ScreenShot
| Created | 2024.08.01 08:41 | Machine | s1_win7_x6403 |
| Filename | random.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | ad1dde8691f26ca55a64c3a8d1adaa7f | ||
| sha256 | d461839fe85a8194cd4d39cbd184c451e371facfee373e2d69859ab706c05947 | ||
| ssdeep | 98304:O38dlhNBcSw4et7YG71yZRK2LyAM3XFXU8iSY2XSEJ7D9vNnk:0wlmr4aYG7ARjLaVXdzXSS/V | ||
| imphash | 575f114892de1c92166348318b11cdb5 | ||
| impfuzzy | 12:EcDvZGqA9AwDXRgKQckKK2C0xDr96LkviE:7DRdWAwDO+40xDp6LkKE | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
| watch | Attempts to create or modify system certificates |
| watch | One or more non-whitelisted processes were created |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_b_Zero | RedLine stealer | binaries (download) |
| warning | EnigmaProtector_IN | EnigmaProtector | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
kernel32.dll
0xcc8ef8 GetModuleHandleA
0xcc8efc GetProcAddress
0xcc8f00 ExitProcess
0xcc8f04 LoadLibraryA
user32.dll
0xcc8f0c MessageBoxA
advapi32.dll
0xcc8f14 RegCloseKey
oleaut32.dll
0xcc8f1c SysFreeString
gdi32.dll
0xcc8f24 CreateFontA
shell32.dll
0xcc8f2c ShellExecuteA
version.dll
0xcc8f34 GetFileVersionInfoA
WSOCK32.dll
0xcc8f3c gethostbyname
WINMM.dll
0xcc8f44 timeGetTime
COMCTL32.dll
0xcc8f4c ImageList_ReplaceIcon
MPR.dll
0xcc8f54 WNetGetConnectionW
WININET.dll
0xcc8f5c HttpOpenRequestW
PSAPI.DLL
0xcc8f64 GetProcessMemoryInfo
IPHLPAPI.DLL
0xcc8f6c IcmpSendEcho
USERENV.dll
0xcc8f74 DestroyEnvironmentBlock
UxTheme.dll
0xcc8f7c IsThemeActive
COMDLG32.dll
0xcc8f84 GetSaveFileNameW
ole32.dll
0xcc8f8c CoTaskMemAlloc
EAT(Export Address Table) Library
kernel32.dll
0xcc8ef8 GetModuleHandleA
0xcc8efc GetProcAddress
0xcc8f00 ExitProcess
0xcc8f04 LoadLibraryA
user32.dll
0xcc8f0c MessageBoxA
advapi32.dll
0xcc8f14 RegCloseKey
oleaut32.dll
0xcc8f1c SysFreeString
gdi32.dll
0xcc8f24 CreateFontA
shell32.dll
0xcc8f2c ShellExecuteA
version.dll
0xcc8f34 GetFileVersionInfoA
WSOCK32.dll
0xcc8f3c gethostbyname
WINMM.dll
0xcc8f44 timeGetTime
COMCTL32.dll
0xcc8f4c ImageList_ReplaceIcon
MPR.dll
0xcc8f54 WNetGetConnectionW
WININET.dll
0xcc8f5c HttpOpenRequestW
PSAPI.DLL
0xcc8f64 GetProcessMemoryInfo
IPHLPAPI.DLL
0xcc8f6c IcmpSendEcho
USERENV.dll
0xcc8f74 DestroyEnvironmentBlock
UxTheme.dll
0xcc8f7c IsThemeActive
COMDLG32.dll
0xcc8f84 GetSaveFileNameW
ole32.dll
0xcc8f8c CoTaskMemAlloc
EAT(Export Address Table) Library