Field | Value |
---|---|
Created | 2023.12.14 19:07 |
Machine | s1_win7_x6403 |
Filename | fol5.exe |
Type | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows |
ZERO API | file : malware |
VT API (file) | 23 detected (AIDetectMalware, malicious, high confidence, score, unsafe, Havoc, Vk1l, Attribute, HighConfidence, FmKscZQWeQD, Shellcoderunner, Detected, ScarletFlash, Chgt, Static AI, Suspicious PE, PossibleThreat, confidence, 100%) |
md5 | 220427ccd450638df243193a8ba34f23 |
sha256 | 8b25d00b2d476a122c869e59bbc3f0635c36d59066a12ee7a054563602794a89 |
ssdeep | 24576:qtFiVP1PH+UqAb2n6MQE3hfhJhhKh1hhhhSehhFhhhUhgzA:qtFiVP1PH+qYQE+zA |
imphash | bc3dde5bfd8628ae140056ffcca67115 |
impfuzzy | 48:wn8pvzfMP+kp6kSslTJG6qTU3zk61vm/Gwbqgss60OI:wn8p7fMPrp6kSYTJGhojkM+bqgsJa |
Signature (7cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) by library
ADVAPI32.dll
0x1400f9464 CryptAcquireContextW
0x1400f946c CryptCreateHash
0x1400f9474 CryptDecrypt
0x1400f947c CryptDeriveKey
0x1400f9484 CryptDestroyHash
0x1400f948c CryptDestroyKey
0x1400f9494 CryptHashData
0x1400f949c CryptReleaseContext
KERNEL32.dll
0x1400f94ac CloseHandle
0x1400f94b4 CreateSemaphoreW
0x1400f94bc DeleteCriticalSection
0x1400f94c4 EnterCriticalSection
0x1400f94cc FreeConsole
0x1400f94d4 GetCurrentProcess
0x1400f94dc GetCurrentThreadId
0x1400f94e4 GetLastError
0x1400f94ec GetModuleHandleA
0x1400f94f4 GetModuleHandleW
0x1400f94fc GetProcAddress
0x1400f9504 GetStartupInfoA
0x1400f950c InitializeCriticalSection
0x1400f9514 IsDBCSLeadByteEx
0x1400f951c LeaveCriticalSection
0x1400f9524 LoadLibraryW
0x1400f952c MultiByteToWideChar
0x1400f9534 RaiseException
0x1400f953c ReleaseSemaphore
0x1400f9544 RtlCaptureContext
0x1400f954c RtlLookupFunctionEntry
0x1400f9554 RtlUnwindEx
0x1400f955c RtlVirtualUnwind
0x1400f9564 SetLastError
0x1400f956c SetUnhandledExceptionFilter
0x1400f9574 Sleep
0x1400f957c TlsAlloc
0x1400f9584 TlsFree
0x1400f958c TlsGetValue
0x1400f9594 TlsSetValue
0x1400f959c VirtualProtect
0x1400f95a4 VirtualQuery
0x1400f95ac WaitForSingleObject
0x1400f95b4 WideCharToMultiByte
msvcrt.dll
0x1400f95c4 __C_specific_handler
0x1400f95cc ___lc_codepage_func
0x1400f95d4 ___mb_cur_max_func
0x1400f95dc __getmainargs
0x1400f95e4 __initenv
0x1400f95ec __iob_func
0x1400f95f4 __lconv_init
0x1400f95fc __set_app_type
0x1400f9604 __setusermatherr
0x1400f960c _acmdln
0x1400f9614 _amsg_exit
0x1400f961c _cexit
0x1400f9624 _commode
0x1400f962c _errno
0x1400f9634 _filelengthi64
0x1400f963c _fileno
0x1400f9644 _fmode
0x1400f964c _fstat64
0x1400f9654 _initterm
0x1400f965c _lock
0x1400f9664 _lseeki64
0x1400f966c _onexit
0x1400f9674 _strnicmp
0x1400f967c _unlock
0x1400f9684 _wfopen
0x1400f968c abort
0x1400f9694 calloc
0x1400f969c exit
0x1400f96a4 fclose
0x1400f96ac fflush
0x1400f96b4 fgetpos
0x1400f96bc fopen
0x1400f96c4 fprintf
0x1400f96cc fputc
0x1400f96d4 fputs
0x1400f96dc fread
0x1400f96e4 free
0x1400f96ec fsetpos
0x1400f96f4 fwrite
0x1400f96fc getc
0x1400f9704 getwc
0x1400f970c isspace
0x1400f9714 iswctype
0x1400f971c localeconv
0x1400f9724 malloc
0x1400f972c memchr
0x1400f9734 memcmp
0x1400f973c memcpy
0x1400f9744 memmove
0x1400f974c memset
0x1400f9754 putc
0x1400f975c putwc
0x1400f9764 realloc
0x1400f976c setlocale
0x1400f9774 setvbuf
0x1400f977c signal
0x1400f9784 strcmp
0x1400f978c strcoll
0x1400f9794 strerror
0x1400f979c strftime
0x1400f97a4 strlen
0x1400f97ac strncmp
0x1400f97b4 strxfrm
0x1400f97bc towlower
0x1400f97c4 towupper
0x1400f97cc ungetc
0x1400f97d4 ungetwc
0x1400f97dc vfprintf
0x1400f97e4 wcscoll
0x1400f97ec wcsftime
0x1400f97f4 wcslen
0x1400f97fc wcsxfrm
0x1400f9804 _write
0x1400f980c _read
0x1400f9814 _fileno
0x1400f981c _fdopen
0x1400f9824 _close
ntdll.dll
0x1400f9834 NtAllocateVirtualMemory
0x1400f983c NtClose
0x1400f9844 NtCreateThreadEx
0x1400f984c NtWaitForSingleObject
0x1400f9854 NtWriteVirtualMemory
EAT (Export Address Table): none