ScreenShot
Created | 2024.06.28 12:46 | Machine | s1_win7_x6403 |
Filename | %E5%9B%BD%E5%BA%86%E5%BB%B6%E8%BF%9F%E6%94%BE%E5%81%87%E9%80%9A%E7%9F%A5.exe | ||
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 63 detected (AIDetectMalware, Shelma, tsgG, Windows, CobaltStrike, Malicious, score, CobaltStr, S17675256, GenericKDZ, Unsafe, Genus, Cobalt, gen1, Artifact, EVTS, CozyDuke, CLASSIC, lhumd, Tool, COBEACON, fsibr, Detected, ai score=81, Bulz, SPVV, NDUP, R360995, GenAsa, ZICJWVi3Ujg, Static AI, Malicious PE, susgen, confidence, 100%, Hacktool) | ||
md5 | d0e72468c01cf13b48c0a5ee2a310cb2 | ||
sha256 | 6419aa3ff941635038f6ed18b64b59c413076d33e59782154fa59c65936e3915 | ||
ssdeep | 192:aDMAe4Ckj19RZZ6wpSfu1bKcq5uHj7khBDSeKNH4+mrCyBUbOj6kxiY:aDMAoKz6WtKEj7aBDiKmybAY | ||
imphash | 17b461a082950fc6332228572138b80c | ||
impfuzzy | 24:Q2kfg1JlDzncLb9aa0mezlMC95XGDZ8k1koDquQZn:gfg1jc/bezlzJGV8k1koqz |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
info | One or more processes crashed |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x409244 CloseHandle
0x40924c ConnectNamedPipe
0x409254 CreateFileA
0x40925c CreateNamedPipeA
0x409264 CreateThread
0x40926c DeleteCriticalSection
0x409274 EnterCriticalSection
0x40927c GetCurrentProcess
0x409284 GetCurrentProcessId
0x40928c GetCurrentThreadId
0x409294 GetLastError
0x40929c GetModuleHandleA
0x4092a4 GetProcAddress
0x4092ac GetStartupInfoA
0x4092b4 GetSystemTimeAsFileTime
0x4092bc GetTickCount
0x4092c4 InitializeCriticalSection
0x4092cc LeaveCriticalSection
0x4092d4 LoadLibraryW
0x4092dc QueryPerformanceCounter
0x4092e4 ReadFile
0x4092ec RtlAddFunctionTable
0x4092f4 RtlCaptureContext
0x4092fc RtlLookupFunctionEntry
0x409304 RtlVirtualUnwind
0x40930c SetUnhandledExceptionFilter
0x409314 Sleep
0x40931c TerminateProcess
0x409324 TlsGetValue
0x40932c UnhandledExceptionFilter
0x409334 VirtualAlloc
0x40933c VirtualProtect
0x409344 VirtualQuery
0x40934c WriteFile
msvcrt.dll
0x40935c __C_specific_handler
0x409364 __dllonexit
0x40936c __getmainargs
0x409374 __initenv
0x40937c __iob_func
0x409384 __lconv_init
0x40938c __set_app_type
0x409394 __setusermatherr
0x40939c _acmdln
0x4093a4 _amsg_exit
0x4093ac _cexit
0x4093b4 _fmode
0x4093bc _initterm
0x4093c4 _lock
0x4093cc _onexit
0x4093d4 _unlock
0x4093dc abort
0x4093e4 calloc
0x4093ec exit
0x4093f4 fprintf
0x4093fc free
0x409404 fwrite
0x40940c malloc
0x409414 memcpy
0x40941c signal
0x409424 sprintf
0x40942c strlen
0x409434 strncmp
0x40943c vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x409244 CloseHandle
0x40924c ConnectNamedPipe
0x409254 CreateFileA
0x40925c CreateNamedPipeA
0x409264 CreateThread
0x40926c DeleteCriticalSection
0x409274 EnterCriticalSection
0x40927c GetCurrentProcess
0x409284 GetCurrentProcessId
0x40928c GetCurrentThreadId
0x409294 GetLastError
0x40929c GetModuleHandleA
0x4092a4 GetProcAddress
0x4092ac GetStartupInfoA
0x4092b4 GetSystemTimeAsFileTime
0x4092bc GetTickCount
0x4092c4 InitializeCriticalSection
0x4092cc LeaveCriticalSection
0x4092d4 LoadLibraryW
0x4092dc QueryPerformanceCounter
0x4092e4 ReadFile
0x4092ec RtlAddFunctionTable
0x4092f4 RtlCaptureContext
0x4092fc RtlLookupFunctionEntry
0x409304 RtlVirtualUnwind
0x40930c SetUnhandledExceptionFilter
0x409314 Sleep
0x40931c TerminateProcess
0x409324 TlsGetValue
0x40932c UnhandledExceptionFilter
0x409334 VirtualAlloc
0x40933c VirtualProtect
0x409344 VirtualQuery
0x40934c WriteFile
msvcrt.dll
0x40935c __C_specific_handler
0x409364 __dllonexit
0x40936c __getmainargs
0x409374 __initenv
0x40937c __iob_func
0x409384 __lconv_init
0x40938c __set_app_type
0x409394 __setusermatherr
0x40939c _acmdln
0x4093a4 _amsg_exit
0x4093ac _cexit
0x4093b4 _fmode
0x4093bc _initterm
0x4093c4 _lock
0x4093cc _onexit
0x4093d4 _unlock
0x4093dc abort
0x4093e4 calloc
0x4093ec exit
0x4093f4 fprintf
0x4093fc free
0x409404 fwrite
0x40940c malloc
0x409414 memcpy
0x40941c signal
0x409424 sprintf
0x40942c strlen
0x409434 strncmp
0x40943c vfprintf
EAT(Export Address Table) is none