ScreenShot
| Created | 2024.07.11 13:22 | Machine | s1_win7_x6401 |
| Filename | get.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 46 detected (Mimikatz, malicious, high confidence, score, HackTool, WinCred, Unsafe, Volf, Attribute, HighConfidence, Artemis, TrojanPSW, CLOUD, dtesv, R002C0WGA24, Detected, ai score=85, Casdet, ABPWS, FQPH, QQPass, QQRob, Zmhl, confidence) | ||
| md5 | abd6cc945e157b48ef90264ae5f68baa | ||
| sha256 | 1ea8a5f2df236371911746419fdeff66a2c0a05775f6903edc601bef18fe653a | ||
| ssdeep | 3072:nOWUkPfx7BEwu8MsYPLci07XfW8n7nTPEFSV0/AUa/Jx:OXy7hkAv77T0APhx | ||
| imphash | eee578c5d99370b6fc07f9b170ea3b63 | ||
| impfuzzy | 24:tzsPhSo0gS05oLkz8B6Yq8MKcxfu9QHWzWl9UdS1o0qt1UJncplTDoTg2EOovbO4:FsPhjhvYdIOA9UdS1Yt1EcpugS3Snz | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| watch | Locates and dumps memory from the lsass.exe process indicative of credential dumping |
| watch | Requests access to read memory contents of lsass.exe potentially indicative of credential dumping |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ntdll.dll
0x140016318 RtlAdjustPrivilege
0x140016320 NtQueryInformationProcess
0x140016328 RtlEqualString
0x140016330 NtQuerySystemInformation
0x140016338 RtlGetNtVersionNumbers
advapi32.dll
0x1400162f8 A_SHAInit
0x140016300 A_SHAUpdate
0x140016308 A_SHAFinal
ADVAPI32.dll
0x140016000 IsTextUnicode
0x140016008 CredFree
0x140016010 CredUnmarshalCredentialW
0x140016018 ConvertSidToStringSidW
0x140016020 GetUserNameW
0x140016028 CredIsMarshaledCredentialW
RPCRT4.dll
0x1400162b8 NdrMesTypeDecode2
0x1400162c0 NdrMesTypeFree2
0x1400162c8 MesHandleFree
0x1400162d0 MesIncrementalHandleReset
0x1400162d8 MesDecodeIncrementalHandleCreate
USER32.dll
0x1400162e8 IsCharAlphaNumericW
KERNEL32.dll
0x140016038 HeapReAlloc
0x140016040 SetFilePointerEx
0x140016048 GetConsoleMode
0x140016050 WriteConsoleW
0x140016058 CreateFileW
0x140016060 GetSystemInfo
0x140016068 VirtualQuery
0x140016070 LoadLibraryExA
0x140016078 HeapSize
0x140016080 DeleteCriticalSection
0x140016088 GetConsoleCP
0x140016090 FlushFileBuffers
0x140016098 GetProcessHeap
0x1400160a0 GetStringTypeW
0x1400160a8 SetStdHandle
0x1400160b0 SetEnvironmentVariableW
0x1400160b8 FreeEnvironmentStringsW
0x1400160c0 GetEnvironmentStringsW
0x1400160c8 VirtualProtect
0x1400160d0 GetCurrentProcess
0x1400160d8 LocalAlloc
0x1400160e0 OpenProcess
0x1400160e8 GetLastError
0x1400160f0 FileTimeToSystemTime
0x1400160f8 CloseHandle
0x140016100 FileTimeToLocalFileTime
0x140016108 LocalFree
0x140016110 GetTimeFormatW
0x140016118 ReadProcessMemory
0x140016120 FreeLibrary
0x140016128 GetDateFormatW
0x140016130 QueryPerformanceCounter
0x140016138 GetCurrentProcessId
0x140016140 GetCurrentThreadId
0x140016148 GetSystemTimeAsFileTime
0x140016150 InitializeSListHead
0x140016158 RtlCaptureContext
0x140016160 RtlLookupFunctionEntry
0x140016168 RtlVirtualUnwind
0x140016170 IsDebuggerPresent
0x140016178 UnhandledExceptionFilter
0x140016180 SetUnhandledExceptionFilter
0x140016188 GetStartupInfoW
0x140016190 IsProcessorFeaturePresent
0x140016198 GetModuleHandleW
0x1400161a0 GetCPInfo
0x1400161a8 RtlUnwindEx
0x1400161b0 SetLastError
0x1400161b8 EnterCriticalSection
0x1400161c0 LeaveCriticalSection
0x1400161c8 InitializeCriticalSectionAndSpinCount
0x1400161d0 TlsAlloc
0x1400161d8 TlsGetValue
0x1400161e0 TlsSetValue
0x1400161e8 TlsFree
0x1400161f0 GetProcAddress
0x1400161f8 LoadLibraryExW
0x140016200 RaiseException
0x140016208 GetStdHandle
0x140016210 WriteFile
