Property | Value |
---|---|
Created | 2023.05.12 09:28 |
Machine | s1_win7_x6403 |
Filename | 71c95442-4415-4ad2-b550-28ba52dceec5 |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 43 detected (AIDetectMalware, GenericKDZ, GenericRXVX, Kryptik, Veq9, Evader, Eldorado, malicious, high confidence, HTLQ, score, ccmw, PWSX, FalseSign, Gflw, AGEN, Inject4, R002C0DEB23, Artemis, moderate, ai score=83, RedLine, Detected, BScope, Bobik, unsafe, DcRat, zlu7nUQDNuH, Outbreak, Coins, confidence) |
md5 | c21947b75b1bbec904d0d954d5571fce |
sha256 | a43a25d2bb5a2770100e7e2bfbfc2bcb06534354468a4a7e9b70109dead13385 |
ssdeep | 3072:mTj8y0Z+a0MT1+fjipy74f7MXCKbTyKodImL4yjPXFGRlefGRvUw90E5HBdrTJfe:m3nI+LMTs2X7MXCsorjPVG26UwX5HB9M |
imphash | ae64f100c0f22c43c95a1d2055ef681a |
impfuzzy | 48:fldo+fcMMnt2uDcoRcRZsyGwtJACeD4uKQU:fHo+fcMMntBDcwc737 |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41d034 GetLocaleInfoW
0x41d038 WriteConsoleA
0x41d03c LoadLibraryA
0x41d040 GetConsoleOutputCP
0x41d044 WriteConsoleW
0x41d048 SetStdHandle
0x41d04c CreateFileA
0x41d050 GetCurrentProcess
0x41d054 GetVersion
0x41d058 GetModuleHandleA
0x41d05c MultiByteToWideChar
0x41d060 InitializeCriticalSectionAndSpinCount
0x41d064 GetProcAddress
0x41d068 WideCharToMultiByte
0x41d06c InterlockedIncrement
0x41d070 InterlockedDecrement
0x41d074 InterlockedExchange
0x41d078 Sleep
0x41d07c InitializeCriticalSection
0x41d080 DeleteCriticalSection
0x41d084 EnterCriticalSection
0x41d088 LeaveCriticalSection
0x41d08c RtlUnwind
0x41d090 RaiseException
0x41d094 TerminateProcess
0x41d098 UnhandledExceptionFilter
0x41d09c SetUnhandledExceptionFilter
0x41d0a0 IsDebuggerPresent
0x41d0a4 GetCommandLineA
0x41d0a8 GetCPInfo
0x41d0ac GetLastError
0x41d0b0 HeapFree
0x41d0b4 LCMapStringA
0x41d0b8 LCMapStringW
0x41d0bc HeapAlloc
0x41d0c0 GetModuleHandleW
0x41d0c4 TlsGetValue
0x41d0c8 TlsAlloc
0x41d0cc TlsSetValue
0x41d0d0 TlsFree
0x41d0d4 SetLastError
0x41d0d8 GetCurrentThreadId
0x41d0dc ExitProcess
0x41d0e0 WriteFile
0x41d0e4 GetStdHandle
0x41d0e8 GetModuleFileNameA
0x41d0ec FreeEnvironmentStringsA
0x41d0f0 GetEnvironmentStrings
0x41d0f4 FreeEnvironmentStringsW
0x41d0f8 GetEnvironmentStringsW
0x41d0fc SetHandleCount
0x41d100 GetFileType
0x41d104 GetStartupInfoA
0x41d108 HeapCreate
0x41d10c VirtualFree
0x41d110 QueryPerformanceCounter
0x41d114 GetTickCount
0x41d118 GetCurrentProcessId
0x41d11c GetSystemTimeAsFileTime
0x41d120 GetStringTypeA
0x41d124 GetStringTypeW
0x41d128 HeapSize
0x41d12c VirtualAlloc
0x41d130 HeapReAlloc
0x41d134 GetACP
0x41d138 GetOEMCP
0x41d13c IsValidCodePage
0x41d140 GetUserDefaultLCID
0x41d144 GetLocaleInfoA
0x41d148 EnumSystemLocalesA
0x41d14c IsValidLocale
0x41d150 GetConsoleCP
0x41d154 GetConsoleMode
0x41d158 FlushFileBuffers
0x41d15c ReadFile
0x41d160 SetFilePointer
0x41d164 CloseHandle
USER32.dll
0x41d16c GetClassInfoA
0x41d170 CallWindowProcA
0x41d174 SetWindowLongA
0x41d178 IsDlgButtonChecked
0x41d17c SetWindowTextA
0x41d180 CheckDlgButton
0x41d184 GetActiveWindow
0x41d188 LoadCursorA
0x41d18c MessageBoxA
0x41d190 wsprintfA
0x41d194 GetDlgItemTextA
GDI32.dll
0x41d014 GetStockObject
0x41d018 DeleteObject
0x41d01c SetBkMode
0x41d020 SetTextColor
0x41d024 CreateFontIndirectA
0x41d028 SelectObject
0x41d02c GetObjectA
COMDLG32.dll
0x41d008 GetSaveFileNameA
0x41d00c GetOpenFileNameA
ADVAPI32.dll
0x41d000 RegDeleteKeyA
EAT(Export Address Table) is none