ScreenShot
| Created | 2023.09.17 09:36 | Machine | s1_win7_x6403 |
| Filename | sunor.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | |||
| md5 | cf75403e04f4d4527f4fb25958a387c2 | ||
| sha256 | a4706512878883f194a126e7bdad4d05f245d0f891c5a1fd442bbf8959be3a76 | ||
| ssdeep | 98304:2WhlrBfKEixPnwstRUE6DHcQ1P7GFF8k65l007P8:Q5N6hHB1jq56bP8 | ||
| imphash | 30d1665d4c796f53fba13defcdef7cf1 | ||
| impfuzzy | 48:J9HO/R5LR6XF9rfc+CX186XM+YbBtDXMunS3LFH:J5o5LR6XF9fc+CX180cbBtDXMun4LFH | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x436000 GetLastError
0x436004 SetLastError
0x436008 FormatMessageW
0x43600c CreateDirectoryW
0x436010 CreateFileW
0x436014 DeleteFileW
0x436018 RemoveDirectoryW
0x43601c SetFileTime
0x436020 CloseHandle
0x436024 DeviceIoControl
0x436028 GetCurrentProcess
0x43602c CreateHardLinkW
0x436030 GetLongPathNameW
0x436034 GetShortPathNameW
0x436038 MoveFileW
0x43603c GetStdHandle
0x436040 FlushFileBuffers
0x436044 GetFileType
0x436048 ReadFile
0x43604c SetEndOfFile
0x436050 SetFilePointer
0x436054 WriteFile
0x436058 GetFileAttributesW
0x43605c SetFileAttributesW
0x436060 GetCurrentProcessId
0x436064 FindClose
0x436068 FindFirstFileW
0x43606c FindNextFileW
0x436070 GetVersionExW
0x436074 GetCurrentDirectoryW
0x436078 GetFullPathNameW
0x43607c FoldStringW
0x436080 GetModuleFileNameW
0x436084 GetModuleHandleW
0x436088 FindResourceW
0x43608c FreeLibrary
0x436090 GetProcAddress
0x436094 Sleep
0x436098 ExitProcess
0x43609c GetSystemDirectoryW
0x4360a0 LoadLibraryW
0x4360a4 SetThreadExecutionState
0x4360a8 CompareStringW
0x4360ac AllocConsole
0x4360b0 FreeConsole
0x4360b4 AttachConsole
0x4360b8 WriteConsoleW
0x4360bc InitializeCriticalSection
0x4360c0 EnterCriticalSection
0x4360c4 LeaveCriticalSection
0x4360c8 DeleteCriticalSection
0x4360cc SetEvent
0x4360d0 ResetEvent
0x4360d4 ReleaseSemaphore
0x4360d8 WaitForSingleObject
0x4360dc CreateEventW
0x4360e0 CreateSemaphoreW
0x4360e4 CreateThread
0x4360e8 SetThreadPriority
0x4360ec GetProcessAffinityMask
0x4360f0 FileTimeToLocalFileTime
0x4360f4 LocalFileTimeToFileTime
0x4360f8 GetSystemTime
0x4360fc SystemTimeToTzSpecificLocalTime
0x436100 TzSpecificLocalTimeToSystemTime
0x436104 FileTimeToSystemTime
0x436108 SystemTimeToFileTime
0x43610c MultiByteToWideChar
0x436110 WideCharToMultiByte
0x436114 GetCPInfo
0x436118 IsDBCSLeadByte
0x43611c GlobalAlloc
0x436120 SetCurrentDirectoryW
0x436124 LoadResource
0x436128 LockResource
0x43612c SizeofResource
0x436130 GlobalUnlock
0x436134 GlobalLock
0x436138 GlobalFree
0x43613c GetDateFormatW
0x436140 GetTimeFormatW
0x436144 GetCommandLineW
0x436148 SetEnvironmentVariableW
0x43614c ExpandEnvironmentStringsW
0x436150 GetTempPathW
0x436154 GetExitCodeProcess
0x436158 GetLocalTime
0x43615c GetTickCount
0x436160 CreateFileMappingW
