ScreenShot
| Created | 2024.06.15 08:21 | Machine | s1_win7_x6403 |
| Filename | 4.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 24981658666a4f40f07f37bfb48d1372 | ||
| sha256 | 7b84f0641444a8e39e14f6a9f3f9363ee142acbe6fcb6dcd046d0ae2c463cf77 | ||
| ssdeep | 768:SkqlrK5isV2AKTVV15bRjeK3gRJg6Dm/u5HfqyaVwsaVwCx:xKIYApC6C/4//aVwsaVwCx | ||
| imphash | b417d74ecba642ca8eceadf01d18afc0 | ||
| impfuzzy | 48:F7/Htu/eQYtjbyMXmLg7b02G3qFn7yeL3Cd:F7/H6JUbRXms7HG3qB7XL3S | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | Creates a service |
| info | The executable uses a known packer |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x406044 MoveFileA
0x406048 GetTempPathA
0x40604c GetModuleFileNameA
0x406050 lstrlenA
0x406054 MoveFileExA
0x406058 GlobalMemoryStatus
0x40605c GetModuleHandleA
0x406060 GetStartupInfoA
0x406064 WaitForSingleObject
0x406068 GetSystemInfo
0x40606c CreateThread
0x406070 CreateProcessA
0x406074 GetFileAttributesA
0x406078 GetLastError
0x40607c LoadLibraryA
0x406080 GetProcAddress
0x406084 FreeLibrary
0x406088 CreateFileA
0x40608c WriteFile
0x406090 CloseHandle
0x406094 ExitThread
0x406098 Sleep
0x40609c GetCurrentProcessId
0x4060a0 CopyFileA
0x4060a4 GetTickCount
USER32.dll
0x40612c MessageBoxA
0x406130 wsprintfA
ADVAPI32.dll
0x406000 CreateServiceA
0x406004 ChangeServiceConfig2A
0x406008 UnlockServiceDatabase
0x40600c OpenServiceA
0x406010 StartServiceA
0x406014 RegSetValueExA
0x406018 CloseServiceHandle
0x40601c StartServiceCtrlDispatcherA
0x406020 RegisterServiceCtrlHandlerA
0x406024 SetServiceStatus
0x406028 RegOpenKeyExA
0x40602c RegOpenKeyA
0x406030 RegQueryValueExA
0x406034 RegCloseKey
0x406038 OpenSCManagerA
0x40603c LockServiceDatabase
WS2_32.dll
0x406138 select
0x40613c __WSAFDIsSet
0x406140 recv
0x406144 WSAIoctl
0x406148 send
0x40614c WSAStartup
0x406150 WSASocketA
0x406154 WSAGetLastError
0x406158 setsockopt
0x40615c htonl
0x406160 sendto
0x406164 WSACleanup
0x406168 gethostbyname
0x40616c socket
0x406170 htons
0x406174 connect
0x406178 closesocket
0x40617c inet_addr
MSVCRT.dll
0x4060ac strlen
0x4060b0 strcat
0x4060b4 _controlfp
0x4060b8 __set_app_type
0x4060bc strcpy
0x4060c0 __p__fmode
0x4060c4 __p__commode
0x4060c8 _adjust_fdiv
0x4060cc __setusermatherr
0x4060d0 _initterm
0x4060d4 __getmainargs
0x4060d8 _acmdln
0x4060dc exit
0x4060e0 _XcptFilter
0x4060e4 _exit
0x4060e8 _iob
0x4060ec malloc
0x4060f0 free
0x4060f4 rand
0x4060f8 sprintf
0x4060fc memset
0x406100 printf
0x406104 fprintf
0x406108 memcpy
0x40610c _except_handler3
0x406110 _local_unwind2
0x406114 strstr
0x406118 ??3@YAXPAX@Z
0x40611c strrchr
0x406120 ??2@YAPAXI@Z
0x406124 strncmp
iphlpapi.dll
0x406184 GetIfTable
EAT(Export Address Table) is none
KERNEL32.dll
0x406044 MoveFileA
0x406048 GetTempPathA
0x40604c GetModuleFileNameA
0x406050 lstrlenA
0x406054 MoveFileExA
0x406058 GlobalMemoryStatus
0x40605c GetModuleHandleA
0x406060 GetStartupInfoA
0x406064 WaitForSingleObject
0x406068 GetSystemInfo
0x40606c CreateThread
0x406070 CreateProcessA
0x406074 GetFileAttributesA
0x406078 GetLastError
0x40607c LoadLibraryA
0x406080 GetProcAddress
0x406084 FreeLibrary
0x406088 CreateFileA
0x40608c WriteFile
0x406090 CloseHandle
0x406094 ExitThread
0x406098 Sleep
0x40609c GetCurrentProcessId
0x4060a0 CopyFileA
0x4060a4 GetTickCount
USER32.dll
0x40612c MessageBoxA
0x406130 wsprintfA
ADVAPI32.dll
0x406000 CreateServiceA
0x406004 ChangeServiceConfig2A
0x406008 UnlockServiceDatabase
0x40600c OpenServiceA
0x406010 StartServiceA
0x406014 RegSetValueExA
0x406018 CloseServiceHandle
0x40601c StartServiceCtrlDispatcherA
0x406020 RegisterServiceCtrlHandlerA
0x406024 SetServiceStatus
0x406028 RegOpenKeyExA
0x40602c RegOpenKeyA
0x406030 RegQueryValueExA
0x406034 RegCloseKey
0x406038 OpenSCManagerA
0x40603c LockServiceDatabase
WS2_32.dll
0x406138 select
0x40613c __WSAFDIsSet
0x406140 recv
0x406144 WSAIoctl
0x406148 send
0x40614c WSAStartup
0x406150 WSASocketA
0x406154 WSAGetLastError
0x406158 setsockopt
0x40615c htonl
0x406160 sendto
0x406164 WSACleanup
0x406168 gethostbyname
0x40616c socket
0x406170 htons
0x406174 connect
0x406178 closesocket
0x40617c inet_addr
MSVCRT.dll
0x4060ac strlen
0x4060b0 strcat
0x4060b4 _controlfp
0x4060b8 __set_app_type
0x4060bc strcpy
0x4060c0 __p__fmode
0x4060c4 __p__commode
0x4060c8 _adjust_fdiv
0x4060cc __setusermatherr
0x4060d0 _initterm
0x4060d4 __getmainargs
0x4060d8 _acmdln
0x4060dc exit
0x4060e0 _XcptFilter
0x4060e4 _exit
0x4060e8 _iob
0x4060ec malloc
0x4060f0 free
0x4060f4 rand
0x4060f8 sprintf
0x4060fc memset
0x406100 printf
0x406104 fprintf
0x406108 memcpy
0x40610c _except_handler3
0x406110 _local_unwind2
0x406114 strstr
0x406118 ??3@YAXPAX@Z
0x40611c strrchr
0x406120 ??2@YAPAXI@Z
0x406124 strncmp
iphlpapi.dll
0x406184 GetIfTable
EAT(Export Address Table) is none