ScreenShot
| Created | 2023.09.21 10:20 | Machine | s1_win7_x6403 |
| Filename | 55aa5e.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 22 detected (AIDetectMalware, V354, malicious, confidence, 100%, ZexaF, @J0@a4h0yuni, Attribute, HighConfidence, high confidence, Amadey, ARQLZM72JmD, high, score, Static AI, Malicious PE, BScope, TrojanPSW, Coins, unsafe, R002H0DIK23) | ||
| md5 | 56c197e493f74f9233a16cdefab3109f | ||
| sha256 | 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01 | ||
| ssdeep | 98304:ULop5mhzd71cBjG9Azp56BV8cM0AnwGSOnTXsYGeCW1zbiG54WeOVEMMRHGV7E:0op5mqU9KE8nNZnTXaexbZWsMGV7E | ||
| imphash | a4516a6804cddd5e52a802d79bbd487b | ||
| impfuzzy | 96:3XUJGdcpeqtSS1I2zZct6RLoc1AXJ+Zcp+qjwSttLyuua:3rcZcNZ+Ra | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 22 AntiVirus engines on VirusTotal as malicious |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a suspicious process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x781000 CreateFileA
0x781004 CloseHandle
0x781008 GetSystemInfo
0x78100c CreateThread
0x781010 GetThreadContext
0x781014 GetProcAddress
0x781018 VirtualAllocEx
0x78101c RemoveDirectoryA
0x781020 GetFileAttributesA
0x781024 CreateProcessA
0x781028 CreateDirectoryA
0x78102c SetThreadContext
0x781030 WriteConsoleW
0x781034 ReadConsoleW
0x781038 SetEndOfFile
0x78103c HeapReAlloc
0x781040 HeapSize
0x781044 GetLastError
0x781048 CopyFileA
0x78104c GetTempPathA
0x781050 Sleep
0x781054 GetModuleHandleA
0x781058 SetCurrentDirectoryA
0x78105c ResumeThread
0x781060 GetComputerNameExW
0x781064 GetVersionExW
0x781068 CreateMutexA
0x78106c VirtualAlloc
0x781070 WriteFile
0x781074 VirtualFree
0x781078 WriteProcessMemory
0x78107c GetModuleFileNameA
0x781080 ReadProcessMemory
0x781084 ReadFile
0x781088 SetFilePointerEx
0x78108c GetTimeZoneInformation
0x781090 GetConsoleMode
0x781094 GetConsoleCP
0x781098 FlushFileBuffers
0x78109c GetStringTypeW
0x7810a0 GetProcessHeap
0x7810a4 SetEnvironmentVariableW
0x7810a8 FreeEnvironmentStringsW
0x7810ac GetEnvironmentStringsW
0x7810b0 WideCharToMultiByte
0x7810b4 GetCPInfo
0x7810b8 GetOEMCP
0x7810bc GetACP
0x7810c0 IsValidCodePage
0x7810c4 FindNextFileW
0x7810c8 FindFirstFileExW
0x7810cc FindClose
0x7810d0 SetStdHandle
0x7810d4 GetFullPathNameW
0x7810d8 GetCurrentDirectoryW
0x7810dc DeleteFileW
0x7810e0 EnterCriticalSection
0x7810e4 LeaveCriticalSection
0x7810e8 InitializeCriticalSectionAndSpinCount
0x7810ec DeleteCriticalSection
0x7810f0 SetEvent
0x7810f4 ResetEvent
0x7810f8 WaitForSingleObjectEx
0x7810fc CreateEventW
0x781100 GetModuleHandleW
0x781104 IsDebuggerPresent
0x781108 UnhandledExceptionFilter
0x78110c SetUnhandledExceptionFilter
0x781110 GetStartupInfoW
0x781114 IsProcessorFeaturePresent
0x781118 QueryPerformanceCounter
0x78111c GetCurrentProcessId
0x781120 GetCurrentThreadId
0x781124 GetSystemTimeAsFileTime
0x781128 InitializeSListHead
0x78112c GetCurrentProcess
0x781130 TerminateProcess
0x781134 RaiseException
0x781138 SetLastError
0x78113c RtlUnwind
0x781140 TlsAlloc
0x781144 TlsGetValue
0x781148 TlsSetValue
0x78114c TlsFree
0x781150 FreeLibrary
0x781154 LoadLibraryExW
0x781158 ExitProcess
0x78115c GetModuleHandleExW
0x781160 CreateFileW
0x781164 GetDriveTypeW
0x781168 GetFileInformationByHandle
