ScreenShot
| Created | 2023.06.11 23:25 | Machine | s1_win7_x6403 |
| Filename | 1IC.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 43 detected (Malicious, score, GenericKDZ, confidence, 100%, Rozena, Eldorado, Attribute, HighConfidence, high confidence, Cobalt, BackdoorX, pucbe, CobaltStrike, COBEACON, YXDFJZ, ai score=80, ShellcodeRunner, Detected, R572731, Artemis, unsafe, Gencirc) | ||
| md5 | 1747af9f1b9db5785c6913ac2ead8ef3 | ||
| sha256 | 5a268b88ea8b1cad2a07b43e855af3ad4f5e9fb0e1aef21ab4d2a66306c3dca4 | ||
| ssdeep | 3072:utNFuBMb+6qKQrKtoNFdUlaPPOirDv23byVT:Mr+lKQrQC0GT | ||
| imphash | 851b3b915be34ffd02bc31b65dd9a2a1 | ||
| impfuzzy | 48:qVoME9SmieFR+2/4jxQHQXiX1PnvNlTJGAYJiJlXkwqTjwGJ:qWMEgmhRH/4jxQHQXiX1PvfTJGtolVqL | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Network activity contains more than one unique useragent |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| info | Queries for the computername |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Cobalt Strike Beacon Observed
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14001c3c4 AddAtomA
0x14001c3cc AddVectoredExceptionHandler
0x14001c3d4 CloseHandle
0x14001c3dc CreateEventA
0x14001c3e4 CreateMutexA
0x14001c3ec CreateSemaphoreA
0x14001c3f4 DeleteAtom
0x14001c3fc DeleteCriticalSection
0x14001c404 DuplicateHandle
0x14001c40c EnterCriticalSection
0x14001c414 FindAtomA
0x14001c41c FormatMessageA
0x14001c424 GetAtomNameA
0x14001c42c GetCurrentProcess
0x14001c434 GetCurrentProcessId
0x14001c43c GetCurrentThread
0x14001c444 GetCurrentThreadId
0x14001c44c GetHandleInformation
0x14001c454 GetLastError
0x14001c45c GetModuleHandleA
0x14001c464 GetProcAddress
0x14001c46c GetProcessAffinityMask
0x14001c474 GetStartupInfoA
0x14001c47c GetSystemTimeAsFileTime
0x14001c484 GetThreadContext
0x14001c48c GetThreadPriority
0x14001c494 GetTickCount
0x14001c49c InitializeCriticalSection
0x14001c4a4 IsDBCSLeadByteEx
0x14001c4ac IsDebuggerPresent
0x14001c4b4 LeaveCriticalSection
0x14001c4bc LocalFree
0x14001c4c4 MultiByteToWideChar
0x14001c4cc OpenProcess
0x14001c4d4 OutputDebugStringA
0x14001c4dc QueryPerformanceCounter
0x14001c4e4 QueryPerformanceFrequency
0x14001c4ec RaiseException
0x14001c4f4 ReleaseMutex
0x14001c4fc ReleaseSemaphore
0x14001c504 RemoveVectoredExceptionHandler
0x14001c50c ResetEvent
0x14001c514 ResumeThread
0x14001c51c SetEvent
0x14001c524 SetLastError
0x14001c52c SetProcessAffinityMask
0x14001c534 SetThreadContext
0x14001c53c SetThreadPriority
0x14001c544 SetUnhandledExceptionFilter
0x14001c54c Sleep
0x14001c554 SuspendThread
0x14001c55c TlsAlloc
0x14001c564 TlsGetValue
0x14001c56c TlsSetValue
0x14001c574 TryEnterCriticalSection
0x14001c57c VirtualProtect
0x14001c584 VirtualQuery
0x14001c58c WaitForMultipleObjects
0x14001c594 WaitForSingleObject
0x14001c59c __C_specific_handler
msvcrt.dll
0x14001c5ac ___lc_codepage_func
0x14001c5b4 ___mb_cur_max_func
0x14001c5bc __getmainargs
0x14001c5c4 __initenv
0x14001c5cc __iob_func
0x14001c5d4 __lconv_init
0x14001c5dc __set_app_type
0x14001c5e4 __setusermatherr
0x14001c5ec _acmdln
0x14001c5f4 _amsg_exit
0x14001c5fc _beginthreadex
0x14001c604 _cexit
0x14001c60c _commode
0x14001c614 _endthreadex
0x14001c61c _errno
0x14001c624 _fmode
0x14001c62c _initterm
0x14001c634 _memccpy
0x14001c63c _onexit
0x14001c644 _setjmp
0x14001c64c _strdup
0x14001c654 _ultoa
0x14001c65c abort
0x14001c664 atoi
0x14001c66c calloc