0x436164 OpenFileMappingW
0x436168 MapViewOfFile
0x43616c UnmapViewOfFile
0x436170 LocalFree
0x436174 MoveFileExW
0x436178 GetLocaleInfoW
0x43617c GetNumberFormatW
0x436180 DecodePointer
0x436184 GetConsoleMode
0x436188 GetConsoleOutputCP
0x43618c HeapSize
0x436190 SetFilePointerEx
0x436194 GetStringTypeW
0x436198 SetStdHandle
0x43619c GetProcessHeap
0x4361a0 LCMapStringW
0x4361a4 FreeEnvironmentStringsW
0x4361a8 RaiseException
0x4361ac GetSystemInfo
0x4361b0 VirtualProtect
0x4361b4 VirtualQuery
0x4361b8 LoadLibraryExA
0x4361bc IsProcessorFeaturePresent
0x4361c0 IsDebuggerPresent
0x4361c4 UnhandledExceptionFilter
0x4361c8 SetUnhandledExceptionFilter
0x4361cc GetStartupInfoW
0x4361d0 QueryPerformanceCounter
0x4361d4 GetCurrentThreadId
0x4361d8 GetSystemTimeAsFileTime
0x4361dc InitializeSListHead
0x4361e0 TerminateProcess
0x4361e4 RtlUnwind
0x4361e8 EncodePointer
0x4361ec InitializeCriticalSectionAndSpinCount
0x4361f0 TlsAlloc
0x4361f4 TlsGetValue
0x4361f8 TlsSetValue
0x4361fc TlsFree
0x436200 LoadLibraryExW
0x436204 QueryPerformanceFrequency
0x436208 GetModuleHandleExW
0x43620c HeapFree
0x436210 HeapReAlloc
0x436214 HeapAlloc
0x436218 FindFirstFileExW
0x43621c IsValidCodePage
0x436220 GetACP
0x436224 GetOEMCP
0x436228 GetCommandLineA
0x43622c GetEnvironmentStringsW
OLEAUT32.dll
0x436234 SysAllocString
0x436238 SysFreeString
0x43623c VariantClear
gdiplus.dll
0x436244 GdipAlloc
0x436248 GdipDisposeImage
0x43624c GdipCloneImage
0x436250 GdipCreateBitmapFromStream
0x436254 GdipCreateBitmapFromStreamICM
0x436258 GdipCreateHBITMAPFromBitmap
0x43625c GdiplusStartup
0x436260 GdiplusShutdown
0x436264 GdipFree
EAT(Export Address Table) Library
KERNEL32.dll
0x436000 GetLastError
0x436004 SetLastError
0x436008 FormatMessageW
0x43600c CreateDirectoryW
0x436010 CreateFileW
0x436014 DeleteFileW
0x436018 RemoveDirectoryW
0x43601c SetFileTime
0x436020 CloseHandle
0x436024 DeviceIoControl
0x436028 GetCurrentProcess
0x43602c CreateHardLinkW
0x436030 GetLongPathNameW
0x436034 GetShortPathNameW
0x436038 MoveFileW
0x43603c GetStdHandle
0x436040 FlushFileBuffers
0x436044 GetFileType
0x436048 ReadFile
0x43604c SetEndOfFile
0x436050 SetFilePointer
0x436054 WriteFile
0x436058 GetFileAttributesW
0x43605c SetFileAttributesW
0x436060 GetCurrentProcessId
0x436064 FindClose
0x436068 FindFirstFileW
0x43606c FindNextFileW
0x436070 GetVersionExW
0x436074 GetCurrentDirectoryW
0x436078 GetFullPathNameW
0x43607c FoldStringW
0x436080 GetModuleFileNameW
0x436084 GetModuleHandleW
0x436088 FindResourceW
0x43608c FreeLibrary
0x436090 GetProcAddress
0x436094 Sleep
0x436098 ExitProcess
0x43609c GetSystemDirectoryW
0x4360a0 LoadLibraryW
0x4360a4 SetThreadExecutionState
0x4360a8 CompareStringW
0x4360ac AllocConsole
0x4360b0 FreeConsole
0x4360b4 AttachConsole
0x4360b8 WriteConsoleW
