ScreenShot
| Created | 2023.06.19 09:40 | Machine | s1_win7_x6403 |
| Filename | hza93jto37.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 25 detected (AIDetectMalware, Zusy, malicious, ZexaF, QuZ@aWaLpcm, Attribute, HighConfidence, high confidence, score, PWSX, ai score=86, Wacatac, Generic@AI, RDMK, cmRtazo5lzXIA9yXZ8uhkhHrE+sn, susgen, confidence) | ||
| md5 | 77202c57066c182a76514cae6c1aa0e1 | ||
| sha256 | ebfb1c3be89d312d79b273bba951ec9c4abdfcae5e259aa57d925500b24961d3 | ||
| ssdeep | 12288:LbsaH7DjoFcnpVvRLxVuPb7w2fAXdp+vNwQaaGCwcaG8gwCfo9t9D:LAaH7foFcnphsPbc24Np6NwQaRlcavg4 | ||
| imphash | 367ec698363d9c97d916349e5b0aa543 | ||
| impfuzzy | 24:ZGOrOocpVWZsmrYtMS1IGhlJBlxeDoLoEOovbOIFuFZMv3GMAEWEZHu9n:ZGOr1cpVeVrYtMS1IGnXXc3iuFZGT4 | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
USER32.dll
0x443158 GetWindowRect
0x44315c DragDetect
0x443160 ShowWindow
GDI32.dll
0x443000 SwapBuffers
0x443004 GetBitmapDimensionEx
KERNEL32.dll
0x44300c GetProcessHeap
0x443010 HeapSize
0x443014 CreateFileW
0x443018 TlsFree
0x44301c VirtualProtectEx
0x443020 GetConsoleWindow
0x443024 WideCharToMultiByte
0x443028 MultiByteToWideChar
0x44302c EnterCriticalSection
0x443030 LeaveCriticalSection
0x443034 InitializeCriticalSectionEx
0x443038 DeleteCriticalSection
0x44303c EncodePointer
0x443040 DecodePointer
0x443044 LCMapStringEx
0x443048 GetLocaleInfoEx
0x44304c GetStringTypeW
0x443050 CompareStringEx
0x443054 GetCPInfo
0x443058 UnhandledExceptionFilter
0x44305c SetUnhandledExceptionFilter
0x443060 GetCurrentProcess
0x443064 TerminateProcess
0x443068 IsProcessorFeaturePresent
0x44306c QueryPerformanceCounter
0x443070 GetCurrentProcessId
0x443074 GetCurrentThreadId
0x443078 GetSystemTimeAsFileTime
0x44307c InitializeSListHead
0x443080 IsDebuggerPresent
0x443084 GetStartupInfoW
0x443088 GetModuleHandleW
0x44308c SetStdHandle
0x443090 RaiseException
0x443094 RtlUnwind
0x443098 GetLastError
0x44309c SetLastError
0x4430a0 InitializeCriticalSectionAndSpinCount
0x4430a4 TlsAlloc
0x4430a8 TlsGetValue
0x4430ac TlsSetValue
0x4430b0 WriteConsoleW
0x4430b4 FreeLibrary
0x4430b8 GetProcAddress
0x4430bc LoadLibraryExW
0x4430c0 GetStdHandle
0x4430c4 WriteFile
0x4430c8 GetModuleFileNameW
0x4430cc ExitProcess
0x4430d0 GetModuleHandleExW
0x4430d4 GetCommandLineA
0x4430d8 GetCommandLineW
0x4430dc HeapFree
0x4430e0 HeapAlloc
0x4430e4 GetDateFormatW
0x4430e8 GetTimeFormatW
0x4430ec CompareStringW
0x4430f0 LCMapStringW
0x4430f4 GetLocaleInfoW
0x4430f8 IsValidLocale
0x4430fc GetUserDefaultLCID
0x443100 EnumSystemLocalesW
0x443104 GetFileType
0x443108 HeapReAlloc
0x44310c CloseHandle
0x443110 FlushFileBuffers
0x443114 GetConsoleOutputCP
