| Field | Value |
|---|---|
| Created | 2023.12.22 08:15 |
| Machine | s1_win7_x6403 |
| Filename | sl.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | 50 detected (AIDetectMalware, Phorpiex, malicious, high confidence, score, unsafe, Save, Attribute, HighConfidence, Artemis, WormX, Zonidel, CLASSIC, DownLoader46, DLDER, Outbreak, Detected, absyt, ai score=87, HeurC, KVMH017, Leonem, Eldorado, ZexaF, auW@amhtHqki, BScope, Chgt, Gajl, Static AI, Malicious PE, confidence, 100%) |
| md5 | a6f1e6b5775a94219b69a6261b36244a |
| sha256 | 82d16b1428721a69501776eb26e14ecf76fe6e82a1d19c5fae6705a1cc0a4319 |
| ssdeep | 384:DhnP/tVA42CM9c7JVTJMQWS+c73Q+VXiC+:DhP/tVA42V9cbTaQ8y3Q+tiC+ |
| imphash | 057c392adf7e60f53994e6bacf1e292a |
| impfuzzy | 48:qHjNNArTGlDSgvY9rBdpOzbdGORtfX89voK6Kb:wjArTGlDIJrp+hGgtfX8eKb |
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
notice | Creates hidden or system file |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
PE API
IAT(Import Address Table) Library
MSVCR90.dll
0x403088 _adjust_fdiv
0x40308c _controlfp_s
0x403090 _invoke_watson
0x403094 _except_handler4_common
0x403098 _decode_pointer
0x40309c _onexit
0x4030a0 _lock
0x4030a4 __dllonexit
0x4030a8 _unlock
0x4030ac ?terminate@@YAXXZ
0x4030b0 rand
0x4030b4 _crt_debugger_hook
0x4030b8 __set_app_type
0x4030bc _encode_pointer
0x4030c0 __p__fmode
0x4030c4 __p__commode
0x4030c8 memset
0x4030cc __setusermatherr
0x4030d0 _configthreadlocale
0x4030d4 _initterm_e
0x4030d8 _initterm
0x4030dc _acmdln
0x4030e0 exit
0x4030e4 _ismbblead
0x4030e8 _XcptFilter
0x4030ec _exit
0x4030f0 _cexit
0x4030f4 __getmainargs
0x4030f8 _amsg_exit
0x4030fc wcscmp
0x403100 wcslen
0x403104 srand
urlmon.dll
0x403158 URLDownloadToFileW
WININET.dll
0x403138 HttpQueryInfoA
0x40313c InternetOpenUrlW
0x403140 InternetOpenW
0x403144 InternetOpenA
0x403148 InternetOpenUrlA
0x40314c InternetCloseHandle
0x403150 InternetReadFile
SHLWAPI.dll
0x403114 PathFileExistsA
0x403118 PathFileExistsW
0x40311c PathFindFileNameW
KERNEL32.dll
0x403010 InterlockedExchange
0x403014 MoveFileA
0x403018 MoveFileW
0x40301c DeleteFileA
0x403020 CreateMutexA
0x403024 GetLastError
0x403028 ExitProcess
0x40302c GetModuleFileNameW
0x403030 CopyFileW
0x403034 SetFileAttributesW
0x403038 GetTickCount
0x40303c ExpandEnvironmentStringsW
0x403040 InterlockedCompareExchange
0x403044 WriteFile
0x403048 CloseHandle
0x40304c DeleteFileW
0x403050 CreateProcessW
0x403054 Sleep
0x403058 UnhandledExceptionFilter
0x40305c SetUnhandledExceptionFilter
0x403060 IsDebuggerPresent
0x403064 QueryPerformanceCounter
0x403068 GetCurrentThreadId
0x40306c GetCurrentProcessId
0x403070 GetSystemTimeAsFileTime
0x403074 GetStartupInfoA
0x403078 TerminateProcess
0x40307c CreateFileW
0x403080 GetCurrentProcess
USER32.dll
0x403124 FindWindowA
0x403128 SetForegroundWindow
0x40312c ShowWindow
0x403130 wsprintfW
ADVAPI32.dll
0x403000 RegSetValueExW
0x403004 RegCloseKey
0x403008 RegOpenKeyExW
SHELL32.dll
0x40310c ShellExecuteW
EAT(Export Address Table) is none