ScreenShot
| Created | 2024.01.14 13:28 | Machine | s1_win7_x6401 |
| Filename | winserver.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 36 detected (Common, malicious, moderate confidence, score, Generic Dropper, GenericKD, unsafe, Vifj, Attribute, HighConfidence, DropperX, R011C0PLM23, hsbyw, Detected, Casdet, ABRisk, SPAC, Chgt, susgen, PossibleThreat, confidence) | ||
| md5 | 4952f7d5dbfdd54e151d6cd75afcc930 | ||
| sha256 | 5027e50a930fe5890e729194116e23a12f3109606346941c6f932008fa1829f2 | ||
| ssdeep | 192:88EkmyjZ8fjTVfFaCZ7AamqnrAgVhl3Q5tfDXU/tr:8Cmy27jZ7AWR3e0r | ||
| imphash | 07e4d3f8fedafc070f7b31eddac6ba20 | ||
| impfuzzy | 24:52tMK8AfiDYgMyWNwyWPWUDZhyBSJCfocAbD29hJLzABAihTK4Tg+BbQLSQMu5F3:8tMK8aHNg3pQJdH4BMLSQMM | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| info | This executable has a PDB path |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140002000 HeapCreate
0x140002008 HeapAlloc
0x140002010 RtlLookupFunctionEntry
0x140002018 RtlVirtualUnwind
0x140002020 UnhandledExceptionFilter
0x140002028 SetUnhandledExceptionFilter
0x140002030 GetCurrentProcess
0x140002038 TerminateProcess
0x140002040 IsProcessorFeaturePresent
0x140002048 QueryPerformanceCounter
0x140002050 GetModuleHandleW
0x140002058 IsDebuggerPresent
0x140002060 InitializeSListHead
0x140002068 GetSystemTimeAsFileTime
0x140002070 GetCurrentThreadId
0x140002078 GetCurrentProcessId
0x140002080 RtlCaptureContext
USER32.dll
0x140002090 EnumChildWindows
VCRUNTIME140.dll
0x1400020a0 __C_specific_handler
0x1400020a8 __current_exception
0x1400020b0 __current_exception_context
0x1400020b8 memset
0x1400020c0 memcpy
api-ms-win-crt-string-l1-1-0.dll
0x1400021b0 _strrev
api-ms-win-crt-runtime-l1-1-0.dll
0x140002100 _initialize_onexit_table
0x140002108 terminate
0x140002110 _seh_filter_exe
0x140002118 _register_onexit_function
0x140002120 _set_app_type
0x140002128 _c_exit
0x140002130 _crt_atexit
0x140002138 _cexit
0x140002140 __p___argv
0x140002148 __p___argc
0x140002150 _register_thread_local_exe_atexit_callback
0x140002158 _exit
0x140002160 exit
0x140002168 _initterm_e
0x140002170 _initterm
0x140002178 _get_initial_narrow_environment
0x140002180 _initialize_narrow_environment
0x140002188 _configure_narrow_argv
api-ms-win-crt-math-l1-1-0.dll
0x1400020f0 __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
0x140002198 __p__commode
0x1400021a0 _set_fmode
api-ms-win-crt-locale-l1-1-0.dll
0x1400020e0 _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll
0x1400020d0 _set_new_mode
EAT(Export Address Table) is none
KERNEL32.dll
0x140002000 HeapCreate
0x140002008 HeapAlloc
0x140002010 RtlLookupFunctionEntry
0x140002018 RtlVirtualUnwind
0x140002020 UnhandledExceptionFilter
0x140002028 SetUnhandledExceptionFilter
0x140002030 GetCurrentProcess
0x140002038 TerminateProcess
0x140002040 IsProcessorFeaturePresent
0x140002048 QueryPerformanceCounter
0x140002050 GetModuleHandleW
0x140002058 IsDebuggerPresent
0x140002060 InitializeSListHead
0x140002068 GetSystemTimeAsFileTime
0x140002070 GetCurrentThreadId
0x140002078 GetCurrentProcessId
0x140002080 RtlCaptureContext
USER32.dll
0x140002090 EnumChildWindows
VCRUNTIME140.dll
0x1400020a0 __C_specific_handler
0x1400020a8 __current_exception
0x1400020b0 __current_exception_context
0x1400020b8 memset
0x1400020c0 memcpy
api-ms-win-crt-string-l1-1-0.dll
0x1400021b0 _strrev
api-ms-win-crt-runtime-l1-1-0.dll
0x140002100 _initialize_onexit_table
0x140002108 terminate
0x140002110 _seh_filter_exe
0x140002118 _register_onexit_function
0x140002120 _set_app_type
0x140002128 _c_exit
0x140002130 _crt_atexit
0x140002138 _cexit
0x140002140 __p___argv
0x140002148 __p___argc
0x140002150 _register_thread_local_exe_atexit_callback
0x140002158 _exit
0x140002160 exit
0x140002168 _initterm_e
0x140002170 _initterm
0x140002178 _get_initial_narrow_environment
0x140002180 _initialize_narrow_environment
0x140002188 _configure_narrow_argv
api-ms-win-crt-math-l1-1-0.dll
0x1400020f0 __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
0x140002198 __p__commode
0x1400021a0 _set_fmode
api-ms-win-crt-locale-l1-1-0.dll
0x1400020e0 _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll
0x1400020d0 _set_new_mode
EAT(Export Address Table) is none