ScreenShot
| Created | 2023.08.10 16:40 | Machine | s1_win7_x6403 |
| Filename | 159.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 46 detected (AIDetectMalware, Pcumi, malicious, high confidence, 9KW@I92pcumi, Kryptik, V4k9, Eldorado, Attribute, HighConfidence, HUBU, score, MalwareX, Generic@AI, RDML, hDhT9JyIaiCMUc0rw3NWGw, Nekark, jfhbf, Siggen20, Locky, GenericRXWF, Outbreak, Vigorf, Detected, ai score=84, BScope, Chgt, Static AI, Suspicious PE, susgen, confidence, 100%) | ||
| md5 | fbc04c52eb18b7db7206ef8cd0bbc1ab | ||
| sha256 | 6b0494bef1b645ecf957f9f2b81c3aa985a9ebaaf29a2ecfb4d8aea023fcac13 | ||
| ssdeep | 12288:T0QZ/qYtu5LNSC5/lfiIDnqNlSuFZrtzm+Rbak+lAitGbNf4R0j2OJkZC5wqaMEa:wQzwRfiSniRLa5ahJQRIzJCywqaXdyl | ||
| imphash | 283efa8b8b510b11551f297f9dcd33d1 | ||
| impfuzzy | 24:7kf0HTOovTS1jtGGzplJeDc+pl3eDoLotOsFURZHu93vFZSudTxGMck:AsHSOS1jtGGz2c+ppXhyFZSux | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
USER32.dll
0x4981e4 GetPhysicalCursorPos
COMCTL32.dll
0x498000 ImageList_SetDragCursorImage
KERNEL32.dll
0x498030 WriteConsoleW
0x498034 GetCommandLineA
0x498038 GetModuleFileNameA
0x49803c CopyFileA
0x498040 QueryPerformanceCounter
0x498044 GetCurrentProcessId
0x498048 GetCurrentThreadId
0x49804c GetSystemTimeAsFileTime
0x498050 InitializeSListHead
0x498054 IsDebuggerPresent
0x498058 UnhandledExceptionFilter
0x49805c SetUnhandledExceptionFilter
0x498060 GetStartupInfoW
0x498064 IsProcessorFeaturePresent
0x498068 GetModuleHandleW
0x49806c GetCurrentProcess
0x498070 TerminateProcess
0x498074 CloseHandle
0x498078 RaiseException
0x49807c RtlUnwind
0x498080 InterlockedPushEntrySList
0x498084 InterlockedFlushSList
0x498088 GetLastError
0x49808c SetLastError
0x498090 EncodePointer
0x498094 EnterCriticalSection
0x498098 LeaveCriticalSection
0x49809c DeleteCriticalSection
0x4980a0 InitializeCriticalSectionAndSpinCount
0x4980a4 TlsAlloc
0x4980a8 TlsGetValue
0x4980ac TlsSetValue
0x4980b0 TlsFree
0x4980b4 FreeLibrary
0x4980b8 GetProcAddress
0x4980bc LoadLibraryExW
0x4980c0 GetStdHandle
0x4980c4 WriteFile
0x4980c8 GetModuleFileNameW
0x4980cc ExitProcess
0x4980d0 GetModuleHandleExW
0x4980d4 DecodePointer
0x4980d8 GetCommandLineW
0x4980dc GetCurrentThread
0x4980e0 OutputDebugStringW
0x4980e4 HeapAlloc
0x4980e8 HeapFree
0x4980ec FindClose
0x4980f0 FindFirstFileExW
0x4980f4 FindNextFileW
0x4980f8 IsValidCodePage
0x4980fc GetACP
0x498100 GetOEMCP
0x498104 GetCPInfo
0x498108 MultiByteToWideChar
0x49810c WideCharToMultiByte
0x498110 GetEnvironmentStringsW
0x498114 FreeEnvironmentStringsW
0x498118 SetEnvironmentVariableW
0x49811c SetStdHandle
0x498120 GetFileType
0x498124 GetStringTypeW
0x498128 GetLocaleInfoW
0x49812c IsValidLocale
