Field | Value |
---|---|
Created | 2023.05.17 09:34 |
Machine | s1_win7_x6402 |
Filename | csrsv.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 41 detected (AIDetectMalware, malicious, high confidence, Barys, FCND, unsafe, Save, ZexaF, nuW@aWbUXkfi, Attribute, HighConfidence, Amadey, score, Doina, Deyma, BotX, Agen, Ktgl, Static AI, Malicious PE, Detected, ai score=83, GdSda, Generic@AI, RDML, 1sWZhubuURj7J4Ghb6pcQw, susgen, EGTS, confidence, 100%) |
md5 | 13c6b003e4cd8319299a50a51e14a222 |
sha256 | 28f5e5e43a67a48c6a41f9814a50b6faf5d20dfee6b17e867429efca82394681 |
ssdeep | 6144:tWh1VL9EWeJanEYL7OuuT7Ujz41FiPRL:tg1VdSYL3uT7e0KF |
imphash | 30345caf7ab375dfe19647a32bba1efe |
impfuzzy | 48:2EGXMrJGGO/cpe2toS182zZccgTg3IuF57fwSqXHN+guPg:IXMoGmcpe2toS182zZctqDolSg |
Signature (24cnts)
Level | Description |
---|---|
danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process oneetx.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Ave_Maria_Zero | Remote Access Trojan that is also called WARZONE RAT | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata IDs
ET MALWARE Amadey CnC Check-In
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x42a040 GetFileAttributesA
0x42a044 CreateFileA
0x42a048 CloseHandle
0x42a04c GetSystemInfo
0x42a050 CreateThread
0x42a054 HeapAlloc
0x42a058 GetThreadContext
0x42a05c GetProcAddress
0x42a060 VirtualAllocEx
0x42a064 LocalFree
0x42a068 GetLastError
0x42a06c ReadProcessMemory
0x42a070 GetProcessHeap
0x42a074 CreateProcessA
0x42a078 CreateDirectoryA
0x42a07c SetThreadContext
0x42a080 WriteConsoleW
0x42a084 ReadConsoleW
0x42a088 SetEndOfFile
0x42a08c SetFilePointerEx
0x42a090 GetTempPathA
0x42a094 Sleep
0x42a098 SetCurrentDirectoryA
0x42a09c GetModuleHandleA
0x42a0a0 GetComputerNameExW
0x42a0a4 ResumeThread
0x42a0a8 GetVersionExW
0x42a0ac CreateMutexA
0x42a0b0 VirtualAlloc
0x42a0b4 WriteFile
0x42a0b8 VirtualFree
0x42a0bc HeapFree
0x42a0c0 WriteProcessMemory
0x42a0c4 GetModuleFileNameA
0x42a0c8 RemoveDirectoryA
0x42a0cc ReadFile
0x42a0d0 HeapReAlloc
0x42a0d4 HeapSize
0x42a0d8 GetTimeZoneInformation
0x42a0dc GetConsoleMode
0x42a0e0 GetConsoleCP
0x42a0e4 FlushFileBuffers
0x42a0e8 GetStringTypeW
0x42a0ec SetEnvironmentVariableW
0x42a0f0 FreeEnvironmentStringsW
0x42a0f4 GetEnvironmentStringsW
0x42a0f8 WideCharToMultiByte
0x42a0fc GetCPInfo
0x42a100 GetOEMCP
0x42a104 GetACP
0x42a108 IsValidCodePage
0x42a10c FindNextFileW
0x42a110 FindFirstFileExW
0x42a114 FindClose
0x42a118 SetStdHandle
0x42a11c GetFullPathNameW
0x42a120 GetCurrentDirectoryW
0x42a124 DeleteFileW
0x42a128 LCMapStringW
0x42a12c EnterCriticalSection
0x42a130 LeaveCriticalSection
0x42a134 InitializeCriticalSectionAndSpinCount
0x42a138 DeleteCriticalSection
0x42a13c SetEvent
0x42a140 ResetEvent
0x42a144 WaitForSingleObjectEx
0x42a148 CreateEventW
0x42a14c GetModuleHandleW
0x42a150 UnhandledExceptionFilter
0x42a154 SetUnhandledExceptionFilter
0x42a158 GetCurrentProcess
0x42a15c TerminateProcess
0x42a160 IsProcessorFeaturePresent
0x42a164 IsDebuggerPresent
0x42a168 GetStartupInfoW
0x42a16c QueryPerformanceCounter
0x42a170 GetCurrentProcessId
0x42a174 GetCurrentThreadId
0x42a178 GetSystemTimeAsFileTime
0x42a17c InitializeSListHead
0x42a180 RaiseException
0x42a184 SetLastError
0x42a188 RtlUnwind
0x42a18c TlsAlloc
0x42a190 TlsGetValue
0x42a194 TlsSetValue
0x42a198 TlsFree
0x42a19c FreeLibrary
0x42a1a0 LoadLibraryExW
0x42a1a4 ExitProcess
0x42a1a8 GetModuleHandleExW
0x42a1ac CreateFileW
0x42a1b0 GetDriveTypeW
0x42a1b4 GetFileInformationByHandle
0x42a1b8 GetFileType
0x42a1bc PeekNamedPipe
0x42a1c0 SystemTimeToTzSpecificLocalTime
0x42a1c4 FileTimeToSystemTime
0x42a1c8 GetModuleFileNameW
0x42a1cc GetStdHandle
0x42a1d0 GetCommandLineA
0x42a1d4 GetCommandLineW
0x42a1d8 MultiByteToWideChar
0x42a1dc CompareStringW
0x42a1e0 DecodePointer
USER32.dll
0x42a1fc GetSystemMetrics
0x42a200 ReleaseDC
0x42a204 GetDC
GDI32.dll
0x42a028 CreateCompatibleBitmap
0x42a02c SelectObject
0x42a030 CreateCompatibleDC
0x42a034 DeleteObject
0x42a038 BitBlt
ADVAPI32.dll
0x42a000 RegCloseKey
0x42a004 RegGetValueA
0x42a008 RegQueryValueExA
0x42a00c GetUserNameA
0x42a010 RegSetValueExA
0x42a014 RegOpenKeyExA
0x42a018 ConvertSidToStringSidW
0x42a01c GetUserNameW
0x42a020 LookupAccountNameW
SHELL32.dll
0x42a1e8 SHGetFolderPathA
0x42a1ec ShellExecuteA
0x42a1f0 None
0x42a1f4 SHFileOperationA
WININET.dll
0x42a20c HttpOpenRequestA
0x42a210 InternetReadFile
0x42a214 InternetConnectA
0x42a218 HttpSendRequestA
0x42a21c InternetCloseHandle
0x42a220 InternetOpenA
0x42a224 HttpAddRequestHeadersA
0x42a228 HttpSendRequestExW
0x42a22c HttpEndRequestA
0x42a230 InternetOpenW
0x42a234 InternetOpenUrlA
0x42a238 InternetWriteFile
gdiplus.dll
0x42a240 GdipSaveImageToFile
0x42a244 GdipGetImageEncodersSize
0x42a248 GdipDisposeImage
0x42a24c GdipCreateBitmapFromHBITMAP
0x42a250 GdipGetImageEncoders
0x42a254 GdiplusShutdown
0x42a258 GdiplusStartup
EAT (Export Address Table): none