Field | Value |
---|---|
Created | 2023.12.14 19:12 |
Machine | s1_win7_x6401 |
Filename | wai3.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 35 detected (AIDetectMalware, malicious, high confidence, score, unsafe, Save, GenericKD, Attribute, HighConfidence, ShellcodeRunner, BackdoorX, Havoc, NEi201AYkVM, Redcap, qdmtm, PSLoader, Detected, ai score=83, ScarletFlash, 1LX0NW, Chgt, R002H0DLD23, Gencirc, Static AI, Malicious PE, confidence, 100%) |
md5 | 07eba257f3c68d1effd1704ad3bdf746 |
sha256 | 3308965802e98b741b4746e70b353c4e4b264d624ac7d9bfba531f90caa30c73 |
ssdeep | 6144:PPIDLr6Dnmo5GpdCcmA2S+LKnkpL2Rut2pKVuYiElHyAiv3ZGR6rSTY+x8mogOKn:PPIPr6J2EuFkMIooIb/vRybxBpCO |
imphash | 7cb96f961423ed60b38a4407fba7d0a3 |
impfuzzy | 24:QTF8078p8dYJgf3lDq+kYVm0MblR95XG6qXZ8k1komvlxcqKZy:wn8pvGfI+kYVFslTJG6qJ8k1k1vkqL |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x140027270 CryptAcquireContextW
0x140027278 CryptCreateHash
0x140027280 CryptDecrypt
0x140027288 CryptDeriveKey
0x140027290 CryptDestroyHash
0x140027298 CryptDestroyKey
0x1400272a0 CryptHashData
0x1400272a8 CryptReleaseContext
KERNEL32.dll
0x1400272b8 DeleteCriticalSection
0x1400272c0 EnterCriticalSection
0x1400272c8 FreeConsole
0x1400272d0 GetCurrentProcess
0x1400272d8 GetCurrentThread
0x1400272e0 GetLastError
0x1400272e8 GetModuleHandleA
0x1400272f0 GetProcAddress
0x1400272f8 GetStartupInfoA
0x140027300 InitializeCriticalSection
0x140027308 IsDBCSLeadByteEx
0x140027310 LeaveCriticalSection
0x140027318 MultiByteToWideChar
0x140027320 QueueUserAPC
0x140027328 SetUnhandledExceptionFilter
0x140027330 Sleep
0x140027338 TlsGetValue
0x140027340 VirtualAlloc
0x140027348 VirtualProtect
0x140027350 VirtualQuery
0x140027358 WideCharToMultiByte
0x140027360 WriteProcessMemory
msvcrt.dll
0x140027370 __C_specific_handler
0x140027378 ___lc_codepage_func
0x140027380 ___mb_cur_max_func
0x140027388 __getmainargs
0x140027390 __initenv
0x140027398 __iob_func
0x1400273a0 __lconv_init
0x1400273a8 __set_app_type
0x1400273b0 __setusermatherr
0x1400273b8 _acmdln
0x1400273c0 _amsg_exit
0x1400273c8 _cexit
0x1400273d0 _commode
0x1400273d8 _errno
0x1400273e0 _fmode
0x1400273e8 _initterm
0x1400273f0 _lock
0x1400273f8 _onexit
0x140027400 _unlock
0x140027408 abort
0x140027410 calloc
0x140027418 exit
0x140027420 fprintf
0x140027428 fputc
0x140027430 free
0x140027438 fwrite
0x140027440 localeconv
0x140027448 malloc
0x140027450 memcpy
0x140027458 signal
0x140027460 strerror
0x140027468 strlen
0x140027470 strncmp
0x140027478 vfprintf
0x140027480 wcslen
EAT(Export Address Table) is none