Field | Value |
---|---|
Created | 2023.06.21 05:30 |
Machine | s1_win7_x6403 |
Filename | done.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 26 detected (AIDetectMalware, malicious, high confidence, Fugrafa, Artemis, V2do, confidence, Attribute, HighConfidence, score, PWSX, RHADAMANTHYS, YXDFTZ, Static AI, Suspicious PE, Casdet, ZexaF, DLY@au@Z@opi, ai score=83, BScope, Chgt, CLOUD) |
md5 | 76ede52958acde30e4eb548b60192d26 |
sha256 | d123c9b1b0c55587b7a7036555b22967291543004e233520c7e1cf2ac8668869 |
ssdeep | 24576:9398hIvedCLcL65fsuDFvIQjeeF1BIkxl7MIPVaUmsJ:9tZeLypvIDe1BIkn7M8VaUpJ |
imphash | 0137f7a4db1baf3e8897c47a9441b8c7 |
impfuzzy | 24:+cpVPOXtMSYEoeD/zhyJe1lh71kv7rT8uFZoSOovbOPZHu9CGMAH:+cpVPOXtMSG8z/r1uQuFZA34 |
Network IP location
Signature (8cnts)
Level | Description |
---|---|
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x5c8000 Sleep
0x5c8004 CloseHandle
0x5c8008 EnterCriticalSection
0x5c800c LeaveCriticalSection
0x5c8010 InitializeCriticalSectionEx
0x5c8014 DeleteCriticalSection
0x5c8018 GetCurrentThreadId
0x5c801c IsDebuggerPresent
0x5c8020 RaiseException
0x5c8024 MultiByteToWideChar
0x5c8028 WideCharToMultiByte
0x5c802c UnhandledExceptionFilter
0x5c8030 SetUnhandledExceptionFilter
0x5c8034 GetCurrentProcess
0x5c8038 TerminateProcess
0x5c803c IsProcessorFeaturePresent
0x5c8040 QueryPerformanceCounter
0x5c8044 GetCurrentProcessId
0x5c8048 GetSystemTimeAsFileTime
0x5c804c InitializeSListHead
0x5c8050 GetStartupInfoW
0x5c8054 GetModuleHandleW
0x5c8058 GetLastError
0x5c805c HeapAlloc
0x5c8060 HeapFree
0x5c8064 GetProcessHeap
0x5c8068 VirtualQuery
0x5c806c FreeLibrary
0x5c8070 GetProcAddress
0x5c8074 RtlUnwind
0x5c8078 InterlockedPushEntrySList
0x5c807c InterlockedFlushSList
0x5c8080 GetModuleFileNameW
0x5c8084 LoadLibraryExW
0x5c8088 SetLastError
0x5c808c EncodePointer
0x5c8090 InitializeCriticalSectionAndSpinCount
0x5c8094 TlsAlloc
0x5c8098 TlsGetValue
0x5c809c TlsSetValue
0x5c80a0 TlsFree
0x5c80a4 GetModuleHandleExW
0x5c80a8 GetStdHandle
0x5c80ac WriteFile
0x5c80b0 ExitProcess
0x5c80b4 HeapValidate
0x5c80b8 GetSystemInfo
0x5c80bc GetCurrentThread
0x5c80c0 GetFileType
0x5c80c4 OutputDebugStringW
0x5c80c8 WriteConsoleW
0x5c80cc SetConsoleCtrlHandler
0x5c80d0 GetDateFormatW
0x5c80d4 GetTimeFormatW
0x5c80d8 CompareStringW
0x5c80dc LCMapStringW
0x5c80e0 GetLocaleInfoW
0x5c80e4 IsValidLocale
0x5c80e8 GetUserDefaultLCID
0x5c80ec EnumSystemLocalesW
0x5c80f0 FindClose
0x5c80f4 FindFirstFileExW
0x5c80f8 FindNextFileW
0x5c80fc IsValidCodePage
0x5c8100 GetACP
0x5c8104 GetOEMCP
0x5c8108 GetCPInfo
0x5c810c GetCommandLineA
0x5c8110 GetCommandLineW
0x5c8114 GetEnvironmentStringsW
0x5c8118 FreeEnvironmentStringsW
0x5c811c SetEnvironmentVariableW
0x5c8120 SetStdHandle
0x5c8124 GetStringTypeW
0x5c8128 HeapReAlloc
0x5c812c HeapSize
0x5c8130 HeapQueryInformation
0x5c8134 GetFileSizeEx
0x5c8138 SetFilePointerEx
0x5c813c FlushFileBuffers
0x5c8140 GetConsoleOutputCP
0x5c8144 GetConsoleMode
0x5c8148 ReadFile
0x5c814c ReadConsoleW
0x5c8150 DecodePointer
0x5c8154 CreateFileW
EAT (Export Address Table) is none