ScreenShot
| Created | 2023.06.12 08:41 | Machine | s1_win7_x6401 |
| Filename | ai%E8%BF%9B%E7%A8%8B%E5%AE%88%E6%8A%A4.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | a3b7a00315b7ff714ea9f2a2660bb5b9 | ||
| sha256 | 08960b36601485c4589ad186cc3dea99dfbfe15b40e3d2615747791fdf137674 | ||
| ssdeep | 12288:xM04tD6kXMtOJpPh4JIOiXhRdIDIU1Dzoa0pAn:xMxD6kXM4Ph4I7d2H/ | ||
| imphash | 67a7056e4beedcd946232c27c372d6ab | ||
| impfuzzy | 24:+bVu9QHscpVWjD02tMS17BgdlJBl3eDoF8aNLOovbOtv7gGM0RFZp2OrtSr:dcpVwHtMS17BgDpxNN63FFFZ1tSr | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Zbot Generic URI/Header Struct .bin
ET MALWARE Generic .bin download from Dotted Quad
ET HUNTING Rejetto HTTP File Sever Response
ET MALWARE Generic .bin download from Dotted Quad
ET HUNTING Rejetto HTTP File Sever Response
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140064000 VirtualProtect
0x140064008 VirtualFree
0x140064010 VirtualAlloc
0x140064018 GetConsoleWindow
0x140064020 CreateFileW
0x140064028 SetStdHandle
0x140064030 SetEnvironmentVariableW
0x140064038 FreeEnvironmentStringsW
0x140064040 GetEnvironmentStringsW
0x140064048 EnterCriticalSection
0x140064050 LeaveCriticalSection
0x140064058 InitializeCriticalSectionEx
0x140064060 DeleteCriticalSection
0x140064068 EncodePointer
0x140064070 DecodePointer
0x140064078 MultiByteToWideChar
0x140064080 WideCharToMultiByte
0x140064088 LCMapStringEx
0x140064090 GetStringTypeW
0x140064098 GetCPInfo
0x1400640a0 RtlCaptureContext
0x1400640a8 RtlLookupFunctionEntry
0x1400640b0 RtlVirtualUnwind
0x1400640b8 UnhandledExceptionFilter
0x1400640c0 SetUnhandledExceptionFilter
0x1400640c8 GetCurrentProcess
0x1400640d0 TerminateProcess
0x1400640d8 IsProcessorFeaturePresent
0x1400640e0 QueryPerformanceCounter
0x1400640e8 GetCurrentProcessId
0x1400640f0 GetCurrentThreadId
0x1400640f8 GetSystemTimeAsFileTime
0x140064100 InitializeSListHead
0x140064108 IsDebuggerPresent
0x140064110 GetStartupInfoW
0x140064118 GetModuleHandleW
0x140064120 RtlUnwindEx
0x140064128 RtlPcToFileHeader
0x140064130 RaiseException
0x140064138 GetLastError
0x140064140 SetLastError
0x140064148 InitializeCriticalSectionAndSpinCount
0x140064150 TlsAlloc
0x140064158 TlsGetValue
0x140064160 TlsSetValue
0x140064168 TlsFree
0x140064170 FreeLibrary
0x140064178 GetProcAddress
0x140064180 LoadLibraryExW
0x140064188 RtlUnwind
0x140064190 GetModuleFileNameW
0x140064198 GetModuleHandleExW
0x1400641a0 HeapAlloc
0x1400641a8 HeapSize
0x1400641b0 HeapValidate
0x1400641b8 GetSystemInfo
0x1400641c0 GetStdHandle
0x1400641c8 WriteFile
0x1400641d0 ExitProcess
0x1400641d8 GetCommandLineA
0x1400641e0 GetCommandLineW
0x1400641e8 GetFileType
0x1400641f0 OutputDebugStringW
0x1400641f8 WriteConsoleW
0x140064200 GetFileSizeEx
0x140064208 SetFilePointerEx
0x140064210 FlushFileBuffers
0x140064218 GetConsoleOutputCP
0x140064220 GetConsoleMode
0x140064228 CloseHandle
0x140064230 FlsAlloc
0x140064238 FlsGetValue
0x140064240 FlsSetValue
0x140064248 FlsFree
0x140064250 CompareStringW
0x140064258 LCMapStringW
0x140064260 GetLocaleInfoW
0x140064268 IsValidLocale
0x140064270 GetUserDefaultLCID
0x140064278 EnumSystemLocalesW
