ScreenShot
| Created | 2024.06.18 09:38 | Machine | s1_win7_x6401 |
| Filename | arphaDump64.dll | ||
| Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 4 detected (DLLhijack, CLOUD, MxResIcn) | ||
| md5 | b60a81a659f6a8228c3e5df7f1c0819a | ||
| sha256 | 0f4c555dc838ea3ba222b6d64e93be6400f5eccb6ae432a653fb5688eff719d5 | ||
| ssdeep | 1536:z4qguMDQRDG4S/GvGMZ4dvkAxcmgdSrna:z4qgbDQtG+Ydv/xcmgwrn | ||
| imphash | e6f4b2831e058a1d5a1ab6a3d70e5ee2 | ||
| impfuzzy | 24:mDoYdOovBtQzyluuYxJ9kuRvD6FQ8/ST4efJlIQ:MIKtcuD2DCScefJeQ | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | File has been identified by 4 AntiVirus engines on VirusTotal as malicious |
| info | Checks if process is being debugged by a debugger |
| info | This executable has a PDB path |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x18000a000 GetProcAddress
0x18000a008 LoadLibraryA
0x18000a010 GetModuleHandleA
0x18000a018 GetCurrentThreadId
0x18000a020 FlsSetValue
0x18000a028 GetCommandLineA
0x18000a030 TerminateProcess
0x18000a038 GetCurrentProcess
0x18000a040 UnhandledExceptionFilter
0x18000a048 SetUnhandledExceptionFilter
0x18000a050 IsDebuggerPresent
0x18000a058 RtlVirtualUnwind
0x18000a060 RtlLookupFunctionEntry
0x18000a068 RtlCaptureContext
0x18000a070 HeapAlloc
0x18000a078 GetLastError
0x18000a080 HeapFree
0x18000a088 RaiseException
0x18000a090 RtlPcToFileHeader
0x18000a098 EncodePointer
0x18000a0a0 DecodePointer
0x18000a0a8 FlsGetValue
0x18000a0b0 FlsFree
0x18000a0b8 SetLastError
0x18000a0c0 FlsAlloc
0x18000a0c8 Sleep
0x18000a0d0 GetModuleHandleW
0x18000a0d8 ExitProcess
0x18000a0e0 SetHandleCount
0x18000a0e8 GetStdHandle
0x18000a0f0 GetFileType
0x18000a0f8 GetStartupInfoA
0x18000a100 DeleteCriticalSection
0x18000a108 GetModuleFileNameA
0x18000a110 FreeEnvironmentStringsA
0x18000a118 GetEnvironmentStrings
0x18000a120 FreeEnvironmentStringsW
0x18000a128 WideCharToMultiByte
0x18000a130 GetEnvironmentStringsW
0x18000a138 HeapSetInformation
0x18000a140 HeapCreate
0x18000a148 HeapDestroy
0x18000a150 RtlUnwindEx
0x18000a158 QueryPerformanceCounter
0x18000a160 GetTickCount
0x18000a168 GetCurrentProcessId
0x18000a170 GetSystemTimeAsFileTime
0x18000a178 WriteFile
0x18000a180 LeaveCriticalSection
0x18000a188 EnterCriticalSection
0x18000a190 HeapSize
0x18000a198 GetCPInfo
0x18000a1a0 GetACP
0x18000a1a8 GetOEMCP
0x18000a1b0 IsValidCodePage
0x18000a1b8 HeapReAlloc
0x18000a1c0 InitializeCriticalSectionAndSpinCount
0x18000a1c8 GetLocaleInfoA
0x18000a1d0 GetStringTypeA
0x18000a1d8 MultiByteToWideChar
0x18000a1e0 GetStringTypeW
0x18000a1e8 LCMapStringA
0x18000a1f0 LCMapStringW
EAT(Export Address Table) Library
0x180001050 GetArphaCrashReport
0x180001050 GetArphaUtils
0x180001050 SetWindowLocalDump
KERNEL32.dll
0x18000a000 GetProcAddress
0x18000a008 LoadLibraryA
0x18000a010 GetModuleHandleA
0x18000a018 GetCurrentThreadId
0x18000a020 FlsSetValue
0x18000a028 GetCommandLineA
0x18000a030 TerminateProcess
0x18000a038 GetCurrentProcess
0x18000a040 UnhandledExceptionFilter
0x18000a048 SetUnhandledExceptionFilter
0x18000a050 IsDebuggerPresent
0x18000a058 RtlVirtualUnwind
0x18000a060 RtlLookupFunctionEntry
0x18000a068 RtlCaptureContext
0x18000a070 HeapAlloc
0x18000a078 GetLastError
0x18000a080 HeapFree
0x18000a088 RaiseException
0x18000a090 RtlPcToFileHeader
0x18000a098 EncodePointer
0x18000a0a0 DecodePointer
0x18000a0a8 FlsGetValue
0x18000a0b0 FlsFree
0x18000a0b8 SetLastError
0x18000a0c0 FlsAlloc
0x18000a0c8 Sleep
0x18000a0d0 GetModuleHandleW
0x18000a0d8 ExitProcess
0x18000a0e0 SetHandleCount
0x18000a0e8 GetStdHandle
0x18000a0f0 GetFileType
0x18000a0f8 GetStartupInfoA
0x18000a100 DeleteCriticalSection
0x18000a108 GetModuleFileNameA
0x18000a110 FreeEnvironmentStringsA
0x18000a118 GetEnvironmentStrings
0x18000a120 FreeEnvironmentStringsW
0x18000a128 WideCharToMultiByte
0x18000a130 GetEnvironmentStringsW
0x18000a138 HeapSetInformation
0x18000a140 HeapCreate
0x18000a148 HeapDestroy
0x18000a150 RtlUnwindEx
0x18000a158 QueryPerformanceCounter
0x18000a160 GetTickCount
0x18000a168 GetCurrentProcessId
0x18000a170 GetSystemTimeAsFileTime
0x18000a178 WriteFile
0x18000a180 LeaveCriticalSection
0x18000a188 EnterCriticalSection
0x18000a190 HeapSize
0x18000a198 GetCPInfo
0x18000a1a0 GetACP
0x18000a1a8 GetOEMCP
0x18000a1b0 IsValidCodePage
0x18000a1b8 HeapReAlloc
0x18000a1c0 InitializeCriticalSectionAndSpinCount
0x18000a1c8 GetLocaleInfoA
0x18000a1d0 GetStringTypeA
0x18000a1d8 MultiByteToWideChar
0x18000a1e0 GetStringTypeW
0x18000a1e8 LCMapStringA
0x18000a1f0 LCMapStringW
EAT(Export Address Table) Library
0x180001050 GetArphaCrashReport
0x180001050 GetArphaUtils
0x180001050 SetWindowLocalDump