ScreenShot
| Created | 2024.07.30 13:57 | Machine | s1_win7_x6402 |
| Filename | ms2.bin_dec.dll | ||
| Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 36 detected (AIDetectMalware, malicious, high confidence, score, GenericKD, Unsafe, Artemis, MalwareX, Quasar, CLOUD, pmtbl, R014C0XGQ24, Detected, ai score=82, Wacapew, ABTrojan, OSWN, Gencirc, susgen, confidence) | ||
| md5 | 81e9262f4a1fb09caf782d12339c4b9d | ||
| sha256 | cb2d14cc82e19f4cc17d52e84083ef2e83ad5d271f33a493e98f13e87166550a | ||
| ssdeep | 98304:Q7BfZzoU5Kjj5zfsKOs8PJbdAYmDFyoD:Q7BfZkwKjJsxPJ6HR | ||
| imphash | eb596fc515d9f07ea83f140a5c4c78cc | ||
| impfuzzy | 24:TgdBV0DoOFmyIc5jVE02toS1KzYYYl39qojvcjMvZuOovbOwJzKQXuKmD1G:EDVjc4toS1SlYpYkD3wKQeKaQ | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Installs itself for autorun at Windows startup |
| watch | Installs itself in AppInit to inject into new processes |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates executable files on the filesystem |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (30cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | schtasks_Zero | task schedule | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x180018020 ReadFile
0x180018028 CloseHandle
0x180018030 SetFilePointer
0x180018038 WriteFile
0x180018040 RaiseException
0x180018048 GetLastError
0x180018050 InitializeCriticalSectionEx
0x180018058 DeleteCriticalSection
0x180018060 GetProcAddress
0x180018068 LoadLibraryW
0x180018070 HeapDestroy
0x180018078 HeapAlloc
0x180018080 HeapFree
0x180018088 HeapReAlloc
0x180018090 CreateFileW
0x180018098 GetProcessHeap
0x1800180a0 GetTempPathA
0x1800180a8 GetModuleHandleW
0x1800180b0 SizeofResource
0x1800180b8 FreeResource
0x1800180c0 LockResource
0x1800180c8 LoadResource
0x1800180d0 FindResourceW
0x1800180d8 ReadConsoleW
0x1800180e0 SetEndOfFile
0x1800180e8 GetModuleFileNameW
0x1800180f0 MultiByteToWideChar
0x1800180f8 HeapSize
0x180018100 FlushFileBuffers
0x180018108 WriteConsoleW
0x180018110 SetFilePointerEx
0x180018118 SetStdHandle
0x180018120 GetStringTypeW
0x180018128 EnterCriticalSection
0x180018130 LeaveCriticalSection
0x180018138 SetEvent
0x180018140 ResetEvent
0x180018148 WaitForSingleObjectEx
0x180018150 CreateEventW
0x180018158 RtlCaptureContext
0x180018160 RtlLookupFunctionEntry
0x180018168 RtlVirtualUnwind
0x180018170 UnhandledExceptionFilter
0x180018178 SetUnhandledExceptionFilter
0x180018180 GetCurrentProcess
0x180018188 TerminateProcess
0x180018190 IsProcessorFeaturePresent
0x180018198 IsDebuggerPresent
0x1800181a0 GetStartupInfoW
0x1800181a8 QueryPerformanceCounter
0x1800181b0 GetCurrentProcessId
0x1800181b8 GetCurrentThreadId
0x1800181c0 GetSystemTimeAsFileTime
0x1800181c8 InitializeSListHead
0x1800181d0 OutputDebugStringW
0x1800181d8 RtlPcToFileHeader
0x1800181e0 EncodePointer
0x1800181e8 RtlUnwindEx
0x1800181f0 InitializeCriticalSectionAndSpinCount
0x1800181f8 TlsAlloc
0x180018200 TlsGetValue
0x180018208 TlsSetValue
0x180018210 TlsFree
0x180018218 FreeLibrary
0x180018220 LoadLibraryExW
0x180018228 InterlockedFlushSList
0x180018230 ExitProcess
0x180018238 GetModuleHandleExW
0x180018240 WideCharToMultiByte
0x180018248 GetACP
0x180018250 GetStdHandle
0x180018258 GetFileType
0x180018260 GetConsoleCP
