40110c strcmp
0x401110 _strcmpi
0x401114 free
0x401118 _beginthreadex
0x40111c _except_handler3
0x401120 strchr
0x401124 ??1type_info@@UAE@XZ
0x401128 __dllonexit
0x40112c _onexit
0x401130 _exit
0x401134 _XcptFilter
0x401138 exit
0x40113c _acmdln
0x401140 __getmainargs
0x401144 _initterm
0x401148 __setusermatherr
0x40114c _adjust_fdiv
0x401150 __p__commode
0x401154 __p__fmode
EAT(Export Address Table) is none
KERNEL32.dll
0x40101c FreeLibrary
0x401020 CloseHandle
0x401024 GetModuleFileNameA
0x401028 WaitForSingleObject
0x40102c GetVersionExA
0x401030 CopyFileA
0x401034 GetCurrentProcess
0x401038 GetModuleHandleA
0x40103c GlobalMemoryStatusEx
0x401040 HeapAlloc
0x401044 GetProcessHeap
0x401048 HeapFree
0x40104c SetEvent
0x401050 CreateEventA
0x401054 lstrcmpiA
0x401058 Process32Next
0x40105c Process32First
0x401060 CreateToolhelp32Snapshot
0x401064 lstrcpyA
0x401068 GetStartupInfoA
0x40106c lstrlenA
0x401070 CreateFileA
0x401074 WriteFile
0x401078 lstrcatA
0x40107c VirtualFree
0x401080 GetTickCount
0x401084 LocalAlloc
0x401088 LocalSize
0x40108c LocalFree
0x401090 LoadLibraryA
0x401094 GetProcAddress
0x401098 Sleep
0x40109c InterlockedExchange
0x4010a0 VirtualAlloc
0x4010a4 VirtualProtect
USER32.dll
0x40115c GetWindow
0x401160 GetWindowTextA
0x401164 wsprintfA
0x401168 FindWindowA
0x40116c GetLastInputInfo
0x401170 GetClassNameA
ADVAPI32.dll
0x401000 OpenEventLogA
0x401004 ClearEventLogA
0x401008 CloseEventLog
0x40100c SetServiceStatus
0x401010 RegisterServiceCtrlHandlerA
0x401014 StartServiceCtrlDispatcherA
MSVCRT.dll
0x4010ac realloc
0x4010b0 _stricmp
0x4010b4 _strupr
0x4010b8 _controlfp
0x4010bc __set_app_type
0x4010c0 ??3@YAXPAX@Z
0x4010c4 memcpy
0x4010c8 ceil
0x4010cc _ftol
0x4010d0 __CxxFrameHandler
0x4010d4 _CxxThrowException
0x4010d8 memset
0x4010dc ??2@YAPAXI@Z
0x4010e0 memcmp
0x4010e4 strlen
0x4010e8 strstr
0x4010ec strcpy
0x4010f0 strncpy
0x4010f4 strrchr
0x4010f8 atoi
0x4010fc strcspn
0x401100 rand
0x401104 memmove
0x401108 strcat
0x40110c strcmp
0x401110 _strcmpi
0x401114 free
0x401118 _beginthreadex
0x40111c _except_handler3
0x401120 strchr
0x401124 ??1type_info@@UAE@XZ
0x401128 __dllonexit
0x40112c _onexit
0x401130 _exit
0x401134 _XcptFilter
0x401138 exit
0x40113c _acmdln
0x401140 __getmainargs
0x401144 _initterm
0x401148 __setusermatherr
0x40114c _adjust_fdiv
0x401150 __p__commode
0x401154 __p__fmode
EAT(Export Address Table) is none