ScreenShot
| Created | 2023.08.18 18:10 | Machine | s1_win7_x6403 |
| Filename | 1ds3y.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 52 detected (Common, Reline, DownLoader45, GenericKDZ, unsafe, Kryptik, Vcsj, malicious, confidence, 100%, Eldorado, Attribute, HighConfidence, high confidence, HUBU, score, Strab, jydtuw, PWSX, Gencirc, Nekark, ruzqy, Artemis, Krypt, Sabsik, Wacatac, Detected, ai score=88, BScope, TrojanPSW, RedLine, RedLineStealer, Chgt, R002H0CH823, 73MEJ80SpeE, RXI3IGygRzs, susgen) | ||
| md5 | b78141a544759e1a07740aa28b35584c | ||
| sha256 | e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d | ||
| ssdeep | 49152:k7k4RlhEaqq33pnQkwGEVpLNBGWBgeRa4Wzroa1A6QxY0TafZf7:2EvnkwGEVp5xBgeRa4+oKA6QG02 | ||
| imphash | f8777667bbfa531db57c83c61c1abacf | ||
| impfuzzy | 48:SoWJcpH+PdD9vrxQSXtXqZr8cGt/zba634uFZdLw:SoWJcpH+P51rxHXtXqx8cGt/PaiC | ||
Network IP location
Signature (30cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | One or more non-whitelisted processes were created |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (22cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (15cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
USER32.dll
0x51f2e8 SetWindowDisplayAffinity
GDI32.dll
0x51f000 RestoreDC
KERNEL32.dll
0x51f030 CreateFileW
0x51f034 GetCPInfo
0x51f038 RaiseException
0x51f03c InitializeSRWLock
0x51f040 ReleaseSRWLockExclusive
0x51f044 AcquireSRWLockExclusive
0x51f048 EnterCriticalSection
0x51f04c LeaveCriticalSection
0x51f050 InitializeCriticalSectionEx
0x51f054 TryEnterCriticalSection
0x51f058 DeleteCriticalSection
0x51f05c GetCurrentThreadId
0x51f060 InitializeConditionVariable
0x51f064 WakeConditionVariable
0x51f068 WakeAllConditionVariable
0x51f06c SleepConditionVariableCS
0x51f070 SleepConditionVariableSRW
0x51f074 FormatMessageA
0x51f078 WideCharToMultiByte
0x51f07c MultiByteToWideChar
0x51f080 GetStringTypeW
0x51f084 InitOnceBeginInitialize
0x51f088 InitOnceComplete
0x51f08c GetLastError
0x51f090 FreeLibraryWhenCallbackReturns
0x51f094 CreateThreadpoolWork
0x51f098 SubmitThreadpoolWork
0x51f09c CloseThreadpoolWork
0x51f0a0 GetModuleHandleExW
0x51f0a4 RtlCaptureStackBackTrace
0x51f0a8 IsProcessorFeaturePresent
0x51f0ac QueryPerformanceCounter
0x51f0b0 QueryPerformanceFrequency
0x51f0b4 SetFileInformationByHandle
0x51f0b8 FlsAlloc
0x51f0bc FlsGetValue
0x51f0c0 FlsSetValue
0x51f0c4 FlsFree
0x51f0c8 InitOnceExecuteOnce
0x51f0cc CreateEventExW
0x51f0d0 CreateSemaphoreExW
0x51f0d4 FlushProcessWriteBuffers
0x51f0d8 GetCurrentProcessorNumber
0x51f0dc GetSystemTimeAsFileTime
0x51f0e0 GetTickCount64
0x51f0e4 CreateThreadpoolTimer
0x51f0e8 SetThreadpoolTimer
0x51f0ec WaitForThreadpoolTimerCallbacks
0x51f0f0 CloseThreadpoolTimer
0x51f0f4 CreateThreadpoolWait
0x51f0f8 SetThreadpoolWait
0x51f0fc CloseThreadpoolWait
0x51f100 GetModuleHandleW
0x51f104 GetProcAddress
0x51f108 GetFileInformationByHandleEx
