ScreenShot
| Created | 2023.10.04 10:43 | Machine | s1_win7_x6402 |
| Filename | 52.xll | ||
| Type | PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 7 detected (Attribute, HighConfidence, Convagent, TrojanX, Sabsik) | ||
| md5 | fdbe1d30cc4a01948fe99be1159bbb5d | ||
| sha256 | f487ddbc921e3def921e18b2790c19af1a8ba09cd531e51df7861a637b40726d | ||
| ssdeep | 1536:F7pxSJsy6Nh5wFHssKjrtN/5jqzyCNwGXGhrxc45gwN:/YwNh5wFHssKXnxjNCNHG8wN | ||
| imphash | f599f6d6eed879ac9612841c28ee3418 | ||
| impfuzzy | 12:jYRJRJJoAR+hqR2qBrKHlJYasTqa91KddFQJqcsaGXZn:j8fjB+kTYliHx91SDcqcFGXZn | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a suspicious process |
| notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x3a02711a4 CopyFileW
0x3a02711ac DeleteCriticalSection
0x3a02711b4 EnterCriticalSection
0x3a02711bc GetLastError
0x3a02711c4 InitializeCriticalSection
0x3a02711cc IsDBCSLeadByteEx
0x3a02711d4 LeaveCriticalSection
0x3a02711dc MultiByteToWideChar
0x3a02711e4 Sleep
0x3a02711ec TlsGetValue
0x3a02711f4 VirtualProtect
0x3a02711fc VirtualQuery
0x3a0271204 WinExec
msvcrt.dll
0x3a0271214 ___lc_codepage_func
0x3a027121c ___mb_cur_max_func
0x3a0271224 __iob_func
0x3a027122c _amsg_exit
0x3a0271234 _errno
0x3a027123c _initterm
0x3a0271244 _lock
0x3a027124c _unlock
0x3a0271254 abort
0x3a027125c calloc
0x3a0271264 free
0x3a027126c fwrite
0x3a0271274 getc
0x3a027127c islower
0x3a0271284 isspace
0x3a027128c isupper
0x3a0271294 isxdigit
0x3a027129c localeconv
0x3a02712a4 malloc
0x3a02712ac memcpy
0x3a02712b4 memset
0x3a02712bc realloc
0x3a02712c4 strcat
0x3a02712cc strlen
0x3a02712d4 strncmp
0x3a02712dc strtol
0x3a02712e4 strtoul
0x3a02712ec tolower
0x3a02712f4 ungetc
0x3a02712fc vfprintf
EAT(Export Address Table) Library
0x3a026b000 hash
0x3a0261470 xlAutoOpen
0x3a02613d0 xor_decrypt
KERNEL32.dll
0x3a02711a4 CopyFileW
0x3a02711ac DeleteCriticalSection
0x3a02711b4 EnterCriticalSection
0x3a02711bc GetLastError
0x3a02711c4 InitializeCriticalSection
0x3a02711cc IsDBCSLeadByteEx
0x3a02711d4 LeaveCriticalSection
0x3a02711dc MultiByteToWideChar
0x3a02711e4 Sleep
0x3a02711ec TlsGetValue
0x3a02711f4 VirtualProtect
0x3a02711fc VirtualQuery
0x3a0271204 WinExec
msvcrt.dll
0x3a0271214 ___lc_codepage_func
0x3a027121c ___mb_cur_max_func
0x3a0271224 __iob_func
0x3a027122c _amsg_exit
0x3a0271234 _errno
0x3a027123c _initterm
0x3a0271244 _lock
0x3a027124c _unlock
0x3a0271254 abort
0x3a027125c calloc
0x3a0271264 free
0x3a027126c fwrite
0x3a0271274 getc
0x3a027127c islower
0x3a0271284 isspace
0x3a027128c isupper
0x3a0271294 isxdigit
0x3a027129c localeconv
0x3a02712a4 malloc
0x3a02712ac memcpy
0x3a02712b4 memset
0x3a02712bc realloc
0x3a02712c4 strcat
0x3a02712cc strlen
0x3a02712d4 strncmp
0x3a02712dc strtol
0x3a02712e4 strtoul
0x3a02712ec tolower
0x3a02712f4 ungetc
0x3a02712fc vfprintf
EAT(Export Address Table) Library
0x3a026b000 hash
0x3a0261470 xlAutoOpen
0x3a02613d0 xor_decrypt