ScreenShot
| Created | 2023.10.23 16:47 | Machine | s1_win7_x6401 |
| Filename | cbchr.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 19 detected (AIDetectMalware, malicious, high confidence, confidence, 100%, ZexaE, pu2@aWcQ0kki, Attribute, HighConfidence, PWSX, high, score, Detected, Redline, Kryptik, 0gn1FRnJmKT, Static AI, Malicious PE) | ||
| md5 | d88a06a393582a79ab6da48982ec87ae | ||
| sha256 | b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537 | ||
| ssdeep | 3072:KHkVhd52JYWsfVrhbjAY1GSEuywqamd/4bWSHqYubGtHshmRgSPG9oMNLxb:KHkVhd52JdYhbt1GCE2bUwZe+PElNh | ||
| imphash | 46e4333691e6901e3051f6d7de5959d7 | ||
| impfuzzy | 24:WjKNDoQkNdZ+fcslv1t0jOovRB7kJ3CFQHRyvuT4UjMZvZA5lICEC:udZ+fce1t0CQZcOucBZufEC | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Creates a suspicious process |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | Queries for the computername |
Rules (45cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x422000 WaitForSingleObject
0x422004 Sleep
0x422008 CreateThread
0x42200c lstrlenW
0x422010 VirtualProtect
0x422014 GetProcAddress
0x422018 LoadLibraryA
0x42201c VirtualAlloc
0x422020 GetModuleHandleA
0x422024 GetDateFormatW
0x422028 FreeConsole
0x42202c InterlockedIncrement
0x422030 InterlockedDecrement
0x422034 WideCharToMultiByte
0x422038 InterlockedExchange
0x42203c InitializeCriticalSection
0x422040 DeleteCriticalSection
0x422044 EnterCriticalSection
0x422048 LeaveCriticalSection
0x42204c MultiByteToWideChar
0x422050 GetLastError
0x422054 HeapFree
0x422058 HeapAlloc
0x42205c RtlUnwind
0x422060 TerminateProcess
0x422064 GetCurrentProcess
0x422068 UnhandledExceptionFilter
0x42206c SetUnhandledExceptionFilter
0x422070 IsDebuggerPresent
0x422074 RaiseException
0x422078 GetCommandLineA
0x42207c GetCPInfo
0x422080 LCMapStringA
0x422084 LCMapStringW
0x422088 HeapCreate
0x42208c VirtualFree
0x422090 HeapReAlloc
0x422094 GetModuleHandleW
0x422098 ExitProcess
0x42209c WriteFile
0x4220a0 GetStdHandle
0x4220a4 GetModuleFileNameA
0x4220a8 TlsGetValue
0x4220ac TlsAlloc
0x4220b0 TlsSetValue
0x4220b4 TlsFree
0x4220b8 SetLastError
0x4220bc GetCurrentThreadId
0x4220c0 FreeEnvironmentStringsA
0x4220c4 GetEnvironmentStrings
0x4220c8 FreeEnvironmentStringsW
0x4220cc GetEnvironmentStringsW
0x4220d0 SetHandleCount
0x4220d4 GetFileType
0x4220d8 GetStartupInfoA
0x4220dc QueryPerformanceCounter
0x4220e0 GetTickCount
0x4220e4 GetCurrentProcessId
0x4220e8 GetSystemTimeAsFileTime
0x4220ec GetConsoleCP
0x4220f0 GetConsoleMode
0x4220f4 FlushFileBuffers
0x4220f8 ReadFile
0x4220fc SetFilePointer
0x422100 CloseHandle
0x422104 HeapSize
0x422108 GetACP
0x42210c GetOEMCP
0x422110 IsValidCodePage
0x422114 GetUserDefaultLCID
0x422118 GetLocaleInfoA
0x42211c EnumSystemLocalesA
0x422120 IsValidLocale
0x422124 GetStringTypeA
0x422128 GetStringTypeW
0x42212c InitializeCriticalSectionAndSpinCount
0x422130 WriteConsoleA
0x422134 GetConsoleOutputCP
0x422138 WriteConsoleW
0x42213c SetStdHandle
0x422140 GetLocaleInfoW
0x422144 CreateFileA
USER32.dll
0x42214c GetWindowTextLengthW
EAT(Export Address Table) is none
KERNEL32.dll
0x422000 WaitForSingleObject
0x422004 Sleep
0x422008 CreateThread
0x42200c lstrlenW
0x422010 VirtualProtect
0x422014 GetProcAddress
0x422018 LoadLibraryA
0x42201c VirtualAlloc
0x422020 GetModuleHandleA
0x422024 GetDateFormatW
0x422028 FreeConsole
0x42202c InterlockedIncrement
0x422030 InterlockedDecrement
0x422034 WideCharToMultiByte
0x422038 InterlockedExchange
0x42203c InitializeCriticalSection
0x422040 DeleteCriticalSection
0x422044 EnterCriticalSection
0x422048 LeaveCriticalSection
0x42204c MultiByteToWideChar
0x422050 GetLastError
0x422054 HeapFree
0x422058 HeapAlloc
0x42205c RtlUnwind
0x422060 TerminateProcess
0x422064 GetCurrentProcess
0x422068 UnhandledExceptionFilter
0x42206c SetUnhandledExceptionFilter
0x422070 IsDebuggerPresent
0x422074 RaiseException
0x422078 GetCommandLineA
0x42207c GetCPInfo
0x422080 LCMapStringA
0x422084 LCMapStringW
0x422088 HeapCreate
0x42208c VirtualFree
0x422090 HeapReAlloc
0x422094 GetModuleHandleW
0x422098 ExitProcess
0x42209c WriteFile
0x4220a0 GetStdHandle
0x4220a4 GetModuleFileNameA
0x4220a8 TlsGetValue
0x4220ac TlsAlloc
0x4220b0 TlsSetValue
0x4220b4 TlsFree
0x4220b8 SetLastError
0x4220bc GetCurrentThreadId
0x4220c0 FreeEnvironmentStringsA
0x4220c4 GetEnvironmentStrings
0x4220c8 FreeEnvironmentStringsW
0x4220cc GetEnvironmentStringsW
0x4220d0 SetHandleCount
0x4220d4 GetFileType
0x4220d8 GetStartupInfoA
0x4220dc QueryPerformanceCounter
0x4220e0 GetTickCount
0x4220e4 GetCurrentProcessId
0x4220e8 GetSystemTimeAsFileTime
0x4220ec GetConsoleCP
0x4220f0 GetConsoleMode
0x4220f4 FlushFileBuffers
0x4220f8 ReadFile
0x4220fc SetFilePointer
0x422100 CloseHandle
0x422104 HeapSize
0x422108 GetACP
0x42210c GetOEMCP
0x422110 IsValidCodePage
0x422114 GetUserDefaultLCID
0x422118 GetLocaleInfoA
0x42211c EnumSystemLocalesA
0x422120 IsValidLocale
0x422124 GetStringTypeA
0x422128 GetStringTypeW
0x42212c InitializeCriticalSectionAndSpinCount
0x422130 WriteConsoleA
0x422134 GetConsoleOutputCP
0x422138 WriteConsoleW
0x42213c SetStdHandle
0x422140 GetLocaleInfoW
0x422144 CreateFileA
USER32.dll
0x42214c GetWindowTextLengthW
EAT(Export Address Table) is none