Field | Value |
---|---|
Created | 2023.12.12 08:02 |
Machine | s1_win7_x6401 |
Filename | toolspub2.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | |
md5 | 05193c12562beb5de5f05ae6816c976f |
sha256 | ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d |
ssdeep | 3072:t07gIqLEHi+cOtsLpAjPsXp0qCAfs5qtrpJrkG5RScg7:cgIqLKi+cCjPwlCL5qBM |
imphash | bcb945da6d587ee0214ea3353c638407 |
impfuzzy | 24:jkrkIpNs0X6FSDTgFfkhlJ0DB4jpWCM6BJRdh4bt/zm0+cfpluHuOZyvnRSBw9c:kRfK4qfEMYzdGt/Srcfp0uRSBw9c |
Signature (12cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Detects Avast Antivirus through the presence of a library |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | This executable has a PDB path |
Rules (10cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x420008 GetConsoleAliasesLengthW
0x42000c EnumDateFormatsExW
0x420010 TlsGetValue
0x420014 LoadResource
0x420018 SystemTimeToTzSpecificLocalTime
0x42001c GlobalAddAtomA
0x420020 InterlockedIncrement
0x420024 GetCurrentProcess
0x420028 InterlockedCompareExchange
0x42002c OpenSemaphoreA
0x420030 GetTickCount
0x420034 GetDateFormatA
0x420038 GetVolumePathNameW
0x42003c GetCurrencyFormatW
0x420040 GlobalAlloc
0x420044 GlobalFindAtomA
0x420048 Sleep
0x42004c AssignProcessToJobObject
0x420050 SizeofResource
0x420054 GetSystemWindowsDirectoryA
0x420058 CreateFileW
0x42005c FlushFileBuffers
0x420060 CreateJobObjectA
0x420064 GetFullPathNameA
0x420068 GetLastError
0x42006c SetLastError
0x420070 BackupRead
0x420074 GetProcAddress
0x420078 GetProcessHeaps
0x42007c VirtualAlloc
0x420080 BeginUpdateResourceW
0x420084 SetComputerNameA
0x420088 LoadLibraryA
0x42008c CreateFileMappingW
0x420090 FoldStringA
0x420094 FindFirstVolumeMountPointA
0x420098 CreateIoCompletionPort
0x42009c GetModuleHandleA
0x4200a0 FindFirstChangeNotificationA
0x4200a4 VirtualProtect
0x4200a8 GetVersionExA
0x4200ac FindAtomW
0x4200b0 GetWindowsDirectoryW
0x4200b4 LCMapStringW
0x4200b8 InterlockedExchange
0x4200bc GetComputerNameA
0x4200c0 UnhandledExceptionFilter
0x4200c4 SetUnhandledExceptionFilter
0x4200c8 GetModuleHandleW
0x4200cc ExitProcess
0x4200d0 GetStartupInfoW
0x4200d4 WriteFile
0x4200d8 GetStdHandle
0x4200dc GetModuleFileNameA
0x4200e0 GetCPInfo
0x4200e4 InterlockedDecrement
0x4200e8 GetACP
0x4200ec GetOEMCP
0x4200f0 IsValidCodePage
0x4200f4 TlsAlloc
0x4200f8 TlsSetValue
0x4200fc TlsFree
0x420100 GetCurrentThreadId
0x420104 HeapSize
0x420108 HeapFree
0x42010c TerminateProcess
0x420110 IsDebuggerPresent
0x420114 DeleteCriticalSection
0x420118 LeaveCriticalSection
0x42011c EnterCriticalSection
0x420120 InitializeCriticalSectionAndSpinCount
0x420124 GetModuleFileNameW
0x420128 FreeEnvironmentStringsW
0x42012c GetEnvironmentStringsW
0x420130 GetCommandLineW
0x420134 SetHandleCount
0x420138 GetFileType
0x42013c GetStartupInfoA
0x420140 HeapCreate
0x420144 VirtualFree
0x420148 QueryPerformanceCounter
0x42014c GetCurrentProcessId
0x420150 GetSystemTimeAsFileTime
0x420154 LCMapStringA
0x420158 WideCharToMultiByte
0x42015c MultiByteToWideChar
0x420160 GetStringTypeA
0x420164 GetStringTypeW
0x420168 GetLocaleInfoA
0x42016c HeapAlloc
0x420170 HeapReAlloc
0x420174 RtlUnwind
USER32.dll
0x42017c RealGetWindowClassA
GDI32.dll
0x420000 SetDeviceGammaRamp
EAT (Export Address Table): none