0x51f10c CreateSymbolicLinkW
0x51f110 CloseHandle
0x51f114 WaitForSingleObjectEx
0x51f118 Sleep
0x51f11c SwitchToThread
0x51f120 GetExitCodeThread
0x51f124 GetNativeSystemInfo
0x51f128 LocalFree
0x51f12c EncodePointer
0x51f130 DecodePointer
0x51f134 LCMapStringEx
0x51f138 GetLocaleInfoEx
0x51f13c CompareStringEx
0x51f140 WriteConsoleW
0x51f144 InitializeCriticalSectionAndSpinCount
0x51f148 SetEvent
0x51f14c ResetEvent
0x51f150 CreateEventW
0x51f154 GetCurrentProcessId
0x51f158 InitializeSListHead
0x51f15c IsDebuggerPresent
0x51f160 UnhandledExceptionFilter
0x51f164 SetUnhandledExceptionFilter
0x51f168 GetStartupInfoW
0x51f16c GetCurrentProcess
0x51f170 TerminateProcess
0x51f174 HeapSize
0x51f178 RtlUnwind
0x51f17c InterlockedPushEntrySList
0x51f180 InterlockedFlushSList
0x51f184 SetLastError
0x51f188 TlsAlloc
0x51f18c TlsGetValue
0x51f190 TlsSetValue
0x51f194 TlsFree
0x51f198 FreeLibrary
0x51f19c LoadLibraryExW
0x51f1a0 CreateThread
0x51f1a4 ExitThread
0x51f1a8 ResumeThread
0x51f1ac FreeLibraryAndExitThread
0x51f1b0 GetStdHandle
0x51f1b4 WriteFile
0x51f1b8 GetModuleFileNameW
0x51f1bc ExitProcess
0x51f1c0 GetCommandLineA
0x51f1c4 GetCommandLineW
0x51f1c8 GetCurrentThread
0x51f1cc HeapFree
0x51f1d0 SetConsoleCtrlHandler
0x51f1d4 GetDateFormatW
0x51f1d8 GetTimeFormatW
0x51f1dc CompareStringW
0x51f1e0 LCMapStringW
0x51f1e4 GetLocaleInfoW
0x51f1e8 IsValidLocale
0x51f1ec GetUserDefaultLCID
0x51f1f0 EnumSystemLocalesW
0x51f1f4 HeapAlloc
0x51f1f8 GetFileType
0x51f1fc GetFileSizeEx
0x51f200 SetFilePointerEx
0x51f204 FlushFileBuffers
0x51f208 GetConsoleOutputCP
0x51f20c GetConsoleMode
0x51f210 ReadFile
0x51f214 ReadConsoleW
0x51f218 HeapReAlloc
0x51f21c GetTimeZoneInformation
0x51f220 OutputDebugStringW
0x51f224 FindClose
0x51f228 FindFirstFileExW
0x51f22c FindNextFileW
0x51f230 IsValidCodePage
0x51f234 GetACP
0x51f238 GetOEMCP
0x51f23c GetEnvironmentStringsW
0x51f240 FreeEnvironmentStringsW
0x51f244 SetEnvironmentVariableW
0x51f248 SetStdHandle
0x51f24c GetProcessHeap
EAT(Export Address Table) is none
USER32.dll
0x51f2e8 SetWindowDisplayAffinity
GDI32.dll
0x51f000 RestoreDC
KERNEL32.dll
0x51f030 CreateFileW
0x51f034 GetCPInfo
0x51f038 RaiseException
0x51f03c InitializeSRWLock
0x51f040 ReleaseSRWLockExclusive
0x51f044 AcquireSRWLockExclusive
0x51f048 EnterCriticalSection
0x51f04c LeaveCriticalSection
0x51f050 InitializeCriticalSectionEx
0x51f054 TryEnterCriticalSection
0x51f058 DeleteCriticalSection
0x51f05c GetCurrentThreadId
0x51f060 InitializeConditionVariable
0x51f064 WakeConditionVariable
0x51f068 WakeAllConditionVariable
0x51f06c SleepConditionVariableCS
0x51f070 SleepConditionVariableSRW
0x51f074 FormatMessageA
0x51f078 WideCharToMultiByte
0x51f07c MultiByteToWideChar
0x51f080 GetStringTypeW
0x51f084 InitOnceBeginInitialize
0x51f088 InitOnceComplete
0x51f08c GetLastError
0x51f090 FreeLibraryWhenCallbackReturns
0x51f094 CreateThreadpoolWork
