Field | Value |
---|---|
Created | 2023.12.11 19:40 |
Machine | s1_win7_x6403 |
Filename | cleaneruop.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malicious |
VT API (file) | 52 detected (AIDetectMalware, tsuD, Zusy, Save, TrojanBanker, ClipBanker, malicious, Attribute, HighConfidence, high confidence, Kryptik, HVLM, PWSX, Gencirc, pkchs, high, score, Redline, Detected, Eldorado, hsyn, CADR, Malware@#2o4ky0lgn6csg, Stealc, ai score=88, BScope, TrojanPSW, unsafe, Chgt, R002H0CL623, 4P9QD0KEbfR, Static AI, Malicious PE, susgen, ZexaF, SuW@amCAsAp, confidence, 100%) |
md5 | c8360d1235aa3bf925228bfe6a1c8a62 |
sha256 | ec94c8c7f81013c6b195c398dca59c2148746850ab4f549dd181b3ec25382453 |
ssdeep | 12288:WhI9jc2M11UZZOHpyRGGNkYj/lUcwAKdTSAixvFbOhl0c0nXBB4kncxJT+R6phS4:WKjb3OJyEQ9+ZSvxvNI0TBBnQJTgmhS4 |
imphash | b610b1ff2dfb4b84acc0b3fb1474f9f2 |
impfuzzy | 24:bjKNDogHOovg/J3JKnKQFQ8RyvDklRT4nZmfWlzf:8uHEK3D+cnZmfW1f |
Signature (8 entries)
Level | Description |
---|---|
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (6 entries)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0 entries)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata IDS
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x410000 AddAtomW
0x410004 WaitForSingleObject
0x410008 Sleep
0x41000c CreateThread
0x410010 lstrlenW
0x410014 VirtualProtect
0x410018 GetProcAddress
0x41001c LoadLibraryA
0x410020 VirtualAlloc
0x410024 GetModuleHandleA
0x410028 FreeConsole
0x41002c RtlUnwind
0x410030 GetCommandLineA
0x410034 GetModuleHandleW
0x410038 TlsGetValue
0x41003c TlsAlloc
0x410040 TlsSetValue
0x410044 TlsFree
0x410048 InterlockedIncrement
0x41004c SetLastError
0x410050 GetCurrentThreadId
0x410054 GetLastError
0x410058 InterlockedDecrement
0x41005c SetUnhandledExceptionFilter
0x410060 ExitProcess
0x410064 WriteFile
0x410068 GetStdHandle
0x41006c GetModuleFileNameA
0x410070 FreeEnvironmentStringsA
0x410074 GetEnvironmentStrings
0x410078 FreeEnvironmentStringsW
0x41007c WideCharToMultiByte
0x410080 GetEnvironmentStringsW
0x410084 SetHandleCount
0x410088 GetFileType
0x41008c GetStartupInfoA
0x410090 DeleteCriticalSection
0x410094 HeapCreate
0x410098 VirtualFree
0x41009c HeapFree
0x4100a0 QueryPerformanceCounter
0x4100a4 GetTickCount
0x4100a8 GetCurrentProcessId
0x4100ac GetSystemTimeAsFileTime
0x4100b0 RaiseException
0x4100b4 TerminateProcess
0x4100b8 GetCurrentProcess
0x4100bc UnhandledExceptionFilter
0x4100c0 IsDebuggerPresent
0x4100c4 LeaveCriticalSection
0x4100c8 EnterCriticalSection
0x4100cc GetCPInfo
0x4100d0 GetACP
0x4100d4 GetOEMCP
0x4100d8 IsValidCodePage
0x4100dc InitializeCriticalSectionAndSpinCount
0x4100e0 HeapAlloc
0x4100e4 HeapReAlloc
0x4100e8 GetLocaleInfoA
0x4100ec GetStringTypeA
0x4100f0 MultiByteToWideChar
0x4100f4 GetStringTypeW
0x4100f8 LCMapStringA
0x4100fc LCMapStringW
0x410100 HeapSize
EAT (Export Address Table): none
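As an added triage example (not part of this sandbox's tooling): the imphash in the table at the top of the report is derived from exactly the import list shown above, and the same list accounts for several of the behaviour signatures (RWX allocation via VirtualAlloc/VirtualProtect, the IsDebuggerPresent check, TLS use). The script below parses the listing format used on this page, recomputes the imphash with the algorithm pefile uses (lower-cased `dll.function` pairs in IAT order, DLL extension stripped, comma-joined, MD5), and tags import combinations worth checking against the behaviour signatures. The embedded listing is an excerpt of the IAT above, constructed for the example; with the complete KERNEL32.dll list pasted in, and assuming KERNEL32.dll is the only import descriptor in the binary, the result should equal the reported imphash b610b1ff2dfb4b84acc0b3fb1474f9f2. The rule names in `TRIAGE_RULES` are the example's own, not a published taxonomy.

```python
"""Static-triage helper for the sandbox report above: recompute the imphash
from the IAT listing and tag suspicious import combinations.

Added example, not part of the sandbox's own tooling.  Standard library only;
the imphash routine follows the algorithm pefile implements.
"""
import hashlib
import re

# Excerpt of the IAT listing from the report (constructed: the first lines plus
# the entries the triage rules below look at).  Paste the complete listing here
# to reproduce the report's imphash; with this excerpt the value will differ.
IAT_EXCERPT = """\
KERNEL32.dll
0x410000 AddAtomW
0x410004 WaitForSingleObject
0x410008 Sleep
0x41000c CreateThread
0x410010 lstrlenW
0x410014 VirtualProtect
0x410018 GetProcAddress
0x41001c LoadLibraryA
0x410020 VirtualAlloc
0x410024 GetModuleHandleA
0x410038 TlsGetValue
0x41003c TlsAlloc
0x410040 TlsSetValue
0x4100a0 QueryPerformanceCounter
0x4100a4 GetTickCount
0x4100c0 IsDebuggerPresent
"""

_DLL_LINE = re.compile(r"^\s*([\w\-]+\.(?:dll|sys|ocx))\s*$", re.IGNORECASE)
_FUNC_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\S+)\s*$")


def parse_iat(listing):
    """Turn the report's 'DLL name / 0xRVA FunctionName' lines into (dll, func) pairs."""
    imports, current = [], None
    for line in listing.splitlines():
        m = _DLL_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _FUNC_LINE.match(line)
        if m and current:
            imports.append((current, m.group(1)))
    return imports


def imphash(imports):
    """MD5 over 'dll.func' pairs in IAT order; case-insensitive, order-sensitive."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Import combinations worth a second look (example's own rule names).  Several
# of these APIs also appear in a plain MSVC CRT startup (GetTickCount and
# QueryPerformanceCounter seed the stack cookie), so treat hits as hints to
# confirm against the behaviour signatures, not as verdicts.
TRIAGE_RULES = {
    "runtime API resolution": {"LoadLibraryA", "GetProcAddress"},
    "RWX / self-modifying memory": {"VirtualAlloc", "VirtualProtect"},
    "anti-debugging": {"IsDebuggerPresent"},
    "TLS (callbacks can run before the entry point)": {"TlsAlloc", "TlsSetValue", "TlsGetValue"},
    "timing checks": {"GetTickCount", "QueryPerformanceCounter"},
}


def triage(imports):
    """Return {rule: sorted APIs} for every rule whose APIs are all imported."""
    names = {func for _, func in imports}
    return {rule: sorted(apis) for rule, apis in TRIAGE_RULES.items() if apis <= names}


def dll_only_kernel32(imports):
    """True when every static import comes from kernel32.  Behaviour the report
    attributes to other DLLs (the LUID/privilege check needs advapi32) must then
    come from APIs resolved at runtime, which fits the packer rules above."""
    return bool(imports) and all(dll.lower() == "kernel32.dll" for dll, _ in imports)


if __name__ == "__main__":
    imps = parse_iat(IAT_EXCERPT)
    print("imphash(excerpt):", imphash(imps))
    for rule, apis in triage(imps).items():
        print(f"{rule}: {', '.join(apis)}")
    print("only kernel32 imported statically:", dll_only_kernel32(imps))
```

`dll_only_kernel32` is the check worth running first on a report like this one: a static IAT containing nothing but kernel32, together with LoadLibraryA/GetProcAddress, UPX/packer rules and RWX allocation, means the import list you are hashing describes the stub, not the payload, so pivoting on this imphash will cluster samples by packer rather than by family.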