ScreenShot
| Created | 2023.07.10 08:03 | Machine | s1_win7_x6403 |
| Filename | photo270.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | e2d38861d75a1dc3c502f418e56222b4 | ||
| sha256 | 0e2dc2a4d7697a84921d01d0ec435e93dc5cd7301d4b86d1d6270e99fc4d7ea3 | ||
| ssdeep | 12288:WsEPWz479Ell3liQ4aU1ghkNDtEZsq2mjgm/x15UUa5407lkqP31T:ss479EXlr4ZSkNDtidgm1U/5407lt | ||
| imphash | d16fc9171842127d5f2d9438e5ae0377 | ||
| impfuzzy | 24:dojMVDo0S1jtubJnc+pl39/CyoEOovbO3URZHu93vB3GMM:jS1jtulc+ppQyc3vBi | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Disables Windows Security features |
| watch | Attempts to disable Windows Auto Updates |
| watch | Attempts to stop active services |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | win_smokeloader_auto | Detects win.smokeloader. | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | CAB_file_format | CAB archive file | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x410000 GetLastError
0x410004 WaitForSingleObject
0x410008 CreateMutexW
0x41000c Sleep
0x410010 CreateThread
0x410014 VirtualAlloc
0x410018 VirtualProtect
0x41001c GetModuleHandleA
0x410020 GetProcAddress
0x410024 LoadLibraryA
0x410028 lstrlenW
0x41002c FreeConsole
0x410030 WriteConsoleW
0x410034 QueryPerformanceCounter
0x410038 GetCurrentProcessId
0x41003c GetCurrentThreadId
0x410040 GetSystemTimeAsFileTime
0x410044 InitializeSListHead
0x410048 IsDebuggerPresent
0x41004c UnhandledExceptionFilter
0x410050 SetUnhandledExceptionFilter
0x410054 GetStartupInfoW
0x410058 IsProcessorFeaturePresent
0x41005c GetModuleHandleW
0x410060 GetCurrentProcess
0x410064 TerminateProcess
0x410068 RtlUnwind
0x41006c SetLastError
0x410070 EnterCriticalSection
0x410074 LeaveCriticalSection
0x410078 DeleteCriticalSection
0x41007c InitializeCriticalSectionAndSpinCount
0x410080 TlsAlloc
0x410084 TlsGetValue
0x410088 TlsSetValue
0x41008c TlsFree
0x410090 FreeLibrary
0x410094 LoadLibraryExW
0x410098 EncodePointer
0x41009c RaiseException
0x4100a0 GetStdHandle
0x4100a4 WriteFile
0x4100a8 GetModuleFileNameW
0x4100ac ExitProcess
0x4100b0 GetModuleHandleExW
0x4100b4 GetCommandLineA
0x4100b8 GetCommandLineW
0x4100bc HeapAlloc
0x4100c0 HeapFree
0x4100c4 FindClose
0x4100c8 FindFirstFileExW
0x4100cc FindNextFileW
0x4100d0 IsValidCodePage
0x4100d4 GetACP
0x4100d8 GetOEMCP
0x4100dc GetCPInfo
0x4100e0 MultiByteToWideChar
0x4100e4 WideCharToMultiByte
0x4100e8 GetEnvironmentStringsW
0x4100ec FreeEnvironmentStringsW
0x4100f0 SetEnvironmentVariableW
0x4100f4 SetStdHandle
0x4100f8 GetFileType
0x4100fc GetStringTypeW
0x410100 CompareStringW
0x410104 LCMapStringW
0x410108 GetProcessHeap
0x41010c HeapSize
0x410110 HeapReAlloc
0x410114 FlushFileBuffers
0x410118 GetConsoleOutputCP
0x41011c GetConsoleMode
0x410120 SetFilePointerEx
0x410124 CreateFileW
0x410128 CloseHandle
0x41012c DecodePointer
EAT(Export Address Table) is none
KERNEL32.dll
0x410000 GetLastError
0x410004 WaitForSingleObject
0x410008 CreateMutexW
0x41000c Sleep
0x410010 CreateThread
0x410014 VirtualAlloc
0x410018 VirtualProtect
0x41001c GetModuleHandleA
0x410020 GetProcAddress
0x410024 LoadLibraryA
0x410028 lstrlenW
0x41002c FreeConsole
0x410030 WriteConsoleW
0x410034 QueryPerformanceCounter
0x410038 GetCurrentProcessId
0x41003c GetCurrentThreadId
0x410040 GetSystemTimeAsFileTime
0x410044 InitializeSListHead
0x410048 IsDebuggerPresent
0x41004c UnhandledExceptionFilter
0x410050 SetUnhandledExceptionFilter
0x410054 GetStartupInfoW
0x410058 IsProcessorFeaturePresent
0x41005c GetModuleHandleW
0x410060 GetCurrentProcess
0x410064 TerminateProcess
0x410068 RtlUnwind
0x41006c SetLastError
0x410070 EnterCriticalSection
0x410074 LeaveCriticalSection
0x410078 DeleteCriticalSection
0x41007c InitializeCriticalSectionAndSpinCount
0x410080 TlsAlloc
0x410084 TlsGetValue
0x410088 TlsSetValue
0x41008c TlsFree
0x410090 FreeLibrary
0x410094 LoadLibraryExW
0x410098 EncodePointer
0x41009c RaiseException
0x4100a0 GetStdHandle
0x4100a4 WriteFile
0x4100a8 GetModuleFileNameW
0x4100ac ExitProcess
0x4100b0 GetModuleHandleExW
0x4100b4 GetCommandLineA
0x4100b8 GetCommandLineW
0x4100bc HeapAlloc
0x4100c0 HeapFree
0x4100c4 FindClose
0x4100c8 FindFirstFileExW
0x4100cc FindNextFileW
0x4100d0 IsValidCodePage
0x4100d4 GetACP
0x4100d8 GetOEMCP
0x4100dc GetCPInfo
0x4100e0 MultiByteToWideChar
0x4100e4 WideCharToMultiByte
0x4100e8 GetEnvironmentStringsW
0x4100ec FreeEnvironmentStringsW
0x4100f0 SetEnvironmentVariableW
0x4100f4 SetStdHandle
0x4100f8 GetFileType
0x4100fc GetStringTypeW
0x410100 CompareStringW
0x410104 LCMapStringW
0x410108 GetProcessHeap
0x41010c HeapSize
0x410110 HeapReAlloc
0x410114 FlushFileBuffers
0x410118 GetConsoleOutputCP
0x41011c GetConsoleMode
0x410120 SetFilePointerEx
0x410124 CreateFileW
0x410128 CloseHandle
0x41012c DecodePointer
EAT(Export Address Table) is none