Field | Value |
---|---|
Created | 2023.12.14 19:09 |
Machine | s1_win7_x6401 |
Filename | Symbloa.dll |
Type | PE32+ executable (DLL) (console) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 21 detected (AIDetectMalware, Malicious, score, unsafe, Kryptik, Vymj, confidence, 100%, Attribute, HighConfidence, high confidence, FileRepMalware, Misc, Meterpreter, nYiZ0bvPHVT, CCAH) |
md5 | e55eb7a2b596ee04a0789a06b7d55db8 |
sha256 | 791a18f606fa2fd23c23369e1c5759b53f9a465c223427a501ae1d81bcdb6f85 |
ssdeep | 3072:YdAFFuKGVbp3MCnmtjPTLkNXSXm1sgIkDHQtoJ1CkSZ+7/uLSuz3T56cr8Q99Bh:Y4nAb2z/kRSdSv5Se43T56crt/Bh |
imphash | 027d20fa0f5089caad738182acee6a83 |
impfuzzy | 24:QTF8078p8dYJhkfjB+kZjI4liHx91DvlxcqcBZEwL:wn8pv4fN+kNlUx91Dvkqc8A |
Signature (3cnts)
Level | Description |
---|---|
warning | File has been identified by 21 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
info | Checks if process is being debugged by a debugger |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(no network requests recorded) | | | | | |
Suricata ids
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x3bbf5e200 CryptAcquireContextW
0x3bbf5e208 CryptCreateHash
0x3bbf5e210 CryptDecrypt
0x3bbf5e218 CryptDeriveKey
0x3bbf5e220 CryptDestroyHash
0x3bbf5e228 CryptDestroyKey
0x3bbf5e230 CryptHashData
0x3bbf5e238 CryptReleaseContext
KERNEL32.dll
0x3bbf5e248 CreateThread
0x3bbf5e250 DeleteCriticalSection
0x3bbf5e258 EnterCriticalSection
0x3bbf5e260 GetLastError
0x3bbf5e268 InitializeCriticalSection
0x3bbf5e270 IsDBCSLeadByteEx
0x3bbf5e278 LeaveCriticalSection
0x3bbf5e280 MultiByteToWideChar
0x3bbf5e288 Sleep
0x3bbf5e290 TlsGetValue
0x3bbf5e298 VirtualAlloc
0x3bbf5e2a0 VirtualProtect
0x3bbf5e2a8 VirtualQuery
0x3bbf5e2b0 WaitForSingleObject
0x3bbf5e2b8 WideCharToMultiByte
msvcrt.dll
0x3bbf5e2c8 ___lc_codepage_func
0x3bbf5e2d0 ___mb_cur_max_func
0x3bbf5e2d8 __iob_func
0x3bbf5e2e0 _amsg_exit
0x3bbf5e2e8 _errno
0x3bbf5e2f0 _initterm
0x3bbf5e2f8 _lock
0x3bbf5e300 _unlock
0x3bbf5e308 abort
0x3bbf5e310 calloc
0x3bbf5e318 fputc
0x3bbf5e320 free
0x3bbf5e328 fwrite
0x3bbf5e330 localeconv
0x3bbf5e338 malloc
0x3bbf5e340 memcpy
0x3bbf5e348 memset
0x3bbf5e350 realloc
0x3bbf5e358 strerror
0x3bbf5e360 strlen
0x3bbf5e368 strncmp
0x3bbf5e370 vfprintf
0x3bbf5e378 wcslen
USER32.dll
0x3bbf5e388 MessageBoxA
EAT (Export Address Table) Library
0x3bbf51573 MyExportedFunction
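Added triage example (not part of the sandbox report, and not code from the sample or from the sandbox): the import table above contains the complete CryptoAPI derive-and-decrypt chain (CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptDecrypt) next to VirtualAlloc, VirtualProtect and CreateThread. That combination is the usual shape of a loader that hashes a secret, derives a key from the hash, decrypts an embedded blob, marks the memory executable and runs it on a new thread, which fits the "allocates read-write-execute memory" signature and the Meterpreter tag among the VT detections. Two caveats for anyone reviewing this report: the IAT has no IsDebuggerPresent or CheckRemoteDebuggerPresent import, so the "checks if process is being debugged" signature comes from something done without importing those names, and the only export, MyExportedFunction, is the natural place to break first when loading the DLL in a debugger. The script below parses the IAT text as printed in this report (constructed input copied from above, with the msvcrt.dll block abbreviated because it does not affect the result), applies those capability buckets, and recomputes an import hash with the recipe pefile's get_imphash() uses; because the list is abbreviated and in page order rather than import-directory order, the hash it prints is not expected to equal the imphash field at the top of the report.

```python
import hashlib
import re

# Constructed input: the ADVAPI32, KERNEL32 and USER32 blocks of the IAT as
# printed in the report; msvcrt.dll is abbreviated (it does not affect triage).
REPORT_IAT = """\
ADVAPI32.dll
0x3bbf5e200 CryptAcquireContextW
0x3bbf5e208 CryptCreateHash
0x3bbf5e210 CryptDecrypt
0x3bbf5e218 CryptDeriveKey
0x3bbf5e220 CryptDestroyHash
0x3bbf5e228 CryptDestroyKey
0x3bbf5e230 CryptHashData
0x3bbf5e238 CryptReleaseContext
KERNEL32.dll
0x3bbf5e248 CreateThread
0x3bbf5e250 DeleteCriticalSection
0x3bbf5e258 EnterCriticalSection
0x3bbf5e260 GetLastError
0x3bbf5e268 InitializeCriticalSection
0x3bbf5e270 IsDBCSLeadByteEx
0x3bbf5e278 LeaveCriticalSection
0x3bbf5e280 MultiByteToWideChar
0x3bbf5e288 Sleep
0x3bbf5e290 TlsGetValue
0x3bbf5e298 VirtualAlloc
0x3bbf5e2a0 VirtualProtect
0x3bbf5e2a8 VirtualQuery
0x3bbf5e2b0 WaitForSingleObject
0x3bbf5e2b8 WideCharToMultiByte
msvcrt.dll
0x3bbf5e340 memcpy
0x3bbf5e348 memset
USER32.dll
0x3bbf5e388 MessageBoxA
"""

DLL_LINE = re.compile(r"^[\w.-]+\.dll$", re.IGNORECASE)
ENTRY_LINE = re.compile(r"^0x[0-9a-f]+\s+(\S+)$", re.IGNORECASE)


def parse_iat(text):
    """Return (dll, function) pairs in the order the report lists them."""
    imports, dll = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if DLL_LINE.match(line):
            dll = line
        elif dll and (m := ENTRY_LINE.match(line)):
            imports.append((dll, m.group(1)))
    return imports


# Capability buckets.  The first three together are the usual shape of a
# "hash secret -> derive key -> decrypt blob -> make it executable -> run it
# on a thread" loader.
CRYPTOAPI_DECRYPT = {"CryptAcquireContextA", "CryptAcquireContextW", "CryptCreateHash",
                     "CryptHashData", "CryptDeriveKey", "CryptDecrypt"}
EXEC_MEMORY = {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "VirtualProtectEx"}
RUN_CODE = {"CreateThread", "CreateRemoteThread", "QueueUserAPC", "RtlCreateUserThread"}
DEBUG_CHECK = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}


def triage(imports):
    """Bucket the imported names and decide whether the loader pattern is complete."""
    names = {func for _, func in imports}
    hits = {
        "cryptoapi_decrypt": sorted(names & CRYPTOAPI_DECRYPT),
        "exec_memory": sorted(names & EXEC_MEMORY),
        "run_code": sorted(names & RUN_CODE),
        "debug_check": sorted(names & DEBUG_CHECK),  # empty for this sample
    }
    # CryptDecrypt alone is common in benign code.  Requiring CryptDeriveKey too
    # (key from a hashed secret), plus executable memory, plus a thread, is what
    # separates a loader from ordinary CryptoAPI use.
    hits["decrypt_and_run"] = (
        {"CryptDeriveKey", "CryptDecrypt"} <= names
        and bool(hits["exec_memory"]) and bool(hits["run_code"])
    )
    return hits


def imphash(imports):
    """pefile get_imphash() recipe: 'lib.func' lowercased, .dll/.ocx/.sys
    extension dropped, comma-joined, MD5.  Ordinal-only imports are not handled."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib.rsplit(".", 1)[0]
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    imps = parse_iat(REPORT_IAT)
    for key, value in triage(imps).items():
        print(f"{key}: {value}")
    print("imphash over the listed imports:", imphash(imps))
```

To use this on another report, paste its IAT block into REPORT_IAT (or read it from a file) and run the script; `decrypt_and_run` only turns true when key derivation, decryption, executable memory and thread creation are all imported, so a library that merely calls CryptDecrypt does not trip it.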