ScreenShot
| Created | 2024.05.16 08:59 | Machine | s1_win7_x6401 |
| Filename | x103.log | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 43 detected (malicious, high confidence, score, Artemis, Jaik, Winos, swkaa, Attribute, HighConfidence, ShellcodeRunner, TrojanX, 3Vu5mR7mZjH, Redcap, pprih, Detected, ai score=87, Wacatac, ABRisk, ISPI, BScope, Meterpreter, R002H07EF24, Gencirc, Static AI, Malicious PE, susgen, Behavior) | ||
| md5 | 5c3eb8c100cef5725d79a35664e58646 | ||
| sha256 | 54dc7635c51ecd94cfe8e45cbac2e52191867b9ff0465d778ee5a200bb832c22 | ||
| ssdeep | 1536:MTJxeSgVJ43R2N8gW7YI4z1w+8X5QbdoRPqUw35:M1xeSU4h2NQ7YfF0qn | ||
| imphash | dc9c8857079c430f5f794d5661279457 | ||
| impfuzzy | 24:8fx91Jmn3UdMJ9eOXk5XGDZEk1koDqZZzM:8fH1cEdMJ9erJGVEk1koqzM | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates or sets a registry key to a long series of bytes |
| watch | Installs an hook procedure to monitor for mouse events |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | Checks amount of memory in system |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x406130 DeleteCriticalSection
0x406134 EnterCriticalSection
0x406138 GetConsoleWindow
0x40613c GetCurrentProcess
0x406140 GetCurrentProcessId
0x406144 GetCurrentThreadId
0x406148 GetLastError
0x40614c GetStartupInfoA
0x406150 GetSystemTimeAsFileTime
0x406154 GetTickCount
0x406158 InitializeCriticalSection
0x40615c InterlockedCompareExchange
0x406160 InterlockedExchange
0x406164 LeaveCriticalSection
0x406168 QueryPerformanceCounter
0x40616c SetUnhandledExceptionFilter
0x406170 Sleep
0x406174 TerminateProcess
0x406178 TlsGetValue
0x40617c UnhandledExceptionFilter
0x406180 VirtualAlloc
0x406184 VirtualFree
0x406188 VirtualProtect
0x40618c VirtualQuery
msvcrt.dll
0x406194 __dllonexit
0x406198 __getmainargs
0x40619c __initenv
0x4061a0 __lconv_init
0x4061a4 __set_app_type
0x4061a8 __setusermatherr
0x4061ac _acmdln
0x4061b0 _amsg_exit
0x4061b4 _cexit
0x4061b8 _fmode
0x4061bc _initterm
0x4061c0 _iob
0x4061c4 _lock
0x4061c8 _onexit
0x4061cc _unlock
0x4061d0 abort
0x4061d4 calloc
0x4061d8 exit
0x4061dc fprintf
0x4061e0 free
0x4061e4 fwrite
0x4061e8 malloc
0x4061ec memcpy
0x4061f0 puts
0x4061f4 signal
0x4061f8 strlen
0x4061fc strncmp
0x406200 vfprintf
USER32.dll
0x406208 ShowWindow
EAT(Export Address Table) is none
KERNEL32.dll
0x406130 DeleteCriticalSection
0x406134 EnterCriticalSection
0x406138 GetConsoleWindow
0x40613c GetCurrentProcess
0x406140 GetCurrentProcessId
0x406144 GetCurrentThreadId
0x406148 GetLastError
0x40614c GetStartupInfoA
0x406150 GetSystemTimeAsFileTime
0x406154 GetTickCount
0x406158 InitializeCriticalSection
0x40615c InterlockedCompareExchange
0x406160 InterlockedExchange
0x406164 LeaveCriticalSection
0x406168 QueryPerformanceCounter
0x40616c SetUnhandledExceptionFilter
0x406170 Sleep
0x406174 TerminateProcess
0x406178 TlsGetValue
0x40617c UnhandledExceptionFilter
0x406180 VirtualAlloc
0x406184 VirtualFree
0x406188 VirtualProtect
0x40618c VirtualQuery
msvcrt.dll
0x406194 __dllonexit
0x406198 __getmainargs
0x40619c __initenv
0x4061a0 __lconv_init
0x4061a4 __set_app_type
0x4061a8 __setusermatherr
0x4061ac _acmdln
0x4061b0 _amsg_exit
0x4061b4 _cexit
0x4061b8 _fmode
0x4061bc _initterm
0x4061c0 _iob
0x4061c4 _lock
0x4061c8 _onexit
0x4061cc _unlock
0x4061d0 abort
0x4061d4 calloc
0x4061d8 exit
0x4061dc fprintf
0x4061e0 free
0x4061e4 fwrite
0x4061e8 malloc
0x4061ec memcpy
0x4061f0 puts
0x4061f4 signal
0x4061f8 strlen
0x4061fc strncmp
0x406200 vfprintf
USER32.dll
0x406208 ShowWindow
EAT(Export Address Table) is none