Field | Value |
---|---|
Created | 2024.07.11 13:35 |
Machine | s1_win7_x6403 |
Filename | rev.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
ZERO API | file : malicious |
VT API (file) | 19 detected (AIDetectMalware, malicious, moderate confidence, score, Unsafe, Attribute, HighConfidence, Outbreak, Detected, Wacapew, Static AI, Suspicious PE, susgen, confidence) |
md5 | 35f6193692dc722a7b3384ccd2ab6778 |
sha256 | 0e9730e45457039d8ccccb70ce5bb67227bb4e10c94ced404fcc250a6732e6f6 |
ssdeep | 12288:8wJfSbg6CyI8nPSueJdUqmrYaKKyYIqX/6a2jsWWW72iQdlTz7Q6zP9YRaFuaicr:BkbSuYOyYlXCjQZzqRoPi9shwjVugW |
imphash | 4f2f006e2ecf7172ad368f8289dc96c1 |
impfuzzy | 24:ibVjh9wO+VuT7boVaXOr6kwmDgUPMztxdEr6tP:AwO+VUjXOmokx0oP |
Signature (3cnts)
Level | Description |
---|---|
watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
PE API
IAT (Import Address Table) Library
kernel32.dll
0x558160 WriteFile
0x558168 WriteConsoleW
0x558170 WerSetFlags
0x558178 WerGetFlags
0x558180 WaitForMultipleObjects
0x558188 WaitForSingleObject
0x558190 VirtualQuery
0x558198 VirtualFree
0x5581a0 VirtualAlloc
0x5581a8 TlsAlloc
0x5581b0 SwitchToThread
0x5581b8 SuspendThread
0x5581c0 SetWaitableTimer
0x5581c8 SetUnhandledExceptionFilter
0x5581d0 SetProcessPriorityBoost
0x5581d8 SetEvent
0x5581e0 SetErrorMode
0x5581e8 SetConsoleCtrlHandler
0x5581f0 ResumeThread
0x5581f8 RaiseFailFastException
0x558200 PostQueuedCompletionStatus
0x558208 LoadLibraryW
0x558210 LoadLibraryExW
0x558218 SetThreadContext
0x558220 GetThreadContext
0x558228 GetSystemInfo
0x558230 GetSystemDirectoryA
0x558238 GetStdHandle
0x558240 GetQueuedCompletionStatusEx
0x558248 GetProcessAffinityMask
0x558250 GetProcAddress
0x558258 GetErrorMode
0x558260 GetEnvironmentStringsW
0x558268 GetCurrentThreadId
0x558270 GetConsoleMode
0x558278 FreeEnvironmentStringsW
0x558280 ExitProcess
0x558288 DuplicateHandle
0x558290 CreateWaitableTimerExW
0x558298 CreateThread
0x5582a0 CreateIoCompletionPort
0x5582a8 CreateFileA
0x5582b0 CreateEventA
0x5582b8 CloseHandle
0x5582c0 AddVectoredExceptionHandler
EAT (Export Address Table) is none