0x78116c GetFileType
0x781170 PeekNamedPipe
0x781174 SystemTimeToTzSpecificLocalTime
0x781178 FileTimeToSystemTime
0x78117c GetModuleFileNameW
0x781180 GetStdHandle
0x781184 GetCommandLineA
0x781188 GetCommandLineW
0x78118c HeapFree
0x781190 HeapAlloc
0x781194 MultiByteToWideChar
0x781198 CompareStringW
0x78119c LCMapStringW
0x7811a0 DecodePointer
ADVAPI32.dll
0x7811a8 RegCloseKey
0x7811ac RegQueryValueExA
0x7811b0 GetSidSubAuthorityCount
0x7811b4 GetSidSubAuthority
0x7811b8 GetUserNameA
0x7811bc LookupAccountNameA
0x7811c0 RegSetValueExA
0x7811c4 RegOpenKeyExA
0x7811c8 GetSidIdentifierAuthority
SHELL32.dll
0x7811d0 ShellExecuteA
0x7811d4 None
0x7811d8 SHGetFolderPathA
WININET.dll
0x7811e0 HttpOpenRequestA
0x7811e4 InternetReadFile
0x7811e8 InternetConnectA
0x7811ec HttpSendRequestA
0x7811f0 InternetCloseHandle
0x7811f4 InternetOpenA
0x7811f8 InternetOpenW
0x7811fc InternetOpenUrlA
KERNEL32.dll
0x781204 GetSystemTimeAsFileTime
0x781208 GetModuleHandleA
0x78120c CreateEventA
0x781210 GetModuleFileNameW
0x781214 TerminateProcess
0x781218 GetCurrentProcess
0x78121c CreateToolhelp32Snapshot
0x781220 Thread32First
0x781224 GetCurrentProcessId
0x781228 GetCurrentThreadId
0x78122c OpenThread
0x781230 Thread32Next
0x781234 CloseHandle
0x781238 SuspendThread
0x78123c ResumeThread
0x781240 WriteProcessMemory
0x781244 GetSystemInfo
0x781248 VirtualAlloc
0x78124c VirtualProtect
0x781250 VirtualFree
0x781254 GetProcessAffinityMask
0x781258 SetProcessAffinityMask
0x78125c GetCurrentThread
0x781260 SetThreadAffinityMask
0x781264 Sleep
0x781268 LoadLibraryA
0x78126c FreeLibrary
0x781270 GetTickCount
0x781274 SystemTimeToFileTime
0x781278 FileTimeToSystemTime
0x78127c GlobalFree
0x781280 LocalAlloc
0x781284 LocalFree
0x781288 GetProcAddress
0x78128c ExitProcess
0x781290 EnterCriticalSection
0x781294 LeaveCriticalSection
0x781298 InitializeCriticalSection
0x78129c DeleteCriticalSection
0x7812a0 GetModuleHandleW
0x7812a4 LoadResource
0x7812a8 MultiByteToWideChar
0x7812ac FindResourceExW
0x7812b0 FindResourceExA
0x7812b4 WideCharToMultiByte
0x7812b8 GetThreadLocale
0x7812bc GetUserDefaultLCID
0x7812c0 GetSystemDefaultLCID
0x7812c4 EnumResourceNamesA
0x7812c8 EnumResourceNamesW
0x7812cc EnumResourceLanguagesA
0x7812d0 EnumResourceLanguagesW
0x7812d4 EnumResourceTypesA
0x7812d8 EnumResourceTypesW
0x7812dc CreateFileW
0x7812e0 LoadLibraryW
0x7812e4 GetLastError
0x7812e8 FlushFileBuffers
0x7812ec WriteConsoleW
0x7812f0 SetStdHandle
0x7812f4 IsProcessorFeaturePresent
0x7812f8 DecodePointer
0x7812fc GetCommandLineA
0x781300 RaiseException
0x781304 HeapFree
0x781308 GetCPInfo
0x78130c InterlockedIncrement
0x781310 InterlockedDecrement
0x781314 GetACP
0x781318 GetOEMCP
0x78131c IsValidCodePage
0x781320 EncodePointer
0x781324 TlsAlloc
0x781328 TlsGetValue
0x78132c TlsSetValue
0x781330 TlsFree
0x781334 SetLastError
0x781338 UnhandledExceptionFilter
0x78133c SetUnhandledExceptionFilter
0x781340 IsDebuggerPresent
0x781344 HeapAlloc
0x781348 LCMapStringW
0x78134c GetStringTypeW
0x781350 SetHandleCount
0x781354 GetStdHandle
0x781358 InitializeCriticalSectionAndSpinCount
0x78135c GetFileType
0x781360 GetStartupInfoW
0x781364 GetModuleFileNameA
0x781368 FreeEnvironmentStringsW
0x78136c GetEnvironmentStringsW
