ScreenShot
| Created | 2023.10.24 07:55 | Machine | s1_win7_x6401 |
| Filename | sus.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 7412fa29d56312aeba1f8b6270233b3c | ||
| sha256 | 355e3f75e42531c06377c7c3f620d407668e98e28e231448a333f941b2e779f5 | ||
| ssdeep | 12288:zQRtiMAfS5S8a1TxC5289nE+LIqHC67cQuzzd9X6a9DhvhhHrxIY:ziAfS5S8a1TSTE+1x46a9DhvhRdI | ||
| imphash | a23cbfa58d4baffb298f8e637aac34ac | ||
| impfuzzy | 48:xBfWDz99xcpVJxKYyXtXqrmcGtnzba63buFZGLZ:xBfWnDxcpVJxKjXtXQmcGtnPa9g | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
GDI32.dll
0x596000 GetMapMode
ole32.dll
0x5962ec CoGetApartmentType
0x5962f0 CoGetObjectContext
KERNEL32.dll
0x596030 CreateFileW
0x596034 HeapSize
0x596038 GetProcessHeap
0x59603c RaiseException
0x596040 CloseHandle
0x596044 WaitForSingleObjectEx
0x596048 Sleep
0x59604c SwitchToThread
0x596050 GetCurrentThreadId
0x596054 GetExitCodeThread
0x596058 GetNativeSystemInfo
0x59605c InitializeSRWLock
0x596060 ReleaseSRWLockExclusive
0x596064 AcquireSRWLockExclusive
0x596068 TryAcquireSRWLockExclusive
0x59606c InitializeConditionVariable
0x596070 WakeConditionVariable
0x596074 WakeAllConditionVariable
0x596078 SleepConditionVariableSRW
0x59607c FormatMessageA
0x596080 InitOnceBeginInitialize
0x596084 InitOnceComplete
0x596088 GetLastError
0x59608c FreeLibraryWhenCallbackReturns
0x596090 CreateThreadpoolWork
0x596094 SubmitThreadpoolWork
0x596098 CloseThreadpoolWork
0x59609c GetModuleHandleExW
0x5960a0 RtlCaptureStackBackTrace
0x5960a4 IsProcessorFeaturePresent
0x5960a8 EnterCriticalSection
0x5960ac LeaveCriticalSection
0x5960b0 InitializeCriticalSectionEx
0x5960b4 DeleteCriticalSection
0x5960b8 QueryPerformanceCounter
0x5960bc QueryPerformanceFrequency
0x5960c0 LocalFree
0x5960c4 GetLocaleInfoEx
0x5960c8 EncodePointer
0x5960cc DecodePointer
0x5960d0 MultiByteToWideChar
0x5960d4 WideCharToMultiByte
0x5960d8 LCMapStringEx
0x5960dc SetFileInformationByHandle
0x5960e0 GetTempPathW
0x5960e4 FlsAlloc
0x5960e8 FlsGetValue
0x5960ec FlsSetValue
0x5960f0 FlsFree
0x5960f4 InitOnceExecuteOnce
0x5960f8 SleepConditionVariableCS
0x5960fc CreateEventExW
0x596100 CreateSemaphoreExW
0x596104 FlushProcessWriteBuffers
0x596108 GetCurrentProcessorNumber
0x59610c GetSystemTimeAsFileTime
0x596110 GetTickCount64
0x596114 CreateThreadpoolTimer
0x596118 SetThreadpoolTimer
0x59611c WaitForThreadpoolTimerCallbacks
0x596120 CloseThreadpoolTimer
0x596124 CreateThreadpoolWait
0x596128 SetThreadpoolWait
0x59612c CloseThreadpoolWait
0x596130 GetModuleHandleW
0x596134 GetProcAddress
0x596138 GetFileInformationByHandleEx
0x59613c CreateSymbolicLinkW
0x596140 GetStringTypeW
0x596144 CompareStringEx
0x596148 GetCPInfo
0x59614c InitializeCriticalSectionAndSpinCount
