ScreenShot
| Created | 2023.04.16 16:22 | Machine | s1_win7_x6403 |
| Filename | 114.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 48 detected (GenericKD, Miner, X@bOO9GAfi, Vo9r, malicious, confidence, 100%, Themida, Eldorado, high confidence, multiple detections, score, ccmw, CrypterX, Cwnw, AGEN, Inject4, REDLINE, YXDDPZ, Static AI, Malicious SFX, ai score=86, Sabsik, Cordimik, E27ZIZ, Detected, Artemis, unsafe, Generic@AI, RDML, yVMBhx1lKddJ, L+pe0GB4A, Fw87TM+XcPM, Kryptik, HPND, ZexaF, mvW@ai@Txld) | ||
| md5 | dd0379a70a71b60b3a81a91d49c88648 | ||
| sha256 | eb070fb1f4a7b4c38f28b71b4ddd4127e839fbb960c471a51f299ef78d7eed87 | ||
| ssdeep | 196608:Vhys2Nil815lcLJh0zKFEoTPIqdpS92OK7a3DI/Gu0q7T:VhyNM05lcLJ7FEo49rKuTiDT | ||
| imphash | 00be6e6c4f9e287672c8301b72bdabf3 | ||
| impfuzzy | 48:WOX8LKc1XFjsX1Pfc++64GYgeBtDXMunCHFa:WJLKc1XFgX1Pfc++rjdBtDXMunMFa | ||
Network IP location
Signature (43cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | A process attempted to delay the analysis task. |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Checks for the presence of known devices from debuggers and forensic tools |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Checks the version of Bios |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects the presence of Wine emulator |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Detects VirtualBox through the presence of a registry key |
| watch | Detects VMWare through the in instruction feature |
| watch | Harvests credentials from local FTP client softwares |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | One or more non-whitelisted processes were created |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Expresses interest in specific running processes |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Starts servers listening |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (23cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (download) |
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | themida_packer | themida packer | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | icon_file_format | icon file format | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x430000 GetLastError
0x430004 SetLastError
0x430008 GetCurrentProcess
0x43000c DeviceIoControl
0x430010 SetFileTime
0x430014 CloseHandle
0x430018 CreateDirectoryW
0x43001c RemoveDirectoryW
0x430020 CreateFileW
0x430024 DeleteFileW
0x430028 CreateHardLinkW
0x43002c GetShortPathNameW
0x430030 GetLongPathNameW
0x430034 MoveFileW
0x430038 GetFileType
0x43003c GetStdHandle
0x430040 WriteFile
0x430044 ReadFile
0x430048 FlushFileBuffers
0x43004c SetEndOfFile
0x430050 SetFilePointer
0x430054 SetFileAttributesW
0x430058 GetFileAttributesW
0x43005c FindClose
0x430060 FindFirstFileW
0x430064 FindNextFileW
0x430068 GetVersionExW
0x43006c GetCurrentDirectoryW
0x430070 GetFullPathNameW
0x430074 FoldStringW
0x430078 GetModuleFileNameW
0x43007c GetModuleHandleW
0x430080 FindResourceW
0x430084 FreeLibrary
0x430088 GetProcAddress
0x43008c GetCurrentProcessId
0x430090 ExitProcess
0x430094 SetThreadExecutionState
0x430098 Sleep
0x43009c LoadLibraryW
0x4300a0 GetSystemDirectoryW
0x4300a4 CompareStringW
0x4300a8 AllocConsole
0x4300ac FreeConsole
0x4300b0 AttachConsole
0x4300b4 WriteConsoleW
