Field | Value |
---|---|
Created | 2023.06.19 09:44 |
Machine | s1_win7_x6403 |
Filename | 11.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 22 detected (AIDetectMalware, Attribute, HighConfidence, malicious, high confidence, PWSX, AGEN, high, score, Static AI, Malicious PE, Detected, Wacapew, unsafe, Generic@AI, RDML, FJqoNOlI3LHnJfvEW5GdZw, susgen, ZexaF, mq0@aCA883ii, confidence) |
md5 | 807e357f04ecc60c6ee77725b584cbda |
sha256 | f42f905e53103ceafc6c83c23657663e9ea3288732deb8e5bbc38812e79033e3 |
ssdeep | 6144:3LPMfpIT+wBBEHArokOAz9DoiAlTxGj0u:7eIZz9Do9Tx |
imphash | b88ff38d8a9dd531263365f3574a285e |
impfuzzy | 24:t3jt7DWMjOovg/J3JKnktsQFQ8RyvDkRT4QfalWyR:uMCHhts3DgcQfaIyR |
Network IP location
Signature (16 counts)
Level | Description |
---|---|
warning | File has been identified by 22 AntiVirus engines on VirusTotal as malicious |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (5 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x411008 CreateThread
0x41100c lstrlenW
0x411010 VirtualProtect
0x411014 WaitForSingleObject
0x411018 LoadLibraryA
0x41101c VirtualAlloc
0x411020 GetModuleHandleA
0x411024 GetProcAddress
0x411028 Sleep
0x41102c RtlUnwind
0x411030 RaiseException
0x411034 GetCommandLineA
0x411038 GetModuleHandleW
0x41103c TlsGetValue
0x411040 TlsAlloc
0x411044 TlsSetValue
0x411048 TlsFree
0x41104c InterlockedIncrement
0x411050 SetLastError
0x411054 GetCurrentThreadId
0x411058 GetLastError
0x41105c InterlockedDecrement
0x411060 HeapFree
0x411064 HeapAlloc
0x411068 TerminateProcess
0x41106c GetCurrentProcess
0x411070 UnhandledExceptionFilter
0x411074 SetUnhandledExceptionFilter
0x411078 IsDebuggerPresent
0x41107c ExitProcess
0x411080 WriteFile
0x411084 GetStdHandle
0x411088 GetModuleFileNameA
0x41108c FreeEnvironmentStringsA
0x411090 GetEnvironmentStrings
0x411094 FreeEnvironmentStringsW
0x411098 WideCharToMultiByte
0x41109c GetEnvironmentStringsW
0x4110a0 SetHandleCount
0x4110a4 GetFileType
0x4110a8 GetStartupInfoA
0x4110ac DeleteCriticalSection
0x4110b0 HeapCreate
0x4110b4 VirtualFree
0x4110b8 QueryPerformanceCounter
0x4110bc GetTickCount
0x4110c0 GetCurrentProcessId
0x4110c4 GetSystemTimeAsFileTime
0x4110c8 GetCPInfo
0x4110cc GetACP
0x4110d0 GetOEMCP
0x4110d4 IsValidCodePage
0x4110d8 LeaveCriticalSection
0x4110dc EnterCriticalSection
0x4110e0 HeapReAlloc
0x4110e4 HeapSize
0x4110e8 InitializeCriticalSectionAndSpinCount
0x4110ec LCMapStringA
0x4110f0 MultiByteToWideChar
0x4110f4 LCMapStringW
0x4110f8 GetStringTypeA
0x4110fc GetStringTypeW
0x411100 GetLocaleInfoA
GDI32.dll
0x411000 GdiGetBatchLimit
EAT (Export Address Table): none