| Field | Value |
|---|---|
| Created | 2023.07.18 07:23 |
| Machine | s1_win7_x6401 |
| Filename | rofl.exe |
| Type | PE32 executable (console) Intel 80386, for MS Windows |
| VT API (file) | 38 detected (AIDetectMalware, Strab, @GW@I9114hei, Vvsj, malicious, Attribute, HighConfidence, high confidence, GenKryptik, GLWW, score, Generic@AI, RDML, l2PQivzRvxuRaZmmjyC57g, Nekark, wwrgd, Siggen3, Artemis, Sabsik, GenericRXVT, ai score=85, unsafe, Chgt, susgen, confidence) |
| md5 | 2ee4b1df29fe85c016c84d5855b0ec9f |
| sha256 | 686f9d8e29ba0fd3e4285ecd2f85716bea5be6c3b6571c955c9f6ea9274dc9cf |
| ssdeep | 12288:aExUboCrf3E1zPXkbaEGJmtNjVu2q8OqdCB5GDdSUHrCAZWgAYhaoa6Wn4jfHh1:a3skbXG+NlOqFeA/BO6W4jp |
| imphash | 1bc1c4b914e9ea42a3ab5d27158f0056 |
| impfuzzy | 48:DaxYWJcpH+zD9nsXtXOthWGzSpU63TuFZG/:DaxYWJcpH+X6XtXOthWGGpUfQ |
Network IP location
Signatures (20 counts)
| Level | Description |
|---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Detects Avast Antivirus through the presence of a library |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
Rules (14 counts)
| Level | Name | Description | Collection |
|---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0 counts): no requests recorded.
Suricata IDS: no entries.
PE API
IAT (Import Address Table)
Library: KERNEL32.dll
0x475000 Sleep
0x475004 LoadLibraryW
0x475008 CloseHandle
0x47500c WaitForSingleObjectEx
0x475010 SwitchToThread
0x475014 GetCurrentThreadId
0x475018 GetExitCodeThread
0x47501c GetNativeSystemInfo
0x475020 QueryPerformanceCounter
0x475024 QueryPerformanceFrequency
0x475028 InitializeSRWLock
0x47502c ReleaseSRWLockExclusive
0x475030 AcquireSRWLockExclusive
0x475034 EnterCriticalSection
0x475038 LeaveCriticalSection
0x47503c InitializeCriticalSectionEx
0x475040 TryEnterCriticalSection
0x475044 DeleteCriticalSection
0x475048 InitializeConditionVariable
0x47504c WakeConditionVariable
0x475050 WakeAllConditionVariable
0x475054 SleepConditionVariableCS
0x475058 SleepConditionVariableSRW
0x47505c FormatMessageA
0x475060 SetFileInformationByHandle
0x475064 FlsAlloc
0x475068 FlsGetValue
0x47506c FlsSetValue
0x475070 FlsFree
0x475074 InitOnceExecuteOnce
0x475078 CreateEventExW
0x47507c CreateSemaphoreExW
0x475080 FlushProcessWriteBuffers
0x475084 GetCurrentProcessorNumber
0x475088 GetSystemTimeAsFileTime
0x47508c GetTickCount64
0x475090 FreeLibraryWhenCallbackReturns
0x475094 CreateThreadpoolWork
0x475098 SubmitThreadpoolWork
0x47509c CloseThreadpoolWork
0x4750a0 CreateThreadpoolTimer
0x4750a4 SetThreadpoolTimer
0x4750a8 WaitForThreadpoolTimerCallbacks
0x4750ac CloseThreadpoolTimer
0x4750b0 CreateThreadpoolWait
0x4750b4 SetThreadpoolWait
0x4750b8 CloseThreadpoolWait
0x4750bc GetModuleHandleW
0x4750c0 GetProcAddress
0x4750c4 GetFileInformationByHandleEx
0x4750c8 CreateSymbolicLinkW
0x4750cc LocalFree
0x4750d0 UnhandledExceptionFilter
0x4750d4 SetUnhandledExceptionFilter
0x4750d8 GetCurrentProcess
0x4750dc TerminateProcess
0x4750e0 IsProcessorFeaturePresent
0x4750e4 GetCurrentProcessId
0x4750e8 InitializeSListHead
0x4750ec IsDebuggerPresent
0x4750f0 GetStartupInfoW
0x4750f4 WriteConsoleW
0x4750f8 RaiseException
0x4750fc RtlUnwind
0x475100 InterlockedPushEntrySList
0x475104 InterlockedFlushSList
0x475108 GetLastError
0x47510c SetLastError
0x475110 EncodePointer
0x475114 InitializeCriticalSectionAndSpinCount
0x475118 TlsAlloc
0x47511c TlsGetValue
0x475120 TlsSetValue
0x475124 TlsFree
0x475128 FreeLibrary
0x47512c LoadLibraryExW
0x475130 CreateThread
0x475134 ExitThread
0x475138 ResumeThread
0x47513c FreeLibraryAndExitThread
0x475140 GetModuleHandleExW
0x475144 GetStdHandle
0x475148 WriteFile
0x47514c GetModuleFileNameW
0x475150 ExitProcess
0x475154 GetCommandLineA
0x475158 GetCommandLineW
0x47515c GetCurrentThread
0x475160 HeapAlloc
0x475164 HeapFree
0x475168 GetDateFormatW
0x47516c GetTimeFormatW
0x475170 CompareStringW
0x475174 LCMapStringW
0x475178 GetLocaleInfoW
0x47517c IsValidLocale
0x475180 GetUserDefaultLCID
0x475184 EnumSystemLocalesW
0x475188 GetFileType
0x47518c SetConsoleCtrlHandler
0x475190 GetFileSizeEx
0x475194 SetFilePointerEx
0x475198 OutputDebugStringW
0x47519c FindClose
0x4751a0 FindFirstFileExW
0x4751a4 FindNextFileW
0x4751a8 IsValidCodePage
0x4751ac GetACP
0x4751b0 GetOEMCP
0x4751b4 GetCPInfo
0x4751b8 MultiByteToWideChar
0x4751bc WideCharToMultiByte
0x4751c0 GetEnvironmentStringsW
0x4751c4 FreeEnvironmentStringsW
0x4751c8 SetEnvironmentVariableW
0x4751cc SetStdHandle
0x4751d0 GetStringTypeW
0x4751d4 GetProcessHeap
0x4751d8 FlushFileBuffers
0x4751dc GetConsoleOutputCP
0x4751e0 GetConsoleMode
0x4751e4 HeapSize
0x4751e8 HeapReAlloc
0x4751ec ReadFile
0x4751f0 ReadConsoleW
0x4751f4 CreateFileW
0x4751f8 DecodePointer
EAT(Export Address Table) is none