Field | Value |
---|---|
Created | 2024.05.17 09:57 |
Machine | s1_win7_x6401 |
Filename | adduser.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 43 detected (GenericKD, unsafe, Vf3s, Attribute, HighConfidence, malicious, high confidence, a variant of Generik, NBNLNLF, TrojanX, Znyonm, CLOUD, VSNTA124, Rozena, Detected, ai score=88, GrayWare, Wacapew, Wacatac, ABTrojan, KIOI, R589795, Chgt, R0CcgENdDK0, PossibleThreat, Generik, NKSMKO3) |
md5 | 510f4e20d3a6e15ac818d7e667bbf300 |
sha256 | a678904fe3015f3590aa26ec33ee4f19d26f2369bc462991915754cad2f966f4 |
ssdeep | 1536:wV8k1S+t3NIkzwIUZjwZpXcB4YchVvW0InAcngugNamOHvkE+zhtWba:05lFNIVC9Du/Fba |
imphash | b5217f969ca31ce0344e6f43054a8f8e |
impfuzzy | 12:YRJRJJoARZqRVPXJHqV0MHHGf5XGXKiEG6eGJwk6lTpJqJKZn:8fjBcVK0MGf5XGf6ZykoDqsZn |
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
watch | Uses a Windows command to add a user to the Administrators group |
notice | Creates a suspicious process |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
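The "watch" signature is the one behavioral finding on this page with real substance: the sample imports the C-runtime `system` function (see the IAT listing) and, per the sandbox, runs a Windows command that adds a user to the Administrators group, which on an endpoint leaves `cmd.exe /c net ...` process creations behind. The Python below is an added example, not part of this report or of the sandbox's own rule set, of the detection a SOC would run over process-creation telemetry (Sysmon Event ID 1 or Security 4688 reduced to host/pid/ppid/image/cmdline). It flags `net user <name> /add` and `net localgroup Administrators <name> /add`, including the `cmd.exe /c` and `net1.exe` forms, and escalates when the same new account shows up in both. The events, the account name and the password in it are constructed; the page does not give the actual command line the binary executed.

```python
"""Flag local-admin account creation in Windows process-creation telemetry.

Added example (not from the sandbox report): detection logic for the
"adds a user to the Administrators group" behaviour, run over constructed
Sysmon Event ID 1 / Security 4688 style records.
"""

NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}
ADMIN_GROUPS = {"administrators"}  # add localized group names as needed


def _tokens(cmdline):
    """Crude Windows command-line tokenizer: whitespace split, quotes stripped,
    lower-cased. Adequate for net.exe argument vectors, not for paths with spaces."""
    return [t.strip('"').lower() for t in cmdline.split()]


def _net_args(tokens):
    """Arguments following the first net/net1 invocation, or None.

    Handles a direct net.exe launch, a full-path launch, and the
    `cmd.exe /c net ...` form that a C-runtime system() call produces.
    """
    for i, tok in enumerate(tokens):
        if tok.rsplit("\\", 1)[-1] in NET_BINARIES:
            return tokens[i + 1:]
    return None


def classify(cmdline):
    """Classify one command line.

    Returns a list of (finding, username) tuples:
      local_user_created       -> `net user <name> [password] /add`
      added_to_administrators  -> `net localgroup administrators <name> /add`
    Listing commands (`net user`, `net localgroup administrators`) and
    unrelated verbs (`net use`) produce no findings.
    """
    args = _net_args(_tokens(cmdline))
    if not args or "/add" not in args:
        return []
    verb = args[0]
    if verb == "user" and len(args) >= 2 and not args[1].startswith("/"):
        return [("local_user_created", args[1])]
    if (verb == "localgroup" and len(args) >= 3
            and args[1] in ADMIN_GROUPS and not args[2].startswith("/")):
        return [("added_to_administrators", args[2])]
    return []


def correlate(events):
    """Run classify() over time-ordered process-creation events.

    events: dicts with host, pid, ppid, image, cmdline.
    Returns one alert per distinct (host, rule, user). Adding an account to
    Administrators is escalated to "danger" when the same account was
    created earlier on the same host, the pattern this sample exhibits.
    """
    alerts, seen, created = [], set(), set()
    for ev in events:
        for finding, user in classify(ev["cmdline"]):
            key = (ev["host"], user)
            severity, rule = "watch", finding
            if finding == "local_user_created":
                created.add(key)
            elif key in created:
                severity, rule = "danger", "new_account_added_to_administrators"
            dedup = (ev["host"], rule, user)
            if dedup in seen:
                continue  # cmd.exe, net.exe and net1.exe all carry the same line
            seen.add(dedup)
            alerts.append({"severity": severity, "rule": rule, "user": user,
                           "host": ev["host"], "pid": ev["pid"], "ppid": ev["ppid"]})
    return alerts


# Constructed sample telemetry (not from the report): the process tree that a
# system("net user ... /add") followed by system("net localgroup ...") would leave.
HOST = "s1_win7_x6401"
SAMPLE_EVENTS = [
    {"host": HOST, "pid": 1804, "ppid": 1720, "image": r"C:\Users\user\Desktop\adduser.exe",
     "cmdline": "adduser.exe"},
    {"host": HOST, "pid": 1812, "ppid": 1804, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user backdoor Passw0rd! /add"},
    {"host": HOST, "pid": 1820, "ppid": 1812, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user backdoor Passw0rd! /add"},
    {"host": HOST, "pid": 1828, "ppid": 1820, "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 user backdoor Passw0rd! /add"},
    {"host": HOST, "pid": 1836, "ppid": 1804, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c net localgroup "Administrators" backdoor /add'},
    {"host": HOST, "pid": 1844, "ppid": 1836, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net localgroup "Administrators" backdoor /add'},
    # Benign noise that must not fire:
    {"host": HOST, "pid": 1900, "ppid": 1000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileserver\share"},
    {"host": HOST, "pid": 1908, "ppid": 1000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The correlation assumes events arrive in time order and keys on host plus account name rather than on the process tree, so it still fires when the two commands come from different parents; the deduplication is what keeps the three-level cmd.exe, net.exe, net1.exe chain from producing one alert per level. Account creation through other paths (`NetUserAdd` called directly, PowerShell `New-LocalUser`/`Add-LocalGroupMember`) is out of scope here and needs separate coverage.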
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(none observed) | | | | | |
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140008168 DeleteCriticalSection
0x140008170 EnterCriticalSection
0x140008178 GetLastError
0x140008180 InitializeCriticalSection
0x140008188 LeaveCriticalSection
0x140008190 SetUnhandledExceptionFilter
0x140008198 Sleep
0x1400081a0 TlsGetValue
0x1400081a8 VirtualProtect
0x1400081b0 VirtualQuery
msvcrt.dll
0x1400081c0 __C_specific_handler
0x1400081c8 __getmainargs
0x1400081d0 __initenv
0x1400081d8 __iob_func
0x1400081e0 __set_app_type
0x1400081e8 __setusermatherr
0x1400081f0 _amsg_exit
0x1400081f8 _cexit
0x140008200 _commode
0x140008208 _fmode
0x140008210 _initterm
0x140008218 _onexit
0x140008220 abort
0x140008228 calloc
0x140008230 exit
0x140008238 fprintf
0x140008240 free
0x140008248 fwrite
0x140008250 malloc
0x140008258 memcpy
0x140008260 signal
0x140008268 strlen
0x140008270 strncmp
0x140008278 system
0x140008280 vfprintf
EAT (Export Address Table): none