ScreenShot
| Created | 2024.06.14 10:18 | Machine | s1_win7_x6403 |
| Filename | zardsystemschange.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 44 detected (AIDetectMalware, malicious, high confidence, score, Unsafe, GenericKD, Attribute, HighConfidence, a variant of WinGo, qwitrc, Genric, CLASSIC, AGEN, LUMMASTEALER, YXEFLZ, WinGo, Detected, Sabsik, BEC48S, ABTrojan, FTIZ, Chgt, Jajl, ai score=89, PossibleThreat, confidence, 100%) | ||
| md5 | 414d550d9c7fed5b71913ed7e4dd967b | ||
| sha256 | 8537ddcdf90cfb74ec563ce669da68cb0c48bf1e9a47461dce1f9f87d8b1468c | ||
| ssdeep | 98304:uvjhqgiBjlJw0PVUkEL8KyjpfmMRxUdHDcwp:x5k0dUdLYmMRxU5x | ||
| imphash | 5929190c8765f5bc37b052ab5c6c53e7 | ||
| impfuzzy | 48:qJrKxMCy9cmwKeFR+2u42xQ2HpdXiX1PJOmSnlTJGfYJ861k1vcqTjz:qJexMCyamCRHu42xQ2HPXiX1PgblTJGh | ||
Network IP location
Signature (2cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 44 AntiVirus engines on VirusTotal as malicious |
| info | One or more processes crashed |
Rules (8cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14083247c AddAtomA
0x140832484 AddVectoredExceptionHandler
0x14083248c CloseHandle
0x140832494 CreateEventA
0x14083249c CreateFileA
0x1408324a4 CreateIoCompletionPort
0x1408324ac CreateMutexA
0x1408324b4 CreateSemaphoreA
0x1408324bc CreateThread
0x1408324c4 CreateWaitableTimerExW
0x1408324cc DeleteAtom
0x1408324d4 DeleteCriticalSection
0x1408324dc DuplicateHandle
0x1408324e4 EnterCriticalSection
0x1408324ec ExitProcess
0x1408324f4 FindAtomA
0x1408324fc FormatMessageA
0x140832504 FreeEnvironmentStringsW
0x14083250c GetAtomNameA
0x140832514 GetConsoleMode
0x14083251c GetCurrentProcess
0x140832524 GetCurrentProcessId
0x14083252c GetCurrentThread
0x140832534 GetCurrentThreadId
0x14083253c GetEnvironmentStringsW
0x140832544 GetErrorMode
0x14083254c GetHandleInformation
0x140832554 GetLastError
0x14083255c GetProcAddress
0x140832564 GetProcessAffinityMask
0x14083256c GetQueuedCompletionStatusEx
0x140832574 GetStartupInfoA
0x14083257c GetStdHandle
0x140832584 GetSystemDirectoryA
0x14083258c GetSystemInfo
0x140832594 GetSystemTimeAsFileTime
0x14083259c GetThreadContext
0x1408325a4 GetThreadPriority
0x1408325ac GetTickCount
0x1408325b4 InitializeCriticalSection
0x1408325bc IsDBCSLeadByteEx
0x1408325c4 IsDebuggerPresent
0x1408325cc LeaveCriticalSection
0x1408325d4 LoadLibraryExW
0x1408325dc LoadLibraryW
0x1408325e4 LocalFree
0x1408325ec MultiByteToWideChar
0x1408325f4 OpenProcess
0x1408325fc OutputDebugStringA
0x140832604 PostQueuedCompletionStatus
0x14083260c QueryPerformanceCounter
0x140832614 QueryPerformanceFrequency
0x14083261c RaiseException
0x140832624 RaiseFailFastException
0x14083262c ReleaseMutex
0x140832634 ReleaseSemaphore
0x14083263c RemoveVectoredExceptionHandler
0x140832644 ResetEvent
0x14083264c ResumeThread
0x140832654 SetConsoleCtrlHandler
0x14083265c SetErrorMode
0x140832664 SetEvent
0x14083266c SetLastError
0x140832674 SetProcessAffinityMask
0x14083267c SetProcessPriorityBoost
0x140832684 SetThreadContext
0x14083268c SetThreadPriority
0x140832694 SetUnhandledExceptionFilter
0x14083269c SetWaitableTimer
0x1408326a4 Sleep
0x1408326ac SuspendThread
0x1408326b4 SwitchToThread
0x1408326bc TlsAlloc
0x1408326c4 TlsGetValue
0x1408326cc TlsSetValue
0x1408326d4 TryEnterCriticalSection
0x1408326dc VirtualAlloc
0x1408326e4 VirtualFree
0x1408326ec VirtualProtect
0x1408326f4 VirtualQuery
0x1408326fc WaitForMultipleObjects
0x140832704 WaitForSingleObject
0x14083270c WerGetFlags
0x140832714 WerSetFlags
0x14083271c WideCharToMultiByte
0x140832724 WriteConsoleW
0x14083272c WriteFile
0x140832734 __C_specific_handler
msvcrt.dll
0x140832744 ___lc_codepage_func
0x14083274c ___mb_cur_max_func
0x140832754 __getmainargs
0x14083275c __initenv
0x140832764 __iob_func
0x14083276c __lconv_init
0x140832774 __set_app_type
0x14083277c __setusermatherr
0x140832784 _acmdln
0x14083278c _amsg_exit
0x140832794 _beginthread
0x14083279c _beginthreadex
0x1408327a4 _cexit
0x1408327ac _commode
0x1408327b4 _endthreadex
0x1408327bc _errno
0x1408327c4 _fmode
0x1408327cc _initterm
0x1408327d4 _lock
0x1408327dc _memccpy
0x1408327e4 _onexit
0x1408327ec _setjmp
