ScreenShot
| Created | 2023.04.16 16:16 | Machine | s1_win7_x6403 |
| Filename | 001.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 43 detected (malicious, high confidence, Packed2, score, Artemis, unsafe, Kryptik, Vb9l, confidence, 100%, Attribute, HighConfidence, GenKryptik, GIPY, GenericKD, CrypterX, Bwnw, high, GenKD, Sabsik, Woreflint, Detected, ai score=82, R002H0ADD23, ucTz4Hz0PsR) | ||
| md5 | 5079a574e95863dcac4206efca348b15 | ||
| sha256 | ea394dc75f1ba9b5ccceef2a76d70917fe4f5d232fee6defff20282ad53cb6e4 | ||
| ssdeep | 49152:4vBmnYuT3UWvuaMoZh9rMVtnibdEFtxv969XMEReFE4l3:ImnfjDuaMobo7vIReOQ | ||
| imphash | 0e94a0a6be63b43bb4f845b28580c999 | ||
| impfuzzy | 48:FKXktT7uOEXuDXxfkJ/KAS5/zFnB6Uy+EGs09SYSvjKXE:FKXktT7uOEYXxf0s/u | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140001000 GetCurrentProcess
0x140001008 VirtualFree
0x140001010 GetModuleFileNameW
0x140001018 GetCurrentProcessId
0x140001020 HeapReAlloc
0x140001028 LCMapStringW
0x140001030 WideCharToMultiByte
0x140001038 LCMapStringA
0x140001040 GetStringTypeW
0x140001048 MultiByteToWideChar
0x140001050 GetStringTypeA
0x140001058 GetLocaleInfoA
0x140001060 InitializeCriticalSectionAndSpinCount
0x140001068 LoadLibraryA
0x140001070 HeapSize
0x140001078 IsValidCodePage
0x140001080 GetStartupInfoW
0x140001088 TerminateProcess
0x140001090 UnhandledExceptionFilter
0x140001098 SetUnhandledExceptionFilter
0x1400010a0 IsDebuggerPresent
0x1400010a8 RtlVirtualUnwind
0x1400010b0 RtlLookupFunctionEntry
0x1400010b8 RtlCaptureContext
0x1400010c0 EncodePointer
0x1400010c8 DecodePointer
0x1400010d0 FlsGetValue
0x1400010d8 FlsSetValue
0x1400010e0 FlsFree
0x1400010e8 SetLastError
0x1400010f0 GetCurrentThreadId
0x1400010f8 GetLastError
0x140001100 FlsAlloc
0x140001108 HeapFree
0x140001110 HeapAlloc
0x140001118 RaiseException
0x140001120 RtlPcToFileHeader
0x140001128 GetModuleHandleW
0x140001130 Sleep
0x140001138 GetProcAddress
0x140001140 ExitProcess
0x140001148 WriteFile
0x140001150 GetStdHandle
0x140001158 GetModuleFileNameA
0x140001160 RtlUnwindEx
0x140001168 FreeEnvironmentStringsW
0x140001170 GetEnvironmentStringsW
0x140001178 GetCommandLineW
0x140001180 SetHandleCount
0x140001188 GetFileType
0x140001190 GetStartupInfoA
0x140001198 DeleteCriticalSection
0x1400011a0 HeapSetInformation
0x1400011a8 HeapCreate
0x1400011b0 QueryPerformanceCounter
0x1400011b8 GetTickCount
0x1400011c0 GetSystemTimeAsFileTime
0x1400011c8 LeaveCriticalSection
0x1400011d0 EnterCriticalSection
0x1400011d8 GetCPInfo
0x1400011e0 GetACP
0x1400011e8 GetOEMCP
USER32.dll
0x1400011f8 DispatchMessageW
0x140001200 DefWindowProcW
0x140001208 EndPaint
0x140001210 DestroyWindow
0x140001218 TranslateAcceleratorW
0x140001220 GetMessageW
0x140001228 PostQuitMessage
0x140001230 DialogBoxParamW
0x140001238 LoadCursorW
0x140001240 BeginPaint
0x140001248 TranslateMessage
0x140001250 LoadAcceleratorsW
0x140001258 RegisterClassExW
0x140001260 LoadIconW
0x140001268 EndDialog
0x140001270 LoadStringW
0x140001278 ShowWindow
0x140001280 CreateWindowExW
0x140001288 UpdateWindow
EAT(Export Address Table) is none
KERNEL32.dll
0x140001000 GetCurrentProcess
0x140001008 VirtualFree
0x140001010 GetModuleFileNameW
0x140001018 GetCurrentProcessId
0x140001020 HeapReAlloc
0x140001028 LCMapStringW
0x140001030 WideCharToMultiByte
0x140001038 LCMapStringA
0x140001040 GetStringTypeW
0x140001048 MultiByteToWideChar
0x140001050 GetStringTypeA
0x140001058 GetLocaleInfoA
0x140001060 InitializeCriticalSectionAndSpinCount
0x140001068 LoadLibraryA
0x140001070 HeapSize
0x140001078 IsValidCodePage
0x140001080 GetStartupInfoW
0x140001088 TerminateProcess
0x140001090 UnhandledExceptionFilter
0x140001098 SetUnhandledExceptionFilter
0x1400010a0 IsDebuggerPresent
0x1400010a8 RtlVirtualUnwind
0x1400010b0 RtlLookupFunctionEntry
0x1400010b8 RtlCaptureContext
0x1400010c0 EncodePointer
0x1400010c8 DecodePointer
0x1400010d0 FlsGetValue
0x1400010d8 FlsSetValue
0x1400010e0 FlsFree
0x1400010e8 SetLastError
0x1400010f0 GetCurrentThreadId
0x1400010f8 GetLastError
0x140001100 FlsAlloc
0x140001108 HeapFree
0x140001110 HeapAlloc
0x140001118 RaiseException
0x140001120 RtlPcToFileHeader
0x140001128 GetModuleHandleW
0x140001130 Sleep
0x140001138 GetProcAddress
0x140001140 ExitProcess
0x140001148 WriteFile
0x140001150 GetStdHandle
0x140001158 GetModuleFileNameA
0x140001160 RtlUnwindEx
0x140001168 FreeEnvironmentStringsW
0x140001170 GetEnvironmentStringsW
0x140001178 GetCommandLineW
0x140001180 SetHandleCount
0x140001188 GetFileType
0x140001190 GetStartupInfoA
0x140001198 DeleteCriticalSection
0x1400011a0 HeapSetInformation
0x1400011a8 HeapCreate
0x1400011b0 QueryPerformanceCounter
0x1400011b8 GetTickCount
0x1400011c0 GetSystemTimeAsFileTime
0x1400011c8 LeaveCriticalSection
0x1400011d0 EnterCriticalSection
0x1400011d8 GetCPInfo
0x1400011e0 GetACP
0x1400011e8 GetOEMCP
USER32.dll
0x1400011f8 DispatchMessageW
0x140001200 DefWindowProcW
0x140001208 EndPaint
0x140001210 DestroyWindow
0x140001218 TranslateAcceleratorW
0x140001220 GetMessageW
0x140001228 PostQuitMessage
0x140001230 DialogBoxParamW
0x140001238 LoadCursorW
0x140001240 BeginPaint
0x140001248 TranslateMessage
0x140001250 LoadAcceleratorsW
0x140001258 RegisterClassExW
0x140001260 LoadIconW
0x140001268 EndDialog
0x140001270 LoadStringW
0x140001278 ShowWindow
0x140001280 CreateWindowExW
0x140001288 UpdateWindow
EAT(Export Address Table) is none