| Field | Value |
|---|---|
| Created | 2023.07.12 17:44 |
| Machine | s1_win7_x6401 |
| Filename | crypted1.exe |
| Type | PE32 executable (console) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malicious |
| VT API (file) | 48 detected (AIDetectMalware, malicious, high confidence, GenericKD, Save, Fragtor, Kryptik, Eldorado, Attribute, HighConfidence, ETBS, score, PWSX, GenSteal, sylyn, AMADEY, YXDGKZ, high, Static AI, Suspicious PE, Wacatac, Seraph, CredStealer, LRNKXP, Detected, Artemis, ai score=86, BScope, TrojanPSW, RedLine, unsafe, Chgt, v6QHlCF2REF, susgen, ESYR, ZexaF, FDW@aqHn3Wk, confidence, 100%) |
| md5 | 34b4037287a02c8d02d26e30be52e390 |
| sha256 | 86f3729129401c13e42ea714e4cfe168c3d78669b4bc418d4c46ec4499cd0bf5 |
| ssdeep | 6144:8Pg/16yossmlOWJVeQs7uuAOZyUufCwvx4iBFi4wASmhl8:aY16yoss05Lufp7oi8xwihl |
| imphash | c3819ddb9793436372bae5f130acfd9d |
| impfuzzy | 24:se5ikbZETKAWJjGHcpVWZLD1l9dtWObJh9r9OovbO3gv9FZYGMAkEZHu9s:v5BOWoHcpVeVptWODZo3y9FZ7 |
Signature (21cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic/preparations. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
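The four `watch` signatures above (executable memory allocated in another process, memory of a non-child process manipulated, `NtSetContextThread` used on a remote thread, a suspended remote thread resumed) describe one injection chain. The following is an added example, not part of the sandbox report, showing detection logic that replays an API-call trace and raises the same findings. The trace, the process IDs, the parent map and the API names are constructed for the example; the real trace for this sample is not on the page.

```python
"""Flag the process-injection chain described by the sandbox signatures.

Added example (not the sandbox's own code). It walks a constructed API-call
trace and, for every (injector, target) pair where the target is another
process, records the stages the signatures name. When all four stages are
seen the pair is reported as a completed injection.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


@dataclass(frozen=True)
class Call:
    pid: int                  # process making the call
    api: str                  # API name as a sandbox would log it
    target_pid: int           # process the handle refers to (== pid for local calls)
    args: dict = field(default_factory=dict)


ALLOC_APIS = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}
ALL_STAGES = {"alloc_rwx", "write", "set_context", "resume"}


def injection_findings(trace: list[Call], parent_of: dict[int, int]) -> dict[int, list[str]]:
    """Return {injector_pid: [finding descriptions]} for injectors seen in trace."""
    findings: dict[int, set[str]] = defaultdict(set)
    stages: dict[tuple[int, int], set[str]] = defaultdict(set)
    for c in trace:
        if c.target_pid == c.pid:
            continue  # local calls (e.g. unpacking into own RWX memory) are not injection
        key = (c.pid, c.target_pid)
        if c.api in ALLOC_APIS and c.args.get("protection") == PAGE_EXECUTE_READWRITE:
            stages[key].add("alloc_rwx")
            findings[c.pid].add("Allocates execute permission to another process")
        elif c.api in WRITE_APIS:
            stages[key].add("write")
            if parent_of.get(c.target_pid) != c.pid:
                findings[c.pid].add("Manipulates memory of a non-child process")
        elif c.api == "NtSetContextThread":
            stages[key].add("set_context")
            findings[c.pid].add("Used NtSetContextThread to modify a thread in a remote process")
        elif c.api in RESUME_APIS:
            stages[key].add("resume")
            findings[c.pid].add("Resumed a suspended thread in a remote process")
        if ALL_STAGES <= stages[key]:
            findings[c.pid].add("Executed a process and injected code into it")
    return {pid: sorted(f) for pid, f in findings.items()}


def sample_trace() -> tuple[list[Call], dict[int, int]]:
    """Constructed trace: pid 100 injects into pid 200, whose parent is pid 1
    (so not a child of 100); pid 300 only allocates RWX memory for itself."""
    parent_of = {100: 50, 200: 1, 300: 50}
    trace = [
        Call(300, "VirtualAlloc", 300, {"protection": PAGE_EXECUTE_READWRITE}),
        Call(100, "OpenProcess", 200, {"access": 0x1F0FFF}),
        Call(100, "VirtualAllocEx", 200, {"protection": PAGE_EXECUTE_READWRITE, "size": 0x5000}),
        Call(100, "WriteProcessMemory", 200, {"size": 0x5000}),
        Call(100, "SuspendThread", 200, {"tid": 2001}),
        Call(100, "NtSetContextThread", 200, {"tid": 2001}),
        Call(100, "ResumeThread", 200, {"tid": 2001}),
    ]
    return trace, parent_of


def run_sample() -> dict[int, list[str]]:
    trace, parent_of = sample_trace()
    return injection_findings(trace, parent_of)


if __name__ == "__main__":
    for pid, descriptions in run_sample().items():
        for d in descriptions:
            print(f"pid {pid}: {d}")
```

The local `VirtualAlloc` by pid 300 is deliberately ignored: it corresponds to the separate `notice`-level "Allocates read-write-execute memory (usually to unpack itself)" signature, which on its own is common in packed but benign software. Only the remote chain escalates to the `danger` finding.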
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
ole32.dll
0x42917c CoGetObjectContext
0x429180 CoGetApartmentType
KERNEL32.dll
0x429000 GetCPInfo
0x429004 CreateFileW
0x429008 HeapSize
0x42900c GetModuleHandleA
0x429010 GetModuleHandleW
0x429014 RaiseException
0x429018 GetCurrentThreadId
0x42901c IsProcessorFeaturePresent
0x429020 GetLastError
0x429024 FreeLibraryWhenCallbackReturns
0x429028 CreateThreadpoolWork
0x42902c SubmitThreadpoolWork
0x429030 CloseThreadpoolWork
0x429034 GetModuleHandleExW
0x429038 MultiByteToWideChar
0x42903c InitializeConditionVariable
0x429040 WakeConditionVariable
0x429044 WakeAllConditionVariable
0x429048 SleepConditionVariableSRW
0x42904c InitOnceComplete
0x429050 InitOnceBeginInitialize
0x429054 GetStringTypeW
0x429058 InitializeSRWLock
0x42905c ReleaseSRWLockExclusive
0x429060 AcquireSRWLockExclusive
0x429064 TryAcquireSRWLockExclusive
0x429068 WideCharToMultiByte
0x42906c CloseHandle
0x429070 WaitForSingleObjectEx
0x429074 QueryPerformanceCounter
0x429078 EnterCriticalSection
0x42907c LeaveCriticalSection
0x429080 InitializeCriticalSectionEx
0x429084 DeleteCriticalSection
0x429088 EncodePointer
0x42908c DecodePointer
0x429090 LCMapStringEx
0x429094 GetSystemTimeAsFileTime
0x429098 GetProcAddress
0x42909c WriteConsoleW
0x4290a0 InitializeCriticalSectionAndSpinCount
0x4290a4 SetEvent
0x4290a8 ResetEvent
0x4290ac CreateEventW
0x4290b0 UnhandledExceptionFilter
0x4290b4 SetUnhandledExceptionFilter
0x4290b8 GetCurrentProcess
0x4290bc TerminateProcess
0x4290c0 IsDebuggerPresent
0x4290c4 GetStartupInfoW
0x4290c8 GetCurrentProcessId
0x4290cc InitializeSListHead
0x4290d0 SetStdHandle
0x4290d4 RtlUnwind
0x4290d8 SetLastError
0x4290dc TlsAlloc
0x4290e0 TlsGetValue
0x4290e4 TlsSetValue
0x4290e8 TlsFree
0x4290ec FreeLibrary
0x4290f0 LoadLibraryExW
0x4290f4 ExitProcess
0x4290f8 GetModuleFileNameW
0x4290fc GetStdHandle
0x429100 WriteFile
0x429104 GetCommandLineA
0x429108 GetCommandLineW
0x42910c HeapAlloc
0x429110 HeapFree
0x429114 GetFileType
0x429118 CompareStringW
0x42911c LCMapStringW
0x429120 GetLocaleInfoW
0x429124 IsValidLocale
0x429128 GetUserDefaultLCID
0x42912c EnumSystemLocalesW
0x429130 FlushFileBuffers
0x429134 GetConsoleOutputCP
0x429138 GetConsoleMode
0x42913c ReadFile
0x429140 GetFileSizeEx
0x429144 SetFilePointerEx
0x429148 ReadConsoleW
0x42914c HeapReAlloc
0x429150 FindClose
0x429154 FindFirstFileExW
0x429158 FindNextFileW
0x42915c IsValidCodePage
0x429160 GetACP
0x429164 GetOEMCP
0x429168 GetEnvironmentStringsW
0x42916c FreeEnvironmentStringsW
0x429170 SetEnvironmentVariableW
0x429174 GetProcessHeap
EAT(Export Address Table) is none
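The imphash in the summary table is derived from exactly the kind of import list shown above: each imported function becomes `module.function` (lowercased, `.dll`/`.ocx`/`.sys` stripped), the entries are joined with commas in import-directory order, and the result is MD5-hashed. The following is an added example, not part of the report, that parses an excerpt of the listing in the report's own format and recomputes the value. The excerpt is constructed and abbreviated (only three KERNEL32 entries), so its hash will not equal the report's `c3819ddb...`; ordering the modules by their lowest IAT slot (KERNEL32 at 0x429000 before ole32 at 0x42917c) is an assumption about how this sample's import directory is laid out, not something the page states.

```python
"""Recompute an imphash from a sandbox-style IAT listing.

Added example (not the report's own tooling). Parses "Module.dll" lines
followed by "0xADDR FuncName" lines, normalises entries the way imphash does,
and hashes them. Module order is assumed to follow the lowest IAT address.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed, abbreviated excerpt of the IAT listing above.
IAT_LISTING = """\
ole32.dll
0x42917c CoGetObjectContext
0x429180 CoGetApartmentType
KERNEL32.dll
0x429000 GetCPInfo
0x429004 CreateFileW
0x429008 HeapSize
"""

_ENTRY = re.compile(r"^0x([0-9a-fA-F]+)\s+(\S+)$")
_STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


@dataclass
class Module:
    name: str
    funcs: list[str] = field(default_factory=list)
    lowest_addr: int = 0xFFFFFFFF


def parse_iat_listing(text: str) -> list[Module]:
    """Return modules in listing order, each with its functions and lowest IAT slot."""
    modules: list[Module] = []
    cur: Module | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if m:
            if cur is None:
                raise ValueError(f"import entry before any module line: {line!r}")
            cur.funcs.append(m.group(2))
            cur.lowest_addr = min(cur.lowest_addr, int(m.group(1), 16))
        else:
            cur = Module(line)
            modules.append(cur)
    return modules


def by_iat_address(modules: list[Module]) -> list[Module]:
    """Assumed import-directory order: modules sorted by their lowest IAT slot."""
    return sorted(modules, key=lambda m: m.lowest_addr)


def normalise_import(module: str, func: str) -> str:
    """imphash entry: lowercase module without .dll/.ocx/.sys, '.', lowercase function."""
    mod = module.lower()
    base, _, ext = mod.rpartition(".")
    if base and ext in _STRIPPED_EXTENSIONS:
        mod = base
    return f"{mod}.{func.lower()}"


def imphash_string(modules: list[Module]) -> str:
    return ",".join(normalise_import(m.name, f) for m in modules for f in m.funcs)


def imphash(modules: list[Module]) -> str:
    return hashlib.md5(imphash_string(modules).encode("ascii")).hexdigest()


def looks_like_imphash(value: str) -> bool:
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def report_listing_imphash() -> str:
    return imphash(by_iat_address(parse_iat_listing(IAT_LISTING)))


if __name__ == "__main__":
    mods = by_iat_address(parse_iat_listing(IAT_LISTING))
    print(imphash_string(mods))
    print("imphash (excerpt):", imphash(mods))
    print("report imphash  : c3819ddb9793436372bae5f130acfd9d")
```

When the full listing is fed in and the hash still differs from the report's value, the first thing to check is the module order: imphash follows the import directory, and a listing sorted by address or by name can differ from it. Functions imported by ordinal also need the ordinal-to-name mapping that `pefile` applies before hashing, which this example does not implement.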