Field | Value |
---|---|
Created | 2023.08.28 01:53 |
Machine | s1_win7_x6402 |
Filename | AMSI.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 13 detected (AIDetectMalware, Malicious, score, Artemis, unsafe, Swrort, Python, Detected) |
md5 | a48cb4ce6676d6c36cc5a40434cd629d |
sha256 | 731cd163caaa25f6c3f0a04796fcd0239295cdf768da99c608c6a917b3dc0b60 |
ssdeep | 98304:DFUc2GZJ8MmNmaKZcaIZiiAWmWVglqWjfMX/y5oVqLn/oApyCPA4bp2FzZT0jufm:AGZJ8Mm46JHmNkWu/ySQxyqbpSzZTfuf |
imphash | acbc8f761f4e19d096f011fd86326533 |
impfuzzy | 24:SAzDoCjfOiFj6bplS4vK5TXPEA3O5Oov/tDi3eu9h/J3IYxIFejMzHOT4DwuOqX:m3p8qEESO8YtDmRDIucDoqX |
Signature (5cnts)
Level | Description |
---|---|
watch | Creates a windows hook that monitors keyboard input (keylogger) |
watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
info | Checks amount of memory in system |
Rules (19cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
USER32.dll
0x414180 MessageBoxA
KERNEL32.dll
0x414000 RemoveDirectoryA
0x414004 TlsSetValue
0x414008 GetVersionExA
0x41400c GetProcAddress
0x414010 LoadLibraryA
0x414014 GetModuleFileNameA
0x414018 GetModuleFileNameW
0x41401c GetExitCodeProcess
0x414020 WaitForSingleObject
0x414024 CreateProcessW
0x414028 GetCommandLineW
0x41402c GetStartupInfoW
0x414030 GetTempPathA
0x414034 GetLastError
0x414038 LoadLibraryExA
0x41403c Sleep
0x414040 CreateDirectoryA
0x414044 SetStdHandle
0x414048 EnterCriticalSection
0x41404c InitializeCriticalSectionAndSpinCount
0x414050 LeaveCriticalSection
0x414054 GetFileType
0x414058 DecodePointer
0x41405c EncodePointer
0x414060 SetConsoleCtrlHandler
0x414064 HeapFree
0x414068 GetModuleHandleW
0x41406c ExitProcess
0x414070 FindClose
0x414074 FileTimeToSystemTime
0x414078 FileTimeToLocalFileTime
0x41407c GetDriveTypeA
0x414080 FindFirstFileExA
0x414084 HeapAlloc
0x414088 DeleteFileA
0x41408c FindNextFileA
0x414090 GetCommandLineA
0x414094 HeapSetInformation
0x414098 TerminateProcess
0x41409c GetCurrentProcess
0x4140a0 UnhandledExceptionFilter
0x4140a4 SetUnhandledExceptionFilter
0x4140a8 IsDebuggerPresent
0x4140ac IsProcessorFeaturePresent
0x4140b0 RtlUnwind
0x4140b4 SetHandleCount
0x4140b8 GetStdHandle
0x4140bc DeleteCriticalSection
0x4140c0 TlsAlloc
0x4140c4 TlsGetValue
0x4140c8 SetEnvironmentVariableW
0x4140cc TlsFree
0x4140d0 InterlockedIncrement
0x4140d4 SetLastError
0x4140d8 GetCurrentThreadId
0x4140dc InterlockedDecrement
0x4140e0 HeapCreate
0x4140e4 WideCharToMultiByte
0x4140e8 LoadLibraryW
0x4140ec WriteFile
0x4140f0 GetFullPathNameA
0x4140f4 CloseHandle
0x4140f8 GetFileInformationByHandle
0x4140fc PeekNamedPipe
0x414100 CreateFileA
0x414104 GetCurrentDirectoryW
0x414108 GetFileAttributesA
0x41410c MultiByteToWideChar
0x414110 ReadFile
0x414114 SetFilePointer
0x414118 GetConsoleCP
0x41411c GetConsoleMode
0x414120 FreeEnvironmentStringsW
0x414124 GetEnvironmentStringsW
0x414128 QueryPerformanceCounter
0x41412c GetTickCount
0x414130 GetCurrentProcessId
0x414134 GetSystemTimeAsFileTime
0x414138 HeapReAlloc
0x41413c FlushFileBuffers
0x414140 GetCPInfo
0x414144 GetACP
0x414148 GetOEMCP
0x41414c IsValidCodePage
0x414150 CompareStringW
0x414154 SetEnvironmentVariableA
0x414158 HeapSize
0x41415c GetDriveTypeW
0x414160 SetEndOfFile
0x414164 GetProcessHeap
0x414168 GetTimeZoneInformation
0x41416c LCMapStringW
0x414170 WriteConsoleW
0x414174 GetStringTypeW
0x414178 CreateFileW
WS2_32.dll
0x414188 ntohl
EAT (Export Address Table): none
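The imphash field at the top of the report is derived from the IAT listed above, and it is only useful for clustering if you know exactly how it was computed. The script below is an added example, not code from the report or from its sandbox: it transcribes the listed imports and slot addresses and recomputes the import hash with the same normalisation that pefile's get_imphash() applies (lower-case "lib.func" tokens, DLL extension stripped, comma-joined, MD5). The on-disk import-descriptor order is the one assumption: the listing shows USER32 first, but the slot addresses (KERNEL32 at 0x414000-0x414178, USER32 at 0x414180, WS2_32 at 0x414188, with an 8-byte gap at each library boundary where the 4-byte null terminator sits) point to KERNEL32, USER32, WS2_32 as the thunk-table layout, so both candidate orders are computed. Compare the result with the reported value acbc8f761f4e19d096f011fd86326533 only after confirming the descriptor order with pefile on the sample itself. Two other checks worth making against the table: the 4-byte slot spacing is consistent with the PE32 type the report states, and SetWindowsHookEx is absent from the static imports, so the "keyboard hook" signature presumably comes from a call resolved at runtime (LoadLibraryA and GetProcAddress are both imported) or from the dropped executable the signatures mention.

```python
"""Recompute a PE report's imphash from its IAT listing (stdlib only).

Added example; not code from the sandbox report above. It re-implements
the normalisation pefile.PE.get_imphash() applies (lower-case "lib.func"
tokens, .dll/.ocx/.sys stripped, joined by commas, MD5) so the imphash
field can be reproduced and compared across samples. Import names and
slot addresses are transcribed from the report; which import-descriptor
order the file uses on disk is an ASSUMPTION, so two candidates are
computed for the reader to compare against the reported value.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple, Union

# Transcribed from the report's IAT table: library -> (first slot, names).
# Within one library the report shows slots 4 bytes apart, in this order.
REPORT_IAT: Dict[str, Tuple[int, List[str]]] = {
    "USER32.dll": (0x414180, ["MessageBoxA"]),
    "KERNEL32.dll": (0x414000, """
        RemoveDirectoryA TlsSetValue GetVersionExA GetProcAddress LoadLibraryA
        GetModuleFileNameA GetModuleFileNameW GetExitCodeProcess
        WaitForSingleObject CreateProcessW GetCommandLineW GetStartupInfoW
        GetTempPathA GetLastError LoadLibraryExA Sleep CreateDirectoryA
        SetStdHandle EnterCriticalSection InitializeCriticalSectionAndSpinCount
        LeaveCriticalSection GetFileType DecodePointer EncodePointer
        SetConsoleCtrlHandler HeapFree GetModuleHandleW ExitProcess FindClose
        FileTimeToSystemTime FileTimeToLocalFileTime GetDriveTypeA
        FindFirstFileExA HeapAlloc DeleteFileA FindNextFileA GetCommandLineA
        HeapSetInformation TerminateProcess GetCurrentProcess
        UnhandledExceptionFilter SetUnhandledExceptionFilter IsDebuggerPresent
        IsProcessorFeaturePresent RtlUnwind SetHandleCount GetStdHandle
        DeleteCriticalSection TlsAlloc TlsGetValue SetEnvironmentVariableW
        TlsFree InterlockedIncrement SetLastError GetCurrentThreadId
        InterlockedDecrement HeapCreate WideCharToMultiByte LoadLibraryW
        WriteFile GetFullPathNameA CloseHandle GetFileInformationByHandle
        PeekNamedPipe CreateFileA GetCurrentDirectoryW GetFileAttributesA
        MultiByteToWideChar ReadFile SetFilePointer GetConsoleCP GetConsoleMode
        FreeEnvironmentStringsW GetEnvironmentStringsW QueryPerformanceCounter
        GetTickCount GetCurrentProcessId GetSystemTimeAsFileTime HeapReAlloc
        FlushFileBuffers GetCPInfo GetACP GetOEMCP IsValidCodePage
        CompareStringW SetEnvironmentVariableA HeapSize GetDriveTypeW
        SetEndOfFile GetProcessHeap GetTimeZoneInformation LCMapStringW
        WriteConsoleW GetStringTypeW CreateFileW
        """.split()),
    "WS2_32.dll": (0x414188, ["ntohl"]),
}


def iat_entries(iat: Dict[str, Tuple[int, List[str]]] = REPORT_IAT) -> List[Tuple[int, str, str]]:
    """Expand the table into (slot address, library, function), sorted by address."""
    rows = [(base + 4 * i, lib, name)
            for lib, (base, names) in iat.items()
            for i, name in enumerate(names)]
    return sorted(rows)


def imp_token(lib: str, func: Union[str, int]) -> str:
    """One 'lib.func' token, normalised the way pefile builds its imphash."""
    lib = lib.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    # Imports by ordinal become "ordN" (pefile maps a few well-known ordinals
    # to names; this report has no ordinal imports, so that table is omitted).
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """MD5 over the comma-joined tokens, in import-descriptor order."""
    joined = ",".join(imp_token(lib, func) for lib, func in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def candidate_imphashes(iat=REPORT_IAT) -> Dict[str, str]:
    """Imphash under the two descriptor orders this listing could reflect."""
    listed = [(lib, f) for lib, (_, names) in iat.items() for f in names]
    by_addr = [(lib, f) for _, lib, f in iat_entries(iat)]
    return {"report_order": imphash(listed), "iat_address_order": imphash(by_addr)}


def slot_width(iat=REPORT_IAT) -> int:
    """Smallest spacing between consecutive slots: 4 means a 32-bit IAT (PE32)."""
    addrs = [a for a, _, _ in iat_entries(iat)]
    return min(b - a for a, b in zip(addrs, addrs[1:]))


def layout_consistent(iat=REPORT_IAT) -> bool:
    """True if every gap is one slot (same library) or two slots (the null
    terminator that ends one library's thunk list before the next begins)."""
    w = slot_width(iat)
    rows = iat_entries(iat)
    for (a, la, _), (b, lb, _) in zip(rows, rows[1:]):
        if b - a != (w if la == lb else 2 * w):
            return False
    return True


if __name__ == "__main__":
    print("slot width:", slot_width(), "layout consistent:", layout_consistent())
    for order, digest in candidate_imphashes().items():
        print(f"{order:18} {digest}")
```

Run it as a script and it prints the slot width, whether the slot layout is self-consistent, and one digest per candidate order; whichever matches the imphash field tells you which descriptor order the sandbox's pefile saw. If neither matches, the report's IAT listing is incomplete or reordered and the imphash should be recomputed from the sample directly before it is used for pivoting.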