Field | Value |
---|---|
Created | 2023.09.30 12:57 |
Machine | s1_win7_x6401 |
Filename | kus.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | (not captured in this export) |
Behavior Score | (not captured in this export) |
ZERO API | file : malware |
VT API (file) | 38 detected (AIDetectMalware, malicious, high confidence, score, Lazy, Kryptik, Eldorado, Attribute, HighConfidence, HUQK, Injurer, PWSX, Inject4, TRICKBOT, SmokeLoader, Convagent, Detected, ai score=80, Mokes, cp4sb0ybDnO, Static AI, Suspicious PE, susgen, ZexaF, pqW@aOrRf0h, confidence) |
md5 | acf39b9c0b1f3c9addd5dd50a8773a28 |
sha256 | f4f35abb06e0554b92554c8a10b7a0f9c60f5057bb71a931d444a0785929077a |
ssdeep | 6144:yXtz4SHy5uoBMFGV5PEkIXEHvZAOuju3X1fcVs0BC+:lCmuoBMUOMxxus0BC+ |
imphash | 96baacc90461fcd4b5d9fcc50047c098 |
impfuzzy | 24:u8jTcpVWjjeDqte4GhlJBl39WuPLOovbO3kFZMv1GMAkEZHu9J:u0cpVwjHte4Gnpn630FZGb |
Signature (14cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Detects Avast Antivirus through the presence of a library |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | One or more potentially interesting buffers were extracted |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
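The five watch-level signatures above (executable allocation in another process, a write to its memory, NtSetContextThread on a remote thread, resuming a suspended remote thread, and manipulation of a non-child process) are the API shape a sandbox correlates into the danger-level "Executed a process and injected code into it". The script below is an added example, not part of the report or the sandbox's own engine: it replays a constructed hooked-API trace and raises the same flags. The `Event` layout, the API name sets and `SAMPLE_TRACE` are assumptions; HANDLE arguments are assumed to be already resolved to pids, which a real sandbox has to do itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example (not the sandbox's code): correlate a hooked-API trace into the
# injection signatures seen in the report. Event layout and API sets are assumed.

EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
CREATE_SUSPENDED = 0x4                    # dwCreationFlags bit

ALLOC_APIS = {"VirtualAllocEx", "NtAllocateVirtualMemory", "VirtualProtectEx", "NtProtectVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}
CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
REMOTE_APIS = ALLOC_APIS | WRITE_APIS | CONTEXT_APIS | RESUME_APIS


@dataclass
class Event:
    pid: int                          # calling process
    api: str
    target_pid: Optional[int] = None  # process the handle argument resolves to (assumed pre-resolved)
    protect: int = 0                  # page protection for alloc/protect calls
    flags: int = 0                    # dwCreationFlags for CreateProcess*


def analyze(trace: List[Event]) -> Dict[Tuple[int, int], Dict[str, object]]:
    """Return, per (caller, target) pair, the flags raised and an injection verdict."""
    children: Dict[int, Set[int]] = {}
    suspended: Set[int] = set()
    stages: Dict[Tuple[int, int], Set[str]] = {}

    for ev in trace:
        if ev.api in CREATE_APIS and ev.target_pid is not None:
            children.setdefault(ev.pid, set()).add(ev.target_pid)
            if ev.flags & CREATE_SUSPENDED:
                suspended.add(ev.target_pid)
            continue
        if ev.target_pid is None or ev.target_pid == ev.pid:
            continue  # local call (e.g. VirtualAlloc in own process): not remote activity
        flags = stages.setdefault((ev.pid, ev.target_pid), set())
        if ev.api in ALLOC_APIS and ev.protect in EXEC_PROTECT:
            flags.add("remote executable allocation")
        elif ev.api in WRITE_APIS:
            flags.add("remote memory write")
        elif ev.api in CONTEXT_APIS:
            flags.add("remote thread context modified")
        elif ev.api in RESUME_APIS and ev.target_pid in suspended:
            flags.add("suspended remote thread resumed")
        if ev.api in REMOTE_APIS and ev.target_pid not in children.get(ev.pid, set()):
            flags.add("non-child process manipulated")

    results: Dict[Tuple[int, int], Dict[str, object]] = {}
    for pair, flags in stages.items():
        # Hollowing / thread-hijack shape: exec memory + payload write + control transfer.
        injected = bool({"remote executable allocation", "remote memory write"} <= flags
                        and flags & {"remote thread context modified", "suspended remote thread resumed"})
        results[pair] = {"flags": sorted(flags), "verdict": "process injection" if injected else None}
    return results


SAMPLE_TRACE = [  # constructed trace mirroring the report's injection signatures
    Event(100, "CreateProcessW", target_pid=200, flags=CREATE_SUSPENDED),
    Event(100, "VirtualAllocEx", target_pid=200, protect=0x40),
    Event(100, "WriteProcessMemory", target_pid=200),
    Event(100, "NtSetContextThread", target_pid=200),
    Event(100, "ResumeThread", target_pid=200),
    Event(100, "WriteProcessMemory", target_pid=500),  # lone write into an unrelated process
    Event(300, "ReadProcessMemory", target_pid=400),   # read only: nothing to flag
    Event(100, "VirtualAlloc", protect=0x40),          # local RWX allocation: out of scope here
]

if __name__ == "__main__":
    for (caller, target), r in analyze(SAMPLE_TRACE).items():
        print(f"{caller} -> {target}: {r['verdict'] or 'no verdict'}; {', '.join(r['flags']) or '-'}")
```

The verdict deliberately requires all three legs (executable memory, a write, and a control transfer via context change or resume); a lone WriteProcessMemory into a non-child, as with pid 500 above, stays at watch level, which matches how the report separates its danger and watch rows. The "Terminates another process" and "One or more processes crashed" notices are consistent with a hollowed target that was killed or faulted after the transfer, but the trace alone does not prove that.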
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(no network requests were recorded during the run)
Suricata ids
(no alerts listed)
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x427000 DeleteAce
KERNEL32.dll
0x427008 FreeConsole
0x42700c GetCurrentThreadId
0x427010 CloseHandle
0x427014 WaitForSingleObjectEx
0x427018 GetExitCodeThread
0x42701c EnterCriticalSection
0x427020 LeaveCriticalSection
0x427024 InitializeCriticalSectionEx
0x427028 DeleteCriticalSection
0x42702c EncodePointer
0x427030 DecodePointer
0x427034 MultiByteToWideChar
0x427038 WideCharToMultiByte
0x42703c LCMapStringEx
0x427040 QueryPerformanceCounter
0x427044 GetSystemTimeAsFileTime
0x427048 GetModuleHandleW
0x42704c GetProcAddress
0x427050 GetStringTypeW
0x427054 GetCPInfo
0x427058 IsProcessorFeaturePresent
0x42705c UnhandledExceptionFilter
0x427060 SetUnhandledExceptionFilter
0x427064 GetCurrentProcess
0x427068 TerminateProcess
0x42706c GetCurrentProcessId
0x427070 InitializeSListHead
0x427074 IsDebuggerPresent
0x427078 GetStartupInfoW
0x42707c CreateFileW
0x427080 RaiseException
0x427084 RtlUnwind
0x427088 GetLastError
0x42708c SetLastError
0x427090 InitializeCriticalSectionAndSpinCount
0x427094 TlsAlloc
0x427098 TlsGetValue
0x42709c TlsSetValue
0x4270a0 TlsFree
0x4270a4 FreeLibrary
0x4270a8 LoadLibraryExW
0x4270ac CreateThread
0x4270b0 ExitThread
0x4270b4 FreeLibraryAndExitThread
0x4270b8 GetModuleHandleExW
0x4270bc GetStdHandle
0x4270c0 WriteFile
0x4270c4 GetModuleFileNameW
0x4270c8 ExitProcess
0x4270cc GetCommandLineA
0x4270d0 GetCommandLineW
0x4270d4 HeapAlloc
0x4270d8 HeapFree
0x4270dc CompareStringW
0x4270e0 LCMapStringW
0x4270e4 GetLocaleInfoW
0x4270e8 IsValidLocale
0x4270ec GetUserDefaultLCID
0x4270f0 EnumSystemLocalesW
0x4270f4 GetFileType
0x4270f8 FlushFileBuffers
0x4270fc GetConsoleOutputCP
0x427100 GetConsoleMode
0x427104 ReadFile
0x427108 GetFileSizeEx
0x42710c SetFilePointerEx
0x427110 ReadConsoleW
0x427114 HeapReAlloc
0x427118 FindClose
0x42711c FindFirstFileExW
0x427120 FindNextFileW
0x427124 IsValidCodePage
0x427128 GetACP
0x42712c GetOEMCP
0x427130 GetEnvironmentStringsW
0x427134 FreeEnvironmentStringsW
0x427138 SetEnvironmentVariableW
0x42713c SetStdHandle
0x427140 GetProcessHeap
0x427144 HeapSize
0x427148 WriteConsoleW
EAT (Export Address Table) Library
0x406fbc _LoadEnvironment@0
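The imphash in the header is an MD5 over the import table in directory order, written as lowercase `lib.func` pairs joined by commas (the pefile convention). The block below is an added example, not part of the report or of pefile: it rebuilds that string from the IAT listing above (embedded here as constructed data) and hashes it, so the value can be checked against `96baacc90461fcd4b5d9fcc50047c098`. If the two differ, the dump is reordered or truncated relative to the import directory. The only deviation from pefile is that imports by ordinal are emitted as `ord<N>` without pefile's ws2_32/oleaut32 ordinal-to-name tables.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple, Union

# Added example (not the sandbox's or pefile's code). Import names copied from the
# IAT listing above, in listing order: 1 ADVAPI32 import followed by 81 KERNEL32 imports.
_KERNEL32 = """
FreeConsole GetCurrentThreadId CloseHandle WaitForSingleObjectEx GetExitCodeThread
EnterCriticalSection LeaveCriticalSection InitializeCriticalSectionEx DeleteCriticalSection
EncodePointer DecodePointer MultiByteToWideChar WideCharToMultiByte LCMapStringEx
QueryPerformanceCounter GetSystemTimeAsFileTime GetModuleHandleW GetProcAddress
GetStringTypeW GetCPInfo IsProcessorFeaturePresent UnhandledExceptionFilter
SetUnhandledExceptionFilter GetCurrentProcess TerminateProcess GetCurrentProcessId
InitializeSListHead IsDebuggerPresent GetStartupInfoW CreateFileW RaiseException RtlUnwind
GetLastError SetLastError InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue
TlsSetValue TlsFree FreeLibrary LoadLibraryExW CreateThread ExitThread
FreeLibraryAndExitThread GetModuleHandleExW GetStdHandle WriteFile GetModuleFileNameW
ExitProcess GetCommandLineA GetCommandLineW HeapAlloc HeapFree CompareStringW LCMapStringW
GetLocaleInfoW IsValidLocale GetUserDefaultLCID EnumSystemLocalesW GetFileType
FlushFileBuffers GetConsoleOutputCP GetConsoleMode ReadFile GetFileSizeEx SetFilePointerEx
ReadConsoleW HeapReAlloc FindClose FindFirstFileExW FindNextFileW IsValidCodePage GetACP
GetOEMCP GetEnvironmentStringsW FreeEnvironmentStringsW SetEnvironmentVariableW
SetStdHandle GetProcessHeap HeapSize WriteConsoleW
""".split()

Import = Tuple[str, Union[str, int]]  # (dll name, function name or ordinal)

REPORT_IMPORTS: List[Import] = [("ADVAPI32.dll", "DeleteAce")] + [
    ("KERNEL32.dll", name) for name in _KERNEL32
]


def imphash_string(imports: Sequence[Import]) -> str:
    """Build the 'lib.func,lib.func,...' string that imphash is the MD5 of."""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        # pefile strips only these three extensions before joining.
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        # Ordinal imports become "ord<N>"; pefile additionally maps known
        # ws2_32/oleaut32 ordinals back to names, which is omitted here.
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports: Sequence[Import]) -> str:
    """MD5 hex digest of the imphash string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def count_by_library(imports: Sequence[Import]) -> Dict[str, int]:
    """How many imports each DLL contributes (extension stripped, lowercase)."""
    counts: Dict[str, int] = {}
    for entry in imphash_string(imports).split(","):
        lib = entry.split(".", 1)[0]
        counts[lib] = counts.get(lib, 0) + 1
    return counts


if __name__ == "__main__":
    print(imphash(REPORT_IMPORTS))
    print(count_by_library(REPORT_IMPORTS))
```

Two caveats when pivoting on this value. First, 81 of the 82 imports are the Microsoft C runtime start-up set (InitializeSListHead, IsProcessorFeaturePresent, EncodePointer, LCMapStringEx and the rest), so the imphash groups this sample with any statically linked MSVC console program built against the same runtime; the entries that actually distinguish it are the single ADVAPI32 import, DeleteAce, and the stdcall export `_LoadEnvironment@0`, which is unusual for a console executable. Second, an import table this full is not what a UPX-compressed PE presents (UPX keeps a stub import table and resolves the rest at unpack time), so the UPX_Zero rule hit and the "likely contains encrypted or compressed data" notice should be confirmed against section names and entropy rather than taken at face value.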