ScreenShot
| Created | 2023.11.04 10:42 | Machine | s1_win7_x6403 |
| Filename | hn-1 | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 55 detected (AIDetectMalware, Lotok, malicious, high confidence, Doina, IGENERIC, NetLoader, FVWA, Silverfox, ulgyzg, confidence, 100%, Attribute, HighConfidence, score, kckclu, CLASSIC, DwnLd, cpsmb, DownLoader46, R002C0PJV23, Detected, Phonzy, Eldorado, R619293, ZedlaF, eu4@aukuV8ki, ai score=88, Farfli, unsafe, Genetic, t8htsWGaJaU, susgen, RATX) | ||
| md5 | a04b173e5b0cb462684e646d91b14683 | ||
| sha256 | c9a965af469f70571a191271783eb2076c2e24e12353a3ec545d8a726fef61f8 | ||
| ssdeep | 768:G407txg6CVX762AORxFGPRDEEOsx3n+79Namb3GluLrXCS32Ta1NzBoFsxHv5rMx:Gd7TGAgFqoQn+mmTCuL79NzBl55rw3 | ||
| imphash | 070b5b44988eb91ceb5948a1cf23bcef | ||
| impfuzzy | 24:D4yKuGH8l9ZZtqdPOovSRkFDPJauRvD6FQ8lRT42fnYjM9QIij3w3rznQnAdAOSr:oclZtqdmx2Dgc2fn+Iy3urznBGOSr | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process rundll32.exe |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | Checks if process is being debugged by a debugger |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
SURICATA HTTP Request abnormal Content-Encoding header
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE OneLouder EXE download possibly installing Zeus P2P
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
ET MALWARE JS/WSF Downloader Dec 08 2016 M6
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE OneLouder EXE download possibly installing Zeus P2P
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
ET MALWARE JS/WSF Downloader Dec 08 2016 M6
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1000d000 CloseHandle
0x1000d004 Sleep
0x1000d008 Process32Next
0x1000d00c Process32First
0x1000d010 CreateToolhelp32Snapshot
0x1000d014 GetLastError
0x1000d018 GetEnvironmentVariableA
0x1000d01c CreateMutexA
0x1000d020 OpenMutexA
0x1000d024 FlushFileBuffers
0x1000d028 CreateFileA
0x1000d02c WriteConsoleW
0x1000d030 GetConsoleOutputCP
0x1000d034 WriteConsoleA
0x1000d038 SetStdHandle
0x1000d03c InitializeCriticalSectionAndSpinCount
0x1000d040 LoadLibraryA
0x1000d044 GetSystemTimeAsFileTime
0x1000d048 RaiseException
0x1000d04c TerminateProcess
0x1000d050 GetCurrentProcess
0x1000d054 UnhandledExceptionFilter
0x1000d058 SetUnhandledExceptionFilter
0x1000d05c IsDebuggerPresent
0x1000d060 RtlUnwind
0x1000d064 GetCurrentThreadId
0x1000d068 GetCommandLineA
0x1000d06c HeapAlloc
0x1000d070 HeapFree
0x1000d074 GetCPInfo
0x1000d078 InterlockedIncrement
0x1000d07c InterlockedDecrement
0x1000d080 GetACP
0x1000d084 GetOEMCP
0x1000d088 IsValidCodePage
0x1000d08c GetModuleHandleW
0x1000d090 GetProcAddress
0x1000d094 TlsGetValue
0x1000d098 TlsAlloc
0x1000d09c TlsSetValue
0x1000d0a0 TlsFree
0x1000d0a4 SetLastError
0x1000d0a8 ExitProcess
0x1000d0ac SetHandleCount
0x1000d0b0 GetStdHandle
0x1000d0b4 GetFileType
0x1000d0b8 GetStartupInfoA
0x1000d0bc DeleteCriticalSection
0x1000d0c0 GetModuleFileNameA
0x1000d0c4 FreeEnvironmentStringsA
0x1000d0c8 GetEnvironmentStrings
0x1000d0cc FreeEnvironmentStringsW
0x1000d0d0 WideCharToMultiByte
0x1000d0d4 GetEnvironmentStringsW
0x1000d0d8 HeapCreate
0x1000d0dc HeapDestroy
0x1000d0e0 VirtualFree
