ScreenShot
| Created | 2024.06.16 10:16 | Machine | s1_win7_x6403 |
| Filename | DhlServer.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 64 detected (AIDetectMalware, Redosdru, malicious, high confidence, score, FKFK, JSWJ, Unsafe, V0o6, Attribute, HighConfidence, Tiny, Zlob, dqsnyd, bHLCrSFEsjS, AGEN, Siggen, ZEGOST, SM17, Dorgam, Detected, ai score=84, BigBadWolf, Farfli, BJQ@5t8o8c, JNNA, R148588, ZexaF, duX@a8fOpEf, BScope, Gencirc, GenAsa, 0xwwFzPHhFI, Static AI, Suspicious PE, susgen, Kryptik, GHFL, confidence, 100%) | ||
| md5 | dcaab6548f0017f413d032fac6449fc1 | ||
| sha256 | 7e64b2f168f2c50ce409c142cf7294ec847d633e82481ac2326ef2a49c2b6680 | ||
| ssdeep | 768:3e1iZNbQAKrWGOkGQeN70ZqL37MKBBmbUt4:36iZNer5GQvk0at | ||
| imphash | 45faf44fe201670daca333d176faea38 | ||
| impfuzzy | 24:aM72T+cDooTaLhMiOovlmuB3gv8ERRva8n:aM7SeVM1gd3ca8 | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 64 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a service |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| info | The executable uses a known packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts) ?
Suricata ids
ET HUNTING Rejetto HTTP File Sever Response
PE API
IAT(Import Address Table) Library
imagehlp.dll
0x40d238 MakeSureDirectoryPathExists
WININET.dll
0x40d224 InternetOpenA
0x40d228 InternetOpenUrlA
0x40d22c InternetReadFile
0x40d230 InternetCloseHandle
KERNEL32.dll
0x40d148 ExitProcess
0x40d14c GetStringTypeW
0x40d150 GetStringTypeA
0x40d154 LCMapStringW
0x40d158 LCMapStringA
0x40d15c MultiByteToWideChar
0x40d160 SetConsoleCtrlHandler
0x40d164 HeapAlloc
0x40d168 GetProcessHeap
0x40d16c VirtualAlloc
0x40d170 VirtualProtect
0x40d174 VirtualFree
0x40d178 GetProcAddress
0x40d17c LoadLibraryA
0x40d180 IsBadReadPtr
0x40d184 HeapFree
0x40d188 FreeLibrary
0x40d18c CloseHandle
0x40d190 WriteFile
0x40d194 CreateFileA
0x40d198 ReadFile
0x40d19c GetFileSize
0x40d1a0 SetFilePointer
0x40d1a4 Sleep
0x40d1a8 HeapReAlloc
0x40d1ac RtlUnwind
0x40d1b0 RaiseException
0x40d1b4 GetModuleHandleA
0x40d1b8 GetStartupInfoA
0x40d1bc GetCommandLineA
0x40d1c0 GetVersion
0x40d1c4 IsBadWritePtr
0x40d1c8 GetModuleFileNameA
0x40d1cc GetEnvironmentVariableA
0x40d1d0 GetVersionExA
0x40d1d4 HeapDestroy
0x40d1d8 HeapCreate
0x40d1dc SetUnhandledExceptionFilter
0x40d1e0 TerminateProcess
0x40d1e4 GetCurrentProcess
0x40d1e8 UnhandledExceptionFilter
0x40d1ec FreeEnvironmentStringsA
0x40d1f0 FreeEnvironmentStringsW
0x40d1f4 WideCharToMultiByte
0x40d1f8 GetEnvironmentStrings
0x40d1fc GetEnvironmentStringsW
0x40d200 SetHandleCount
0x40d204 GetStdHandle
0x40d208 GetFileType
0x40d20c IsBadCodePtr
0x40d210 GetCPInfo
0x40d214 GetACP
0x40d218 GetOEMCP
0x40d21c GetLastError
EAT(Export Address Table) is none
imagehlp.dll
0x40d238 MakeSureDirectoryPathExists
WININET.dll
0x40d224 InternetOpenA
0x40d228 InternetOpenUrlA
0x40d22c InternetReadFile
0x40d230 InternetCloseHandle
KERNEL32.dll
0x40d148 ExitProcess
0x40d14c GetStringTypeW
0x40d150 GetStringTypeA
0x40d154 LCMapStringW
0x40d158 LCMapStringA
0x40d15c MultiByteToWideChar
0x40d160 SetConsoleCtrlHandler
0x40d164 HeapAlloc
0x40d168 GetProcessHeap
0x40d16c VirtualAlloc
0x40d170 VirtualProtect
0x40d174 VirtualFree
0x40d178 GetProcAddress
0x40d17c LoadLibraryA
0x40d180 IsBadReadPtr
0x40d184 HeapFree
0x40d188 FreeLibrary
0x40d18c CloseHandle
0x40d190 WriteFile
0x40d194 CreateFileA
0x40d198 ReadFile
0x40d19c GetFileSize
0x40d1a0 SetFilePointer
0x40d1a4 Sleep
0x40d1a8 HeapReAlloc
0x40d1ac RtlUnwind
0x40d1b0 RaiseException
0x40d1b4 GetModuleHandleA
0x40d1b8 GetStartupInfoA
0x40d1bc GetCommandLineA
0x40d1c0 GetVersion
0x40d1c4 IsBadWritePtr
0x40d1c8 GetModuleFileNameA
0x40d1cc GetEnvironmentVariableA
0x40d1d0 GetVersionExA
0x40d1d4 HeapDestroy
0x40d1d8 HeapCreate
0x40d1dc SetUnhandledExceptionFilter
0x40d1e0 TerminateProcess
0x40d1e4 GetCurrentProcess
0x40d1e8 UnhandledExceptionFilter
0x40d1ec FreeEnvironmentStringsA
0x40d1f0 FreeEnvironmentStringsW
0x40d1f4 WideCharToMultiByte
0x40d1f8 GetEnvironmentStrings
0x40d1fc GetEnvironmentStringsW
0x40d200 SetHandleCount
0x40d204 GetStdHandle
0x40d208 GetFileType
0x40d20c IsBadCodePtr
0x40d210 GetCPInfo
0x40d214 GetACP
0x40d218 GetOEMCP
0x40d21c GetLastError
EAT(Export Address Table) is none