| Field | Value |
|---|---|
| Created | 2023.05.22 16:19 |
| Machine | s1_win7_x6403 |
| Filename | Satan_AIO.exe |
| Type | PE32+ executable (console) x86-64, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : clean |
| VT API (file) | 30 detected (malicious, high confidence, Barys, Artemis, A0t7, VMProtect, Attribute, HighConfidence, score, R510300, ai score=82, unsafe, Outbreak, confidence) |
| md5 | c8c82a0f0ee038fddb54cbf156f2e300 |
| sha256 | 399987a10d716912a53e259227fd90bab5e239ac253ff6bd5171a71d9f719746 |
| ssdeep | 196608:bFk1xjIShj19s9NtuwuU7wsaK381VGACLbRI:IhIShZ90puU7wsF3GEACn |
| imphash | 13b6fd52de0539c3ee52dddd27773b20 |
| impfuzzy | 24:vs2mVnDrAQIfhi+X6oOppwaQtXJHc9NDI5Q8:/inDrAQIfh7XomnXpcM5Q8 |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
WS2_32.dll
0x140b6f000 setsockopt
WLDAP32.dll
0x140b6f010 None
CRYPT32.dll
0x140b6f020 CertDuplicateCertificateContext
ADVAPI32.dll
0x140b6f030 CryptEnumProvidersW
KERNEL32.dll
0x140b6f040 ResumeThread
USER32.dll
0x140b6f050 UnhookWindowsHookEx
SHELL32.dll
0x140b6f060 ShellExecuteA
urlmon.dll
0x140b6f070 URLOpenBlockingStreamA
WININET.dll
0x140b6f080 InternetCloseHandle
ntdll.dll
0x140b6f090 RtlImageNtHeader
USERENV.dll
0x140b6f0a0 UnloadUserProfile
RPCRT4.dll
0x140b6f0b0 RpcStringFreeA
crypt.dll
0x140b6f0c0 BCryptGenRandom
WTSAPI32.dll
0x140b6f0d0 WTSSendMessageW
KERNEL32.dll
0x140b6f0e0 GetSystemTimeAsFileTime
USER32.dll
0x140b6f0f0 GetUserObjectInformationW
KERNEL32.dll
0x140b6f100 LocalAlloc
0x140b6f108 LocalFree
0x140b6f110 GetModuleFileNameW
0x140b6f118 GetProcessAffinityMask
0x140b6f120 SetProcessAffinityMask
0x140b6f128 SetThreadAffinityMask
0x140b6f130 Sleep
0x140b6f138 ExitProcess
0x140b6f140 FreeLibrary
0x140b6f148 LoadLibraryA
0x140b6f150 GetModuleHandleA
0x140b6f158 GetProcAddress
USER32.dll
0x140b6f168 GetProcessWindowStation
0x140b6f170 GetUserObjectInformationW
EAT (Export Address Table) Library