Field | Value |
---|---|
Created | 2023.06.20 17:33 |
Machine | s1_win7_x6403 |
Filename | Service64.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file: malware |
VT API (file) | 39 detected (AIDetectMalware, GenericKD, Save, Kryptik, malicious, ZexaF, FzW@aOz, p6hi, Attribute, HighConfidence, high confidence, HTQR, score, Matanbuchus, nandl, high, Static AI, Malicious PE, ai score=89, Wacatac, CredStealer, D8MWR1, Detected, Artemis, unsafe, R002H0DFJ23, Convagent, k8mANxEH1xD, ESYR, confidence) |
md5 | c845efe0b7345f8a3bcfa5f7a5681b9b |
sha256 | cb058d57e98615b394f8cdf007049b606781570cf7647b32cb7d100c651146d4 |
ssdeep | 24576:/U4bhPbuU5KSnXAW7WFasH3CJkFAsuWyTq+:cYhPFgSnwW5JkFBTf+ |
imphash | 4efb63d835bfd91987648120a37175c5 |
impfuzzy | 24:F8jTcpVWZjxD2te4GhlJBl39WuPLOovbO3kFZMv5GMA+EZHu95:F0cpVejQte4Gnpn630FZGf |
Network IP location
Signature (17cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | One or more potentially interesting buffers were extracted |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (16cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | KeyLogger | Run a KeyLogger | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x426000 FreeConsole
0x426004 GetModuleHandleW
0x426008 MultiByteToWideChar
0x42600c GetStringTypeW
0x426010 WideCharToMultiByte
0x426014 GetCurrentThreadId
0x426018 CloseHandle
0x42601c WaitForSingleObjectEx
0x426020 GetExitCodeThread
0x426024 EnterCriticalSection
0x426028 LeaveCriticalSection
0x42602c InitializeCriticalSectionEx
0x426030 DeleteCriticalSection
0x426034 EncodePointer
0x426038 DecodePointer
0x42603c LCMapStringEx
0x426040 QueryPerformanceCounter
0x426044 GetSystemTimeAsFileTime
0x426048 GetProcAddress
0x42604c GetCPInfo
0x426050 IsProcessorFeaturePresent
0x426054 UnhandledExceptionFilter
0x426058 SetUnhandledExceptionFilter
0x42605c GetCurrentProcess
0x426060 TerminateProcess
0x426064 GetCurrentProcessId
0x426068 InitializeSListHead
0x42606c IsDebuggerPresent
0x426070 GetStartupInfoW
0x426074 CreateFileW
0x426078 RaiseException
0x42607c RtlUnwind
0x426080 GetLastError
0x426084 SetLastError
0x426088 InitializeCriticalSectionAndSpinCount
0x42608c TlsAlloc
0x426090 TlsGetValue
0x426094 TlsSetValue
0x426098 TlsFree
0x42609c FreeLibrary
0x4260a0 LoadLibraryExW
0x4260a4 CreateThread
0x4260a8 ExitThread
0x4260ac FreeLibraryAndExitThread
0x4260b0 GetModuleHandleExW
0x4260b4 GetStdHandle
0x4260b8 WriteFile
0x4260bc GetModuleFileNameW
0x4260c0 ExitProcess
0x4260c4 GetCommandLineA
0x4260c8 GetCommandLineW
0x4260cc HeapAlloc
0x4260d0 HeapFree
0x4260d4 CompareStringW
0x4260d8 LCMapStringW
0x4260dc GetLocaleInfoW
0x4260e0 IsValidLocale
0x4260e4 GetUserDefaultLCID
0x4260e8 EnumSystemLocalesW
0x4260ec GetFileType
0x4260f0 GetFileSizeEx
0x4260f4 SetFilePointerEx
0x4260f8 FlushFileBuffers
0x4260fc GetConsoleOutputCP
0x426100 GetConsoleMode
0x426104 ReadFile
0x426108 HeapReAlloc
0x42610c FindClose
0x426110 FindFirstFileExW
0x426114 FindNextFileW
0x426118 IsValidCodePage
0x42611c GetACP
0x426120 GetOEMCP
0x426124 GetEnvironmentStringsW
0x426128 FreeEnvironmentStringsW
0x42612c SetEnvironmentVariableW
0x426130 SetStdHandle
0x426134 GetProcessHeap
0x426138 ReadConsoleW
0x42613c HeapSize
0x426140 WriteConsoleW
EAT (Export Address Table): none