ScreenShot
| Created | 2023.07.22 21:50 | Machine | s1_win7_x6401 |
| Filename | qr.png | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 40 detected (malicious, high confidence, GenericKD, Cobaltstrike, V4xc, ABRisk, IYHJ, Attribute, HighConfidence, GenKryptik, GEGB, score, HacktoolX, FalseSign, Msmw, EPACK, Gen2, Meterpreter, COBEACON, YXDGUZ, Artemis, ai score=80, CobalStrike, VU3Y2S, Detected, unsafe, GfPDmvfR3RE, Rozena, confidence, 100%) | ||
| md5 | 07ecd12de259e62383d687d8eac0b089 | ||
| sha256 | e01e05a89153f718942abf535480ac1d7f311a30f342c571e4c0d42f4785aa61 | ||
| ssdeep | 24576:BUNa3MUnPbWsANXdgEm2vEP9WlkQyOUkiZ9zkRP:BXXSnNNPsVWlkQVUkiZ9zkRP | ||
| imphash | 7c4e296c67498d0ca3bb31360c5368f6 | ||
| impfuzzy | 24:8fH1JlDzncrAa0man0MG95XGDZykoDqoZn:8fH1jcrna0RJGVykoqE | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x49f1fc DeleteCriticalSection
0x49f204 EnterCriticalSection
0x49f20c FreeConsole
0x49f214 GetCurrentProcess
0x49f21c GetCurrentProcessId
0x49f224 GetCurrentThreadId
0x49f22c GetLastError
0x49f234 GetModuleHandleA
0x49f23c GetProcAddress
0x49f244 GetStartupInfoA
0x49f24c GetSystemTimeAsFileTime
0x49f254 GetTickCount
0x49f25c InitializeCriticalSection
0x49f264 LeaveCriticalSection
0x49f26c OpenThread
0x49f274 QueryPerformanceCounter
0x49f27c QueueUserAPC
0x49f284 RtlAddFunctionTable
0x49f28c RtlCaptureContext
0x49f294 RtlLookupFunctionEntry
0x49f29c RtlVirtualUnwind
0x49f2a4 SetUnhandledExceptionFilter
0x49f2ac Sleep
0x49f2b4 SleepEx
0x49f2bc TerminateProcess
0x49f2c4 TlsGetValue
0x49f2cc UnhandledExceptionFilter
0x49f2d4 VirtualProtect
0x49f2dc VirtualQuery
msvcrt.dll
0x49f2ec __C_specific_handler
0x49f2f4 __getmainargs
0x49f2fc __initenv
0x49f304 __iob_func
0x49f30c __lconv_init
0x49f314 __set_app_type
0x49f31c __setusermatherr
0x49f324 _acmdln
0x49f32c _amsg_exit
0x49f334 _cexit
0x49f33c _fmode
0x49f344 _initterm
0x49f34c _onexit
0x49f354 abort
0x49f35c calloc
0x49f364 exit
0x49f36c fprintf
0x49f374 free
0x49f37c fwrite
0x49f384 malloc
0x49f38c memcpy
0x49f394 signal
0x49f39c strlen
0x49f3a4 strncmp
0x49f3ac vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x49f1fc DeleteCriticalSection
0x49f204 EnterCriticalSection
0x49f20c FreeConsole
0x49f214 GetCurrentProcess
0x49f21c GetCurrentProcessId
0x49f224 GetCurrentThreadId
0x49f22c GetLastError
0x49f234 GetModuleHandleA
0x49f23c GetProcAddress
0x49f244 GetStartupInfoA
0x49f24c GetSystemTimeAsFileTime
0x49f254 GetTickCount
0x49f25c InitializeCriticalSection
0x49f264 LeaveCriticalSection
0x49f26c OpenThread
0x49f274 QueryPerformanceCounter
0x49f27c QueueUserAPC
0x49f284 RtlAddFunctionTable
0x49f28c RtlCaptureContext
0x49f294 RtlLookupFunctionEntry
0x49f29c RtlVirtualUnwind
0x49f2a4 SetUnhandledExceptionFilter
0x49f2ac Sleep
0x49f2b4 SleepEx
0x49f2bc TerminateProcess
0x49f2c4 TlsGetValue
0x49f2cc UnhandledExceptionFilter
0x49f2d4 VirtualProtect
0x49f2dc VirtualQuery
msvcrt.dll
0x49f2ec __C_specific_handler
0x49f2f4 __getmainargs
0x49f2fc __initenv
0x49f304 __iob_func
0x49f30c __lconv_init
0x49f314 __set_app_type
0x49f31c __setusermatherr
0x49f324 _acmdln
0x49f32c _amsg_exit
0x49f334 _cexit
0x49f33c _fmode
0x49f344 _initterm
0x49f34c _onexit
0x49f354 abort
0x49f35c calloc
0x49f364 exit
0x49f36c fprintf
0x49f374 free
0x49f37c fwrite
0x49f384 malloc
0x49f38c memcpy
0x49f394 signal
0x49f39c strlen
0x49f3a4 strncmp
0x49f3ac vfprintf
EAT(Export Address Table) is none