0x1408327f4 _strdup
0x1408327fc _ultoa
0x140832804 _unlock
0x14083280c abort
0x140832814 calloc
0x14083281c exit
0x140832824 fprintf
0x14083282c fputc
0x140832834 free
0x14083283c fwrite
0x140832844 localeconv
0x14083284c longjmp
0x140832854 malloc
0x14083285c memcpy
0x140832864 memmove
0x14083286c memset
0x140832874 printf
0x14083287c realloc
0x140832884 signal
0x14083288c strerror
0x140832894 strlen
0x14083289c strncmp
0x1408328a4 vfprintf
0x1408328ac wcslen
EAT(Export Address Table) Library
0x14082fc10 _cgo_dummy_export
KERNEL32.dll
0x14083247c AddAtomA
0x140832484 AddVectoredExceptionHandler
0x14083248c CloseHandle
0x140832494 CreateEventA
0x14083249c CreateFileA
0x1408324a4 CreateIoCompletionPort
0x1408324ac CreateMutexA
0x1408324b4 CreateSemaphoreA
0x1408324bc CreateThread
0x1408324c4 CreateWaitableTimerExW
0x1408324cc DeleteAtom
0x1408324d4 DeleteCriticalSection
0x1408324dc DuplicateHandle
0x1408324e4 EnterCriticalSection
0x1408324ec ExitProcess
0x1408324f4 FindAtomA
0x1408324fc FormatMessageA
0x140832504 FreeEnvironmentStringsW
0x14083250c GetAtomNameA
0x140832514 GetConsoleMode
0x14083251c GetCurrentProcess
0x140832524 GetCurrentProcessId
0x14083252c GetCurrentThread
0x140832534 GetCurrentThreadId
0x14083253c GetEnvironmentStringsW
0x140832544 GetErrorMode
0x14083254c GetHandleInformation
0x140832554 GetLastError
0x14083255c GetProcAddress
0x140832564 GetProcessAffinityMask
0x14083256c GetQueuedCompletionStatusEx
0x140832574 GetStartupInfoA
0x14083257c GetStdHandle
0x140832584 GetSystemDirectoryA
0x14083258c GetSystemInfo
0x140832594 GetSystemTimeAsFileTime
0x14083259c GetThreadContext
0x1408325a4 GetThreadPriority
0x1408325ac GetTickCount
0x1408325b4 InitializeCriticalSection
0x1408325bc IsDBCSLeadByteEx
0x1408325c4 IsDebuggerPresent
0x1408325cc LeaveCriticalSection
0x1408325d4 LoadLibraryExW
0x1408325dc LoadLibraryW
0x1408325e4 LocalFree
0x1408325ec MultiByteToWideChar
0x1408325f4 OpenProcess
0x1408325fc OutputDebugStringA
0x140832604 PostQueuedCompletionStatus
0x14083260c QueryPerformanceCounter
0x140832614 QueryPerformanceFrequency
0x14083261c RaiseException
0x140832624 RaiseFailFastException
0x14083262c ReleaseMutex
0x140832634 ReleaseSemaphore
0x14083263c RemoveVectoredExceptionHandler
0x140832644 ResetEvent
0x14083264c ResumeThread
0x140832654 SetConsoleCtrlHandler
0x14083265c SetErrorMode
0x140832664 SetEvent
0x14083266c SetLastError
0x140832674 SetProcessAffinityMask
0x14083267c SetProcessPriorityBoost
0x140832684 SetThreadContext
0x14083268c SetThreadPriority
0x140832694 SetUnhandledExceptionFilter
0x14083269c SetWaitableTimer
0x1408326a4 Sleep
0x1408326ac SuspendThread
0x1408326b4 SwitchToThread
0x1408326bc TlsAlloc
0x1408326c4 TlsGetValue
0x1408326cc TlsSetValue
0x1408326d4 TryEnterCriticalSection
0x1408326dc VirtualAlloc
0x1408326e4 VirtualFree
0x1408326ec VirtualProtect
0x1408326f4 VirtualQuery
0x1408326fc WaitForMultipleObjects
0x140832704 WaitForSingleObject
0x14083270c WerGetFlags
0x140832714 WerSetFlags
0x14083271c WideCharToMultiByte
0x140832724 WriteConsoleW
0x14083272c WriteFile
0x140832734 __C_specific_handler
msvcrt.dll
0x140832744 ___lc_codepage_func
0x14083274c ___mb_cur_max_func
0x140832754 __getmainargs
0x14083275c __initenv
0x140832764 __iob_func
0x14083276c __lconv_init
0x140832774 __set_app_type
0x14083277c __setusermatherr
0x140832784 _acmdln
0x14083278c _amsg_exit
0x140832794 _beginthread
0x14083279c _beginthreadex
0x1408327a4 _cexit
0x1408327ac _commode
0x1408327b4 _endthreadex
0x1408327bc _errno
0x1408327c4 _fmode
0x1408327cc _initterm
0x1408327d4 _lock
0x1408327dc _memccpy
0x1408327e4 _onexit
0x1408327ec _setjmp
0x1408327f4 _strdup
0x1408327fc _ultoa
0x140832804 _unlock
0x14083280c abort
0x140832814 calloc
0x14083281c exit
0x140832824 fprintf
0x14083282c fputc
0x140832834 free
0x14083283c fwrite
0x140832844 localeconv
0x14083284c longjmp
0x140832854 malloc
0x14083285c memcpy
0x140832864 memmove
0x14083286c memset
0x140832874 printf
0x14083287c realloc
0x140832884 signal
0x14083288c strerror
0x140832894 strlen
0x14083289c strncmp
0x1408328a4 vfprintf
0x1408328ac wcslen
EAT(Export Address Table) Library
0x14082fc10 _cgo_dummy_export