0x140016218 GetModuleFileNameW
0x140016220 MultiByteToWideChar
0x140016228 WideCharToMultiByte
0x140016230 ExitProcess
0x140016238 TerminateProcess
0x140016240 GetModuleHandleExW
0x140016248 GetCommandLineA
0x140016250 GetCommandLineW
0x140016258 GetACP
0x140016260 HeapAlloc
0x140016268 HeapFree
0x140016270 CompareStringW
0x140016278 LCMapStringW
0x140016280 GetFileType
0x140016288 FindClose
0x140016290 FindFirstFileExW
0x140016298 FindNextFileW
0x1400162a0 IsValidCodePage
0x1400162a8 GetOEMCP
EAT(Export Address Table) is none
ntdll.dll
0x140016318 RtlAdjustPrivilege
0x140016320 NtQueryInformationProcess
0x140016328 RtlEqualString
0x140016330 NtQuerySystemInformation
0x140016338 RtlGetNtVersionNumbers
advapi32.dll
0x1400162f8 A_SHAInit
0x140016300 A_SHAUpdate
0x140016308 A_SHAFinal
ADVAPI32.dll
0x140016000 IsTextUnicode
0x140016008 CredFree
0x140016010 CredUnmarshalCredentialW
0x140016018 ConvertSidToStringSidW
0x140016020 GetUserNameW
0x140016028 CredIsMarshaledCredentialW
RPCRT4.dll
0x1400162b8 NdrMesTypeDecode2
0x1400162c0 NdrMesTypeFree2
0x1400162c8 MesHandleFree
0x1400162d0 MesIncrementalHandleReset
0x1400162d8 MesDecodeIncrementalHandleCreate
USER32.dll
0x1400162e8 IsCharAlphaNumericW
KERNEL32.dll
0x140016038 HeapReAlloc
0x140016040 SetFilePointerEx
0x140016048 GetConsoleMode
0x140016050 WriteConsoleW
0x140016058 CreateFileW
0x140016060 GetSystemInfo
0x140016068 VirtualQuery
0x140016070 LoadLibraryExA
0x140016078 HeapSize
0x140016080 DeleteCriticalSection
0x140016088 GetConsoleCP
0x140016090 FlushFileBuffers
0x140016098 GetProcessHeap
0x1400160a0 GetStringTypeW
0x1400160a8 SetStdHandle
0x1400160b0 SetEnvironmentVariableW
0x1400160b8 FreeEnvironmentStringsW
0x1400160c0 GetEnvironmentStringsW
0x1400160c8 VirtualProtect
0x1400160d0 GetCurrentProcess
0x1400160d8 LocalAlloc
0x1400160e0 OpenProcess
0x1400160e8 GetLastError
0x1400160f0 FileTimeToSystemTime
0x1400160f8 CloseHandle
0x140016100 FileTimeToLocalFileTime
0x140016108 LocalFree
0x140016110 GetTimeFormatW
0x140016118 ReadProcessMemory
0x140016120 FreeLibrary
0x140016128 GetDateFormatW
0x140016130 QueryPerformanceCounter
0x140016138 GetCurrentProcessId
0x140016140 GetCurrentThreadId
0x140016148 GetSystemTimeAsFileTime
0x140016150 InitializeSListHead
0x140016158 RtlCaptureContext
0x140016160 RtlLookupFunctionEntry
0x140016168 RtlVirtualUnwind
0x140016170 IsDebuggerPresent
0x140016178 UnhandledExceptionFilter
0x140016180 SetUnhandledExceptionFilter
0x140016188 GetStartupInfoW
0x140016190 IsProcessorFeaturePresent
0x140016198 GetModuleHandleW
0x1400161a0 GetCPInfo
0x1400161a8 RtlUnwindEx
0x1400161b0 SetLastError
0x1400161b8 EnterCriticalSection
0x1400161c0 LeaveCriticalSection
0x1400161c8 InitializeCriticalSectionAndSpinCount
0x1400161d0 TlsAlloc
0x1400161d8 TlsGetValue
0x1400161e0 TlsSetValue
0x1400161e8 TlsFree
0x1400161f0 GetProcAddress
0x1400161f8 LoadLibraryExW
0x140016200 RaiseException
0x140016208 GetStdHandle
0x140016210 WriteFile
0x140016218 GetModuleFileNameW
0x140016220 MultiByteToWideChar
0x140016228 WideCharToMultiByte
0x140016230 ExitProcess
0x140016238 TerminateProcess
0x140016240 GetModuleHandleExW
0x140016248 GetCommandLineA
0x140016250 GetCommandLineW
0x140016258 GetACP
0x140016260 HeapAlloc
0x140016268 HeapFree
0x140016270 CompareStringW
0x140016278 LCMapStringW
0x140016280 GetFileType
0x140016288 FindClose
0x140016290 FindFirstFileExW
0x140016298 FindNextFileW
0x1400162a0 IsValidCodePage
0x1400162a8 GetOEMCP
EAT(Export Address Table) is none