0x596150 SetEvent
0x596154 ResetEvent
0x596158 CreateEventW
0x59615c GetCurrentProcessId
0x596160 InitializeSListHead
0x596164 IsDebuggerPresent
0x596168 UnhandledExceptionFilter
0x59616c SetUnhandledExceptionFilter
0x596170 GetStartupInfoW
0x596174 GetCurrentProcess
0x596178 TerminateProcess
0x59617c SetStdHandle
0x596180 RtlUnwind
0x596184 InterlockedPushEntrySList
0x596188 InterlockedFlushSList
0x59618c SetLastError
0x596190 TlsAlloc
0x596194 TlsGetValue
0x596198 TlsSetValue
0x59619c TlsFree
0x5961a0 FreeLibrary
0x5961a4 LoadLibraryExW
0x5961a8 CreateThread
0x5961ac ExitThread
0x5961b0 ResumeThread
0x5961b4 FreeLibraryAndExitThread
0x5961b8 GetStdHandle
0x5961bc WriteFile
0x5961c0 GetModuleFileNameW
0x5961c4 ExitProcess
0x5961c8 GetCommandLineA
0x5961cc GetCommandLineW
0x5961d0 GetCurrentThread
0x5961d4 HeapFree
0x5961d8 SetConsoleCtrlHandler
0x5961dc HeapAlloc
0x5961e0 GetDateFormatW
0x5961e4 GetTimeFormatW
0x5961e8 CompareStringW
0x5961ec LCMapStringW
0x5961f0 GetLocaleInfoW
0x5961f4 IsValidLocale
0x5961f8 GetUserDefaultLCID
0x5961fc EnumSystemLocalesW
0x596200 GetFileType
0x596204 GetFileSizeEx
0x596208 SetFilePointerEx
0x59620c FlushFileBuffers
0x596210 GetConsoleOutputCP
0x596214 GetConsoleMode
0x596218 ReadFile
0x59621c ReadConsoleW
0x596220 HeapReAlloc
0x596224 GetTimeZoneInformation
0x596228 OutputDebugStringW
0x59622c FindClose
0x596230 FindFirstFileExW
0x596234 FindNextFileW
0x596238 IsValidCodePage
0x59623c GetACP
0x596240 GetOEMCP
0x596244 GetEnvironmentStringsW
0x596248 FreeEnvironmentStringsW
0x59624c SetEnvironmentVariableW
0x596250 WriteConsoleW
EAT(Export Address Table) is none
GDI32.dll
0x596000 GetMapMode
ole32.dll
0x5962ec CoGetApartmentType
0x5962f0 CoGetObjectContext
KERNEL32.dll
0x596030 CreateFileW
0x596034 HeapSize
0x596038 GetProcessHeap
0x59603c RaiseException
0x596040 CloseHandle
0x596044 WaitForSingleObjectEx
0x596048 Sleep
0x59604c SwitchToThread
0x596050 GetCurrentThreadId
0x596054 GetExitCodeThread
0x596058 GetNativeSystemInfo
0x59605c InitializeSRWLock
0x596060 ReleaseSRWLockExclusive
0x596064 AcquireSRWLockExclusive
0x596068 TryAcquireSRWLockExclusive
0x59606c InitializeConditionVariable
0x596070 WakeConditionVariable
0x596074 WakeAllConditionVariable
0x596078 SleepConditionVariableSRW
0x59607c FormatMessageA
0x596080 InitOnceBeginInitialize
0x596084 InitOnceComplete
0x596088 GetLastError
0x59608c FreeLibraryWhenCallbackReturns
0x596090 CreateThreadpoolWork
0x596094 SubmitThreadpoolWork
0x596098 CloseThreadpoolWork
0x59609c GetModuleHandleExW
0x5960a0 RtlCaptureStackBackTrace
0x5960a4 IsProcessorFeaturePresent
0x5960a8 EnterCriticalSection
0x5960ac LeaveCriticalSection
0x5960b0 InitializeCriticalSectionEx
