Field | Value |
---|---|
Created | 2023.05.20 16:27 |
Machine | s1_win7_x6401 |
Filename | mn.php |
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | |
md5 | f19e4ec96f8b163760b236127387c5a8 |
sha256 | af2df15590ceead71690e885b743fe7cea32d6221b1569044898aa68cf12a9d1 |
ssdeep | 24576:2l70x0gt0nxZLHfHulAR02Sq2lr5ljm/91JGvd+mmiSyZHpVMXD+mwCyWJD8:J/I/OlARNSq2ShiVH7oZlJD8 |
imphash | 47e01530ad43ec939d1c47709a80a5c6 |
impfuzzy | 12:3JtXZI+3ncfh++yLfv680qXJXPXJwdzrJEnDx9A41mLRBRZqRq0ZGNsfbZHur:Zt6Scirv680qteJEnDx95uc5oObZHur |
Signature (8cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services are usually still up and running) |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts)
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x180025000 GetProcessHeap
0x180025008 CreateFileA
0x180025010 CloseHandle
0x180025018 GetLastError
0x180025020 HeapWalk
0x180025028 CreateFiber
0x180025030 SwitchToFiber
0x180025038 CreateActCtxA
0x180025040 ActivateActCtx
0x180025048 DeactivateActCtx
0x180025050 OpenThread
0x180025058 GetFileAttributesA
0x180025060 FindFirstFileA
0x180025068 FindNextFileA
0x180025070 GetModuleFileNameA
0x180025078 GetModuleHandleA
0x180025080 GetCurrentProcessId
0x180025088 GetFileInformationByHandle
0x180025090 CreateFileMappingA
0x180025098 VirtualAlloc
0x1800250a0 RaiseException
0x1800250a8 RtlCaptureContext
0x1800250b0 RtlLookupFunctionEntry
0x1800250b8 RtlVirtualUnwind
0x1800250c0 IsDebuggerPresent
0x1800250c8 UnhandledExceptionFilter
0x1800250d0 SetUnhandledExceptionFilter
0x1800250d8 GetCurrentProcess
0x1800250e0 TerminateProcess
0x1800250e8 IsProcessorFeaturePresent
0x1800250f0 SetLastError
0x1800250f8 HeapAlloc
0x180025100 HeapFree
0x180025108 GetModuleHandleW
0x180025110 GetProcAddress
0x180025118 TlsGetValue
0x180025120 TlsSetValue
0x180025128 FreeLibrary
0x180025130 LoadLibraryExW
0x180025138 CompareStringW
0x180025140 LCMapStringW
0x180025148 EnterCriticalSection
0x180025150 LeaveCriticalSection
0x180025158 IsValidCodePage
0x180025160 GetACP
0x180025168 GetOEMCP
0x180025170 GetCPInfo
0x180025178 ExitProcess
0x180025180 GetModuleHandleExW
0x180025188 GetStringTypeW
0x180025190 MultiByteToWideChar
0x180025198 WideCharToMultiByte
0x1800251a0 HeapSize
0x1800251a8 HeapReAlloc
0x1800251b0 RtlUnwindEx
0x1800251b8 GetEnvironmentStringsW
0x1800251c0 FreeEnvironmentStringsW
0x1800251c8 SetEnvironmentVariableA
EAT (Export Address Table) Library
0x180024360 JDuCS622tuL6
0x180021b90 MkcDIl34k3Si
0x180008240 PcYge9j
0x180020480 eOXScagadNKe
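The imphash in the header table is computed from the import table listed above. The script below is an added example for this page (not the report's or the sandbox's own code): it parses the listing in the exact layout printed here (a DLL name line followed by one "0xADDR Name" line per import) and rebuilds the normalized string and MD5 following the pefile get_imphash() rules. The embedded input is only the first 20 entries of the report's KERNEL32.dll block, so its hash will not equal the report's value; paste the full listing in to compare. The ordinal handling is a stated simplification: pefile maps well-known ws2_32/oleaut32 ordinals back to names, this version writes every ordinal as ordN.

```python
import hashlib
import re

# Constructed input: the first 20 entries of the IAT listing printed in this
# report, in the same "DLL name, then '0xADDR Name' per import" layout. The
# full listing on the page can be pasted in unchanged.
REPORT_IAT = """
KERNEL32.dll
0x180025000 GetProcessHeap
0x180025008 CreateFileA
0x180025010 CloseHandle
0x180025018 GetLastError
0x180025020 HeapWalk
0x180025028 CreateFiber
0x180025030 SwitchToFiber
0x180025038 CreateActCtxA
0x180025040 ActivateActCtx
0x180025048 DeactivateActCtx
0x180025050 OpenThread
0x180025058 GetFileAttributesA
0x180025060 FindFirstFileA
0x180025068 FindNextFileA
0x180025070 GetModuleFileNameA
0x180025078 GetModuleHandleA
0x180025080 GetCurrentProcessId
0x180025088 GetFileInformationByHandle
0x180025090 CreateFileMappingA
0x180025098 VirtualAlloc
"""

IAT_ENTRY = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat_listing(text):
    """Return [(dll, function), ...] in listing order.

    Any non-empty line that is not '0xADDR Name' starts a new DLL block.
    """
    imports = []
    dll = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IAT_ENTRY.match(line)
        if m is None:
            dll = line
        elif dll is None:
            raise ValueError("import entry before any DLL name: %r" % line)
        else:
            imports.append((dll, m.group(1)))
    return imports


def imphash_string(imports):
    """Build the normalized 'lib.func,lib.func,...' string that imphash hashes.

    Normalization mirrors pefile's get_imphash(): lower-case everything, drop a
    trailing .dll/.ocx/.sys from the library name, and write ordinal-only
    imports (given here as ints) as 'ordN'. Simplification, not pefile
    behaviour: well-known ws2_32/oleaut32 ordinals are not mapped to names.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (lib, name))
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalized import string; '' when there are no imports."""
    s = imphash_string(imports)
    return hashlib.md5(s.encode("ascii")).hexdigest() if s else ""


if __name__ == "__main__":
    imps = parse_iat_listing(REPORT_IAT)
    print("%d imports; imphash of this partial list: %s" % (len(imps), imphash(imps)))
```

Because the hash covers import order as well as names, two builds from the same toolchain and source layout share an imphash even after repacking changes every byte of the code; that is why it is a pivot value worth recording next to the md5 and sha256.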