ScreenShot
| Created | 2024.07.19 13:04 | Machine | s1_win7_x6401 |
| Filename | safe_shell.shc.exe | ||
| Type | MS-DOS executable, MZ for MS-DOS | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 42 detected (AIDetectMalware, Loader, Marte, Unsafe, Androm, Vaxf, malicious, Attribute, HighConfidence, Artemis, MalwareX, vrxi, YzY0Osgm5GUpjuEX, owaro, Swrort, Nekark, Detected, ai score=86, Wacatac, ABTrojan, UUZN, Chgt, R002H09GI24, Static AI, Malicious PE, PossibleThreat, PALLAS, confidence, 100%, MSDOS, Labqct) | ||
| md5 | 0b6072d47b53fa8d3f9b28b449192dcc | ||
| sha256 | fb551ab74d9835dbaa9c305b206aa8ceec12ade2c82a947f9907d9284b3bb218 | ||
| ssdeep | 24576:GkX39LoEpiCMd/OZBsarEyAB03srHdyyt72Ph1B4JhkeXQ4p+pbReM1/:XX34wFdh/ | ||
| imphash | 71494fb0ade76fa6ddf8a602a1b6028c | ||
| impfuzzy | 24:TOK02tMSYEoeDachyJnc+plv81oIOovbOdmXuFZMv4/MtMjHrTezZHu9P1:TO+tMSGncAc+pG1e3dMuFZGo1 | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1401b0000 VirtualAlloc
0x1401b0008 GetCurrentThreadId
0x1401b0010 IsDebuggerPresent
0x1401b0018 RaiseException
0x1401b0020 MultiByteToWideChar
0x1401b0028 WideCharToMultiByte
0x1401b0030 RtlCaptureContext
0x1401b0038 RtlLookupFunctionEntry
0x1401b0040 RtlVirtualUnwind
0x1401b0048 UnhandledExceptionFilter
0x1401b0050 SetUnhandledExceptionFilter
0x1401b0058 GetCurrentProcess
0x1401b0060 TerminateProcess
0x1401b0068 IsProcessorFeaturePresent
0x1401b0070 QueryPerformanceCounter
0x1401b0078 GetCurrentProcessId
0x1401b0080 GetSystemTimeAsFileTime
0x1401b0088 InitializeSListHead
0x1401b0090 GetStartupInfoW
0x1401b0098 GetModuleHandleW
0x1401b00a0 GetLastError
0x1401b00a8 HeapAlloc
0x1401b00b0 HeapFree
0x1401b00b8 GetProcessHeap
0x1401b00c0 VirtualQuery
0x1401b00c8 FreeLibrary
0x1401b00d0 GetProcAddress
0x1401b00d8 CreateFileW
0x1401b00e0 RtlUnwindEx
0x1401b00e8 InterlockedPushEntrySList
0x1401b00f0 InterlockedFlushSList
0x1401b00f8 GetModuleFileNameW
0x1401b0100 LoadLibraryExW
0x1401b0108 SetLastError
0x1401b0110 EnterCriticalSection
0x1401b0118 LeaveCriticalSection
0x1401b0120 DeleteCriticalSection
0x1401b0128 InitializeCriticalSectionAndSpinCount
0x1401b0130 TlsAlloc
0x1401b0138 TlsGetValue
0x1401b0140 TlsSetValue
0x1401b0148 TlsFree
0x1401b0150 EncodePointer
0x1401b0158 RtlPcToFileHeader
0x1401b0160 CloseHandle
0x1401b0168 DuplicateHandle
0x1401b0170 CreateProcessW
0x1401b0178 ExitProcess
0x1401b0180 GetModuleHandleExW
0x1401b0188 GetStdHandle
0x1401b0190 WriteFile
0x1401b0198 GetCommandLineA
0x1401b01a0 GetCommandLineW
0x1401b01a8 HeapSize
0x1401b01b0 HeapValidate
0x1401b01b8 GetSystemInfo
0x1401b01c0 GetTempPathW
0x1401b01c8 FlsAlloc
0x1401b01d0 FlsGetValue
0x1401b01d8 FlsSetValue
0x1401b01e0 FlsFree
0x1401b01e8 GetDateFormatW
0x1401b01f0 GetTimeFormatW
0x1401b01f8 CompareStringW
0x1401b0200 LCMapStringW
0x1401b0208 GetLocaleInfoW
0x1401b0210 IsValidLocale
0x1401b0218 GetUserDefaultLCID
0x1401b0220 EnumSystemLocalesW
0x1401b0228 GetFileType
0x1401b0230 ReadFile
0x1401b0238 GetConsoleMode
0x1401b0240 ReadConsoleW
0x1401b0248 SetStdHandle
0x1401b0250 GetConsoleOutputCP
0x1401b0258 GetCurrentThread
0x1401b0260 WaitForSingleObject
0x1401b0268 GetExitCodeProcess
0x1401b0270 GetFileAttributesExW
0x1401b0278 CreatePipe
0x1401b0280 OutputDebugStringW
0x1401b0288 WriteConsoleW
0x1401b0290 SetConsoleCtrlHandler
0x1401b0298 FindClose