0x14001c674 clock
0x14001c67c exit
0x14001c684 fprintf
0x14001c68c free
0x14001c694 fwrite
0x14001c69c getc
0x14001c6a4 islower
0x14001c6ac isspace
0x14001c6b4 isupper
0x14001c6bc isxdigit
0x14001c6c4 localeconv
0x14001c6cc longjmp
0x14001c6d4 malloc
0x14001c6dc memcpy
0x14001c6e4 memmove
0x14001c6ec memset
0x14001c6f4 printf
0x14001c6fc realloc
0x14001c704 signal
0x14001c70c strlen
0x14001c714 strncmp
0x14001c71c strtol
0x14001c724 strtoul
0x14001c72c tolower
0x14001c734 ungetc
0x14001c73c vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x14001c3c4 AddAtomA
0x14001c3cc AddVectoredExceptionHandler
0x14001c3d4 CloseHandle
0x14001c3dc CreateEventA
0x14001c3e4 CreateMutexA
0x14001c3ec CreateSemaphoreA
0x14001c3f4 DeleteAtom
0x14001c3fc DeleteCriticalSection
0x14001c404 DuplicateHandle
0x14001c40c EnterCriticalSection
0x14001c414 FindAtomA
0x14001c41c FormatMessageA
0x14001c424 GetAtomNameA
0x14001c42c GetCurrentProcess
0x14001c434 GetCurrentProcessId
0x14001c43c GetCurrentThread
0x14001c444 GetCurrentThreadId
0x14001c44c GetHandleInformation
0x14001c454 GetLastError
0x14001c45c GetModuleHandleA
0x14001c464 GetProcAddress
0x14001c46c GetProcessAffinityMask
0x14001c474 GetStartupInfoA
0x14001c47c GetSystemTimeAsFileTime
0x14001c484 GetThreadContext
0x14001c48c GetThreadPriority
0x14001c494 GetTickCount
0x14001c49c InitializeCriticalSection
0x14001c4a4 IsDBCSLeadByteEx
0x14001c4ac IsDebuggerPresent
0x14001c4b4 LeaveCriticalSection
0x14001c4bc LocalFree
0x14001c4c4 MultiByteToWideChar
0x14001c4cc OpenProcess
0x14001c4d4 OutputDebugStringA
0x14001c4dc QueryPerformanceCounter
0x14001c4e4 QueryPerformanceFrequency
0x14001c4ec RaiseException
0x14001c4f4 ReleaseMutex
0x14001c4fc ReleaseSemaphore
0x14001c504 RemoveVectoredExceptionHandler
0x14001c50c ResetEvent
0x14001c514 ResumeThread
0x14001c51c SetEvent
0x14001c524 SetLastError
0x14001c52c SetProcessAffinityMask
0x14001c534 SetThreadContext
0x14001c53c SetThreadPriority
0x14001c544 SetUnhandledExceptionFilter
0x14001c54c Sleep
0x14001c554 SuspendThread
0x14001c55c TlsAlloc
0x14001c564 TlsGetValue
0x14001c56c TlsSetValue
0x14001c574 TryEnterCriticalSection
0x14001c57c VirtualProtect
0x14001c584 VirtualQuery
0x14001c58c WaitForMultipleObjects
0x14001c594 WaitForSingleObject
0x14001c59c __C_specific_handler
msvcrt.dll
0x14001c5ac ___lc_codepage_func
0x14001c5b4 ___mb_cur_max_func
0x14001c5bc __getmainargs
0x14001c5c4 __initenv
0x14001c5cc __iob_func
0x14001c5d4 __lconv_init
0x14001c5dc __set_app_type
0x14001c5e4 __setusermatherr
0x14001c5ec _acmdln
0x14001c5f4 _amsg_exit
0x14001c5fc _beginthreadex
0x14001c604 _cexit
0x14001c60c _commode
0x14001c614 _endthreadex
0x14001c61c _errno
0x14001c624 _fmode
0x14001c62c _initterm
0x14001c634 _memccpy
0x14001c63c _onexit
0x14001c644 _setjmp
0x14001c64c _strdup
0x14001c654 _ultoa
0x14001c65c abort
0x14001c664 atoi
0x14001c66c calloc
0x14001c674 clock
0x14001c67c exit
0x14001c684 fprintf
0x14001c68c free
0x14001c694 fwrite
0x14001c69c getc
0x14001c6a4 islower
0x14001c6ac isspace
0x14001c6b4 isupper
0x14001c6bc isxdigit
0x14001c6c4 localeconv
0x14001c6cc longjmp
0x14001c6d4 malloc
0x14001c6dc memcpy
0x14001c6e4 memmove
0x14001c6ec memset
0x14001c6f4 printf
0x14001c6fc realloc
0x14001c704 signal
0x14001c70c strlen
0x14001c714 strncmp
0x14001c71c strtol
0x14001c724 strtoul
0x14001c72c tolower
0x14001c734 ungetc
0x14001c73c vfprintf
EAT(Export Address Table) is none