ScreenShot
| Created | 2023.08.31 14:57 | Machine | s1_win7_x6401 |
| Filename | syscall.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 20 detected (malicious, moderate confidence, Buggie, Marte, confidence, 100%, MalwareX, Attribute, HighConfidence, AGen, Shlem, CobaltStrike, Sysdupate, ai score=84, CLOUD) | ||
| md5 | c95d214005076e29185b0f9cb05adcd9 | ||
| sha256 | 3953ea56a2d94506f51e21be5f4342f21293c7fc3e2e46549098819b1ee8d4b6 | ||
| ssdeep | 3072:CY1s5eM5gDRiLpL27b+5S8TF4w/VHli9kcjzAx:3s5eLNidiuk8Jpj | ||
| imphash | 46fac3f6a8e62adbf8207ee77ce0b9f9 | ||
| impfuzzy | 24:rq0A02tMS17UJnc+pl3eDoTyoEOovbO3kPvRRZHu9oGME9T57u88oJ9R:StMS17Ec+pp/yc30nauloLR | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14001b048 CloseHandle
0x14001b050 Process32FirstW
0x14001b058 Process32NextW
0x14001b060 GetLastError
0x14001b068 CreateToolhelp32Snapshot
0x14001b070 GetFileAttributesW
0x14001b078 WriteConsoleW
0x14001b080 RtlCaptureContext
0x14001b088 RtlLookupFunctionEntry
0x14001b090 RtlVirtualUnwind
0x14001b098 UnhandledExceptionFilter
0x14001b0a0 SetUnhandledExceptionFilter
0x14001b0a8 GetCurrentProcess
0x14001b0b0 TerminateProcess
0x14001b0b8 IsProcessorFeaturePresent
0x14001b0c0 QueryPerformanceCounter
0x14001b0c8 GetCurrentProcessId
0x14001b0d0 GetCurrentThreadId
0x14001b0d8 GetSystemTimeAsFileTime
0x14001b0e0 InitializeSListHead
0x14001b0e8 IsDebuggerPresent
0x14001b0f0 GetStartupInfoW
0x14001b0f8 GetModuleHandleW
0x14001b100 RtlUnwindEx
0x14001b108 SetLastError
0x14001b110 EnterCriticalSection
0x14001b118 LeaveCriticalSection
0x14001b120 DeleteCriticalSection
0x14001b128 InitializeCriticalSectionAndSpinCount
0x14001b130 TlsAlloc
0x14001b138 TlsGetValue
0x14001b140 TlsSetValue
0x14001b148 TlsFree
0x14001b150 FreeLibrary
0x14001b158 GetProcAddress
0x14001b160 LoadLibraryExW
0x14001b168 RaiseException
0x14001b170 GetStdHandle
0x14001b178 WriteFile
0x14001b180 GetModuleFileNameW
0x14001b188 ExitProcess
0x14001b190 GetModuleHandleExW
0x14001b198 GetCommandLineA
0x14001b1a0 GetCommandLineW
0x14001b1a8 HeapAlloc
0x14001b1b0 HeapFree
0x14001b1b8 CompareStringW
0x14001b1c0 LCMapStringW
0x14001b1c8 GetFileType
0x14001b1d0 FindClose
0x14001b1d8 FindFirstFileExW
0x14001b1e0 FindNextFileW
0x14001b1e8 IsValidCodePage
0x14001b1f0 GetACP
0x14001b1f8 GetOEMCP
0x14001b200 GetCPInfo
0x14001b208 MultiByteToWideChar
0x14001b210 WideCharToMultiByte
0x14001b218 GetEnvironmentStringsW
0x14001b220 FreeEnvironmentStringsW
0x14001b228 SetEnvironmentVariableW
0x14001b230 SetStdHandle
0x14001b238 GetStringTypeW
0x14001b240 GetProcessHeap
0x14001b248 FlushFileBuffers
0x14001b250 GetConsoleOutputCP
0x14001b258 GetConsoleMode
0x14001b260 GetFileSizeEx
0x14001b268 SetFilePointerEx
