ScreenShot
| Created | 2023.12.14 19:01 | Machine | s1_win7_x6403 |
| Filename | zil2.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 36 detected (AIDetectMalware, malicious, high confidence, score, unsafe, Save, GenericKD, Attribute, HighConfidence, Kryptik, Havoc, AUiVxTm2GhT, qmftx, Detected, ScarletFlash, SYKJZC, ABRisk, MYSU, R002H0DLD23, FalseSign, Osmw, Static AI, Malicious PE, confidence, 100%) | ||
| md5 | 1115a969720be5ea1206f9da3d991398 | ||
| sha256 | bb466b4f503c00221425ef7e6286f5b5dfc0e6da68bf4653ff5e9c78869ce059 | ||
| ssdeep | 6144:CWfPDFxGnZ0uS6xJmAMS+vKnkZ2Rul2fKVu1iECHy3ivdmogOK529a:C+DF0Z0qxcwJkUIAiXmykBAa | ||
| imphash | bd0c035e87e47779595b8e8281c615af | ||
| impfuzzy | 24:QTF8078p8dYJJyrfjlDqcZzPdNjuGMG95XG66ZykoDqoZn:wn8pv+fkcpFsGRJG6wykoqE | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x140021230 CryptAcquireContextW
0x140021238 CryptCreateHash
0x140021240 CryptDecrypt
0x140021248 CryptDeriveKey
0x140021250 CryptDestroyHash
0x140021258 CryptDestroyKey
0x140021260 CryptHashData
0x140021268 CryptReleaseContext
KERNEL32.dll
0x140021278 CloseHandle
0x140021280 CreateRemoteThread
0x140021288 CreateToolhelp32Snapshot
0x140021290 DeleteCriticalSection
0x140021298 EnterCriticalSection
0x1400212a0 GetLastError
0x1400212a8 GetModuleHandleA
0x1400212b0 GetProcAddress
0x1400212b8 GetStartupInfoA
0x1400212c0 InitializeCriticalSection
0x1400212c8 LeaveCriticalSection
0x1400212d0 OpenProcess
0x1400212d8 Process32First
0x1400212e0 Process32Next
0x1400212e8 SetUnhandledExceptionFilter
0x1400212f0 Sleep
0x1400212f8 TlsGetValue
0x140021300 VirtualAllocEx
0x140021308 VirtualProtect
0x140021310 VirtualQuery
0x140021318 WaitForSingleObject
0x140021320 WriteProcessMemory
0x140021328 lstrcmpiA
msvcrt.dll
0x140021338 __C_specific_handler
0x140021340 __getmainargs
0x140021348 __initenv
0x140021350 __iob_func
0x140021358 __lconv_init
0x140021360 __set_app_type
0x140021368 __setusermatherr
0x140021370 _acmdln
0x140021378 _amsg_exit
0x140021380 _cexit
0x140021388 _commode
0x140021390 _fmode
0x140021398 _initterm
0x1400213a0 _onexit
0x1400213a8 abort
0x1400213b0 calloc
0x1400213b8 exit
0x1400213c0 fprintf
0x1400213c8 free
0x1400213d0 fwrite
0x1400213d8 malloc
0x1400213e0 memcpy
0x1400213e8 signal
0x1400213f0 strlen
0x1400213f8 strncmp
0x140021400 vfprintf
EAT(Export Address Table) is none
ADVAPI32.dll
0x140021230 CryptAcquireContextW
0x140021238 CryptCreateHash
0x140021240 CryptDecrypt
0x140021248 CryptDeriveKey
0x140021250 CryptDestroyHash
0x140021258 CryptDestroyKey
0x140021260 CryptHashData
0x140021268 CryptReleaseContext
KERNEL32.dll
0x140021278 CloseHandle
0x140021280 CreateRemoteThread
0x140021288 CreateToolhelp32Snapshot
0x140021290 DeleteCriticalSection
0x140021298 EnterCriticalSection
0x1400212a0 GetLastError
0x1400212a8 GetModuleHandleA
0x1400212b0 GetProcAddress
0x1400212b8 GetStartupInfoA
0x1400212c0 InitializeCriticalSection
0x1400212c8 LeaveCriticalSection
0x1400212d0 OpenProcess
0x1400212d8 Process32First
0x1400212e0 Process32Next
0x1400212e8 SetUnhandledExceptionFilter
0x1400212f0 Sleep
0x1400212f8 TlsGetValue
0x140021300 VirtualAllocEx
0x140021308 VirtualProtect
0x140021310 VirtualQuery
0x140021318 WaitForSingleObject
0x140021320 WriteProcessMemory
0x140021328 lstrcmpiA
msvcrt.dll
0x140021338 __C_specific_handler
0x140021340 __getmainargs
0x140021348 __initenv
0x140021350 __iob_func
0x140021358 __lconv_init
0x140021360 __set_app_type
0x140021368 __setusermatherr
0x140021370 _acmdln
0x140021378 _amsg_exit
0x140021380 _cexit
0x140021388 _commode
0x140021390 _fmode
0x140021398 _initterm
0x1400213a0 _onexit
0x1400213a8 abort
0x1400213b0 calloc
0x1400213b8 exit
0x1400213c0 fprintf
0x1400213c8 free
0x1400213d0 fwrite
0x1400213d8 malloc
0x1400213e0 memcpy
0x1400213e8 signal
0x1400213f0 strlen
0x1400213f8 strncmp
0x140021400 vfprintf
EAT(Export Address Table) is none