0x781370 HeapCreate
0x781374 HeapDestroy
0x781378 QueryPerformanceCounter
0x78137c HeapSize
0x781380 WriteFile
0x781384 RtlUnwind
0x781388 SetFilePointer
0x78138c GetConsoleCP
0x781390 GetConsoleMode
0x781394 HeapReAlloc
0x781398 VirtualQuery
USER32.dll
0x7813a0 CharUpperBuffW
KERNEL32.dll
0x7813a8 LocalAlloc
0x7813ac LocalFree
0x7813b0 GetModuleFileNameW
0x7813b4 ExitProcess
0x7813b8 LoadLibraryA
0x7813bc GetModuleHandleA
0x7813c0 GetProcAddress
EAT(Export Address Table) is none
KERNEL32.dll
0x781000 CreateFileA
0x781004 CloseHandle
0x781008 GetSystemInfo
0x78100c CreateThread
0x781010 GetThreadContext
0x781014 GetProcAddress
0x781018 VirtualAllocEx
0x78101c RemoveDirectoryA
0x781020 GetFileAttributesA
0x781024 CreateProcessA
0x781028 CreateDirectoryA
0x78102c SetThreadContext
0x781030 WriteConsoleW
0x781034 ReadConsoleW
0x781038 SetEndOfFile
0x78103c HeapReAlloc
0x781040 HeapSize
0x781044 GetLastError
0x781048 CopyFileA
0x78104c GetTempPathA
0x781050 Sleep
0x781054 GetModuleHandleA
0x781058 SetCurrentDirectoryA
0x78105c ResumeThread
0x781060 GetComputerNameExW
0x781064 GetVersionExW
0x781068 CreateMutexA
0x78106c VirtualAlloc
0x781070 WriteFile
0x781074 VirtualFree
0x781078 WriteProcessMemory
0x78107c GetModuleFileNameA
0x781080 ReadProcessMemory
0x781084 ReadFile
0x781088 SetFilePointerEx
0x78108c GetTimeZoneInformation
0x781090 GetConsoleMode
0x781094 GetConsoleCP
0x781098 FlushFileBuffers
0x78109c GetStringTypeW
0x7810a0 GetProcessHeap
0x7810a4 SetEnvironmentVariableW
0x7810a8 FreeEnvironmentStringsW
0x7810ac GetEnvironmentStringsW
0x7810b0 WideCharToMultiByte
0x7810b4 GetCPInfo
0x7810b8 GetOEMCP
0x7810bc GetACP
0x7810c0 IsValidCodePage
0x7810c4 FindNextFileW
0x7810c8 FindFirstFileExW
0x7810cc FindClose
0x7810d0 SetStdHandle
0x7810d4 GetFullPathNameW
0x7810d8 GetCurrentDirectoryW
0x7810dc DeleteFileW
0x7810e0 EnterCriticalSection
0x7810e4 LeaveCriticalSection
0x7810e8 InitializeCriticalSectionAndSpinCount
0x7810ec DeleteCriticalSection
0x7810f0 SetEvent
0x7810f4 ResetEvent
0x7810f8 WaitForSingleObjectEx
0x7810fc CreateEventW
0x781100 GetModuleHandleW
0x781104 IsDebuggerPresent
0x781108 UnhandledExceptionFilter
0x78110c SetUnhandledExceptionFilter
0x781110 GetStartupInfoW
0x781114 IsProcessorFeaturePresent
0x781118 QueryPerformanceCounter
0x78111c GetCurrentProcessId
0x781120 GetCurrentThreadId
0x781124 GetSystemTimeAsFileTime
0x781128 InitializeSListHead
0x78112c GetCurrentProcess
0x781130 TerminateProcess
0x781134 RaiseException
0x781138 SetLastError
0x78113c RtlUnwind
0x781140 TlsAlloc
0x781144 TlsGetValue
0x781148 TlsSetValue
0x78114c TlsFree
0x781150 FreeLibrary
0x781154 LoadLibraryExW
0x781158 ExitProcess
0x78115c GetModuleHandleExW
0x781160 CreateFileW
0x781164 GetDriveTypeW
0x781168 GetFileInformationByHandle
0x78116c GetFileType
0x781170 PeekNamedPipe
0x781174 SystemTimeToTzSpecificLocalTime
0x781178 FileTimeToSystemTime
0x78117c GetModuleFileNameW
0x781180 GetStdHandle
0x781184 GetCommandLineA
0x781188 GetCommandLineW
0x78118c HeapFree
0x781190 HeapAlloc
0x781194 MultiByteToWideChar
0x781198 CompareStringW
0x78119c LCMapStringW
0x7811a0 DecodePointer
ADVAPI32.dll
0x7811a8 RegCloseKey
0x7811ac RegQueryValueExA
0x7811b0 GetSidSubAuthorityCount
0x7811b4 GetSidSubAuthority
