Field | Value |
---|---|
Created | 2023.08.18 18:10 |
Machine | s1_win7_x6403 |
Filename | s28a1f.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 97ae7169e56c372a7d45996303c06d45 |
sha256 | 66b65d1fdaa1182cf815adde1dd40e3e25c81335ad69ecf87657d9e20f540c34 |
ssdeep | 12288:1BCYtKQF/nEl2jwc+tvGDsFL6he7DqD2vHoINw18b98kfsrc5yFhlGx:1AYtK4/nEl2jwc+tvGDsFL6he7DqD2vb |
imphash | 55c1a233198f5209edef885f510d9994 |
impfuzzy | 24:qc1e0Dpej8YiOovUcfdYqdgFQ8Ryv4/J3IjT4+jluJsgqTL0A:XY1Bcf7dHeMc+jsJdi |
Network IP location
Signature (15 counts)
Level | Description |
---|---|
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client softwares |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (3 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40a034 GetModuleHandleW
0x40a038 GetLastError
0x40a03c CreateMutexA
0x40a040 FindResourceW
0x40a044 FreeConsole
0x40a048 SizeofResource
0x40a04c LoadResource
0x40a050 LockResource
0x40a054 VirtualAlloc
0x40a058 LoadLibraryA
0x40a05c GetProcAddress
0x40a060 lstrlenW
0x40a064 VirtualProtect
0x40a068 CreateThread
0x40a06c WaitForSingleObject
0x40a070 Sleep
0x40a074 GetModuleHandleA
0x40a078 AreFileApisANSI
0x40a07c HeapAlloc
0x40a080 GetCommandLineA
0x40a084 DeleteCriticalSection
0x40a088 LeaveCriticalSection
0x40a08c EnterCriticalSection
0x40a090 HeapFree
0x40a094 VirtualFree
0x40a098 HeapReAlloc
0x40a09c HeapCreate
0x40a0a0 ExitProcess
0x40a0a4 WriteFile
0x40a0a8 GetStdHandle
0x40a0ac GetModuleFileNameA
0x40a0b0 SetUnhandledExceptionFilter
0x40a0b4 FreeEnvironmentStringsA
0x40a0b8 GetEnvironmentStrings
0x40a0bc FreeEnvironmentStringsW
0x40a0c0 WideCharToMultiByte
0x40a0c4 GetEnvironmentStringsW
0x40a0c8 SetHandleCount
0x40a0cc GetFileType
0x40a0d0 GetStartupInfoA
0x40a0d4 TlsGetValue
0x40a0d8 TlsAlloc
0x40a0dc TlsSetValue
0x40a0e0 TlsFree
0x40a0e4 InterlockedIncrement
0x40a0e8 SetLastError
0x40a0ec GetCurrentThreadId
0x40a0f0 InterlockedDecrement
0x40a0f4 QueryPerformanceCounter
0x40a0f8 GetTickCount
0x40a0fc GetCurrentProcessId
0x40a100 GetSystemTimeAsFileTime
0x40a104 TerminateProcess
0x40a108 GetCurrentProcess
0x40a10c UnhandledExceptionFilter
0x40a110 IsDebuggerPresent
0x40a114 InitializeCriticalSectionAndSpinCount
0x40a118 RtlUnwind
0x40a11c GetCPInfo
0x40a120 GetACP
0x40a124 GetOEMCP
0x40a128 IsValidCodePage
0x40a12c HeapSize
0x40a130 GetLocaleInfoA
0x40a134 LCMapStringA
0x40a138 MultiByteToWideChar
0x40a13c LCMapStringW
0x40a140 GetStringTypeA
0x40a144 GetStringTypeW
USER32.dll
0x40a14c LoadMenuA
GDI32.dll
0x40a014 GetStockObject
0x40a018 DeleteObject
0x40a01c SetBkMode
0x40a020 SetTextColor
0x40a024 CreateFontIndirectA
0x40a028 SelectObject
0x40a02c GetObjectA
COMDLG32.dll
0x40a008 GetSaveFileNameA
0x40a00c GetOpenFileNameA
ADVAPI32.dll
0x40a000 RegDeleteKeyA
EAT (Export Address Table) is none