Field | Value |
---|---|
Created | 2023.06.15 07:28 |
Machine | s1_win7_x6401 |
Filename | dr_mails_.ipb.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 956d79812c98bbb5f5ba609cba79d5ee |
sha256 | cda1ea0f3ee3f632981cad049258b5054acce691b98ceba725c14c6d9ff02077 |
ssdeep | 6144:5aaOQpfmmD7GFvjzQDlfHVuo4j5sh9Mk3oiHwMeEdyB7IuqGNqVZnnB9paDpeVtt:5aaOWzqunIWroiHwffSuZNqVNnlIYVP |
imphash | 518b2345d494b1e80417ecf496968b80 |
impfuzzy | 12:jObXmIvYaARJRZqR5j7Iv+bjO2lgMCZfhhTZ3:jOWPfc5jI+bjO6gMgHt |
Network IP location
Signatures (10 counts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (10 counts)
Level | Name | Description | Collection |
---|---|---|---|
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0 counts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table)
KERNEL32.dll
0x404000 GetCommandLineW
0x404004 CreateFileW
0x404008 FlushFileBuffers
0x40400c GetFileInformationByHandle
0x404010 SetFileValidData
0x404014 DisconnectNamedPipe
0x404018 HeapCreate
0x40401c InitializeCriticalSection
0x404020 EnterCriticalSection
0x404024 LeaveCriticalSection
0x404028 SetEvent
0x40402c ResetEvent
0x404030 WaitForSingleObject
0x404034 CreateMutexW
0x404038 CreateEventW
0x40403c WaitForMultipleObjects
0x404040 DisableThreadLibraryCalls
0x404044 GetModuleHandleA
0x404048 ConvertFiberToThread
0x40404c DeleteAtom
0x404050 GetCommMask
0x404054 EraseTape
0x404058 AddAtomW
0x40405c FindAtomW
0x404060 GetAtomNameW
EAT (Export Address Table): none