0x443118 GetConsoleMode
0x44311c ReadFile
0x443120 GetFileSizeEx
0x443124 SetFilePointerEx
0x443128 ReadConsoleW
0x44312c GetTimeZoneInformation
0x443130 FindClose
0x443134 FindFirstFileExW
0x443138 FindNextFileW
0x44313c IsValidCodePage
0x443140 GetACP
0x443144 GetOEMCP
0x443148 GetEnvironmentStringsW
0x44314c FreeEnvironmentStringsW
0x443150 SetEnvironmentVariableW
EAT(Export Address Table) is none
USER32.dll
0x443158 GetWindowRect
0x44315c DragDetect
0x443160 ShowWindow
GDI32.dll
0x443000 SwapBuffers
0x443004 GetBitmapDimensionEx
KERNEL32.dll
0x44300c GetProcessHeap
0x443010 HeapSize
0x443014 CreateFileW
0x443018 TlsFree
0x44301c VirtualProtectEx
0x443020 GetConsoleWindow
0x443024 WideCharToMultiByte
0x443028 MultiByteToWideChar
0x44302c EnterCriticalSection
0x443030 LeaveCriticalSection
0x443034 InitializeCriticalSectionEx
0x443038 DeleteCriticalSection
0x44303c EncodePointer
0x443040 DecodePointer
0x443044 LCMapStringEx
0x443048 GetLocaleInfoEx
0x44304c GetStringTypeW
0x443050 CompareStringEx
0x443054 GetCPInfo
0x443058 UnhandledExceptionFilter
0x44305c SetUnhandledExceptionFilter
0x443060 GetCurrentProcess
0x443064 TerminateProcess
0x443068 IsProcessorFeaturePresent
0x44306c QueryPerformanceCounter
0x443070 GetCurrentProcessId
0x443074 GetCurrentThreadId
0x443078 GetSystemTimeAsFileTime
0x44307c InitializeSListHead
0x443080 IsDebuggerPresent
0x443084 GetStartupInfoW
0x443088 GetModuleHandleW
0x44308c SetStdHandle
0x443090 RaiseException
0x443094 RtlUnwind
0x443098 GetLastError
0x44309c SetLastError
0x4430a0 InitializeCriticalSectionAndSpinCount
0x4430a4 TlsAlloc
0x4430a8 TlsGetValue
0x4430ac TlsSetValue
0x4430b0 WriteConsoleW
0x4430b4 FreeLibrary
0x4430b8 GetProcAddress
0x4430bc LoadLibraryExW
0x4430c0 GetStdHandle
0x4430c4 WriteFile
0x4430c8 GetModuleFileNameW
0x4430cc ExitProcess
0x4430d0 GetModuleHandleExW
0x4430d4 GetCommandLineA
0x4430d8 GetCommandLineW
0x4430dc HeapFree
0x4430e0 HeapAlloc
0x4430e4 GetDateFormatW
0x4430e8 GetTimeFormatW
0x4430ec CompareStringW
0x4430f0 LCMapStringW
0x4430f4 GetLocaleInfoW
0x4430f8 IsValidLocale
0x4430fc GetUserDefaultLCID
0x443100 EnumSystemLocalesW
0x443104 GetFileType
0x443108 HeapReAlloc
0x44310c CloseHandle
0x443110 FlushFileBuffers
0x443114 GetConsoleOutputCP
0x443118 GetConsoleMode
0x44311c ReadFile
0x443120 GetFileSizeEx
0x443124 SetFilePointerEx
0x443128 ReadConsoleW
0x44312c GetTimeZoneInformation
0x443130 FindClose
0x443134 FindFirstFileExW
0x443138 FindNextFileW
0x44313c IsValidCodePage
0x443140 GetACP
0x443144 GetOEMCP
0x443148 GetEnvironmentStringsW
0x44314c FreeEnvironmentStringsW
0x443150 SetEnvironmentVariableW
EAT(Export Address Table) is none