Field | Value |
---|---|
Created | 2024.05.17 15:34 |
Machine | s1_win7_x6401 |
Filename | vnc.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 45 detected (Remcos, malicious, high confidence, score, Doina, Lazy, V13d, Artemis, Cobalt, CLOUD, frzdc, YXEEOZ, Rozena, Detected, ai score=83, AgentTesla, ABRisk, WCVF, R648374, Ftgl, Static AI, Suspicious PE, AGen) |
md5 | a8e4c5bfdec6d09b86b1a522c2348367 |
sha256 | 230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f |
ssdeep | 24576:TxB9gs/l97fTp+hmFVrWHGc6H+pvxoOXk81pRNHBoKkoR:/L7bwwBH+1xFXkwpRJZ9R |
imphash | c33cf958e4babaa5af9289de09f91f82 |
impfuzzy | 24:rojncpVWcD02tMS1AgGUJBl3eDoLoEOovbOIpGMwvwRFZMCEZHu9W1:+cpV5HtMS1AgGspXc37wFZg1 |
Signature (14cnts)
Level | Description |
---|---|
danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
watch | One or more of the buffers contains an embedded PE file |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | One or more potentially interesting buffers were extracted |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140070000 CloseHandle
0x140070008 GetLastError
0x140070010 WaitForSingleObject
0x140070018 CreateProcessA
0x140070020 AllocConsole
0x140070028 FreeConsole
0x140070030 WideCharToMultiByte
0x140070038 EnterCriticalSection
0x140070040 LeaveCriticalSection
0x140070048 InitializeCriticalSectionEx
0x140070050 DeleteCriticalSection
0x140070058 EncodePointer
0x140070060 DecodePointer
0x140070068 MultiByteToWideChar
0x140070070 LCMapStringEx
0x140070078 GetStringTypeW
0x140070080 GetCPInfo
0x140070088 RtlCaptureContext
0x140070090 RtlLookupFunctionEntry
0x140070098 RtlVirtualUnwind
0x1400700a0 UnhandledExceptionFilter
0x1400700a8 SetUnhandledExceptionFilter
0x1400700b0 GetCurrentProcess
0x1400700b8 TerminateProcess
0x1400700c0 IsProcessorFeaturePresent
0x1400700c8 QueryPerformanceCounter
0x1400700d0 GetCurrentProcessId
0x1400700d8 GetCurrentThreadId
0x1400700e0 GetSystemTimeAsFileTime
0x1400700e8 InitializeSListHead
0x1400700f0 IsDebuggerPresent
0x1400700f8 GetStartupInfoW
0x140070100 GetModuleHandleW
0x140070108 WriteConsoleW
0x140070110 RtlPcToFileHeader
0x140070118 RaiseException
0x140070120 RtlUnwindEx
0x140070128 SetLastError
0x140070130 InitializeCriticalSectionAndSpinCount
0x140070138 TlsAlloc
0x140070140 TlsGetValue
0x140070148 TlsSetValue
0x140070150 TlsFree
0x140070158 FreeLibrary
0x140070160 GetProcAddress
0x140070168 LoadLibraryExW
0x140070170 GetStdHandle
0x140070178 WriteFile
0x140070180 GetModuleFileNameW
0x140070188 ExitProcess
0x140070190 GetModuleHandleExW
0x140070198 GetCommandLineA
0x1400701a0 GetCommandLineW
0x1400701a8 HeapFree
0x1400701b0 GetConsoleOutputCP
0x1400701b8 GetConsoleMode
0x1400701c0 GetFileSizeEx
0x1400701c8 SetFilePointerEx
0x1400701d0 HeapAlloc
0x1400701d8 GetFileType
0x1400701e0 FlsAlloc
0x1400701e8 FlsGetValue
0x1400701f0 FlsSetValue
0x1400701f8 FlsFree
0x140070200 CompareStringW
0x140070208 LCMapStringW
0x140070210 GetLocaleInfoW
0x140070218 IsValidLocale
0x140070220 GetUserDefaultLCID
0x140070228 EnumSystemLocalesW
0x140070230 FlushFileBuffers
0x140070238 ReadFile
0x140070240 ReadConsoleW
0x140070248 HeapReAlloc
0x140070250 FindClose
0x140070258 FindFirstFileExW
0x140070260 FindNextFileW
0x140070268 IsValidCodePage
0x140070270 GetACP
0x140070278 GetOEMCP
0x140070280 GetEnvironmentStringsW
0x140070288 FreeEnvironmentStringsW
0x140070290 SetEnvironmentVariableW
0x140070298 SetStdHandle
0x1400702a0 GetProcessHeap
0x1400702a8 CreateFileW
0x1400702b0 HeapSize
0x1400702b8 SetEndOfFile
0x1400702c0 RtlUnwind
EAT (Export Address Table): none