ScreenShot
Field | Value |
---|---|
Created | 2023.10.07 14:50 |
Machine | s1_win7_x6403 |
Filename | build5555.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 40 detected (AIDetectMalware, Doina, malicious, high confidence, Artemis, Spyloader, Vkjk, confidence, Attribute, HighConfidence, a variant of Generik, NBAUNDS, score, Meduza, MalwareX, SMOKELOADER, YXDJGZ, ABRisk, UBRB, Detected, ai score=81, unsafe, Chgt, CLOUD, susgen, PossibleThreat) |
md5 | 82eecea4083e39c33733428c2d845b15 |
sha256 | ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef |
ssdeep | 24576:Yr3uXCxRUKRErpNT3ixen3EyJvRvEx+aFwGSMn/FQiG654Sr:Yreyx7ErOe3XvRvRayM/FU+4s |
imphash | be8c12fdcf1a063957352e3396e671e5 |
impfuzzy | 24:atwcpVfD02tdS1CBgdlJBl3eDoro+qaZ7Olv5GMAkpOovbOPZ7dLzsvzW:xcpVfHtdS1CBgDpX9Z7ONk3Ndvs7W |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Communicates with host for which no DNS query was performed |
watch | Creates an Alternate Data Stream (ADS) |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Creates executable files on the filesystem |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
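The injection chain the signatures above describe (write executable memory into another process, modify a thread with NtSetContextThread, resume the suspended thread) needs a process handle that carries specific access rights. The following Python is an added example, not part of the sandbox report or of any tool it names: it decodes the GrantedAccess mask of Sysmon Event ID 10 (ProcessAccess) records and rates each handle grant by whether it is sufficient to write code into a target and then get it running. The four event records are constructed for the example and the allowlist of source processes is an assumption to tune per environment; the numeric constants are the documented Windows PROCESS_* access rights.

```python
import re

# Windows process access rights (winnt.h PROCESS_*), the subset that matters for injection.
RIGHTS = {
    0x0002: "CREATE_THREAD",
    0x0008: "VM_OPERATION",             # VirtualAllocEx / VirtualProtectEx (RWX allocations)
    0x0010: "VM_READ",
    0x0020: "VM_WRITE",                 # WriteProcessMemory / NtWriteVirtualMemory
    0x0400: "QUERY_INFORMATION",
    0x0800: "SUSPEND_RESUME",           # NtSuspendProcess / NtResumeProcess
    0x1000: "QUERY_LIMITED_INFORMATION",
}
WRITE_RIGHTS = 0x0008 | 0x0020          # enough to place code in the target
EXEC_RIGHTS = 0x0002 | 0x0800           # enough to get that code running

# Example allowlist (assumption): sources that open other processes with broad rights as part of
# normal operation. csrss.exe in particular opens every process it creates with full access.
ALLOWED_SOURCES = {"csrss.exe", "lsass.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Constructed Sysmon Event ID 10 records flattened to key=value pairs; not taken from the report.
SAMPLE_EVENTS = r"""
EventID=10 SourceImage=C:\Users\user\Desktop\build5555.exe TargetImage=C:\Users\user\AppData\Local\Temp\host.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\Windows\System32\lsass.exe TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1400
EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Users\user\Desktop\build5555.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\Tools\tool.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x0028
"""


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def rights_in(mask):
    """Names of the injection-relevant rights set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def assess(event):
    """Rate one ProcessAccess event: 'high', 'medium' or 'none', plus the reason."""
    if event.get("EventID") != "10":
        return "none", "not a ProcessAccess event"
    source = basename(event["SourceImage"]).lower()
    if source in ALLOWED_SOURCES:
        return "none", f"allowlisted source {source}"
    mask = int(event["GrantedAccess"], 16)
    # Parenthesise: in Python '==' binds tighter than '&'.
    can_write = (mask & WRITE_RIGHTS) == WRITE_RIGHTS
    can_exec = bool(mask & EXEC_RIGHTS)
    if can_write and can_exec:
        return "high", "write + thread control: " + ",".join(rights_in(mask))
    if can_write:
        return "medium", "memory write rights without thread control: " + ",".join(rights_in(mask))
    return "none", "no injection-capable rights"


def triage(log_text):
    """Return (source, target, severity, reason) for every non-empty record in log_text."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        severity, why = assess(ev)
        results.append((basename(ev["SourceImage"]), basename(ev["TargetImage"]), severity, why))
    return results


if __name__ == "__main__":
    for src, dst, sev, why in triage(SAMPLE_EVENTS):
        print(f"{sev:6} {src} -> {dst}: {why}")
```

Two caveats when using this for the behaviour in the table. NtSetContextThread and ResumeThread operate on thread handles (THREAD_SET_CONTEXT, THREAD_SUSPEND_RESUME), which Event ID 10 does not record, so a handle that only carries VM_OPERATION and VM_WRITE can still be the write half of a hollowing chain; that is why the example rates it medium rather than discarding it. And where the injector creates the target itself in a suspended state, as "Executed a process and injected code into it" suggests, it already holds a full-access handle from process creation, so pair this check with Event ID 1 (parent/child) and Event ID 8 (CreateRemoteThread) rather than relying on ProcessAccess alone.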
Rules (19cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140022000 Sleep
0x140022008 WideCharToMultiByte
0x140022010 Process32NextW
0x140022018 Process32FirstW
0x140022020 GetExitCodeProcess
0x140022028 WriteConsoleW
0x140022030 CreateFileW
0x140022038 HeapSize
0x140022040 SetStdHandle
0x140022048 GetProcessHeap
0x140022050 EncodePointer
0x140022058 DecodePointer
0x140022060 EnterCriticalSection
0x140022068 LeaveCriticalSection
0x140022070 InitializeCriticalSectionEx
0x140022078 DeleteCriticalSection
0x140022080 MultiByteToWideChar
0x140022088 LCMapStringEx
0x140022090 GetStringTypeW
0x140022098 GetCPInfo
0x1400220a0 RtlCaptureContext
0x1400220a8 RtlLookupFunctionEntry
0x1400220b0 RtlVirtualUnwind
0x1400220b8 UnhandledExceptionFilter
0x1400220c0 SetUnhandledExceptionFilter
0x1400220c8 GetCurrentProcess
0x1400220d0 TerminateProcess
0x1400220d8 IsProcessorFeaturePresent
0x1400220e0 IsDebuggerPresent
0x1400220e8 GetStartupInfoW
0x1400220f0 GetModuleHandleW
0x1400220f8 QueryPerformanceCounter
0x140022100 GetCurrentProcessId
0x140022108 GetCurrentThreadId
0x140022110 GetSystemTimeAsFileTime
0x140022118 InitializeSListHead
0x140022120 RtlUnwindEx
0x140022128 RtlPcToFileHeader
0x140022130 RaiseException
0x140022138 GetLastError
0x140022140 SetLastError
0x140022148 InitializeCriticalSectionAndSpinCount
0x140022150 TlsAlloc
0x140022158 TlsGetValue
0x140022160 TlsSetValue
0x140022168 TlsFree
0x140022170 FreeLibrary
0x140022178 GetProcAddress
0x140022180 LoadLibraryExW
0x140022188 ExitProcess
0x140022190 GetModuleHandleExW
0x140022198 GetModuleFileNameW
0x1400221a0 GetStdHandle
0x1400221a8 WriteFile
0x1400221b0 HeapFree
0x1400221b8 HeapAlloc
0x1400221c0 FlsAlloc
0x1400221c8 FlsGetValue
0x1400221d0 FlsSetValue
0x1400221d8 FlsFree
0x1400221e0 LCMapStringW
0x1400221e8 GetLocaleInfoW
0x1400221f0 IsValidLocale
0x1400221f8 GetUserDefaultLCID
0x140022200 EnumSystemLocalesW
0x140022208 DeleteFileW
0x140022210 GetFileType
0x140022218 CloseHandle
0x140022220 FlushFileBuffers
0x140022228 GetConsoleOutputCP
0x140022230 GetConsoleMode
0x140022238 ReadFile
0x140022240 GetFileSizeEx
0x140022248 SetFilePointerEx
0x140022250 ReadConsoleW
0x140022258 HeapReAlloc
0x140022260 FindClose
0x140022268 FindFirstFileExW
0x140022270 FindNextFileW
0x140022278 IsValidCodePage
0x140022280 GetACP
0x140022288 GetOEMCP
0x140022290 GetCommandLineA
0x140022298 GetCommandLineW
0x1400222a0 GetEnvironmentStringsW
0x1400222a8 FreeEnvironmentStringsW
0x1400222b0 RtlUnwind
ntdll.dll
0x1400222c0 RtlInitUnicodeString
0x1400222c8 LdrLoadDll
0x1400222d0 NtOpenProcess
0x1400222d8 NtQueryInformationProcess
EAT(Export Address Table) is none
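A first static triage pass over the import table above, as an added example that is not part of the report or its sandbox. It groups the imported functions by the capability they give the binary, lists the injection APIs the sandbox observed at runtime that are absent from the static table (with LdrLoadDll and GetProcAddress imported, those are resolved at runtime, which fits the packer signatures), and recomputes the import hash with the algorithm pefile and VirusTotal use: lowercase `dll.function` pairs in import order, joined by commas, MD5. The import list embedded here is an excerpt of the table above, so the hash it yields is not the page's `be8c12fd…`; recomputing that value needs the full ordered list, and pefile's `get_imphash()` on the file itself is the reference. The capability groupings are this example's own choices, not something the report states.

```python
import hashlib

# Excerpt of the IAT listed above (many KERNEL32 CRT imports trimmed); original order kept.
IAT_EXCERPT = """\
KERNEL32.dll
0x140022000 Sleep
0x140022010 Process32NextW
0x140022018 Process32FirstW
0x140022030 CreateFileW
0x1400220e0 IsDebuggerPresent
0x140022178 GetProcAddress
0x140022180 LoadLibraryExW
0x140022208 DeleteFileW
0x140022268 FindFirstFileExW
0x140022270 FindNextFileW
ntdll.dll
0x1400222c0 RtlInitUnicodeString
0x1400222c8 LdrLoadDll
0x1400222d0 NtOpenProcess
0x1400222d8 NtQueryInformationProcess
"""

# Capability groupings chosen for this example (assumption, not from the report).
CAPABILITIES = {
    "process enumeration":    {"Process32FirstW", "Process32NextW", "CreateToolhelp32Snapshot"},
    "remote process access":  {"NtOpenProcess", "OpenProcess"},
    "anti-debug":             {"IsDebuggerPresent", "NtQueryInformationProcess", "CheckRemoteDebuggerPresent"},
    "dynamic API resolution": {"LdrLoadDll", "LoadLibraryExW", "LoadLibraryW", "LoadLibraryA", "GetProcAddress"},
    "file system enumeration": {"FindFirstFileExW", "FindNextFileW", "FindFirstFileW"},
    "file write/delete":      {"CreateFileW", "WriteFile", "DeleteFileW"},
}

# APIs behind the injection signatures the sandbox reported; none appear in the static IAT.
INJECTION_APIS = {
    "VirtualAllocEx", "NtAllocateVirtualMemory", "VirtualProtectEx",
    "WriteProcessMemory", "NtWriteVirtualMemory", "CreateRemoteThread",
    "NtSetContextThread", "SetThreadContext", "ResumeThread", "NtResumeThread",
}


def parse_iat(text):
    """Parse the report's 'DLL name / address function' listing into ordered (dll, func) pairs."""
    pairs, dll = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().endswith((".dll", ".ocx", ".sys")):
            dll = line
        else:
            _addr, func = line.split(None, 1)
            pairs.append((dll, func))
    return pairs


def imphash(pairs):
    """MD5 over 'dll.func,dll.func,...' (lowercase, extension stripped), as pefile computes it."""
    parts = []
    for dll, func in pairs:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
        parts.append(f"{name}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def capabilities(pairs):
    """Map each capability to the sorted list of imported functions that provide it."""
    funcs = {func for _, func in pairs}
    hits = {cap: sorted(funcs & apis) for cap, apis in CAPABILITIES.items()}
    return {cap: names for cap, names in hits.items() if names}


def missing_injection_apis(pairs):
    """Injection APIs absent from the IAT; meaningful only when a runtime resolver is imported."""
    funcs = {func for _, func in pairs}
    if not ({"GetProcAddress", "LdrLoadDll"} & funcs):
        return []
    return sorted(INJECTION_APIS - funcs)


if __name__ == "__main__":
    iat = parse_iat(IAT_EXCERPT)
    print("imphash (excerpt only):", imphash(iat))
    for cap, names in capabilities(iat).items():
        print(f"{cap:24} {', '.join(names)}")
    print("resolved at runtime, not in IAT:", ", ".join(missing_injection_apis(iat)))
```

The combination this surfaces is the practitioner's takeaway: a process enumerator (Process32FirstW/NextW) plus a native process opener (NtOpenProcess) and two resolvers (LdrLoadDll, GetProcAddress), while every memory-write and thread-control API the sandbox saw is absent from the table. That pattern is the static fingerprint of a packed loader that unpacks and resolves its injection primitives in memory, which is why the Yara hits came from process memory rather than from the uploaded file.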