Field | Value
---|---
Created | 2023.06.07 07:45
Machine | s1_win7_x6401
Filename | Jonh.exe
Type | PE32 executable (console) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : malware
VT API (file) | 24 detected (AIDetectMalware, malicious, high confidence, Artemis, Save, ZexaE, ru2@aCg7nidi, Kryptik, Eldorado, Attribute, HighConfidence, HTSS, Convagent, TrojanX, high, score, Sabsik, unsafe, RedLine)
md5 | 99c0cd96d46794e20fa539b20e4cff64
sha256 | b35a9c4ab45487ac9ba5b5717d975d76679a93a76c81fdd8e18841f16d2266f0
ssdeep | 6144:krcV9LR1LM8FaGwVIF52EskSvtpF/mZpgx:5V9jLM8QGwVIn2EskSFjMyx
imphash | 9a420839291c450c6e0e5c21b3466023
impfuzzy | 24:mDROWMjOovg/J3JKnktLQFQQyvDkRT4Qf4plWf:NWMCHhtL3DgcQfAIf
Signatures (4)
Level | Description
---|---
warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious
watch | Communicates with host for which no DNS query was performed
notice | Allocates read-write-execute memory (usually to unpack itself)
info | The executable contains unknown PE section names indicative of a packer (could be a false positive)
Rules (5)
Level | Name | Description | Collection
---|---|---|---
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload)
watch | UPX_Zero | UPX packed file | binaries (upload)
info | IsPE32 | (no description) | binaries (upload)
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload)
info | PE_Header_Zero | PE File Signature | binaries (upload)
PE API
IAT (Import Address Table) libraries
KERNEL32.dll
0x415000 GetProcAddress
0x415004 GetModuleHandleA
0x415008 MultiByteToWideChar
0x41500c GetEnvironmentStringsW
0x415010 QueryPerformanceFrequency
0x415014 RtlUnwind
0x415018 RaiseException
0x41501c GetCommandLineA
0x415020 GetModuleHandleW
0x415024 TlsGetValue
0x415028 TlsAlloc
0x41502c TlsSetValue
0x415030 TlsFree
0x415034 InterlockedIncrement
0x415038 SetLastError
0x41503c GetCurrentThreadId
0x415040 GetLastError
0x415044 InterlockedDecrement
0x415048 HeapFree
0x41504c HeapAlloc
0x415050 TerminateProcess
0x415054 GetCurrentProcess
0x415058 UnhandledExceptionFilter
0x41505c SetUnhandledExceptionFilter
0x415060 IsDebuggerPresent
0x415064 Sleep
0x415068 ExitProcess
0x41506c WriteFile
0x415070 GetStdHandle
0x415074 GetModuleFileNameA
0x415078 FreeEnvironmentStringsA
0x41507c GetEnvironmentStrings
0x415080 FreeEnvironmentStringsW
0x415084 WideCharToMultiByte
0x415088 SetHandleCount
0x41508c GetFileType
0x415090 GetStartupInfoA
0x415094 DeleteCriticalSection
0x415098 HeapCreate
0x41509c VirtualFree
0x4150a0 QueryPerformanceCounter
0x4150a4 GetTickCount
0x4150a8 GetCurrentProcessId
0x4150ac GetSystemTimeAsFileTime
0x4150b0 GetCPInfo
0x4150b4 GetACP
0x4150b8 GetOEMCP
0x4150bc IsValidCodePage
0x4150c0 LeaveCriticalSection
0x4150c4 EnterCriticalSection
0x4150c8 VirtualAlloc
0x4150cc HeapReAlloc
0x4150d0 HeapSize
0x4150d4 LoadLibraryA
0x4150d8 InitializeCriticalSectionAndSpinCount
0x4150dc LCMapStringA
0x4150e0 LCMapStringW
0x4150e4 GetStringTypeA
0x4150e8 GetStringTypeW
0x4150ec GetLocaleInfoA
EAT (Export Address Table): none
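The imphash in the header is a function of exactly the import table listed above, and two of the rules (UPX_Zero and the unknown-section-name notice) are packer heuristics that can be re-derived by hand. Note that GetProcAddress, LoadLibraryA, VirtualAlloc and IsDebuggerPresent are all ordinary MSVC C runtime imports, so on their own they indicate neither packing nor anti-debugging, and a 60-entry KERNEL32 table is far larger than the handful a UPX stub normally keeps, which makes the UPX_Zero match worth confirming manually. The following Python is a worked example added to this page, not the sandbox's own code: it recomputes the imphash from the listed imports the way pefile does and re-derives the packer signals. Section names are not shown anywhere in this report, so the UPX-style and MSVC-style section lists, and the UPX stub import list, are constructed inputs used only to exercise the heuristics.

```python
"""Recompute the imphash from the import table above and re-derive the
packer heuristics the sandbox rules describe.

Added example for this report page, not the sandbox's own code.  The import
list is copied from the KERNEL32.dll IAT listing; section names are not
shown anywhere in the report, so every section list below is constructed.
"""
import hashlib

# The 60 KERNEL32.dll imports exactly as listed above, in IAT order
# (slots 0x415000 .. 0x4150ec, 4 bytes each).
KERNEL32_IMPORTS = [
    "GetProcAddress", "GetModuleHandleA", "MultiByteToWideChar",
    "GetEnvironmentStringsW", "QueryPerformanceFrequency", "RtlUnwind",
    "RaiseException", "GetCommandLineA", "GetModuleHandleW", "TlsGetValue",
    "TlsAlloc", "TlsSetValue", "TlsFree", "InterlockedIncrement",
    "SetLastError", "GetCurrentThreadId", "GetLastError",
    "InterlockedDecrement", "HeapFree", "HeapAlloc", "TerminateProcess",
    "GetCurrentProcess", "UnhandledExceptionFilter",
    "SetUnhandledExceptionFilter", "IsDebuggerPresent", "Sleep",
    "ExitProcess", "WriteFile", "GetStdHandle", "GetModuleFileNameA",
    "FreeEnvironmentStringsA", "GetEnvironmentStrings",
    "FreeEnvironmentStringsW", "WideCharToMultiByte", "SetHandleCount",
    "GetFileType", "GetStartupInfoA", "DeleteCriticalSection", "HeapCreate",
    "VirtualFree", "QueryPerformanceCounter", "GetTickCount",
    "GetCurrentProcessId", "GetSystemTimeAsFileTime", "GetCPInfo", "GetACP",
    "GetOEMCP", "IsValidCodePage", "LeaveCriticalSection",
    "EnterCriticalSection", "VirtualAlloc", "HeapReAlloc", "HeapSize",
    "LoadLibraryA", "InitializeCriticalSectionAndSpinCount", "LCMapStringA",
    "LCMapStringW", "GetStringTypeA", "GetStringTypeW", "GetLocaleInfoA",
]
REPORTED_IMPHASH = "9a420839291c450c6e0e5c21b3466023"  # from the report header

# Constructed inputs (NOT from the report) used to exercise the heuristics.
UPX_STYLE_SECTIONS = ["UPX0", "UPX1", ".rsrc"]
UPX_STUB_IMPORTS = [("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress",
                                      "VirtualProtect", "ExitProcess"])]
MSVC_STYLE_SECTIONS = [".text", ".rdata", ".data", ".rsrc"]

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".bss", ".tls", ".pdata"}
PACKER_SECTIONS = {"upx0", "upx1", "upx2", ".upx", ".aspack", ".adata",
                   ".petite", ".nsp0", ".nsp1", ".mpress1", ".mpress2",
                   ".themida", ".vmp0", ".vmp1", ".enigma1", ".enigma2"}
DYNAMIC_RESOLUTION = {"getprocaddress", "loadlibrarya", "loadlibraryw"}


def imphash(imports):
    """imphash as pefile computes it: md5 over 'lib.func' strings with the
    library lower-cased and a .dll/.ocx/.sys extension stripped, the function
    lower-cased, joined by commas in import-directory order.  Imports by
    ordinal (none in this report) are not handled here."""
    parts = []
    for lib, funcs in imports:
        lib = lib.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def matches_report():
    """True when the hash recomputed from the listed imports equals the
    header value.  A mismatch means the listing is truncated or reordered,
    not that the header is wrong."""
    return imphash([("KERNEL32.dll", KERNEL32_IMPORTS)]) == REPORTED_IMPHASH


def packer_indicators(section_names, imports, minimal_import_limit=8):
    """Re-derive the packer-related signals the rules fire on, strongest
    first.  The last two are deliberately labelled weak: GetProcAddress,
    LoadLibraryA and IsDebuggerPresent are ordinary MSVC CRT imports."""
    names = {s.lower() for s in section_names}
    funcs = {f.lower() for _, fs in imports for f in fs}
    out = []
    if names & PACKER_SECTIONS:
        out.append("packer_section_names")        # UPX_Zero-style rule
    if names - STANDARD_SECTIONS - PACKER_SECTIONS:
        out.append("unknown_section_names")       # the 'could be a false positive' notice
    total = sum(len(fs) for _, fs in imports)
    if total <= minimal_import_limit and funcs & DYNAMIC_RESOLUTION:
        out.append("minimal_import_table")        # stub resolves real imports at run time
    elif funcs & DYNAMIC_RESOLUTION:
        out.append("dynamic_resolution_imports")  # weak on its own
    if "isdebuggerpresent" in funcs:
        out.append("isdebuggerpresent")           # weak: CRT exception filter imports it
    return out


if __name__ == "__main__":
    mine = imphash([("KERNEL32.dll", KERNEL32_IMPORTS)])
    print(f"recomputed imphash: {mine}  reported: {REPORTED_IMPHASH}  match: {matches_report()}")
    print("report file  :", packer_indicators(MSVC_STYLE_SECTIONS, [("KERNEL32.dll", KERNEL32_IMPORTS)]))
    print("UPX-like stub:", packer_indicators(UPX_STYLE_SECTIONS, UPX_STUB_IMPORTS))
```

Run as a script it prints the recomputed hash beside the reported one. If the table above lists every import in IAT order the two agree; a mismatch points at a truncated or reordered listing, not at an error in the header. Against the constructed UPX-style stub the heuristics return the two strong indicators, while the report's own import list with ordinary MSVC section names yields only the two weak ones, which is the point of the caveat above.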