0x1000d0e4 QueryPerformanceCounter
0x1000d0e8 GetTickCount
0x1000d0ec GetCurrentProcessId
0x1000d0f0 LeaveCriticalSection
0x1000d0f4 EnterCriticalSection
0x1000d0f8 VirtualAlloc
0x1000d0fc HeapReAlloc
0x1000d100 WriteFile
0x1000d104 LCMapStringA
0x1000d108 MultiByteToWideChar
0x1000d10c LCMapStringW
0x1000d110 GetStringTypeA
0x1000d114 GetStringTypeW
0x1000d118 GetLocaleInfoA
0x1000d11c HeapSize
0x1000d120 SetFilePointer
0x1000d124 GetConsoleCP
0x1000d128 GetConsoleMode
USER32.dll
0x1000d138 KillTimer
0x1000d13c SetTimer
0x1000d140 GetMessageA
0x1000d144 MessageBoxA
0x1000d148 GetDesktopWindow
0x1000d14c PostQuitMessage
0x1000d150 TranslateMessage
0x1000d154 DispatchMessageA
SHELL32.dll
0x1000d130 ShellExecuteExA
urlmon.dll
0x1000d15c URLDownloadToFileA
EAT(Export Address Table) Library
0x10002100 Edge
KERNEL32.dll
0x1000d000 CloseHandle
0x1000d004 Sleep
0x1000d008 Process32Next
0x1000d00c Process32First
0x1000d010 CreateToolhelp32Snapshot
0x1000d014 GetLastError
0x1000d018 GetEnvironmentVariableA
0x1000d01c CreateMutexA
0x1000d020 OpenMutexA
0x1000d024 FlushFileBuffers
0x1000d028 CreateFileA
0x1000d02c WriteConsoleW
0x1000d030 GetConsoleOutputCP
0x1000d034 WriteConsoleA
0x1000d038 SetStdHandle
0x1000d03c InitializeCriticalSectionAndSpinCount
0x1000d040 LoadLibraryA
0x1000d044 GetSystemTimeAsFileTime
0x1000d048 RaiseException
0x1000d04c TerminateProcess
0x1000d050 GetCurrentProcess
0x1000d054 UnhandledExceptionFilter
0x1000d058 SetUnhandledExceptionFilter
0x1000d05c IsDebuggerPresent
0x1000d060 RtlUnwind
0x1000d064 GetCurrentThreadId
0x1000d068 GetCommandLineA
0x1000d06c HeapAlloc
0x1000d070 HeapFree
0x1000d074 GetCPInfo
0x1000d078 InterlockedIncrement
0x1000d07c InterlockedDecrement
0x1000d080 GetACP
0x1000d084 GetOEMCP
0x1000d088 IsValidCodePage
0x1000d08c GetModuleHandleW
0x1000d090 GetProcAddress
0x1000d094 TlsGetValue
0x1000d098 TlsAlloc
0x1000d09c TlsSetValue
0x1000d0a0 TlsFree
0x1000d0a4 SetLastError
0x1000d0a8 ExitProcess
0x1000d0ac SetHandleCount
0x1000d0b0 GetStdHandle
0x1000d0b4 GetFileType
0x1000d0b8 GetStartupInfoA
0x1000d0bc DeleteCriticalSection
0x1000d0c0 GetModuleFileNameA
0x1000d0c4 FreeEnvironmentStringsA
0x1000d0c8 GetEnvironmentStrings
0x1000d0cc FreeEnvironmentStringsW
0x1000d0d0 WideCharToMultiByte
0x1000d0d4 GetEnvironmentStringsW
0x1000d0d8 HeapCreate
0x1000d0dc HeapDestroy
0x1000d0e0 VirtualFree
0x1000d0e4 QueryPerformanceCounter
0x1000d0e8 GetTickCount
0x1000d0ec GetCurrentProcessId
0x1000d0f0 LeaveCriticalSection
0x1000d0f4 EnterCriticalSection
0x1000d0f8 VirtualAlloc
0x1000d0fc HeapReAlloc
0x1000d100 WriteFile
0x1000d104 LCMapStringA
0x1000d108 MultiByteToWideChar
0x1000d10c LCMapStringW
0x1000d110 GetStringTypeA
0x1000d114 GetStringTypeW
0x1000d118 GetLocaleInfoA
0x1000d11c HeapSize
0x1000d120 SetFilePointer
0x1000d124 GetConsoleCP
0x1000d128 GetConsoleMode
USER32.dll
0x1000d138 KillTimer
0x1000d13c SetTimer
0x1000d140 GetMessageA
0x1000d144 MessageBoxA
0x1000d148 GetDesktopWindow
0x1000d14c PostQuitMessage
0x1000d150 TranslateMessage
0x1000d154 DispatchMessageA
SHELL32.dll
0x1000d130 ShellExecuteExA
urlmon.dll
0x1000d15c URLDownloadToFileA
EAT(Export Address Table) Library
0x10002100 Edge