ScreenShot
| Created | 2023.07.12 17:35 | Machine | s1_win7_x6403 |
| Filename | crypted.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 30 detected (AIDetectMalware, unsafe, Save, malicious, confidence, ZexaF, hvW@au3y0fc, Kryptik, Eldorado, Attribute, HighConfidence, high confidence, ETBS, score, PWSX, Generic ML PUA, high, RedLine, RDCA, LJ2WHR, Detected, Artemis, BScope, TrojanPSW, Lska3PRcODO, Static AI, Malicious PE, ESYR) | ||
| md5 | aa06cd111cb6800e04353ec34723044b | ||
| sha256 | e919ae428cb8359cae0d30ceeb9f1c9b7470bb9bf75ba70d65d87c175b5d4a18 | ||
| ssdeep | 6144:4xquEWzU74wCPALLYdTBlIAOlBj+UHFiHLIxnQfy/odA2jzFwvdI:I0WzU74nzIrBjnAmnQigAOwO | ||
| imphash | c35499a3c274c45eacc6e8d485573f91 | ||
| impfuzzy | 24:7H9q0Su985ikbZETKAWJjGHcpVWZLDsl94GtC7bJh9LLOovbO3gv9FZYGMAkES:M5BOWoHcpVeMcGteDJ63y9FZG | ||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
SHELL32.dll
0x429184 SHSetLocalizedName
0x429188 None
GDI32.dll
0x429000 GetArcDirection
ole32.dll
0x429190 CoGetApartmentType
0x429194 CoGetObjectContext
KERNEL32.dll
0x429008 HeapSize
0x42900c CreateFileW
0x429010 GetProcessHeap
0x429014 SetStdHandle
0x429018 SetEnvironmentVariableW
0x42901c GetModuleHandleA
0x429020 GetModuleHandleW
0x429024 RaiseException
0x429028 GetCurrentThreadId
0x42902c IsProcessorFeaturePresent
0x429030 GetLastError
0x429034 FreeLibraryWhenCallbackReturns
0x429038 CreateThreadpoolWork
0x42903c SubmitThreadpoolWork
0x429040 CloseThreadpoolWork
0x429044 GetModuleHandleExW
0x429048 MultiByteToWideChar
0x42904c InitializeConditionVariable
0x429050 WakeConditionVariable
0x429054 WakeAllConditionVariable
0x429058 SleepConditionVariableSRW
0x42905c InitOnceComplete
0x429060 InitOnceBeginInitialize
0x429064 GetStringTypeW
0x429068 InitializeSRWLock
0x42906c ReleaseSRWLockExclusive
0x429070 AcquireSRWLockExclusive
0x429074 TryAcquireSRWLockExclusive
0x429078 WideCharToMultiByte
0x42907c CloseHandle
0x429080 WaitForSingleObjectEx
0x429084 QueryPerformanceCounter
0x429088 EnterCriticalSection
0x42908c LeaveCriticalSection
0x429090 InitializeCriticalSectionEx
0x429094 DeleteCriticalSection
0x429098 EncodePointer
0x42909c DecodePointer
0x4290a0 LCMapStringEx
0x4290a4 GetSystemTimeAsFileTime
0x4290a8 GetProcAddress
0x4290ac WriteConsoleW
0x4290b0 GetCPInfo
0x4290b4 InitializeCriticalSectionAndSpinCount
0x4290b8 SetEvent
0x4290bc ResetEvent
0x4290c0 CreateEventW
0x4290c4 GetCurrentProcessId
0x4290c8 InitializeSListHead
0x4290cc IsDebuggerPresent
0x4290d0 UnhandledExceptionFilter
0x4290d4 SetUnhandledExceptionFilter
0x4290d8 GetStartupInfoW
0x4290dc GetCurrentProcess
0x4290e0 TerminateProcess
0x4290e4 FreeEnvironmentStringsW
0x4290e8 RtlUnwind
0x4290ec SetLastError
0x4290f0 TlsAlloc
0x4290f4 TlsGetValue
0x4290f8 TlsSetValue
0x4290fc TlsFree
0x429100 FreeLibrary
0x429104 LoadLibraryExW
0x429108 GetStdHandle
0x42910c WriteFile
0x429110 GetModuleFileNameW
0x429114 ExitProcess
0x429118 GetCommandLineA
0x42911c GetCommandLineW
0x429120 HeapAlloc
0x429124 HeapFree
0x429128 GetFileType
0x42912c CompareStringW
0x429130 LCMapStringW
0x429134 GetLocaleInfoW
0x429138 IsValidLocale