0x1401b02a0 FindFirstFileExW
0x1401b02a8 FindNextFileW
0x1401b02b0 IsValidCodePage
0x1401b02b8 GetACP
0x1401b02c0 GetOEMCP
0x1401b02c8 GetCPInfo
0x1401b02d0 GetEnvironmentStringsW
0x1401b02d8 FreeEnvironmentStringsW
0x1401b02e0 SetEnvironmentVariableW
0x1401b02e8 GetStringTypeW
0x1401b02f0 HeapReAlloc
0x1401b02f8 HeapQueryInformation
0x1401b0300 FlushFileBuffers
0x1401b0308 SetFilePointerEx
0x1401b0310 GetFileSizeEx
0x1401b0318 RtlUnwind
EAT(Export Address Table) is none
KERNEL32.dll
0x1401b0000 VirtualAlloc
0x1401b0008 GetCurrentThreadId
0x1401b0010 IsDebuggerPresent
0x1401b0018 RaiseException
0x1401b0020 MultiByteToWideChar
0x1401b0028 WideCharToMultiByte
0x1401b0030 RtlCaptureContext
0x1401b0038 RtlLookupFunctionEntry
0x1401b0040 RtlVirtualUnwind
0x1401b0048 UnhandledExceptionFilter
0x1401b0050 SetUnhandledExceptionFilter
0x1401b0058 GetCurrentProcess
0x1401b0060 TerminateProcess
0x1401b0068 IsProcessorFeaturePresent
0x1401b0070 QueryPerformanceCounter
0x1401b0078 GetCurrentProcessId
0x1401b0080 GetSystemTimeAsFileTime
0x1401b0088 InitializeSListHead
0x1401b0090 GetStartupInfoW
0x1401b0098 GetModuleHandleW
0x1401b00a0 GetLastError
0x1401b00a8 HeapAlloc
0x1401b00b0 HeapFree
0x1401b00b8 GetProcessHeap
0x1401b00c0 VirtualQuery
0x1401b00c8 FreeLibrary
0x1401b00d0 GetProcAddress
0x1401b00d8 CreateFileW
0x1401b00e0 RtlUnwindEx
0x1401b00e8 InterlockedPushEntrySList
0x1401b00f0 InterlockedFlushSList
0x1401b00f8 GetModuleFileNameW
0x1401b0100 LoadLibraryExW
0x1401b0108 SetLastError
0x1401b0110 EnterCriticalSection
0x1401b0118 LeaveCriticalSection
0x1401b0120 DeleteCriticalSection
0x1401b0128 InitializeCriticalSectionAndSpinCount
0x1401b0130 TlsAlloc
0x1401b0138 TlsGetValue
0x1401b0140 TlsSetValue
0x1401b0148 TlsFree
0x1401b0150 EncodePointer
0x1401b0158 RtlPcToFileHeader
0x1401b0160 CloseHandle
0x1401b0168 DuplicateHandle
0x1401b0170 CreateProcessW
0x1401b0178 ExitProcess
0x1401b0180 GetModuleHandleExW
0x1401b0188 GetStdHandle
0x1401b0190 WriteFile
0x1401b0198 GetCommandLineA
0x1401b01a0 GetCommandLineW
0x1401b01a8 HeapSize
0x1401b01b0 HeapValidate
0x1401b01b8 GetSystemInfo
0x1401b01c0 GetTempPathW
0x1401b01c8 FlsAlloc
0x1401b01d0 FlsGetValue
0x1401b01d8 FlsSetValue
0x1401b01e0 FlsFree
0x1401b01e8 GetDateFormatW
0x1401b01f0 GetTimeFormatW
0x1401b01f8 CompareStringW
0x1401b0200 LCMapStringW
0x1401b0208 GetLocaleInfoW
0x1401b0210 IsValidLocale
0x1401b0218 GetUserDefaultLCID
0x1401b0220 EnumSystemLocalesW
0x1401b0228 GetFileType
0x1401b0230 ReadFile
0x1401b0238 GetConsoleMode
0x1401b0240 ReadConsoleW
0x1401b0248 SetStdHandle
0x1401b0250 GetConsoleOutputCP
0x1401b0258 GetCurrentThread
0x1401b0260 WaitForSingleObject
0x1401b0268 GetExitCodeProcess
0x1401b0270 GetFileAttributesExW
0x1401b0278 CreatePipe
0x1401b0280 OutputDebugStringW
0x1401b0288 WriteConsoleW
0x1401b0290 SetConsoleCtrlHandler
0x1401b0298 FindClose
0x1401b02a0 FindFirstFileExW
0x1401b02a8 FindNextFileW
0x1401b02b0 IsValidCodePage
0x1401b02b8 GetACP
0x1401b02c0 GetOEMCP
0x1401b02c8 GetCPInfo
0x1401b02d0 GetEnvironmentStringsW
0x1401b02d8 FreeEnvironmentStringsW
0x1401b02e0 SetEnvironmentVariableW
0x1401b02e8 GetStringTypeW
0x1401b02f0 HeapReAlloc
0x1401b02f8 HeapQueryInformation
0x1401b0300 FlushFileBuffers
0x1401b0308 SetFilePointerEx
0x1401b0310 GetFileSizeEx
0x1401b0318 RtlUnwind
EAT(Export Address Table) is none