Field | Value |
---|---|
Created | 2024.06.19 14:20 |
Machine | s1_win7_x6401 |
Filename | invoice.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : clean |
VT API (file) | 24 detected (AIDetectMalware, malicious, high confidence, score, Unsafe, kcakpf, Generic@AI, RDML, rHXKkKuGL6dt4T681JXXLA, Real Protect, high, Detected, Wacatac, ZexaF, nq3@aerCP3e, Gencirc, Static AI, Suspicious PE, MxResIcn, confidence) |
md5 | dfc21ed56aafad102fd6b985a15f8423 |
sha256 | 81ff684b35cd19013c8a0ff8a4b01ea2932e11debba1be2cd058539742d0491a |
ssdeep | 3072:lkAn8TlyyzWmbQoOzKyLR6n4BCHwjqWRwZnqsCwYLA:l18hyCCKyLRZZRw5qtLA |
imphash | c4b8b0aba9f9c876ca624bdbda64d516 |
impfuzzy | 24:YjXIY1WZSPOT+OovMRv4QrD+gv8ENEbwdn:u48OTJr0xbKn |
Signature (11cnts)
Level | Description |
---|---|
warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
watch | Creates an Alternate Data Stream (ADS) |
watch | Creates known Upatre files |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | One or more processes crashed |
info | The executable uses a known packer |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
No network requests were recorded for this sample.
Suricata ids
PE API
IAT (Import Address Table)
KERNEL32.dll
0x40f000 CloseHandle
0x40f004 WaitForSingleObject
0x40f008 Sleep
0x40f00c CreateDirectoryA
0x40f010 GetTempPathA
0x40f014 GetModuleFileNameA
0x40f018 GetVolumeInformationA
0x40f01c GetTickCount
0x40f020 LCMapStringA
0x40f024 SetEndOfFile
0x40f028 LoadLibraryA
0x40f02c GetOEMCP
0x40f030 GetACP
0x40f034 GetCPInfo
0x40f038 GetLastError
0x40f03c DeleteFileA
0x40f040 ExitProcess
0x40f044 TerminateProcess
0x40f048 GetCurrentProcess
0x40f04c GetModuleHandleA
0x40f050 GetStartupInfoA
0x40f054 GetCommandLineA
0x40f058 GetVersion
0x40f05c SetHandleCount
0x40f060 GetStdHandle
0x40f064 GetFileType
0x40f068 ReadFile
0x40f06c SetFilePointer
0x40f070 HeapFree
0x40f074 WriteFile
0x40f078 GetProcAddress
0x40f07c UnhandledExceptionFilter
0x40f080 FreeEnvironmentStringsA
0x40f084 FreeEnvironmentStringsW
0x40f088 WideCharToMultiByte
0x40f08c GetEnvironmentStrings
0x40f090 GetEnvironmentStringsW
0x40f094 HeapDestroy
0x40f098 HeapCreate
0x40f09c VirtualFree
0x40f0a0 RtlUnwind
0x40f0a4 HeapAlloc
0x40f0a8 SetStdHandle
0x40f0ac VirtualAlloc
0x40f0b0 HeapReAlloc
0x40f0b4 FlushFileBuffers
0x40f0b8 CreateFileA
0x40f0bc MultiByteToWideChar
0x40f0c0 GetStringTypeA
0x40f0c4 GetStringTypeW
0x40f0c8 LCMapStringW
USER32.dll
0x40f0d8 MessageBoxA
SHELL32.dll
0x40f0d0 ShellExecuteExA
WINMM.dll
0x40f0e0 timeGetTime
EAT (Export Address Table): none