0x4300b8 GetProcessAffinityMask
0x4300bc CreateThread
0x4300c0 SetThreadPriority
0x4300c4 InitializeCriticalSection
0x4300c8 EnterCriticalSection
0x4300cc LeaveCriticalSection
0x4300d0 DeleteCriticalSection
0x4300d4 SetEvent
0x4300d8 ResetEvent
0x4300dc ReleaseSemaphore
0x4300e0 WaitForSingleObject
0x4300e4 CreateEventW
0x4300e8 CreateSemaphoreW
0x4300ec GetSystemTime
0x4300f0 SystemTimeToTzSpecificLocalTime
0x4300f4 TzSpecificLocalTimeToSystemTime
0x4300f8 SystemTimeToFileTime
0x4300fc FileTimeToLocalFileTime
0x430100 LocalFileTimeToFileTime
0x430104 FileTimeToSystemTime
0x430108 GetCPInfo
0x43010c IsDBCSLeadByte
0x430110 MultiByteToWideChar
0x430114 WideCharToMultiByte
0x430118 GlobalAlloc
0x43011c GetTickCount
0x430120 LockResource
0x430124 GlobalLock
0x430128 GlobalUnlock
0x43012c GlobalFree
0x430130 LoadResource
0x430134 SizeofResource
0x430138 SetCurrentDirectoryW
0x43013c GetExitCodeProcess
0x430140 GetLocalTime
0x430144 MapViewOfFile
0x430148 UnmapViewOfFile
0x43014c CreateFileMappingW
0x430150 OpenFileMappingW
0x430154 GetCommandLineW
0x430158 SetEnvironmentVariableW
0x43015c ExpandEnvironmentStringsW
0x430160 GetTempPathW
0x430164 MoveFileExW
0x430168 GetLocaleInfoW
0x43016c GetTimeFormatW
0x430170 GetDateFormatW
0x430174 GetNumberFormatW
0x430178 SetFilePointerEx
0x43017c GetConsoleMode
0x430180 GetConsoleCP
0x430184 HeapSize
0x430188 SetStdHandle
0x43018c GetProcessHeap
0x430190 RaiseException
0x430194 GetSystemInfo
0x430198 VirtualProtect
0x43019c VirtualQuery
0x4301a0 LoadLibraryExA
0x4301a4 IsProcessorFeaturePresent
0x4301a8 IsDebuggerPresent
0x4301ac UnhandledExceptionFilter
0x4301b0 SetUnhandledExceptionFilter
0x4301b4 GetStartupInfoW
0x4301b8 QueryPerformanceCounter
0x4301bc GetCurrentThreadId
0x4301c0 GetSystemTimeAsFileTime
0x4301c4 InitializeSListHead
0x4301c8 TerminateProcess
0x4301cc RtlUnwind
0x4301d0 EncodePointer
0x4301d4 InitializeCriticalSectionAndSpinCount
0x4301d8 TlsAlloc
0x4301dc TlsGetValue
0x4301e0 TlsSetValue
0x4301e4 TlsFree
0x4301e8 LoadLibraryExW
0x4301ec QueryPerformanceFrequency
0x4301f0 GetModuleHandleExW
0x4301f4 GetModuleFileNameA
0x4301f8 GetACP
0x4301fc HeapFree
0x430200 HeapAlloc
0x430204 HeapReAlloc
0x430208 GetStringTypeW
0x43020c LCMapStringW
0x430210 FindFirstFileExA
0x430214 FindNextFileA
0x430218 IsValidCodePage
0x43021c GetOEMCP
0x430220 GetCommandLineA
0x430224 GetEnvironmentStringsW
0x430228 FreeEnvironmentStringsW
0x43022c DecodePointer
gdiplus.dll
0x430234 GdiplusShutdown
0x430238 GdiplusStartup
0x43023c GdipCreateHBITMAPFromBitmap
0x430240 GdipCreateBitmapFromStreamICM
0x430244 GdipCreateBitmapFromStream
0x430248 GdipDisposeImage
0x43024c GdipCloneImage
0x430250 GdipFree
0x430254 GdipAlloc
EAT(Export Address Table) Library
KERNEL32.dll
0x430000 GetLastError
0x430004 SetLastError
0x430008 GetCurrentProcess
0x43000c DeviceIoControl
0x430010 SetFileTime
0x430014 CloseHandle
0x430018 CreateDirectoryW
0x43001c RemoveDirectoryW
0x430020 CreateFileW
0x430024 DeleteFileW
0x430028 CreateHardLinkW
0x43002c GetShortPathNameW
0x430030 GetLongPathNameW
0x430034 MoveFileW
0x430038 GetFileType
0x43003c GetStdHandle
0x430040 WriteFile
0x430044 ReadFile
0x430048 FlushFileBuffers
0x43004c SetEndOfFile
0x430050 SetFilePointer
0x430054 SetFileAttributesW
0x430058 GetFileAttributesW
