ScreenShot
| Created | 2023.07.04 11:14 | Machine | s1_win7_x6403 |
| Filename | JD%20Business%20Plan%202023.lnk | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 4 detected (Bobik, Malgent) | ||
| md5 | 229b39c9a2ed47dd87d2eae54f11f41f | ||
| sha256 | 0d82b1a03a626ae36f777573c66de32b4b5487be24137baa06b9f3da6538166a | ||
| ssdeep | 1572864:uohRuJvESn4nTKLbKVDCsAq3rYkctmFV1Ga6cbgghbqa9Kbu3bFYF8R0ROt11L98:uMu72TKLbyqOc | ||
| imphash | bf1462ce2cfa173883d7ac57d7af7b93 | ||
| impfuzzy | 48:5fcxuMXLgvgLbpPXjjutSyU8YeBMQSELSQw0oIOuKhwo44f9LHIdjJrLBWzNSl:5fcxuMXLgvgLbhXH9yVGVt6RB | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| watch | Creates known IcePoint RAT files |
| notice | Creates a shortcut to an executable file |
| notice | Creates executable files on the filesystem |
| notice | File has been identified by 4 AntiVirus engines on VirusTotal as malicious |
| notice | Moves the original executable to a new location |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | This executable has a PDB path |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41601c FindClose
0x416020 FindFirstFileExW
0x416024 FindNextFileW
0x416028 GetFileAttributesExW
0x41602c GetFullPathNameW
0x416030 GetTempPathW
0x416034 GetLastError
0x416038 InitializeCriticalSection
0x41603c EnterCriticalSection
0x416040 LeaveCriticalSection
0x416044 GetEnvironmentVariableW
0x416048 GetCurrentProcess
0x41604c IsWow64Process
0x416050 GetModuleFileNameW
0x416054 GetModuleHandleExW
0x416058 GetProcAddress
0x41605c LoadLibraryExW
0x416060 LoadLibraryA
0x416064 MultiByteToWideChar
0x416068 WideCharToMultiByte
0x41606c FreeLibrary
0x416070 RtlUnwind
0x416074 RaiseException
0x416078 OutputDebugStringW
0x41607c GetModuleHandleW
0x416080 GetCurrentProcessId
0x416084 Sleep
0x416088 RemoveDirectoryW
0x41608c DeleteCriticalSection
0x416090 CreateDirectoryW
0x416094 InitializeSListHead
0x416098 GetCurrentThreadId
0x41609c QueryPerformanceCounter
0x4160a0 IsDebuggerPresent
0x4160a4 IsProcessorFeaturePresent
0x4160a8 TerminateProcess
0x4160ac SetUnhandledExceptionFilter
0x4160b0 UnhandledExceptionFilter
0x4160b4 LCMapStringW
0x4160b8 GetSystemTimeAsFileTime
0x4160bc TlsFree
0x4160c0 TlsSetValue
0x4160c4 TlsGetValue
0x4160c8 TlsAlloc
0x4160cc SwitchToThread
0x4160d0 InitializeCriticalSectionAndSpinCount
0x4160d4 SetLastError
0x4160d8 DecodePointer
0x4160dc EncodePointer
0x4160e0 GetStringTypeW
USER32.dll
0x4160f0 MessageBoxW
SHELL32.dll
0x4160e8 ShellExecuteW
ADVAPI32.dll
0x416000 RegOpenKeyExW
0x416004 RegCloseKey
0x416008 ReportEventW
0x41600c RegisterEventSourceW
0x416010 DeregisterEventSource
0x416014 RegGetValueW
api-ms-win-crt-runtime-l1-1-0.dll
0x41615c terminate
0x416160 _controlfp_s
0x416164 _register_thread_local_exe_atexit_callback
0x416168 _errno
0x41616c _c_exit
0x416170 __p___wargv
0x416174 _seh_filter_exe
0x416178 __p___argc
0x41617c _configure_wide_argv
0x416180 _cexit
0x416184 _crt_atexit
0x416188 _exit
0x41618c exit
0x416190 _register_onexit_function
0x416194 _initialize_onexit_table
0x416198 _set_app_type
0x41619c _initterm_e
0x4161a0 _initterm
0x4161a4 _get_initial_wide_environment
0x4161a8 _invalid_parameter_noinfo_noreturn
0x4161ac _initialize_wide_environment
0x4161b0 abort
api-ms-win-crt-heap-l1-1-0.dll
0x416110 calloc
0x416114 free
0x416118 _set_new_mode
0x41611c _callnewh
0x416120 malloc
api-ms-win-crt-math-l1-1-0.dll
0x416150 frexp
0x416154 __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
0x4161b8 _set_fmode
0x4161bc __stdio_common_vsprintf_s
0x4161c0 __p__commode
0x4161c4 fflush
0x4161c8 _wfopen
0x4161cc __stdio_common_vfwprintf
0x4161d0 fputws
0x4161d4 fclose
0x4161d8 fread
0x4161dc fseek
0x4161e0 fwrite
0x4161e4 __acrt_iob_func
0x4161e8 fputwc
0x4161ec __stdio_common_vswprintf
api-ms-win-crt-string-l1-1-0.dll
0x4161f4 strcpy_s
0x4161f8 memset
0x4161fc strcspn
0x416200 wcsncmp
0x416204 _wcsicmp
0x416208 _wcsnicmp
0x41620c wcsnlen