0x42913c GetUserDefaultLCID
0x429140 EnumSystemLocalesW
0x429144 FlushFileBuffers
0x429148 GetConsoleOutputCP
0x42914c GetConsoleMode
0x429150 ReadFile
0x429154 GetFileSizeEx
0x429158 SetFilePointerEx
0x42915c ReadConsoleW
0x429160 HeapReAlloc
0x429164 FindClose
0x429168 FindFirstFileExW
0x42916c FindNextFileW
0x429170 IsValidCodePage
0x429174 GetACP
0x429178 GetOEMCP
0x42917c GetEnvironmentStringsW
EAT(Export Address Table) is none
SHELL32.dll
0x429184 SHSetLocalizedName
0x429188 None
GDI32.dll
0x429000 GetArcDirection
ole32.dll
0x429190 CoGetApartmentType
0x429194 CoGetObjectContext
KERNEL32.dll
0x429008 HeapSize
0x42900c CreateFileW
0x429010 GetProcessHeap
0x429014 SetStdHandle
0x429018 SetEnvironmentVariableW
0x42901c GetModuleHandleA
0x429020 GetModuleHandleW
0x429024 RaiseException
0x429028 GetCurrentThreadId
0x42902c IsProcessorFeaturePresent
0x429030 GetLastError
0x429034 FreeLibraryWhenCallbackReturns
0x429038 CreateThreadpoolWork
0x42903c SubmitThreadpoolWork
0x429040 CloseThreadpoolWork
0x429044 GetModuleHandleExW
0x429048 MultiByteToWideChar
0x42904c InitializeConditionVariable
0x429050 WakeConditionVariable
0x429054 WakeAllConditionVariable
0x429058 SleepConditionVariableSRW
0x42905c InitOnceComplete
0x429060 InitOnceBeginInitialize
0x429064 GetStringTypeW
0x429068 InitializeSRWLock
0x42906c ReleaseSRWLockExclusive
0x429070 AcquireSRWLockExclusive
0x429074 TryAcquireSRWLockExclusive
0x429078 WideCharToMultiByte
0x42907c CloseHandle
0x429080 WaitForSingleObjectEx
0x429084 QueryPerformanceCounter
0x429088 EnterCriticalSection
0x42908c LeaveCriticalSection
0x429090 InitializeCriticalSectionEx
0x429094 DeleteCriticalSection
0x429098 EncodePointer
0x42909c DecodePointer
0x4290a0 LCMapStringEx
0x4290a4 GetSystemTimeAsFileTime
0x4290a8 GetProcAddress
0x4290ac WriteConsoleW
0x4290b0 GetCPInfo
0x4290b4 InitializeCriticalSectionAndSpinCount
0x4290b8 SetEvent
0x4290bc ResetEvent
0x4290c0 CreateEventW
0x4290c4 GetCurrentProcessId
0x4290c8 InitializeSListHead
0x4290cc IsDebuggerPresent
0x4290d0 UnhandledExceptionFilter
0x4290d4 SetUnhandledExceptionFilter
0x4290d8 GetStartupInfoW
0x4290dc GetCurrentProcess
0x4290e0 TerminateProcess
0x4290e4 FreeEnvironmentStringsW
0x4290e8 RtlUnwind
0x4290ec SetLastError
0x4290f0 TlsAlloc
0x4290f4 TlsGetValue
0x4290f8 TlsSetValue
0x4290fc TlsFree
0x429100 FreeLibrary
0x429104 LoadLibraryExW
0x429108 GetStdHandle
0x42910c WriteFile
0x429110 GetModuleFileNameW
0x429114 ExitProcess
0x429118 GetCommandLineA
0x42911c GetCommandLineW
0x429120 HeapAlloc
0x429124 HeapFree
0x429128 GetFileType
0x42912c CompareStringW
0x429130 LCMapStringW
0x429134 GetLocaleInfoW
0x429138 IsValidLocale
0x42913c GetUserDefaultLCID
0x429140 EnumSystemLocalesW
0x429144 FlushFileBuffers
0x429148 GetConsoleOutputCP
0x42914c GetConsoleMode
0x429150 ReadFile
0x429154 GetFileSizeEx
0x429158 SetFilePointerEx
0x42915c ReadConsoleW
0x429160 HeapReAlloc
0x429164 FindClose
0x429168 FindFirstFileExW
0x42916c FindNextFileW
0x429170 IsValidCodePage
0x429174 GetACP
0x429178 GetOEMCP
0x42917c GetEnvironmentStringsW
EAT(Export Address Table) is none