0x140064280 HeapFree
0x140064288 HeapReAlloc
0x140064290 HeapQueryInformation
0x140064298 GetProcessHeap
0x1400642a0 ReadFile
0x1400642a8 ReadConsoleW
0x1400642b0 FindClose
0x1400642b8 FindFirstFileExW
0x1400642c0 FindNextFileW
0x1400642c8 IsValidCodePage
0x1400642d0 GetACP
0x1400642d8 GetOEMCP
0x1400642e0 SetEndOfFile
USER32.dll
0x1400642f0 ShowWindow
urlmon.dll
0x140064300 URLDownloadToFileA
EAT(Export Address Table) is none
KERNEL32.dll
0x140064000 VirtualProtect
0x140064008 VirtualFree
0x140064010 VirtualAlloc
0x140064018 GetConsoleWindow
0x140064020 CreateFileW
0x140064028 SetStdHandle
0x140064030 SetEnvironmentVariableW
0x140064038 FreeEnvironmentStringsW
0x140064040 GetEnvironmentStringsW
0x140064048 EnterCriticalSection
0x140064050 LeaveCriticalSection
0x140064058 InitializeCriticalSectionEx
0x140064060 DeleteCriticalSection
0x140064068 EncodePointer
0x140064070 DecodePointer
0x140064078 MultiByteToWideChar
0x140064080 WideCharToMultiByte
0x140064088 LCMapStringEx
0x140064090 GetStringTypeW
0x140064098 GetCPInfo
0x1400640a0 RtlCaptureContext
0x1400640a8 RtlLookupFunctionEntry
0x1400640b0 RtlVirtualUnwind
0x1400640b8 UnhandledExceptionFilter
0x1400640c0 SetUnhandledExceptionFilter
0x1400640c8 GetCurrentProcess
0x1400640d0 TerminateProcess
0x1400640d8 IsProcessorFeaturePresent
0x1400640e0 QueryPerformanceCounter
0x1400640e8 GetCurrentProcessId
0x1400640f0 GetCurrentThreadId
0x1400640f8 GetSystemTimeAsFileTime
0x140064100 InitializeSListHead
0x140064108 IsDebuggerPresent
0x140064110 GetStartupInfoW
0x140064118 GetModuleHandleW
0x140064120 RtlUnwindEx
0x140064128 RtlPcToFileHeader
0x140064130 RaiseException
0x140064138 GetLastError
0x140064140 SetLastError
0x140064148 InitializeCriticalSectionAndSpinCount
0x140064150 TlsAlloc
0x140064158 TlsGetValue
0x140064160 TlsSetValue
0x140064168 TlsFree
0x140064170 FreeLibrary
0x140064178 GetProcAddress
0x140064180 LoadLibraryExW
0x140064188 RtlUnwind
0x140064190 GetModuleFileNameW
0x140064198 GetModuleHandleExW
0x1400641a0 HeapAlloc
0x1400641a8 HeapSize
0x1400641b0 HeapValidate
0x1400641b8 GetSystemInfo
0x1400641c0 GetStdHandle
0x1400641c8 WriteFile
0x1400641d0 ExitProcess
0x1400641d8 GetCommandLineA
0x1400641e0 GetCommandLineW
0x1400641e8 GetFileType
0x1400641f0 OutputDebugStringW
0x1400641f8 WriteConsoleW
0x140064200 GetFileSizeEx
0x140064208 SetFilePointerEx
0x140064210 FlushFileBuffers
0x140064218 GetConsoleOutputCP
0x140064220 GetConsoleMode
0x140064228 CloseHandle
0x140064230 FlsAlloc
0x140064238 FlsGetValue
0x140064240 FlsSetValue
0x140064248 FlsFree
0x140064250 CompareStringW
0x140064258 LCMapStringW
0x140064260 GetLocaleInfoW
0x140064268 IsValidLocale
0x140064270 GetUserDefaultLCID
0x140064278 EnumSystemLocalesW
0x140064280 HeapFree
0x140064288 HeapReAlloc
0x140064290 HeapQueryInformation
0x140064298 GetProcessHeap
0x1400642a0 ReadFile
0x1400642a8 ReadConsoleW
0x1400642b0 FindClose
0x1400642b8 FindFirstFileExW
0x1400642c0 FindNextFileW
0x1400642c8 IsValidCodePage
0x1400642d0 GetACP
0x1400642d8 GetOEMCP
0x1400642e0 SetEndOfFile
USER32.dll
0x1400642f0 ShowWindow
urlmon.dll
0x140064300 URLDownloadToFileA
EAT(Export Address Table) is none