ScreenShot
| Created | 2024.05.03 07:48 | Machine | s1_win7_x6401 |
| Filename | flash.cn.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 55 detected (AIDetectMalware, CobaltStrike, Malicious, score, Bulz, unsafe, Cobalt, Windows, Artifact, HacktoolX, CLASSIC, AGEN, Meterpreter, COBEACON, Detected, ai score=85, Kryptik, R521642, Artemis, Static AI, Malicious PE, susgen) | ||
| md5 | 49e2d38242e314cb72ff7a297dbf132f | ||
| sha256 | 0f913c7a1e8a8d7321a63595d16d181d59a4fd7ad6f25bf3b46f93ab60846959 | ||
| ssdeep | 6144:XFp4b/RC+NKy11QUJslQCTUjcjQErjR6Usf2cackwReskk3v1/1IVghjn6:XFpSzQ2syCTCcjQErjRPgTRf3D3R6 | ||
| imphash | 147442e63270e287ed57d33257638324 | ||
| impfuzzy | 24:Q2kfg1JlDzncJ9aa0mezlMG95XGDZykoDquQZn:gfg1jcJbezlRJGVykoqz | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x44c224 CloseHandle
0x44c22c ConnectNamedPipe
0x44c234 CreateFileA
0x44c23c CreateNamedPipeA
0x44c244 CreateThread
0x44c24c DeleteCriticalSection
0x44c254 EnterCriticalSection
0x44c25c GetCurrentProcess
0x44c264 GetCurrentProcessId
0x44c26c GetCurrentThreadId
0x44c274 GetLastError
0x44c27c GetModuleHandleA
0x44c284 GetProcAddress
0x44c28c GetStartupInfoA
0x44c294 GetSystemTimeAsFileTime
0x44c29c GetTickCount
0x44c2a4 InitializeCriticalSection
0x44c2ac LeaveCriticalSection
0x44c2b4 QueryPerformanceCounter
0x44c2bc ReadFile
0x44c2c4 RtlAddFunctionTable
0x44c2cc RtlCaptureContext
0x44c2d4 RtlLookupFunctionEntry
0x44c2dc RtlVirtualUnwind
0x44c2e4 SetUnhandledExceptionFilter
0x44c2ec Sleep
0x44c2f4 TerminateProcess
0x44c2fc TlsGetValue
0x44c304 UnhandledExceptionFilter
0x44c30c VirtualAlloc
0x44c314 VirtualProtect
0x44c31c VirtualQuery
0x44c324 WriteFile
msvcrt.dll
0x44c334 __C_specific_handler
0x44c33c __getmainargs
0x44c344 __initenv
0x44c34c __iob_func
0x44c354 __lconv_init
0x44c35c __set_app_type
0x44c364 __setusermatherr
0x44c36c _acmdln
0x44c374 _amsg_exit
0x44c37c _cexit
0x44c384 _fmode
0x44c38c _initterm
0x44c394 _onexit
0x44c39c abort
0x44c3a4 calloc
0x44c3ac exit
0x44c3b4 fprintf
0x44c3bc free
0x44c3c4 fwrite
0x44c3cc malloc
0x44c3d4 memcpy
0x44c3dc signal
0x44c3e4 sprintf
0x44c3ec strlen
0x44c3f4 strncmp
0x44c3fc vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x44c224 CloseHandle
0x44c22c ConnectNamedPipe
0x44c234 CreateFileA
0x44c23c CreateNamedPipeA
0x44c244 CreateThread
0x44c24c DeleteCriticalSection
0x44c254 EnterCriticalSection
0x44c25c GetCurrentProcess
0x44c264 GetCurrentProcessId
0x44c26c GetCurrentThreadId
0x44c274 GetLastError
0x44c27c GetModuleHandleA
0x44c284 GetProcAddress
0x44c28c GetStartupInfoA
0x44c294 GetSystemTimeAsFileTime
0x44c29c GetTickCount
0x44c2a4 InitializeCriticalSection
0x44c2ac LeaveCriticalSection
0x44c2b4 QueryPerformanceCounter
0x44c2bc ReadFile
0x44c2c4 RtlAddFunctionTable
0x44c2cc RtlCaptureContext
0x44c2d4 RtlLookupFunctionEntry
0x44c2dc RtlVirtualUnwind
0x44c2e4 SetUnhandledExceptionFilter
0x44c2ec Sleep
0x44c2f4 TerminateProcess
0x44c2fc TlsGetValue
0x44c304 UnhandledExceptionFilter
0x44c30c VirtualAlloc
0x44c314 VirtualProtect
0x44c31c VirtualQuery
0x44c324 WriteFile
msvcrt.dll
0x44c334 __C_specific_handler
0x44c33c __getmainargs
0x44c344 __initenv
0x44c34c __iob_func
0x44c354 __lconv_init
0x44c35c __set_app_type
0x44c364 __setusermatherr
0x44c36c _acmdln
0x44c374 _amsg_exit
0x44c37c _cexit
0x44c384 _fmode
0x44c38c _initterm
0x44c394 _onexit
0x44c39c abort
0x44c3a4 calloc
0x44c3ac exit
0x44c3b4 fprintf
0x44c3bc free
0x44c3c4 fwrite
0x44c3cc malloc
0x44c3d4 memcpy
0x44c3dc signal
0x44c3e4 sprintf
0x44c3ec strlen
0x44c3f4 strncmp
0x44c3fc vfprintf
EAT(Export Address Table) is none