0x43005c FindClose
0x430060 FindFirstFileW
0x430064 FindNextFileW
0x430068 GetVersionExW
0x43006c GetCurrentDirectoryW
0x430070 GetFullPathNameW
0x430074 FoldStringW
0x430078 GetModuleFileNameW
0x43007c GetModuleHandleW
0x430080 FindResourceW
0x430084 FreeLibrary
0x430088 GetProcAddress
0x43008c GetCurrentProcessId
0x430090 ExitProcess
0x430094 SetThreadExecutionState
0x430098 Sleep
0x43009c LoadLibraryW
0x4300a0 GetSystemDirectoryW
0x4300a4 CompareStringW
0x4300a8 AllocConsole
0x4300ac FreeConsole
0x4300b0 AttachConsole
0x4300b4 WriteConsoleW
0x4300b8 GetProcessAffinityMask
0x4300bc CreateThread
0x4300c0 SetThreadPriority
0x4300c4 InitializeCriticalSection
0x4300c8 EnterCriticalSection
0x4300cc LeaveCriticalSection
0x4300d0 DeleteCriticalSection
0x4300d4 SetEvent
0x4300d8 ResetEvent
0x4300dc ReleaseSemaphore
0x4300e0 WaitForSingleObject
0x4300e4 CreateEventW
0x4300e8 CreateSemaphoreW
0x4300ec GetSystemTime
0x4300f0 SystemTimeToTzSpecificLocalTime
0x4300f4 TzSpecificLocalTimeToSystemTime
0x4300f8 SystemTimeToFileTime
0x4300fc FileTimeToLocalFileTime
0x430100 LocalFileTimeToFileTime
0x430104 FileTimeToSystemTime
0x430108 GetCPInfo
0x43010c IsDBCSLeadByte
0x430110 MultiByteToWideChar
0x430114 WideCharToMultiByte
0x430118 GlobalAlloc
0x43011c GetTickCount
0x430120 LockResource
0x430124 GlobalLock
0x430128 GlobalUnlock
0x43012c GlobalFree
0x430130 LoadResource
0x430134 SizeofResource
0x430138 SetCurrentDirectoryW
0x43013c GetExitCodeProcess
0x430140 GetLocalTime
0x430144 MapViewOfFile
0x430148 UnmapViewOfFile
0x43014c CreateFileMappingW
0x430150 OpenFileMappingW
0x430154 GetCommandLineW
0x430158 SetEnvironmentVariableW
0x43015c ExpandEnvironmentStringsW
0x430160 GetTempPathW
0x430164 MoveFileExW
0x430168 GetLocaleInfoW
0x43016c GetTimeFormatW
0x430170 GetDateFormatW
0x430174 GetNumberFormatW
0x430178 SetFilePointerEx
0x43017c GetConsoleMode
0x430180 GetConsoleCP
0x430184 HeapSize
0x430188 SetStdHandle
0x43018c GetProcessHeap
0x430190 RaiseException
0x430194 GetSystemInfo
0x430198 VirtualProtect
0x43019c VirtualQuery
0x4301a0 LoadLibraryExA
0x4301a4 IsProcessorFeaturePresent
0x4301a8 IsDebuggerPresent
0x4301ac UnhandledExceptionFilter
0x4301b0 SetUnhandledExceptionFilter
0x4301b4 GetStartupInfoW
0x4301b8 QueryPerformanceCounter
0x4301bc GetCurrentThreadId
0x4301c0 GetSystemTimeAsFileTime
0x4301c4 InitializeSListHead
0x4301c8 TerminateProcess
0x4301cc RtlUnwind
0x4301d0 EncodePointer
0x4301d4 InitializeCriticalSectionAndSpinCount
0x4301d8 TlsAlloc
0x4301dc TlsGetValue
0x4301e0 TlsSetValue
0x4301e4 TlsFree
0x4301e8 LoadLibraryExW
0x4301ec QueryPerformanceFrequency
0x4301f0 GetModuleHandleExW
0x4301f4 GetModuleFileNameA
0x4301f8 GetACP
0x4301fc HeapFree
0x430200 HeapAlloc
0x430204 HeapReAlloc
0x430208 GetStringTypeW
0x43020c LCMapStringW
0x430210 FindFirstFileExA
0x430214 FindNextFileA
0x430218 IsValidCodePage
0x43021c GetOEMCP
0x430220 GetCommandLineA
0x430224 GetEnvironmentStringsW
0x430228 FreeEnvironmentStringsW
0x43022c DecodePointer
gdiplus.dll
0x430234 GdiplusShutdown
0x430238 GdiplusStartup
0x43023c GdipCreateHBITMAPFromBitmap
0x430240 GdipCreateBitmapFromStreamICM
0x430244 GdipCreateBitmapFromStream
0x430248 GdipDisposeImage
0x43024c GdipCloneImage
0x430250 GdipFree
0x430254 GdipAlloc
EAT(Export Address Table) Library