ScreenShot
| Created | 2024.05.02 07:26 | Machine | s1_win7_x6401 |
| Filename | cock.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 59 detected (AIDetectMalware, Smokeloader, Malicious, score, Zusy, unsafe, Vnb6, Attribute, HighConfidence, high confidence, ETBS, FVNX, Reline, jxuzdr, u5rTsRyLxoV, AGEN, Siggen3, R002C0DDH24, Detected, ai score=87, HeurC, KVMH008, RedLine, Eldorado, R594477, ZexaF, qPZ@a48Uq4mi, RedLineStealer, GdSda, Gencirc, icLO37q, Static AI, Malicious PE, susgen, ETFD) | ||
| md5 | bd909fb2282ec2e4a11400157c33494a | ||
| sha256 | 9941dc8857ef1b6ffc86f88bd755789ded1b42c6aead836e88466d97bb1db392 | ||
| ssdeep | 12288:Nh8Rq5U2PEmcWW3xXTTj3AehvfRFfYUjgyRnNRuc5VPMqS7hqpkw3A6YFG:QRq5U2PEmcWWJTTkeh3/fJzqhygS | ||
| imphash | 4e56c5a0933590e2f4c1321a628109f2 | ||
| impfuzzy | 24:O9scpVxgZCrttlS1DGzplJBl3eDoLoEOovbOgOuFZMvtGMAHTq+lEZHu95:O9scpV6CrttlS1DGzPpXc3TuFZGl0 | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x548000 GetModuleHandleW
0x548004 FormatMessageA
0x548008 WideCharToMultiByte
0x54800c MultiByteToWideChar
0x548010 GetStringTypeW
0x548014 EnterCriticalSection
0x548018 LeaveCriticalSection
0x54801c InitializeCriticalSectionEx
0x548020 DeleteCriticalSection
0x548024 LocalFree
0x548028 GetLocaleInfoEx
0x54802c EncodePointer
0x548030 DecodePointer
0x548034 LCMapStringEx
0x548038 CompareStringEx
0x54803c GetCPInfo
0x548040 IsProcessorFeaturePresent
0x548044 UnhandledExceptionFilter
0x548048 SetUnhandledExceptionFilter
0x54804c GetCurrentProcess
0x548050 TerminateProcess
0x548054 QueryPerformanceCounter
0x548058 GetCurrentProcessId
0x54805c GetCurrentThreadId
0x548060 GetSystemTimeAsFileTime
0x548064 InitializeSListHead
0x548068 IsDebuggerPresent
0x54806c GetStartupInfoW
0x548070 CreateFileW
0x548074 RaiseException
0x548078 RtlUnwind
0x54807c InterlockedPushEntrySList
0x548080 InterlockedFlushSList
0x548084 GetLastError
0x548088 SetLastError
0x54808c InitializeCriticalSectionAndSpinCount
0x548090 TlsAlloc
0x548094 TlsGetValue
0x548098 TlsSetValue
0x54809c TlsFree
0x5480a0 FreeLibrary
0x5480a4 GetProcAddress
0x5480a8 LoadLibraryExW
0x5480ac GetStdHandle
0x5480b0 WriteFile
0x5480b4 GetModuleFileNameW
0x5480b8 ExitProcess
0x5480bc GetModuleHandleExW
0x5480c0 GetCommandLineA
0x5480c4 GetCommandLineW
0x5480c8 GetCurrentThread
0x5480cc HeapAlloc
0x5480d0 HeapFree
0x5480d4 GetDateFormatW
0x5480d8 GetTimeFormatW
0x5480dc CompareStringW
0x5480e0 LCMapStringW
0x5480e4 GetLocaleInfoW
0x5480e8 IsValidLocale
0x5480ec GetUserDefaultLCID
0x5480f0 EnumSystemLocalesW
0x5480f4 GetFileType
0x5480f8 GetFileSizeEx
0x5480fc SetFilePointerEx
0x548100 CloseHandle
0x548104 FlushFileBuffers
0x548108 GetConsoleOutputCP
0x54810c GetConsoleMode
0x548110 ReadFile
