Field | Value |
---|---|
Created | 2023.07.30 09:00 |
Machine | s1_win7_x6403 |
Filename | RobluxCoins.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
ZERO API | file : malware |
VT API (file) | 45 detected (Common, Shelma, malicious, high confidence, GenericKD, Artemis, PasswordStealer, Save, ABRisk, QYJW, Attribute, HighConfidence, abxe, Rimw, mjgvm, GenKD, ai score=89, Casdet, Detected, unsafe, RansomGen, R03BC0XGR23, iTLV1Mk31UI, PossibleThreat, confidence, 100%) |
md5 | d13b979b1bd8830f093bb9aab1c3f80e |
sha256 | d147723c89539aa5c4cc1ffc41478111a4c058bee7c0faa73ef3c77294a997bb |
ssdeep | 24576:ROCEhCCa2ruQpGU0WZnQNXeicIIKQ/CFO:ROC5NWZnQNXed1/CF |
imphash | 9610b1b4706329fadcb93ef9d2576318 |
impfuzzy | 24:8fg1JcDzncLJ8a0meOX0MG95XGGZC8ETomvlA/GGqdZVdwL:8fg1iclLebRJGsC8ET1vm/GGqXA |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Manipulates memory of a non-child process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Suricata ids
PE API
IAT (Import Address Table)
KERNEL32.dll
0x517278 DeleteCriticalSection
0x517280 EnterCriticalSection
0x517288 GetCurrentProcess
0x517290 GetCurrentProcessId
0x517298 GetCurrentThreadId
0x5172a0 GetLastError
0x5172a8 GetProcAddress
0x5172b0 GetStartupInfoA
0x5172b8 GetSystemTimeAsFileTime
0x5172c0 GetTickCount
0x5172c8 InitializeCriticalSection
0x5172d0 LeaveCriticalSection
0x5172d8 LoadLibraryA
0x5172e0 QueryPerformanceCounter
0x5172e8 RtlAddFunctionTable
0x5172f0 RtlCaptureContext
0x5172f8 RtlLookupFunctionEntry
0x517300 RtlVirtualUnwind
0x517308 SetUnhandledExceptionFilter
0x517310 Sleep
0x517318 TerminateProcess
0x517320 TlsGetValue
0x517328 UnhandledExceptionFilter
0x517330 VirtualAlloc
0x517338 VirtualFree
0x517340 VirtualProtect
0x517348 VirtualQuery
msvcrt.dll
0x517358 __C_specific_handler
0x517360 __getmainargs
0x517368 __initenv
0x517370 __iob_func
0x517378 __lconv_init
0x517380 __set_app_type
0x517388 __setusermatherr
0x517390 _acmdln
0x517398 _amsg_exit
0x5173a0 _cexit
0x5173a8 _fileno
0x5173b0 _fmode
0x5173b8 _get_osfhandle
0x5173c0 _initterm
0x5173c8 _onexit
0x5173d0 _setjmp
0x5173d8 _setmode
0x5173e0 _wfopen
0x5173e8 abort
0x5173f0 calloc
0x5173f8 exit
0x517400 fflush
0x517408 fprintf
0x517410 fputc
0x517418 fputs
0x517420 free
0x517428 fwrite
0x517430 malloc
0x517438 memchr
0x517440 memcpy
0x517448 memset
0x517450 printf
0x517458 setvbuf
0x517460 signal
0x517468 strlen
0x517470 strncmp
0x517478 vfprintf
0x517480 longjmp
USER32.dll
0x517490 MessageBoxA
EAT (Export Address Table) is none