ScreenShot
| Created | 2024.02.04 16:47 | Machine | s1_win7_x6401 |
| Filename | app1.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | |||
| md5 | 86443efb8ee2289340119b5e84aad4f1 | ||
| sha256 | 4d64bbdbca232e9efbf8770386ed39562691793c678856d6e0c0fb1dc4af5219 | ||
| ssdeep | 6144:8Qxe2eVqrNB91UFT5uX7I6ysBVwOmfJJJ655ZZoMrF1kA/t3rrcEPPPoz:8QUH0rNBb2VsI6JBVwQrcEPPPoz | ||
| imphash | 3e4ea5a76e68c74643536824830b0523 | ||
| impfuzzy | 48:nlUMiKmieFR+2u4jxQ9QXiX1Pnv1slTJGAYA86UQ3k1vIqTj/A:n2MiKmhRHu4jxQ9QXiX1Pv1YTJGtvVQz | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| watch | A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. |
| watch | Communicates with host for which no DNS query was performed |
| watch | One or more of the buffers contains an embedded PE file |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1400343d0 AddVectoredExceptionHandler
0x1400343d8 CloseHandle
0x1400343e0 CreateEventA
0x1400343e8 CreateSemaphoreA
0x1400343f0 DeleteCriticalSection
0x1400343f8 DuplicateHandle
0x140034400 EnterCriticalSection
0x140034408 FreeLibrary
0x140034410 GetCurrentProcess
0x140034418 GetCurrentProcessId
0x140034420 GetCurrentThread
0x140034428 GetCurrentThreadId
0x140034430 GetHandleInformation
0x140034438 GetLastError
0x140034440 GetModuleHandleA
0x140034448 GetProcAddress
0x140034450 GetProcessAffinityMask
0x140034458 GetStartupInfoA
0x140034460 GetSystemTimeAsFileTime
0x140034468 GetThreadContext
0x140034470 GetThreadPriority
0x140034478 GetTickCount
0x140034480 InitializeCriticalSection
0x140034488 IsDBCSLeadByteEx
0x140034490 IsDebuggerPresent
0x140034498 LeaveCriticalSection
0x1400344a0 LoadLibraryA
0x1400344a8 MultiByteToWideChar
0x1400344b0 OpenProcess
0x1400344b8 OutputDebugStringA
0x1400344c0 QueryPerformanceCounter
0x1400344c8 QueryPerformanceFrequency
0x1400344d0 RaiseException
0x1400344d8 ReleaseSemaphore
0x1400344e0 RemoveVectoredExceptionHandler
0x1400344e8 ResetEvent
0x1400344f0 ResumeThread
0x1400344f8 SetEvent
0x140034500 SetLastError
0x140034508 SetProcessAffinityMask
0x140034510 SetThreadContext
0x140034518 SetThreadPriority
0x140034520 SetUnhandledExceptionFilter
0x140034528 Sleep
0x140034530 SuspendThread
0x140034538 TlsAlloc
0x140034540 TlsGetValue
0x140034548 TlsSetValue
0x140034550 TryEnterCriticalSection
0x140034558 VirtualAlloc
0x140034560 VirtualFree
0x140034568 VirtualProtect
0x140034570 VirtualQuery
0x140034578 WaitForMultipleObjects
0x140034580 WaitForSingleObject
0x140034588 WideCharToMultiByte
msvcrt.dll
0x140034598 __C_specific_handler
0x1400345a0 ___lc_codepage_func
0x1400345a8 ___mb_cur_max_func
0x1400345b0 __getmainargs
0x1400345b8 __initenv
0x1400345c0 __iob_func
0x1400345c8 __lconv_init
0x1400345d0 __set_app_type
0x1400345d8 __setusermatherr
0x1400345e0 _acmdln
0x1400345e8 _amsg_exit
0x1400345f0 _beginthreadex
0x1400345f8 _cexit
0x140034600 _commode
0x140034608 _endthreadex
0x140034610 _errno
0x140034618 _fileno
0x140034620 _fmode
0x140034628 _initterm
0x140034630 _lock
0x140034638 _onexit
0x140034640 _setjmp
0x140034648 _setmode
0x140034650 _strdup
0x140034658 _ultoa
0x140034660 _unlock
0x140034668 _vsnprintf
0x140034670 _vsnwprintf
0x140034678 abort
0x140034680 calloc
0x140034688 exit
0x140034690 fflush
0x140034698 fgetwc
0x1400346a0 fprintf