0x416210 _wcsdup
api-ms-win-crt-locale-l1-1-0.dll
0x416128 __pctype_func
0x41612c setlocale
0x416130 ___mb_cur_max_func
0x416134 ___lc_codepage_func
0x416138 ___lc_locale_name_func
0x41613c localeconv
0x416140 _unlock_locales
0x416144 _lock_locales
0x416148 _configthreadlocale
api-ms-win-crt-filesystem-l1-1-0.dll
0x416104 _wrename
0x416108 _wremove
api-ms-win-crt-convert-l1-1-0.dll
0x4160f8 wcstoul
0x4160fc _wtoi
api-ms-win-crt-time-l1-1-0.dll
0x416218 _time64
0x41621c wcsftime
0x416220 _gmtime64
EAT(Export Address Table) is none
KERNEL32.dll
0x41601c FindClose
0x416020 FindFirstFileExW
0x416024 FindNextFileW
0x416028 GetFileAttributesExW
0x41602c GetFullPathNameW
0x416030 GetTempPathW
0x416034 GetLastError
0x416038 InitializeCriticalSection
0x41603c EnterCriticalSection
0x416040 LeaveCriticalSection
0x416044 GetEnvironmentVariableW
0x416048 GetCurrentProcess
0x41604c IsWow64Process
0x416050 GetModuleFileNameW
0x416054 GetModuleHandleExW
0x416058 GetProcAddress
0x41605c LoadLibraryExW
0x416060 LoadLibraryA
0x416064 MultiByteToWideChar
0x416068 WideCharToMultiByte
0x41606c FreeLibrary
0x416070 RtlUnwind
0x416074 RaiseException
0x416078 OutputDebugStringW
0x41607c GetModuleHandleW
0x416080 GetCurrentProcessId
0x416084 Sleep
0x416088 RemoveDirectoryW
0x41608c DeleteCriticalSection
0x416090 CreateDirectoryW
0x416094 InitializeSListHead
0x416098 GetCurrentThreadId
0x41609c QueryPerformanceCounter
0x4160a0 IsDebuggerPresent
0x4160a4 IsProcessorFeaturePresent
0x4160a8 TerminateProcess
0x4160ac SetUnhandledExceptionFilter
0x4160b0 UnhandledExceptionFilter
0x4160b4 LCMapStringW
0x4160b8 GetSystemTimeAsFileTime
0x4160bc TlsFree
0x4160c0 TlsSetValue
0x4160c4 TlsGetValue
0x4160c8 TlsAlloc
0x4160cc SwitchToThread
0x4160d0 InitializeCriticalSectionAndSpinCount
0x4160d4 SetLastError
0x4160d8 DecodePointer
0x4160dc EncodePointer
0x4160e0 GetStringTypeW
USER32.dll
0x4160f0 MessageBoxW
SHELL32.dll
0x4160e8 ShellExecuteW
ADVAPI32.dll
0x416000 RegOpenKeyExW
0x416004 RegCloseKey
0x416008 ReportEventW
0x41600c RegisterEventSourceW
0x416010 DeregisterEventSource
0x416014 RegGetValueW
api-ms-win-crt-runtime-l1-1-0.dll
0x41615c terminate
0x416160 _controlfp_s
0x416164 _register_thread_local_exe_atexit_callback
0x416168 _errno
0x41616c _c_exit
0x416170 __p___wargv
0x416174 _seh_filter_exe
0x416178 __p___argc
0x41617c _configure_wide_argv
0x416180 _cexit
0x416184 _crt_atexit
0x416188 _exit
0x41618c exit
0x416190 _register_onexit_function
0x416194 _initialize_onexit_table
0x416198 _set_app_type
0x41619c _initterm_e
0x4161a0 _initterm
0x4161a4 _get_initial_wide_environment
0x4161a8 _invalid_parameter_noinfo_noreturn
0x4161ac _initialize_wide_environment
0x4161b0 abort
api-ms-win-crt-heap-l1-1-0.dll
0x416110 calloc
0x416114 free
0x416118 _set_new_mode
0x41611c _callnewh
0x416120 malloc
api-ms-win-crt-math-l1-1-0.dll
0x416150 frexp
0x416154 __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
0x4161b8 _set_fmode
0x4161bc __stdio_common_vsprintf_s
0x4161c0 __p__commode
0x4161c4 fflush
0x4161c8 _wfopen
0x4161cc __stdio_common_vfwprintf
0x4161d0 fputws
0x4161d4 fclose
0x4161d8 fread
0x4161dc fseek
0x4161e0 fwrite
0x4161e4 __acrt_iob_func
0x4161e8 fputwc
0x4161ec __stdio_common_vswprintf
api-ms-win-crt-string-l1-1-0.dll
0x4161f4 strcpy_s
0x4161f8 memset
0x4161fc strcspn
0x416200 wcsncmp
0x416204 _wcsicmp
0x416208 _wcsnicmp
0x41620c wcsnlen
0x416210 _wcsdup
api-ms-win-crt-locale-l1-1-0.dll
0x416128 __pctype_func
0x41612c setlocale
0x416130 ___mb_cur_max_func
0x416134 ___lc_codepage_func
0x416138 ___lc_locale_name_func
0x41613c localeconv
0x416140 _unlock_locales
0x416144 _lock_locales
0x416148 _configthreadlocale
api-ms-win-crt-filesystem-l1-1-0.dll
0x416104 _wrename
0x416108 _wremove
api-ms-win-crt-convert-l1-1-0.dll
0x4160f8 wcstoul
0x4160fc _wtoi
api-ms-win-crt-time-l1-1-0.dll
0x416218 _time64
0x41621c wcsftime
0x416220 _gmtime64
EAT(Export Address Table) is none