ScreenShot
| Created | 2024.07.04 17:03 | Machine | s1_win7_x6403 |
| Filename | UtilityR.dll | ||
| Type | PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 49 detected (AIDetectMalware, Windows, CobaltStrike, Malicious, score, Zusy, Unsafe, Cobalt, Artifact, CLASSIC, AGEN, COBEACON, Detected, ai score=80, Eldorado, R374111, GdSda, Static AI, Malicious PE, susgen, confidence, 100%) | ||
| md5 | 09a621243e242bc725c811cd4efac771 | ||
| sha256 | cf6676b304dca69f8db2e63f86f794292598cd33a4381590055225e800339f08 | ||
| ssdeep | 6144:Uayxa+H79xJBx1jrVRHBJqcxxDLU0kB2Q5vroy6u:Ufs+HRxJ1jJ3o2s0kBbNUx | ||
| imphash | a17186a0dbc86b565628d4a9b8c9cc17 | ||
| impfuzzy | 12:QB8wRJR+5TZnJ2cDkiiARZqRJh7aa0uPXJNiXJGqYU4aRa91KpJqiGxiZn:Q2kfg1JlDdncJ9aa0mez4P91OqiGQZn | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x6bb141cc CloseHandle
0x6bb141d4 ConnectNamedPipe
0x6bb141dc CreateFileA
0x6bb141e4 CreateNamedPipeA
0x6bb141ec CreateThread
0x6bb141f4 DeleteCriticalSection
0x6bb141fc EnterCriticalSection
0x6bb14204 GetCurrentProcess
0x6bb1420c GetCurrentProcessId
0x6bb14214 GetCurrentThreadId
0x6bb1421c GetLastError
0x6bb14224 GetModuleHandleA
0x6bb1422c GetProcAddress
0x6bb14234 GetSystemTimeAsFileTime
0x6bb1423c GetTickCount
0x6bb14244 InitializeCriticalSection
0x6bb1424c LeaveCriticalSection
0x6bb14254 QueryPerformanceCounter
0x6bb1425c ReadFile
0x6bb14264 RtlAddFunctionTable
0x6bb1426c RtlCaptureContext
0x6bb14274 RtlLookupFunctionEntry
0x6bb1427c RtlVirtualUnwind
0x6bb14284 SetUnhandledExceptionFilter
0x6bb1428c Sleep
0x6bb14294 TerminateProcess
0x6bb1429c TlsGetValue
0x6bb142a4 UnhandledExceptionFilter
0x6bb142ac VirtualAlloc
0x6bb142b4 VirtualProtect
0x6bb142bc VirtualQuery
0x6bb142c4 WriteFile
msvcrt.dll
0x6bb142d4 __iob_func
0x6bb142dc _amsg_exit
0x6bb142e4 _initterm
0x6bb142ec _lock
0x6bb142f4 _unlock
0x6bb142fc abort
0x6bb14304 calloc
0x6bb1430c free
0x6bb14314 fwrite
0x6bb1431c malloc
0x6bb14324 realloc
0x6bb1432c signal
0x6bb14334 sprintf
0x6bb1433c strlen
0x6bb14344 strncmp
0x6bb1434c vfprintf
EAT(Export Address Table) Library
0x6bac169b DllGetClassObject
0x6bac1657 DllMain
0x6bac1695 DllRegisterServer
0x6bac1698 DllUnregisterServer
0x6bac16a4 StartW
KERNEL32.dll
0x6bb141cc CloseHandle
0x6bb141d4 ConnectNamedPipe
0x6bb141dc CreateFileA
0x6bb141e4 CreateNamedPipeA
0x6bb141ec CreateThread
0x6bb141f4 DeleteCriticalSection
0x6bb141fc EnterCriticalSection
0x6bb14204 GetCurrentProcess
0x6bb1420c GetCurrentProcessId
0x6bb14214 GetCurrentThreadId
0x6bb1421c GetLastError
0x6bb14224 GetModuleHandleA
0x6bb1422c GetProcAddress
0x6bb14234 GetSystemTimeAsFileTime
0x6bb1423c GetTickCount
0x6bb14244 InitializeCriticalSection
0x6bb1424c LeaveCriticalSection
0x6bb14254 QueryPerformanceCounter
0x6bb1425c ReadFile
0x6bb14264 RtlAddFunctionTable
0x6bb1426c RtlCaptureContext
0x6bb14274 RtlLookupFunctionEntry
0x6bb1427c RtlVirtualUnwind
0x6bb14284 SetUnhandledExceptionFilter
0x6bb1428c Sleep
0x6bb14294 TerminateProcess
0x6bb1429c TlsGetValue
0x6bb142a4 UnhandledExceptionFilter
0x6bb142ac VirtualAlloc
0x6bb142b4 VirtualProtect
0x6bb142bc VirtualQuery
0x6bb142c4 WriteFile
msvcrt.dll
0x6bb142d4 __iob_func
0x6bb142dc _amsg_exit
0x6bb142e4 _initterm
0x6bb142ec _lock
0x6bb142f4 _unlock
0x6bb142fc abort
0x6bb14304 calloc
0x6bb1430c free
0x6bb14314 fwrite
0x6bb1431c malloc
0x6bb14324 realloc
0x6bb1432c signal
0x6bb14334 sprintf
0x6bb1433c strlen
0x6bb14344 strncmp
0x6bb1434c vfprintf
EAT(Export Address Table) Library
0x6bac169b DllGetClassObject
0x6bac1657 DllMain
0x6bac1695 DllRegisterServer
0x6bac1698 DllUnregisterServer
0x6bac16a4 StartW