Field | Value |
---|---|
Created | 2023.07.26 17:31 |
Machine | s1_win7_x6403 |
Filename | explore.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
VT API (file) | 51 detected (Common, Rekvex, Zusy, Rozena, Vbsa, ABRisk, VDRD, Attribute, HighConfidence, malicious, high confidence, score, TrojanX, Gencirc, Redcap, nksry, R002C0XGP23, Detected, R521258, Artemis, ai score=80, unsafe, Chgt, IE1K4aiQOqH, JMMR, cwKE, susgen, confidence, 100%) |
md5 | 0eb17599a6d6340826cde1fb9555a801 |
sha256 | bf1462ab1a3cf16b7d68d3adf6e045445295dc6aeeb282a8aa2cbdfba764bae5 |
ssdeep | 1536:uszP8laTTjQTUCoL+bfDioMqmmQqVsW3d09dlP9uCZc5:uszEmXQISLioMkQEMh9uC |
imphash | 3bd4d8d7ac218192f962c78cd0a6d8f2 |
impfuzzy | 24:0McS1o0qtSmlJnc+pl3eDoTY2EOovbO3URZHu93vB3CgBU:AS1YtSkc+pp/YS3vBZe |
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Detects the presence of Wine emulator |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | One or more potentially interesting buffers were extracted |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x14000e000 VirtualAlloc
0x14000e008 Sleep
0x14000e010 WriteConsoleW
0x14000e018 CloseHandle
0x14000e020 CreateFileW
0x14000e028 SetFilePointerEx
0x14000e030 GetConsoleMode
0x14000e038 QueryPerformanceCounter
0x14000e040 GetCurrentProcessId
0x14000e048 GetCurrentThreadId
0x14000e050 GetSystemTimeAsFileTime
0x14000e058 InitializeSListHead
0x14000e060 RtlCaptureContext
0x14000e068 RtlLookupFunctionEntry
0x14000e070 RtlVirtualUnwind
0x14000e078 IsDebuggerPresent
0x14000e080 UnhandledExceptionFilter
0x14000e088 SetUnhandledExceptionFilter
0x14000e090 GetStartupInfoW
0x14000e098 IsProcessorFeaturePresent
0x14000e0a0 GetModuleHandleW
0x14000e0a8 RtlUnwindEx
0x14000e0b0 GetLastError
0x14000e0b8 SetLastError
0x14000e0c0 EnterCriticalSection
0x14000e0c8 LeaveCriticalSection
0x14000e0d0 DeleteCriticalSection
0x14000e0d8 InitializeCriticalSectionAndSpinCount
0x14000e0e0 TlsAlloc
0x14000e0e8 TlsGetValue
0x14000e0f0 TlsSetValue
0x14000e0f8 TlsFree
0x14000e100 FreeLibrary
0x14000e108 GetProcAddress
0x14000e110 LoadLibraryExW
0x14000e118 RaiseException
0x14000e120 GetStdHandle
0x14000e128 WriteFile
0x14000e130 GetModuleFileNameW
0x14000e138 GetCurrentProcess
0x14000e140 ExitProcess
0x14000e148 TerminateProcess
0x14000e150 GetModuleHandleExW
0x14000e158 GetCommandLineA
0x14000e160 GetCommandLineW
0x14000e168 HeapAlloc
0x14000e170 HeapFree
0x14000e178 FindClose
0x14000e180 FindFirstFileExW
0x14000e188 FindNextFileW
0x14000e190 IsValidCodePage
0x14000e198 GetACP
0x14000e1a0 GetOEMCP
0x14000e1a8 GetCPInfo
0x14000e1b0 MultiByteToWideChar
0x14000e1b8 WideCharToMultiByte
0x14000e1c0 GetEnvironmentStringsW
0x14000e1c8 FreeEnvironmentStringsW
0x14000e1d0 SetEnvironmentVariableW
0x14000e1d8 SetStdHandle
0x14000e1e0 GetFileType
0x14000e1e8 GetStringTypeW
0x14000e1f0 CompareStringW
0x14000e1f8 LCMapStringW
0x14000e200 GetProcessHeap
0x14000e208 HeapSize
0x14000e210 HeapReAlloc
0x14000e218 FlushFileBuffers
0x14000e220 GetConsoleOutputCP
WSOCK32.dll
0x14000e230 send
0x14000e238 socket
0x14000e240 connect
0x14000e248 recv
0x14000e250 WSAStartup
0x14000e258 closesocket
EAT (Export Address Table): none