0x1400346a8 fputc
0x1400346b0 free
0x1400346b8 fwrite
0x1400346c0 getc
0x1400346c8 localeconv
0x1400346d0 longjmp
0x1400346d8 malloc
0x1400346e0 memcpy
0x1400346e8 memmove
0x1400346f0 memset
0x1400346f8 printf
0x140034700 realloc
0x140034708 signal
0x140034710 strerror
0x140034718 strlen
0x140034720 strncmp
0x140034728 vfprintf
0x140034730 wcslen
USER32.dll
0x140034740 MessageBoxA
EAT(Export Address Table) is none
KERNEL32.dll
0x1400343d0 AddVectoredExceptionHandler
0x1400343d8 CloseHandle
0x1400343e0 CreateEventA
0x1400343e8 CreateSemaphoreA
0x1400343f0 DeleteCriticalSection
0x1400343f8 DuplicateHandle
0x140034400 EnterCriticalSection
0x140034408 FreeLibrary
0x140034410 GetCurrentProcess
0x140034418 GetCurrentProcessId
0x140034420 GetCurrentThread
0x140034428 GetCurrentThreadId
0x140034430 GetHandleInformation
0x140034438 GetLastError
0x140034440 GetModuleHandleA
0x140034448 GetProcAddress
0x140034450 GetProcessAffinityMask
0x140034458 GetStartupInfoA
0x140034460 GetSystemTimeAsFileTime
0x140034468 GetThreadContext
0x140034470 GetThreadPriority
0x140034478 GetTickCount
0x140034480 InitializeCriticalSection
0x140034488 IsDBCSLeadByteEx
0x140034490 IsDebuggerPresent
0x140034498 LeaveCriticalSection
0x1400344a0 LoadLibraryA
0x1400344a8 MultiByteToWideChar
0x1400344b0 OpenProcess
0x1400344b8 OutputDebugStringA
0x1400344c0 QueryPerformanceCounter
0x1400344c8 QueryPerformanceFrequency
0x1400344d0 RaiseException
0x1400344d8 ReleaseSemaphore
0x1400344e0 RemoveVectoredExceptionHandler
0x1400344e8 ResetEvent
0x1400344f0 ResumeThread
0x1400344f8 SetEvent
0x140034500 SetLastError
0x140034508 SetProcessAffinityMask
0x140034510 SetThreadContext
0x140034518 SetThreadPriority
0x140034520 SetUnhandledExceptionFilter
0x140034528 Sleep
0x140034530 SuspendThread
0x140034538 TlsAlloc
0x140034540 TlsGetValue
0x140034548 TlsSetValue
0x140034550 TryEnterCriticalSection
0x140034558 VirtualAlloc
0x140034560 VirtualFree
0x140034568 VirtualProtect
0x140034570 VirtualQuery
0x140034578 WaitForMultipleObjects
0x140034580 WaitForSingleObject
0x140034588 WideCharToMultiByte
msvcrt.dll
0x140034598 __C_specific_handler
0x1400345a0 ___lc_codepage_func
0x1400345a8 ___mb_cur_max_func
0x1400345b0 __getmainargs
0x1400345b8 __initenv
0x1400345c0 __iob_func
0x1400345c8 __lconv_init
0x1400345d0 __set_app_type
0x1400345d8 __setusermatherr
0x1400345e0 _acmdln
0x1400345e8 _amsg_exit
0x1400345f0 _beginthreadex
0x1400345f8 _cexit
0x140034600 _commode
0x140034608 _endthreadex
0x140034610 _errno
0x140034618 _fileno
0x140034620 _fmode
0x140034628 _initterm
0x140034630 _lock
0x140034638 _onexit
0x140034640 _setjmp
0x140034648 _setmode
0x140034650 _strdup
0x140034658 _ultoa
0x140034660 _unlock
0x140034668 _vsnprintf
0x140034670 _vsnwprintf
0x140034678 abort
0x140034680 calloc
0x140034688 exit
0x140034690 fflush
0x140034698 fgetwc
0x1400346a0 fprintf
0x1400346a8 fputc
0x1400346b0 free
0x1400346b8 fwrite
0x1400346c0 getc
0x1400346c8 localeconv
0x1400346d0 longjmp
0x1400346d8 malloc
0x1400346e0 memcpy
0x1400346e8 memmove
0x1400346f0 memset
0x1400346f8 printf
0x140034700 realloc
0x140034708 signal
0x140034710 strerror
0x140034718 strlen
0x140034720 strncmp
0x140034728 vfprintf
0x140034730 wcslen
USER32.dll
0x140034740 MessageBoxA
EAT(Export Address Table) is none