0x180018268 GetConsoleMode
0x180018270 LCMapStringW
0x180018278 IsValidCodePage
0x180018280 GetOEMCP
0x180018288 GetCPInfo
0x180018290 GetEnvironmentStringsW
0x180018298 FreeEnvironmentStringsW
0x1800182a0 GetCommandLineA
0x1800182a8 GetCommandLineW
0x1800182b0 SetLastError
USER32.dll
0x1800182c0 wsprintfA
0x1800182c8 wsprintfW
ADVAPI32.dll
0x180018000 SystemFunction036
0x180018008 RegSetValueExW
0x180018010 RegOpenKeyExW
ole32.dll
0x1800182d8 CoUninitialize
0x1800182e0 CoInitializeEx
0x1800182e8 CoGetObject
EAT(Export Address Table) Library
0x1800021a0 in
0x180002150 out
KERNEL32.dll
0x180018020 ReadFile
0x180018028 CloseHandle
0x180018030 SetFilePointer
0x180018038 WriteFile
0x180018040 RaiseException
0x180018048 GetLastError
0x180018050 InitializeCriticalSectionEx
0x180018058 DeleteCriticalSection
0x180018060 GetProcAddress
0x180018068 LoadLibraryW
0x180018070 HeapDestroy
0x180018078 HeapAlloc
0x180018080 HeapFree
0x180018088 HeapReAlloc
0x180018090 CreateFileW
0x180018098 GetProcessHeap
0x1800180a0 GetTempPathA
0x1800180a8 GetModuleHandleW
0x1800180b0 SizeofResource
0x1800180b8 FreeResource
0x1800180c0 LockResource
0x1800180c8 LoadResource
0x1800180d0 FindResourceW
0x1800180d8 ReadConsoleW
0x1800180e0 SetEndOfFile
0x1800180e8 GetModuleFileNameW
0x1800180f0 MultiByteToWideChar
0x1800180f8 HeapSize
0x180018100 FlushFileBuffers
0x180018108 WriteConsoleW
0x180018110 SetFilePointerEx
0x180018118 SetStdHandle
0x180018120 GetStringTypeW
0x180018128 EnterCriticalSection
0x180018130 LeaveCriticalSection
0x180018138 SetEvent
0x180018140 ResetEvent
0x180018148 WaitForSingleObjectEx
0x180018150 CreateEventW
0x180018158 RtlCaptureContext
0x180018160 RtlLookupFunctionEntry
0x180018168 RtlVirtualUnwind
0x180018170 UnhandledExceptionFilter
0x180018178 SetUnhandledExceptionFilter
0x180018180 GetCurrentProcess
0x180018188 TerminateProcess
0x180018190 IsProcessorFeaturePresent
0x180018198 IsDebuggerPresent
0x1800181a0 GetStartupInfoW
0x1800181a8 QueryPerformanceCounter
0x1800181b0 GetCurrentProcessId
0x1800181b8 GetCurrentThreadId
0x1800181c0 GetSystemTimeAsFileTime
0x1800181c8 InitializeSListHead
0x1800181d0 OutputDebugStringW
0x1800181d8 RtlPcToFileHeader
0x1800181e0 EncodePointer
0x1800181e8 RtlUnwindEx
0x1800181f0 InitializeCriticalSectionAndSpinCount
0x1800181f8 TlsAlloc
0x180018200 TlsGetValue
0x180018208 TlsSetValue
0x180018210 TlsFree
0x180018218 FreeLibrary
0x180018220 LoadLibraryExW
0x180018228 InterlockedFlushSList
0x180018230 ExitProcess
0x180018238 GetModuleHandleExW
0x180018240 WideCharToMultiByte
0x180018248 GetACP
0x180018250 GetStdHandle
0x180018258 GetFileType
0x180018260 GetConsoleCP
0x180018268 GetConsoleMode
0x180018270 LCMapStringW
0x180018278 IsValidCodePage
0x180018280 GetOEMCP
0x180018288 GetCPInfo
0x180018290 GetEnvironmentStringsW
0x180018298 FreeEnvironmentStringsW
0x1800182a0 GetCommandLineA
0x1800182a8 GetCommandLineW
0x1800182b0 SetLastError
USER32.dll
0x1800182c0 wsprintfA
0x1800182c8 wsprintfW
ADVAPI32.dll
0x180018000 SystemFunction036
0x180018008 RegSetValueExW
0x180018010 RegOpenKeyExW
ole32.dll
0x1800182d8 CoUninitialize
0x1800182e0 CoInitializeEx
0x1800182e8 CoGetObject
EAT(Export Address Table) Library
0x1800021a0 in
0x180002150 out