ScreenShot
| Created | 2023.09.07 17:47 | Machine | s1_win7_x6403 |
| Filename | 123.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 31 detected (AIDetectMalware, malicious, high confidence, Molotov, Eldorado, Attribute, HighConfidence, score, Reflo, CrypterX, Gencirc, Sabsik, Detected, ai score=86, G0bkKzjdiCR, GenKryptik, GIIA) | ||
| md5 | 4c328b215a84c1b2c982a3268b4a0cea | ||
| sha256 | 3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a | ||
| ssdeep | 196608:OB+EV10gI3ZrS8kJ9SW1Y9ILzsjTL0UkhtUuQ:OB+MOgIZSD1Y9ILzsb0U+tUuQ | ||
| imphash | fc274ceb5aa20e8c9a5eb18d1be9c77c | ||
| impfuzzy | 24:1fPJx+kTdF0tWJd1jIlMblRf5XG6qXZ5JkomvlA/GbtcqcFZJF:1fPL+kT6kSslJJG6qJvk1vm/GbuqcdF | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1409f12a4 CloseHandle
0x1409f12ac CreateSemaphoreW
0x1409f12b4 DeleteCriticalSection
0x1409f12bc EnterCriticalSection
0x1409f12c4 GetCurrentThreadId
0x1409f12cc GetLastError
0x1409f12d4 GetStartupInfoA
0x1409f12dc InitializeCriticalSection
0x1409f12e4 IsDBCSLeadByteEx
0x1409f12ec LeaveCriticalSection
0x1409f12f4 MultiByteToWideChar
0x1409f12fc RaiseException
0x1409f1304 ReleaseSemaphore
0x1409f130c RtlCaptureContext
0x1409f1314 RtlLookupFunctionEntry
0x1409f131c RtlUnwindEx
0x1409f1324 RtlVirtualUnwind
0x1409f132c SetLastError
0x1409f1334 SetUnhandledExceptionFilter
0x1409f133c Sleep
0x1409f1344 TlsAlloc
0x1409f134c TlsFree
0x1409f1354 TlsGetValue
0x1409f135c TlsSetValue
0x1409f1364 VirtualProtect
0x1409f136c VirtualQuery
0x1409f1374 WaitForSingleObject
0x1409f137c WideCharToMultiByte
msvcrt.dll
0x1409f138c __C_specific_handler
0x1409f1394 ___lc_codepage_func
0x1409f139c ___mb_cur_max_func
0x1409f13a4 __getmainargs
0x1409f13ac __initenv
0x1409f13b4 __iob_func
0x1409f13bc __set_app_type
0x1409f13c4 __setusermatherr
0x1409f13cc _acmdln
0x1409f13d4 _amsg_exit
0x1409f13dc _cexit
0x1409f13e4 _commode
0x1409f13ec _errno
0x1409f13f4 _fmode
0x1409f13fc _initterm
0x1409f1404 _onexit
0x1409f140c _time64
0x1409f1414 _wcsicmp
0x1409f141c _wcsnicmp
0x1409f1424 abort
0x1409f142c calloc
0x1409f1434 exit
0x1409f143c fprintf
0x1409f1444 fputc
0x1409f144c fputs
0x1409f1454 fputwc
0x1409f145c free
0x1409f1464 fwprintf
0x1409f146c fwrite
0x1409f1474 localeconv
0x1409f147c malloc
0x1409f1484 memcpy
0x1409f148c memset
0x1409f1494 realloc
0x1409f149c rand
0x1409f14a4 signal
0x1409f14ac srand
0x1409f14b4 strcmp
0x1409f14bc strerror
0x1409f14c4 strlen
0x1409f14cc strncmp
0x1409f14d4 vfprintf
0x1409f14dc wcscat
0x1409f14e4 wcscpy
0x1409f14ec wcslen
0x1409f14f4 wcsncmp
0x1409f14fc wcsstr
EAT(Export Address Table) is none
KERNEL32.dll
0x1409f12a4 CloseHandle
0x1409f12ac CreateSemaphoreW
0x1409f12b4 DeleteCriticalSection
0x1409f12bc EnterCriticalSection
0x1409f12c4 GetCurrentThreadId
0x1409f12cc GetLastError
0x1409f12d4 GetStartupInfoA
0x1409f12dc InitializeCriticalSection
0x1409f12e4 IsDBCSLeadByteEx
0x1409f12ec LeaveCriticalSection
0x1409f12f4 MultiByteToWideChar
0x1409f12fc RaiseException
0x1409f1304 ReleaseSemaphore
0x1409f130c RtlCaptureContext
0x1409f1314 RtlLookupFunctionEntry
0x1409f131c RtlUnwindEx
0x1409f1324 RtlVirtualUnwind
0x1409f132c SetLastError
0x1409f1334 SetUnhandledExceptionFilter
0x1409f133c Sleep
0x1409f1344 TlsAlloc
0x1409f134c TlsFree
0x1409f1354 TlsGetValue
0x1409f135c TlsSetValue
0x1409f1364 VirtualProtect
0x1409f136c VirtualQuery
0x1409f1374 WaitForSingleObject
0x1409f137c WideCharToMultiByte
msvcrt.dll
0x1409f138c __C_specific_handler
0x1409f1394 ___lc_codepage_func
0x1409f139c ___mb_cur_max_func
0x1409f13a4 __getmainargs
0x1409f13ac __initenv
0x1409f13b4 __iob_func
0x1409f13bc __set_app_type
0x1409f13c4 __setusermatherr
0x1409f13cc _acmdln
0x1409f13d4 _amsg_exit
0x1409f13dc _cexit
0x1409f13e4 _commode
0x1409f13ec _errno
0x1409f13f4 _fmode
0x1409f13fc _initterm
0x1409f1404 _onexit
0x1409f140c _time64
0x1409f1414 _wcsicmp
0x1409f141c _wcsnicmp
0x1409f1424 abort
0x1409f142c calloc
0x1409f1434 exit
0x1409f143c fprintf
0x1409f1444 fputc
0x1409f144c fputs
0x1409f1454 fputwc
0x1409f145c free
0x1409f1464 fwprintf
0x1409f146c fwrite
0x1409f1474 localeconv
0x1409f147c malloc
0x1409f1484 memcpy
0x1409f148c memset
0x1409f1494 realloc
0x1409f149c rand
0x1409f14a4 signal
0x1409f14ac srand
0x1409f14b4 strcmp
0x1409f14bc strerror
0x1409f14c4 strlen
0x1409f14cc strncmp
0x1409f14d4 vfprintf
0x1409f14dc wcscat
0x1409f14e4 wcscpy
0x1409f14ec wcslen
0x1409f14f4 wcsncmp
0x1409f14fc wcsstr
EAT(Export Address Table) is none