ScreenShot
| Created | 2023.12.14 07:58 | Machine | s1_win7_x6401 |
| Filename | NTPDRAPE.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 2 detected (AIDetectMalware, Malicious) | ||
| md5 | 6ae58a1b3f242ea4259e97c6539a618a | ||
| sha256 | b08b54973d3e01bc23d10d5dbbb20eeac24365c80cb80317168ff8c3e87e615b | ||
| ssdeep | 6144:ixa7OnkL0QdVVyHaTzX3dXbg1DdCRSvWd7dlMxEo4EOwlOs4n1yf6VCYZnPNSf5:ixaLL9da6ntk1ISe6xEodd34159nPNG | ||
| imphash | 3af4cfbd1aa2e14fd4d3ad1fb8182305 | ||
| impfuzzy | 24:VuvQiv0ebT0DcqdEuHv22OT+Oov4vukTJgv8ERRvlAKQ+31edAT9TwL:+sebVcpOTJPNJc+KQ+3EGT5A | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| watch | Deletes executed files from disk |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | File has been identified by 2 AntiVirus engines on VirusTotal as malicious |
| info | Checks amount of memory in system |
| info | The executable uses a known packer |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40b000 GetTempFileNameA
0x40b004 GetTempPathA
0x40b008 CreateDirectoryA
0x40b00c RemoveDirectoryA
0x40b010 FindClose
0x40b014 FindNextFileA
0x40b018 FindFirstFileA
0x40b01c Sleep
0x40b020 SetCurrentDirectoryA
0x40b024 CloseHandle
0x40b028 GetExitCodeProcess
0x40b02c CreateProcessA
0x40b030 GetModuleFileNameA
0x40b034 GetStringTypeW
0x40b038 GetStringTypeA
0x40b03c IsBadCodePtr
0x40b040 IsBadReadPtr
0x40b044 SetUnhandledExceptionFilter
0x40b048 LoadLibraryA
0x40b04c GetProcAddress
0x40b050 LCMapStringW
0x40b054 LCMapStringA
0x40b058 CreateFileA
0x40b05c GetLastError
0x40b060 ReadFile
0x40b064 WriteFile
0x40b068 SetFilePointer
0x40b06c SetEnvironmentVariableA
0x40b070 GetCurrentDirectoryA
0x40b074 HeapFree
0x40b078 HeapAlloc
0x40b07c DeleteFileA
0x40b080 ExitProcess
0x40b084 TerminateProcess
0x40b088 GetCurrentProcess
0x40b08c GetModuleHandleA
0x40b090 GetStartupInfoA
0x40b094 GetCommandLineA
0x40b098 GetVersion
0x40b09c RtlUnwind
0x40b0a0 HeapCompact
0x40b0a4 HeapReAlloc
0x40b0a8 GetEnvironmentVariableA
0x40b0ac GetVersionExA
0x40b0b0 HeapDestroy
0x40b0b4 HeapCreate
0x40b0b8 VirtualFree
0x40b0bc VirtualAlloc
0x40b0c0 IsBadWritePtr
0x40b0c4 UnhandledExceptionFilter
0x40b0c8 FreeEnvironmentStringsA
0x40b0cc FreeEnvironmentStringsW
0x40b0d0 WideCharToMultiByte
0x40b0d4 GetEnvironmentStrings
0x40b0d8 GetEnvironmentStringsW
0x40b0dc SetHandleCount
0x40b0e0 GetStdHandle
0x40b0e4 GetFileType
0x40b0e8 GetCPInfo
0x40b0ec GetACP
0x40b0f0 GetOEMCP
0x40b0f4 MultiByteToWideChar
USER32.dll
0x40b0fc wsprintfA
0x40b100 PeekMessageA
0x40b104 GetMessageA
0x40b108 MsgWaitForMultipleObjects
0x40b10c TranslateMessage
0x40b110 DispatchMessageA
0x40b114 LoadStringA
0x40b118 MessageBoxA
EAT(Export Address Table) is none
KERNEL32.dll
0x40b000 GetTempFileNameA
0x40b004 GetTempPathA
0x40b008 CreateDirectoryA
0x40b00c RemoveDirectoryA
0x40b010 FindClose
0x40b014 FindNextFileA
0x40b018 FindFirstFileA
0x40b01c Sleep
0x40b020 SetCurrentDirectoryA
0x40b024 CloseHandle
0x40b028 GetExitCodeProcess
0x40b02c CreateProcessA
0x40b030 GetModuleFileNameA
0x40b034 GetStringTypeW
0x40b038 GetStringTypeA
0x40b03c IsBadCodePtr
0x40b040 IsBadReadPtr
0x40b044 SetUnhandledExceptionFilter
0x40b048 LoadLibraryA
0x40b04c GetProcAddress
0x40b050 LCMapStringW
0x40b054 LCMapStringA
0x40b058 CreateFileA
0x40b05c GetLastError
0x40b060 ReadFile
0x40b064 WriteFile
0x40b068 SetFilePointer
0x40b06c SetEnvironmentVariableA
0x40b070 GetCurrentDirectoryA
0x40b074 HeapFree
0x40b078 HeapAlloc
0x40b07c DeleteFileA
0x40b080 ExitProcess
0x40b084 TerminateProcess
0x40b088 GetCurrentProcess
0x40b08c GetModuleHandleA
0x40b090 GetStartupInfoA
0x40b094 GetCommandLineA
0x40b098 GetVersion
0x40b09c RtlUnwind
0x40b0a0 HeapCompact
0x40b0a4 HeapReAlloc
0x40b0a8 GetEnvironmentVariableA
0x40b0ac GetVersionExA
0x40b0b0 HeapDestroy
0x40b0b4 HeapCreate
0x40b0b8 VirtualFree
0x40b0bc VirtualAlloc
0x40b0c0 IsBadWritePtr
0x40b0c4 UnhandledExceptionFilter
0x40b0c8 FreeEnvironmentStringsA
0x40b0cc FreeEnvironmentStringsW
0x40b0d0 WideCharToMultiByte
0x40b0d4 GetEnvironmentStrings
0x40b0d8 GetEnvironmentStringsW
0x40b0dc SetHandleCount
0x40b0e0 GetStdHandle
0x40b0e4 GetFileType
0x40b0e8 GetCPInfo
0x40b0ec GetACP
0x40b0f0 GetOEMCP
0x40b0f4 MultiByteToWideChar
USER32.dll
0x40b0fc wsprintfA
0x40b100 PeekMessageA
0x40b104 GetMessageA
0x40b108 MsgWaitForMultipleObjects
0x40b10c TranslateMessage
0x40b110 DispatchMessageA
0x40b114 LoadStringA
0x40b118 MessageBoxA
EAT(Export Address Table) is none