0x51f098 SubmitThreadpoolWork
0x51f09c CloseThreadpoolWork
0x51f0a0 GetModuleHandleExW
0x51f0a4 RtlCaptureStackBackTrace
0x51f0a8 IsProcessorFeaturePresent
0x51f0ac QueryPerformanceCounter
0x51f0b0 QueryPerformanceFrequency
0x51f0b4 SetFileInformationByHandle
0x51f0b8 FlsAlloc
0x51f0bc FlsGetValue
0x51f0c0 FlsSetValue
0x51f0c4 FlsFree
0x51f0c8 InitOnceExecuteOnce
0x51f0cc CreateEventExW
0x51f0d0 CreateSemaphoreExW
0x51f0d4 FlushProcessWriteBuffers
0x51f0d8 GetCurrentProcessorNumber
0x51f0dc GetSystemTimeAsFileTime
0x51f0e0 GetTickCount64
0x51f0e4 CreateThreadpoolTimer
0x51f0e8 SetThreadpoolTimer
0x51f0ec WaitForThreadpoolTimerCallbacks
0x51f0f0 CloseThreadpoolTimer
0x51f0f4 CreateThreadpoolWait
0x51f0f8 SetThreadpoolWait
0x51f0fc CloseThreadpoolWait
0x51f100 GetModuleHandleW
0x51f104 GetProcAddress
0x51f108 GetFileInformationByHandleEx
0x51f10c CreateSymbolicLinkW
0x51f110 CloseHandle
0x51f114 WaitForSingleObjectEx
0x51f118 Sleep
0x51f11c SwitchToThread
0x51f120 GetExitCodeThread
0x51f124 GetNativeSystemInfo
0x51f128 LocalFree
0x51f12c EncodePointer
0x51f130 DecodePointer
0x51f134 LCMapStringEx
0x51f138 GetLocaleInfoEx
0x51f13c CompareStringEx
0x51f140 WriteConsoleW
0x51f144 InitializeCriticalSectionAndSpinCount
0x51f148 SetEvent
0x51f14c ResetEvent
0x51f150 CreateEventW
0x51f154 GetCurrentProcessId
0x51f158 InitializeSListHead
0x51f15c IsDebuggerPresent
0x51f160 UnhandledExceptionFilter
0x51f164 SetUnhandledExceptionFilter
0x51f168 GetStartupInfoW
0x51f16c GetCurrentProcess
0x51f170 TerminateProcess
0x51f174 HeapSize
0x51f178 RtlUnwind
0x51f17c InterlockedPushEntrySList
0x51f180 InterlockedFlushSList
0x51f184 SetLastError
0x51f188 TlsAlloc
0x51f18c TlsGetValue
0x51f190 TlsSetValue
0x51f194 TlsFree
0x51f198 FreeLibrary
0x51f19c LoadLibraryExW
0x51f1a0 CreateThread
0x51f1a4 ExitThread
0x51f1a8 ResumeThread
0x51f1ac FreeLibraryAndExitThread
0x51f1b0 GetStdHandle
0x51f1b4 WriteFile
0x51f1b8 GetModuleFileNameW
0x51f1bc ExitProcess
0x51f1c0 GetCommandLineA
0x51f1c4 GetCommandLineW
0x51f1c8 GetCurrentThread
0x51f1cc HeapFree
0x51f1d0 SetConsoleCtrlHandler
0x51f1d4 GetDateFormatW
0x51f1d8 GetTimeFormatW
0x51f1dc CompareStringW
0x51f1e0 LCMapStringW
0x51f1e4 GetLocaleInfoW
0x51f1e8 IsValidLocale
0x51f1ec GetUserDefaultLCID
0x51f1f0 EnumSystemLocalesW
0x51f1f4 HeapAlloc
0x51f1f8 GetFileType
0x51f1fc GetFileSizeEx
0x51f200 SetFilePointerEx
0x51f204 FlushFileBuffers
0x51f208 GetConsoleOutputCP
0x51f20c GetConsoleMode
0x51f210 ReadFile
0x51f214 ReadConsoleW
0x51f218 HeapReAlloc
0x51f21c GetTimeZoneInformation
0x51f220 OutputDebugStringW
0x51f224 FindClose
0x51f228 FindFirstFileExW
0x51f22c FindNextFileW
0x51f230 IsValidCodePage
0x51f234 GetACP
0x51f238 GetOEMCP
0x51f23c GetEnvironmentStringsW
0x51f240 FreeEnvironmentStringsW
0x51f244 SetEnvironmentVariableW
0x51f248 SetStdHandle
0x51f24c GetProcessHeap
EAT(Export Address Table) is none