0x5960b4 DeleteCriticalSection
0x5960b8 QueryPerformanceCounter
0x5960bc QueryPerformanceFrequency
0x5960c0 LocalFree
0x5960c4 GetLocaleInfoEx
0x5960c8 EncodePointer
0x5960cc DecodePointer
0x5960d0 MultiByteToWideChar
0x5960d4 WideCharToMultiByte
0x5960d8 LCMapStringEx
0x5960dc SetFileInformationByHandle
0x5960e0 GetTempPathW
0x5960e4 FlsAlloc
0x5960e8 FlsGetValue
0x5960ec FlsSetValue
0x5960f0 FlsFree
0x5960f4 InitOnceExecuteOnce
0x5960f8 SleepConditionVariableCS
0x5960fc CreateEventExW
0x596100 CreateSemaphoreExW
0x596104 FlushProcessWriteBuffers
0x596108 GetCurrentProcessorNumber
0x59610c GetSystemTimeAsFileTime
0x596110 GetTickCount64
0x596114 CreateThreadpoolTimer
0x596118 SetThreadpoolTimer
0x59611c WaitForThreadpoolTimerCallbacks
0x596120 CloseThreadpoolTimer
0x596124 CreateThreadpoolWait
0x596128 SetThreadpoolWait
0x59612c CloseThreadpoolWait
0x596130 GetModuleHandleW
0x596134 GetProcAddress
0x596138 GetFileInformationByHandleEx
0x59613c CreateSymbolicLinkW
0x596140 GetStringTypeW
0x596144 CompareStringEx
0x596148 GetCPInfo
0x59614c InitializeCriticalSectionAndSpinCount
0x596150 SetEvent
0x596154 ResetEvent
0x596158 CreateEventW
0x59615c GetCurrentProcessId
0x596160 InitializeSListHead
0x596164 IsDebuggerPresent
0x596168 UnhandledExceptionFilter
0x59616c SetUnhandledExceptionFilter
0x596170 GetStartupInfoW
0x596174 GetCurrentProcess
0x596178 TerminateProcess
0x59617c SetStdHandle
0x596180 RtlUnwind
0x596184 InterlockedPushEntrySList
0x596188 InterlockedFlushSList
0x59618c SetLastError
0x596190 TlsAlloc
0x596194 TlsGetValue
0x596198 TlsSetValue
0x59619c TlsFree
0x5961a0 FreeLibrary
0x5961a4 LoadLibraryExW
0x5961a8 CreateThread
0x5961ac ExitThread
0x5961b0 ResumeThread
0x5961b4 FreeLibraryAndExitThread
0x5961b8 GetStdHandle
0x5961bc WriteFile
0x5961c0 GetModuleFileNameW
0x5961c4 ExitProcess
0x5961c8 GetCommandLineA
0x5961cc GetCommandLineW
0x5961d0 GetCurrentThread
0x5961d4 HeapFree
0x5961d8 SetConsoleCtrlHandler
0x5961dc HeapAlloc
0x5961e0 GetDateFormatW
0x5961e4 GetTimeFormatW
0x5961e8 CompareStringW
0x5961ec LCMapStringW
0x5961f0 GetLocaleInfoW
0x5961f4 IsValidLocale
0x5961f8 GetUserDefaultLCID
0x5961fc EnumSystemLocalesW
0x596200 GetFileType
0x596204 GetFileSizeEx
0x596208 SetFilePointerEx
0x59620c FlushFileBuffers
0x596210 GetConsoleOutputCP
0x596214 GetConsoleMode
0x596218 ReadFile
0x59621c ReadConsoleW
0x596220 HeapReAlloc
0x596224 GetTimeZoneInformation
0x596228 OutputDebugStringW
0x59622c FindClose
0x596230 FindFirstFileExW
0x596234 FindNextFileW
0x596238 IsValidCodePage
0x59623c GetACP
0x596240 GetOEMCP
0x596244 GetEnvironmentStringsW
0x596248 FreeEnvironmentStringsW
0x59624c SetEnvironmentVariableW
0x596250 WriteConsoleW
EAT(Export Address Table) is none