ScreenShot
| Created | 2024.07.20 20:01 | Machine | s1_win7_x6401 |
| Filename | mimispool.dll | ||
| Type | PE32 executable (DLL) (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 58 detected (AIDetectMalware, Mimikatz, malicious, high confidence, score, Generic PWS, GenericKD, Unsafe, Genus, Hacktool, CVE-2021-1675, TrojanPSW, jsofqy, Z7hKCBfrpcB, Tool, HKTL, Detected, ai score=100, Wacatac, ApplicUnwnt@#4mbx9xtgpfrg, ABTrojan, JRAC, R445129, ZedlaF, au8@amD1SJii, Gencirc, confidence, 100%) | ||
| md5 | dab7a18b02399053ba3ff1e568789fce | ||
| sha256 | 05842de51ede327c0f55df963f6de4e32ab88f43a73b9e0e1d827bc70199eff0 | ||
| ssdeep | 192:I191rqbIcL9uD3nhKlWUEHRl1RtnIDKwIb/DtC0uolZC7:RRgDXhKAUQlftO6tC0uols | ||
| imphash | 3d9268f54e37cd480a12f0595aa6b437 | ||
| impfuzzy | 12:otNPKjDBIz0syVJMLkt8Fsu8wQTZBzhPPXJwGJVXJUwTdYwd9+V1sJqMD:oK6z0sAJMLk65Q1Bz9/JVJRdcEq2 | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x10002000 CreateProcessAsUserW
0x10002004 SetTokenInformation
0x10002008 DuplicateTokenEx
0x1000200c OpenProcessToken
USERENV.dll
0x10002054 CreateEnvironmentBlock
0x10002058 DestroyEnvironmentBlock
WINSTA.dll
0x10002060 WinStationEnumerateW
0x10002064 WinStationFreeMemory
KERNEL32.dll
0x10002014 GetCurrentProcessId
0x10002018 GetCurrentThreadId
0x1000201c GetTickCount
0x10002020 QueryPerformanceCounter
0x10002024 SetUnhandledExceptionFilter
0x10002028 GetCurrentProcess
0x1000202c SetLastError
0x10002030 CloseHandle
0x10002034 UnhandledExceptionFilter
0x10002038 TerminateProcess
0x1000203c InterlockedCompareExchange
0x10002040 Sleep
0x10002044 InterlockedExchange
0x10002048 RtlUnwind
0x1000204c GetSystemTimeAsFileTime
msvcrt.dll
0x1000206c memset
0x10002070 _XcptFilter
0x10002074 malloc
0x10002078 free
0x1000207c _initterm
0x10002080 _amsg_exit
EAT(Export Address Table) Library
0x10001012 DrvDisableDriver
0x1000104c DrvEnableDriver
0x10001013 DrvQueryDriverInfo
0x10001012 DrvResetConfigCache
0x1000107e GenerateCopyFilePaths
0x10001083 SpoolerCopyFileEvent
ADVAPI32.dll
0x10002000 CreateProcessAsUserW
0x10002004 SetTokenInformation
0x10002008 DuplicateTokenEx
0x1000200c OpenProcessToken
USERENV.dll
0x10002054 CreateEnvironmentBlock
0x10002058 DestroyEnvironmentBlock
WINSTA.dll
0x10002060 WinStationEnumerateW
0x10002064 WinStationFreeMemory
KERNEL32.dll
0x10002014 GetCurrentProcessId
0x10002018 GetCurrentThreadId
0x1000201c GetTickCount
0x10002020 QueryPerformanceCounter
0x10002024 SetUnhandledExceptionFilter
0x10002028 GetCurrentProcess
0x1000202c SetLastError
0x10002030 CloseHandle
0x10002034 UnhandledExceptionFilter
0x10002038 TerminateProcess
0x1000203c InterlockedCompareExchange
0x10002040 Sleep
0x10002044 InterlockedExchange
0x10002048 RtlUnwind
0x1000204c GetSystemTimeAsFileTime
msvcrt.dll
0x1000206c memset
0x10002070 _XcptFilter
0x10002074 malloc
0x10002078 free
0x1000207c _initterm
0x10002080 _amsg_exit
EAT(Export Address Table) Library
0x10001012 DrvDisableDriver
0x1000104c DrvEnableDriver
0x10001013 DrvQueryDriverInfo
0x10001012 DrvResetConfigCache
0x1000107e GenerateCopyFilePaths
0x10001083 SpoolerCopyFileEvent