0x548114 HeapReAlloc
0x548118 SetConsoleCtrlHandler
0x54811c GetTimeZoneInformation
0x548120 OutputDebugStringW
0x548124 FindClose
0x548128 FindFirstFileExW
0x54812c FindNextFileW
0x548130 IsValidCodePage
0x548134 GetACP
0x548138 GetOEMCP
0x54813c GetEnvironmentStringsW
0x548140 FreeEnvironmentStringsW
0x548144 SetEnvironmentVariableW
0x548148 SetStdHandle
0x54814c GetProcessHeap
0x548150 ReadConsoleW
0x548154 HeapSize
0x548158 WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x548000 GetModuleHandleW
0x548004 FormatMessageA
0x548008 WideCharToMultiByte
0x54800c MultiByteToWideChar
0x548010 GetStringTypeW
0x548014 EnterCriticalSection
0x548018 LeaveCriticalSection
0x54801c InitializeCriticalSectionEx
0x548020 DeleteCriticalSection
0x548024 LocalFree
0x548028 GetLocaleInfoEx
0x54802c EncodePointer
0x548030 DecodePointer
0x548034 LCMapStringEx
0x548038 CompareStringEx
0x54803c GetCPInfo
0x548040 IsProcessorFeaturePresent
0x548044 UnhandledExceptionFilter
0x548048 SetUnhandledExceptionFilter
0x54804c GetCurrentProcess
0x548050 TerminateProcess
0x548054 QueryPerformanceCounter
0x548058 GetCurrentProcessId
0x54805c GetCurrentThreadId
0x548060 GetSystemTimeAsFileTime
0x548064 InitializeSListHead
0x548068 IsDebuggerPresent
0x54806c GetStartupInfoW
0x548070 CreateFileW
0x548074 RaiseException
0x548078 RtlUnwind
0x54807c InterlockedPushEntrySList
0x548080 InterlockedFlushSList
0x548084 GetLastError
0x548088 SetLastError
0x54808c InitializeCriticalSectionAndSpinCount
0x548090 TlsAlloc
0x548094 TlsGetValue
0x548098 TlsSetValue
0x54809c TlsFree
0x5480a0 FreeLibrary
0x5480a4 GetProcAddress
0x5480a8 LoadLibraryExW
0x5480ac GetStdHandle
0x5480b0 WriteFile
0x5480b4 GetModuleFileNameW
0x5480b8 ExitProcess
0x5480bc GetModuleHandleExW
0x5480c0 GetCommandLineA
0x5480c4 GetCommandLineW
0x5480c8 GetCurrentThread
0x5480cc HeapAlloc
0x5480d0 HeapFree
0x5480d4 GetDateFormatW
0x5480d8 GetTimeFormatW
0x5480dc CompareStringW
0x5480e0 LCMapStringW
0x5480e4 GetLocaleInfoW
0x5480e8 IsValidLocale
0x5480ec GetUserDefaultLCID
0x5480f0 EnumSystemLocalesW
0x5480f4 GetFileType
0x5480f8 GetFileSizeEx
0x5480fc SetFilePointerEx
0x548100 CloseHandle
0x548104 FlushFileBuffers
0x548108 GetConsoleOutputCP
0x54810c GetConsoleMode
0x548110 ReadFile
0x548114 HeapReAlloc
0x548118 SetConsoleCtrlHandler
0x54811c GetTimeZoneInformation
0x548120 OutputDebugStringW
0x548124 FindClose
0x548128 FindFirstFileExW
0x54812c FindNextFileW
0x548130 IsValidCodePage
0x548134 GetACP
0x548138 GetOEMCP
0x54813c GetEnvironmentStringsW
0x548140 FreeEnvironmentStringsW
0x548144 SetEnvironmentVariableW
0x548148 SetStdHandle
0x54814c GetProcessHeap
0x548150 ReadConsoleW
0x548154 HeapSize
0x548158 WriteConsoleW
EAT(Export Address Table) is none