0x498130 GetUserDefaultLCID
0x498134 EnumSystemLocalesW
0x498138 GetDateFormatW
0x49813c GetTimeFormatW
0x498140 CompareStringW
0x498144 LCMapStringW
0x498148 GetProcessHeap
0x49814c SetConsoleCtrlHandler
0x498150 HeapSize
0x498154 HeapReAlloc
0x498158 FlushFileBuffers
0x49815c GetConsoleOutputCP
0x498160 GetConsoleMode
0x498164 GetFileSizeEx
0x498168 SetFilePointerEx
0x49816c ReadFile
0x498170 ReadConsoleW
0x498174 CreateFileW
EAT(Export Address Table) is none
USER32.dll
0x4981e4 GetPhysicalCursorPos
COMCTL32.dll
0x498000 ImageList_SetDragCursorImage
KERNEL32.dll
0x498030 WriteConsoleW
0x498034 GetCommandLineA
0x498038 GetModuleFileNameA
0x49803c CopyFileA
0x498040 QueryPerformanceCounter
0x498044 GetCurrentProcessId
0x498048 GetCurrentThreadId
0x49804c GetSystemTimeAsFileTime
0x498050 InitializeSListHead
0x498054 IsDebuggerPresent
0x498058 UnhandledExceptionFilter
0x49805c SetUnhandledExceptionFilter
0x498060 GetStartupInfoW
0x498064 IsProcessorFeaturePresent
0x498068 GetModuleHandleW
0x49806c GetCurrentProcess
0x498070 TerminateProcess
0x498074 CloseHandle
0x498078 RaiseException
0x49807c RtlUnwind
0x498080 InterlockedPushEntrySList
0x498084 InterlockedFlushSList
0x498088 GetLastError
0x49808c SetLastError
0x498090 EncodePointer
0x498094 EnterCriticalSection
0x498098 LeaveCriticalSection
0x49809c DeleteCriticalSection
0x4980a0 InitializeCriticalSectionAndSpinCount
0x4980a4 TlsAlloc
0x4980a8 TlsGetValue
0x4980ac TlsSetValue
0x4980b0 TlsFree
0x4980b4 FreeLibrary
0x4980b8 GetProcAddress
0x4980bc LoadLibraryExW
0x4980c0 GetStdHandle
0x4980c4 WriteFile
0x4980c8 GetModuleFileNameW
0x4980cc ExitProcess
0x4980d0 GetModuleHandleExW
0x4980d4 DecodePointer
0x4980d8 GetCommandLineW
0x4980dc GetCurrentThread
0x4980e0 OutputDebugStringW
0x4980e4 HeapAlloc
0x4980e8 HeapFree
0x4980ec FindClose
0x4980f0 FindFirstFileExW
0x4980f4 FindNextFileW
0x4980f8 IsValidCodePage
0x4980fc GetACP
0x498100 GetOEMCP
0x498104 GetCPInfo
0x498108 MultiByteToWideChar
0x49810c WideCharToMultiByte
0x498110 GetEnvironmentStringsW
0x498114 FreeEnvironmentStringsW
0x498118 SetEnvironmentVariableW
0x49811c SetStdHandle
0x498120 GetFileType
0x498124 GetStringTypeW
0x498128 GetLocaleInfoW
0x49812c IsValidLocale
0x498130 GetUserDefaultLCID
0x498134 EnumSystemLocalesW
0x498138 GetDateFormatW
0x49813c GetTimeFormatW
0x498140 CompareStringW
0x498144 LCMapStringW
0x498148 GetProcessHeap
0x49814c SetConsoleCtrlHandler
0x498150 HeapSize
0x498154 HeapReAlloc
0x498158 FlushFileBuffers
0x49815c GetConsoleOutputCP
0x498160 GetConsoleMode
0x498164 GetFileSizeEx
0x498168 SetFilePointerEx
0x49816c ReadFile
0x498170 ReadConsoleW
0x498174 CreateFileW
EAT(Export Address Table) is none