0x4360bc InitializeCriticalSection
0x4360c0 EnterCriticalSection
0x4360c4 LeaveCriticalSection
0x4360c8 DeleteCriticalSection
0x4360cc SetEvent
0x4360d0 ResetEvent
0x4360d4 ReleaseSemaphore
0x4360d8 WaitForSingleObject
0x4360dc CreateEventW
0x4360e0 CreateSemaphoreW
0x4360e4 CreateThread
0x4360e8 SetThreadPriority
0x4360ec GetProcessAffinityMask
0x4360f0 FileTimeToLocalFileTime
0x4360f4 LocalFileTimeToFileTime
0x4360f8 GetSystemTime
0x4360fc SystemTimeToTzSpecificLocalTime
0x436100 TzSpecificLocalTimeToSystemTime
0x436104 FileTimeToSystemTime
0x436108 SystemTimeToFileTime
0x43610c MultiByteToWideChar
0x436110 WideCharToMultiByte
0x436114 GetCPInfo
0x436118 IsDBCSLeadByte
0x43611c GlobalAlloc
0x436120 SetCurrentDirectoryW
0x436124 LoadResource
0x436128 LockResource
0x43612c SizeofResource
0x436130 GlobalUnlock
0x436134 GlobalLock
0x436138 GlobalFree
0x43613c GetDateFormatW
0x436140 GetTimeFormatW
0x436144 GetCommandLineW
0x436148 SetEnvironmentVariableW
0x43614c ExpandEnvironmentStringsW
0x436150 GetTempPathW
0x436154 GetExitCodeProcess
0x436158 GetLocalTime
0x43615c GetTickCount
0x436160 CreateFileMappingW
0x436164 OpenFileMappingW
0x436168 MapViewOfFile
0x43616c UnmapViewOfFile
0x436170 LocalFree
0x436174 MoveFileExW
0x436178 GetLocaleInfoW
0x43617c GetNumberFormatW
0x436180 DecodePointer
0x436184 GetConsoleMode
0x436188 GetConsoleOutputCP
0x43618c HeapSize
0x436190 SetFilePointerEx
0x436194 GetStringTypeW
0x436198 SetStdHandle
0x43619c GetProcessHeap
0x4361a0 LCMapStringW
0x4361a4 FreeEnvironmentStringsW
0x4361a8 RaiseException
0x4361ac GetSystemInfo
0x4361b0 VirtualProtect
0x4361b4 VirtualQuery
0x4361b8 LoadLibraryExA
0x4361bc IsProcessorFeaturePresent
0x4361c0 IsDebuggerPresent
0x4361c4 UnhandledExceptionFilter
0x4361c8 SetUnhandledExceptionFilter
0x4361cc GetStartupInfoW
0x4361d0 QueryPerformanceCounter
0x4361d4 GetCurrentThreadId
0x4361d8 GetSystemTimeAsFileTime
0x4361dc InitializeSListHead
0x4361e0 TerminateProcess
0x4361e4 RtlUnwind
0x4361e8 EncodePointer
0x4361ec InitializeCriticalSectionAndSpinCount
0x4361f0 TlsAlloc
0x4361f4 TlsGetValue
0x4361f8 TlsSetValue
0x4361fc TlsFree
0x436200 LoadLibraryExW
0x436204 QueryPerformanceFrequency
0x436208 GetModuleHandleExW
0x43620c HeapFree
0x436210 HeapReAlloc
0x436214 HeapAlloc
0x436218 FindFirstFileExW
0x43621c IsValidCodePage
0x436220 GetACP
0x436224 GetOEMCP
0x436228 GetCommandLineA
0x43622c GetEnvironmentStringsW
OLEAUT32.dll
0x436234 SysAllocString
0x436238 SysFreeString
0x43623c VariantClear
gdiplus.dll
0x436244 GdipAlloc
0x436248 GdipDisposeImage
0x43624c GdipCloneImage
0x436250 GdipCreateBitmapFromStream
0x436254 GdipCreateBitmapFromStreamICM
0x436258 GdipCreateHBITMAPFromBitmap
0x43625c GdiplusStartup
0x436260 GdiplusShutdown
0x436264 GdipFree
EAT(Export Address Table) Library