Field | Value |
---|---|
Created | 2023.05.25 07:45 |
Machine | s1_win7_x6401 |
Filename | a0UFMZnC6ltxphw.dat |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : malicious |
VT API (file) | |
md5 | 9c62d0040b9577c8484377357f673dc6 |
sha256 | 8e2e50cacfa709ba9242fee071c645d3286ce52019ae474f0e799f29a4b2ffdf |
ssdeep | 6144:wnCa7uW+h+IJE+edVtbIDBJF0Ecns6y9cjo2iwJtsykZHqxO34aG30VmXSmzlkRT:W77uEs6T39JDVGF4sjWpW |
imphash | f2e9757e5dc55604f9953968faf6ed8a |
impfuzzy | 24:DjnbBQ4DDUlSfdKMJbibkzcjMXtQX8G399Wu//dvR0OovbOPZai:dQx8fdK2cWtQX8GtHdB3l |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | One or more of the buffers contains an embedded PE file |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | One or more potentially interesting buffers were extracted |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x1001c03c SetEvent
0x1001c040 ResetEvent
0x1001c044 WaitForSingleObject
0x1001c048 CreateEventA
0x1001c04c WaitForMultipleObjects
0x1001c050 GetCurrentProcessId
0x1001c054 DeleteCriticalSection
0x1001c058 GetSystemInfo
0x1001c05c GetTickCount
0x1001c060 GetModuleHandleA
0x1001c064 GetProcAddress
0x1001c068 CreateFileA
0x1001c06c GetVersionExA
0x1001c070 CreateFileW
0x1001c074 InitializeCriticalSectionAndSpinCount
0x1001c078 LeaveCriticalSection
0x1001c07c EnterCriticalSection
0x1001c080 CancelIo
0x1001c084 GetOverlappedResult
0x1001c088 DeviceIoControl
0x1001c08c SetLastError
0x1001c090 GetLastError
0x1001c094 CloseHandle
0x1001c098 WriteFile
0x1001c09c ReadFile
0x1001c0a0 QueryDosDeviceW
0x1001c0a4 GetLogicalDriveStringsW
0x1001c0a8 OpenProcess
0x1001c0ac GetDriveTypeW
0x1001c0b0 DecodePointer
0x1001c0b4 SetFilePointerEx
0x1001c0b8 GetConsoleMode
0x1001c0bc IsProcessorFeaturePresent
0x1001c0c0 IsDebuggerPresent
0x1001c0c4 UnhandledExceptionFilter
0x1001c0c8 SetUnhandledExceptionFilter
0x1001c0cc GetStartupInfoW
0x1001c0d0 GetModuleHandleW
0x1001c0d4 GetCurrentProcess
0x1001c0d8 TerminateProcess
0x1001c0dc QueryPerformanceCounter
0x1001c0e0 GetCurrentThreadId
0x1001c0e4 GetSystemTimeAsFileTime
0x1001c0e8 InitializeSListHead
0x1001c0ec RaiseException
0x1001c0f0 RtlUnwind
0x1001c0f4 InterlockedFlushSList
0x1001c0f8 EncodePointer
0x1001c0fc TlsAlloc
0x1001c100 TlsGetValue
0x1001c104 TlsSetValue
0x1001c108 TlsFree
0x1001c10c FreeLibrary
0x1001c110 LoadLibraryExW
0x1001c114 CreateThread
0x1001c118 ExitThread
0x1001c11c FreeLibraryAndExitThread
0x1001c120 GetModuleHandleExW
0x1001c124 ExitProcess
0x1001c128 GetModuleFileNameA
0x1001c12c MultiByteToWideChar
0x1001c130 WideCharToMultiByte
0x1001c134 HeapFree
0x1001c138 HeapAlloc
0x1001c13c LCMapStringW
0x1001c140 GetACP
0x1001c144 GetStdHandle
0x1001c148 GetFileType
0x1001c14c FindClose
0x1001c150 FindFirstFileExA
0x1001c154 FindNextFileA
0x1001c158 IsValidCodePage
0x1001c15c GetOEMCP
0x1001c160 GetCPInfo
0x1001c164 GetCommandLineA
0x1001c168 GetCommandLineW
0x1001c16c GetEnvironmentStringsW
0x1001c170 FreeEnvironmentStringsW
0x1001c174 GetProcessHeap
0x1001c178 GetStringTypeW
0x1001c17c SetStdHandle
0x1001c180 HeapSize
0x1001c184 HeapReAlloc
0x1001c188 FlushFileBuffers
0x1001c18c GetConsoleCP
0x1001c190 WriteConsoleW
EAT (Export Address Table) Library
0x100045c0 af_addBindingRule
0x100040f0 af_addFlowCtl
0x10003140 af_addRule
0x10003370 af_addRuleEx
0x10003c10 af_adjustProcessPriviledges
0x10003d40 af_completeTCPConnectRequest
0x10003e80 af_completeUDPConnectRequest
0x100046c0 af_deleteBindingRules
0x10004190 af_deleteFlowCtl
0x100031f0 af_deleteRules
0x10002b10 af_free
0x100035d0 af_getConnCount
0x10004750 af_getDriverType
0x100043e0 af_getFlowCtlStat
0x10003750 af_getProcessNameA
0x10003830 af_getProcessNameFromKernel
0x100037c0 af_getProcessNameW
0x10003f60 af_getTCPConnInfo
0x10004480 af_getTCPStat
0x10004030 af_getUDPConnInfo
0x10004520 af_getUDPStat
0x100027b0 af_init
0x10003120 af_ipPostReceive
0x10003100 af_ipPostSend
0x10004340 af_modifyFlowCtl
0x100093c0 af_registerDriver
0x10009420 af_registerDriverEx
0x100040e0 af_setIPEventHandler
0x10003d20 af_setOptions
0x10003280 af_setRules
0x10003470 af_setRulesEx
0x10004220 af_setTCPFlowCtl
0x10002e20 af_setTCPTimeout
0x100042b0 af_setUDPFlowCtl
0x10002dd0 af_tcpClose
0x10002e50 af_tcpDisableFiltering
0x10003cc0 af_tcpIsProxy
0x10002db0 af_tcpPostReceive
0x10002d90 af_tcpPostSend
0x10002d00 af_tcpSetConnectionState
0x10003630 af_tcpSetSockOpt
0x10003000 af_udpDisableFiltering
0x10009480 af_udpPostReceive
0x10002fa0 af_udpPostSend
0x10002ee0 af_udpSetConnectionState
0x10002fd0 bind