0x14001b270 HeapSize
0x14001b278 HeapReAlloc
0x14001b280 CreateFileW
ADVAPI32.dll
0x14001b000 CryptDestroyKey
0x14001b008 CryptAcquireContextW
0x14001b010 CryptDecrypt
0x14001b018 CryptCreateHash
0x14001b020 CryptDeriveKey
0x14001b028 CryptHashData
0x14001b030 CryptReleaseContext
0x14001b038 CryptDestroyHash
EAT(Export Address Table) is none
KERNEL32.dll
0x14001b048 CloseHandle
0x14001b050 Process32FirstW
0x14001b058 Process32NextW
0x14001b060 GetLastError
0x14001b068 CreateToolhelp32Snapshot
0x14001b070 GetFileAttributesW
0x14001b078 WriteConsoleW
0x14001b080 RtlCaptureContext
0x14001b088 RtlLookupFunctionEntry
0x14001b090 RtlVirtualUnwind
0x14001b098 UnhandledExceptionFilter
0x14001b0a0 SetUnhandledExceptionFilter
0x14001b0a8 GetCurrentProcess
0x14001b0b0 TerminateProcess
0x14001b0b8 IsProcessorFeaturePresent
0x14001b0c0 QueryPerformanceCounter
0x14001b0c8 GetCurrentProcessId
0x14001b0d0 GetCurrentThreadId
0x14001b0d8 GetSystemTimeAsFileTime
0x14001b0e0 InitializeSListHead
0x14001b0e8 IsDebuggerPresent
0x14001b0f0 GetStartupInfoW
0x14001b0f8 GetModuleHandleW
0x14001b100 RtlUnwindEx
0x14001b108 SetLastError
0x14001b110 EnterCriticalSection
0x14001b118 LeaveCriticalSection
0x14001b120 DeleteCriticalSection
0x14001b128 InitializeCriticalSectionAndSpinCount
0x14001b130 TlsAlloc
0x14001b138 TlsGetValue
0x14001b140 TlsSetValue
0x14001b148 TlsFree
0x14001b150 FreeLibrary
0x14001b158 GetProcAddress
0x14001b160 LoadLibraryExW
0x14001b168 RaiseException
0x14001b170 GetStdHandle
0x14001b178 WriteFile
0x14001b180 GetModuleFileNameW
0x14001b188 ExitProcess
0x14001b190 GetModuleHandleExW
0x14001b198 GetCommandLineA
0x14001b1a0 GetCommandLineW
0x14001b1a8 HeapAlloc
0x14001b1b0 HeapFree
0x14001b1b8 CompareStringW
0x14001b1c0 LCMapStringW
0x14001b1c8 GetFileType
0x14001b1d0 FindClose
0x14001b1d8 FindFirstFileExW
0x14001b1e0 FindNextFileW
0x14001b1e8 IsValidCodePage
0x14001b1f0 GetACP
0x14001b1f8 GetOEMCP
0x14001b200 GetCPInfo
0x14001b208 MultiByteToWideChar
0x14001b210 WideCharToMultiByte
0x14001b218 GetEnvironmentStringsW
0x14001b220 FreeEnvironmentStringsW
0x14001b228 SetEnvironmentVariableW
0x14001b230 SetStdHandle
0x14001b238 GetStringTypeW
0x14001b240 GetProcessHeap
0x14001b248 FlushFileBuffers
0x14001b250 GetConsoleOutputCP
0x14001b258 GetConsoleMode
0x14001b260 GetFileSizeEx
0x14001b268 SetFilePointerEx
0x14001b270 HeapSize
0x14001b278 HeapReAlloc
0x14001b280 CreateFileW
ADVAPI32.dll
0x14001b000 CryptDestroyKey
0x14001b008 CryptAcquireContextW
0x14001b010 CryptDecrypt
0x14001b018 CryptCreateHash
0x14001b020 CryptDeriveKey
0x14001b028 CryptHashData
0x14001b030 CryptReleaseContext
0x14001b038 CryptDestroyHash
EAT(Export Address Table) is none