ScreenShot
| Created | 2023.12.22 08:18 | Machine | s1_win7_x6401 |
| Filename | againn.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 56 detected (AIDetectMalware, Dacic, malicious, high confidence, score, Zusy, unsafe, Save, GenusT, DUGI, Attribute, HighConfidence, Kryptik, HVNE, Artemis, CLASSIC, xgjxp, Siggen3, REDLINE, YXDLSZ, high, Krypt, Detected, ai score=86, hsyn, HeurC, KVMH008, Sabsik, CCFG, Eldorado, R628291, ZexaF, yuW@aGWmJ@f, BScope, Chgt, Gencirc, Static AI, Malicious PE, susgen, HVPA, confidence, 100%) | ||
| md5 | 24d81523b3033dddc3bf6526d86f819d | ||
| sha256 | 69d2b581f741bd5b54f9854172b78b93c7a661d89888adf463c83e6ebe216c7f | ||
| ssdeep | 12288:5JMbnn6WTGU49SM66cS4jI5ZU6L322rZRU/EB1X7I:nMuWr49SM66cS4jIbU6nxPc | ||
| imphash | ec29083df1aec6a6221dd2d98de08acc | ||
| impfuzzy | 24:K+jKNDogMjOov1lG/J3IStsQFQ8RyvDkRT4QfalWM:CMCdzts3DgcQfaIM | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x414000 CreateEventW
0x414004 WaitForSingleObject
0x414008 Sleep
0x41400c CreateThread
0x414010 lstrlenW
0x414014 VirtualProtect
0x414018 GetProcAddress
0x41401c LoadLibraryA
0x414020 VirtualAlloc
0x414024 GetModuleHandleA
0x414028 FreeConsole
0x41402c RtlUnwind
0x414030 RaiseException
0x414034 GetCommandLineA
0x414038 GetLastError
0x41403c HeapFree
0x414040 GetModuleHandleW
0x414044 TlsGetValue
0x414048 TlsAlloc
0x41404c TlsSetValue
0x414050 TlsFree
0x414054 InterlockedIncrement
0x414058 SetLastError
0x41405c GetCurrentThreadId
0x414060 InterlockedDecrement
0x414064 HeapAlloc
0x414068 TerminateProcess
0x41406c GetCurrentProcess
0x414070 UnhandledExceptionFilter
0x414074 SetUnhandledExceptionFilter
0x414078 IsDebuggerPresent
0x41407c ExitProcess
0x414080 WriteFile
0x414084 GetStdHandle
0x414088 GetModuleFileNameA
0x41408c FreeEnvironmentStringsA
0x414090 GetEnvironmentStrings
0x414094 FreeEnvironmentStringsW
0x414098 WideCharToMultiByte
0x41409c GetEnvironmentStringsW
0x4140a0 SetHandleCount
0x4140a4 GetFileType
0x4140a8 GetStartupInfoA
0x4140ac DeleteCriticalSection
0x4140b0 HeapCreate
0x4140b4 VirtualFree
0x4140b8 QueryPerformanceCounter
0x4140bc GetTickCount
0x4140c0 GetCurrentProcessId
0x4140c4 GetSystemTimeAsFileTime
0x4140c8 GetCPInfo
0x4140cc GetACP
0x4140d0 GetOEMCP
0x4140d4 IsValidCodePage
0x4140d8 LeaveCriticalSection
0x4140dc EnterCriticalSection
0x4140e0 HeapReAlloc
0x4140e4 HeapSize
0x4140e8 InitializeCriticalSectionAndSpinCount
0x4140ec LCMapStringA
0x4140f0 MultiByteToWideChar
0x4140f4 LCMapStringW
0x4140f8 GetStringTypeA
0x4140fc GetStringTypeW
0x414100 GetLocaleInfoA
EAT(Export Address Table) Library
KERNEL32.dll
0x414000 CreateEventW
0x414004 WaitForSingleObject
0x414008 Sleep
0x41400c CreateThread
0x414010 lstrlenW
0x414014 VirtualProtect
0x414018 GetProcAddress
0x41401c LoadLibraryA
0x414020 VirtualAlloc
0x414024 GetModuleHandleA
0x414028 FreeConsole
0x41402c RtlUnwind
0x414030 RaiseException
0x414034 GetCommandLineA
0x414038 GetLastError
0x41403c HeapFree
0x414040 GetModuleHandleW
0x414044 TlsGetValue
0x414048 TlsAlloc
0x41404c TlsSetValue
0x414050 TlsFree
0x414054 InterlockedIncrement
0x414058 SetLastError
0x41405c GetCurrentThreadId
0x414060 InterlockedDecrement
0x414064 HeapAlloc
0x414068 TerminateProcess
0x41406c GetCurrentProcess
0x414070 UnhandledExceptionFilter
0x414074 SetUnhandledExceptionFilter
0x414078 IsDebuggerPresent
0x41407c ExitProcess
0x414080 WriteFile
0x414084 GetStdHandle
0x414088 GetModuleFileNameA
0x41408c FreeEnvironmentStringsA
0x414090 GetEnvironmentStrings
0x414094 FreeEnvironmentStringsW
0x414098 WideCharToMultiByte
0x41409c GetEnvironmentStringsW
0x4140a0 SetHandleCount
0x4140a4 GetFileType
0x4140a8 GetStartupInfoA
0x4140ac DeleteCriticalSection
0x4140b0 HeapCreate
0x4140b4 VirtualFree
0x4140b8 QueryPerformanceCounter
0x4140bc GetTickCount
0x4140c0 GetCurrentProcessId
0x4140c4 GetSystemTimeAsFileTime
0x4140c8 GetCPInfo
0x4140cc GetACP
0x4140d0 GetOEMCP
0x4140d4 IsValidCodePage
0x4140d8 LeaveCriticalSection
0x4140dc EnterCriticalSection
0x4140e0 HeapReAlloc
0x4140e4 HeapSize
0x4140e8 InitializeCriticalSectionAndSpinCount
0x4140ec LCMapStringA
0x4140f0 MultiByteToWideChar
0x4140f4 LCMapStringW
0x4140f8 GetStringTypeA
0x4140fc GetStringTypeW
0x414100 GetLocaleInfoA
EAT(Export Address Table) Library