0x7811b8 GetUserNameA
0x7811bc LookupAccountNameA
0x7811c0 RegSetValueExA
0x7811c4 RegOpenKeyExA
0x7811c8 GetSidIdentifierAuthority
SHELL32.dll
0x7811d0 ShellExecuteA
0x7811d4 None
0x7811d8 SHGetFolderPathA
WININET.dll
0x7811e0 HttpOpenRequestA
0x7811e4 InternetReadFile
0x7811e8 InternetConnectA
0x7811ec HttpSendRequestA
0x7811f0 InternetCloseHandle
0x7811f4 InternetOpenA
0x7811f8 InternetOpenW
0x7811fc InternetOpenUrlA
KERNEL32.dll
0x781204 GetSystemTimeAsFileTime
0x781208 GetModuleHandleA
0x78120c CreateEventA
0x781210 GetModuleFileNameW
0x781214 TerminateProcess
0x781218 GetCurrentProcess
0x78121c CreateToolhelp32Snapshot
0x781220 Thread32First
0x781224 GetCurrentProcessId
0x781228 GetCurrentThreadId
0x78122c OpenThread
0x781230 Thread32Next
0x781234 CloseHandle
0x781238 SuspendThread
0x78123c ResumeThread
0x781240 WriteProcessMemory
0x781244 GetSystemInfo
0x781248 VirtualAlloc
0x78124c VirtualProtect
0x781250 VirtualFree
0x781254 GetProcessAffinityMask
0x781258 SetProcessAffinityMask
0x78125c GetCurrentThread
0x781260 SetThreadAffinityMask
0x781264 Sleep
0x781268 LoadLibraryA
0x78126c FreeLibrary
0x781270 GetTickCount
0x781274 SystemTimeToFileTime
0x781278 FileTimeToSystemTime
0x78127c GlobalFree
0x781280 LocalAlloc
0x781284 LocalFree
0x781288 GetProcAddress
0x78128c ExitProcess
0x781290 EnterCriticalSection
0x781294 LeaveCriticalSection
0x781298 InitializeCriticalSection
0x78129c DeleteCriticalSection
0x7812a0 GetModuleHandleW
0x7812a4 LoadResource
0x7812a8 MultiByteToWideChar
0x7812ac FindResourceExW
0x7812b0 FindResourceExA
0x7812b4 WideCharToMultiByte
0x7812b8 GetThreadLocale
0x7812bc GetUserDefaultLCID
0x7812c0 GetSystemDefaultLCID
0x7812c4 EnumResourceNamesA
0x7812c8 EnumResourceNamesW
0x7812cc EnumResourceLanguagesA
0x7812d0 EnumResourceLanguagesW
0x7812d4 EnumResourceTypesA
0x7812d8 EnumResourceTypesW
0x7812dc CreateFileW
0x7812e0 LoadLibraryW
0x7812e4 GetLastError
0x7812e8 FlushFileBuffers
0x7812ec WriteConsoleW
0x7812f0 SetStdHandle
0x7812f4 IsProcessorFeaturePresent
0x7812f8 DecodePointer
0x7812fc GetCommandLineA
0x781300 RaiseException
0x781304 HeapFree
0x781308 GetCPInfo
0x78130c InterlockedIncrement
0x781310 InterlockedDecrement
0x781314 GetACP
0x781318 GetOEMCP
0x78131c IsValidCodePage
0x781320 EncodePointer
0x781324 TlsAlloc
0x781328 TlsGetValue
0x78132c TlsSetValue
0x781330 TlsFree
0x781334 SetLastError
0x781338 UnhandledExceptionFilter
0x78133c SetUnhandledExceptionFilter
0x781340 IsDebuggerPresent
0x781344 HeapAlloc
0x781348 LCMapStringW
0x78134c GetStringTypeW
0x781350 SetHandleCount
0x781354 GetStdHandle
0x781358 InitializeCriticalSectionAndSpinCount
0x78135c GetFileType
0x781360 GetStartupInfoW
0x781364 GetModuleFileNameA
0x781368 FreeEnvironmentStringsW
0x78136c GetEnvironmentStringsW
0x781370 HeapCreate
0x781374 HeapDestroy
0x781378 QueryPerformanceCounter
0x78137c HeapSize
0x781380 WriteFile
0x781384 RtlUnwind
0x781388 SetFilePointer
0x78138c GetConsoleCP
0x781390 GetConsoleMode
0x781394 HeapReAlloc
0x781398 VirtualQuery
USER32.dll
0x7813a0 CharUpperBuffW
KERNEL32.dll
0x7813a8 LocalAlloc
0x7813ac LocalFree
0x7813b0 GetModuleFileNameW
0x7813b4 ExitProcess
0x7813b8 LoadLibraryA
0x7813bc GetModuleHandleA
0x7813c0 GetProcAddress
EAT(Export Address Table) is none