ScreenShot
| Created | 2024.08.02 09:50 | Machine | s1_win7_x6402 |
| Filename | sos.txt.exe | ||
| Type | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 8 detected (AIDetectMalware, malicious, high confidence, Detected, WinGo, Reverseshell, confidence) | ||
| md5 | 184303252d69a1ca88ece7779af9c82f | ||
| sha256 | fa3654b740b3d7b6ab2e097b262f1e4ec70f48a8f76d385fb08c9a66ed0c161d | ||
| ssdeep | 49152:Q4bunF3torb/TEvO90d7HjmAFd4A64nsfJViThgXvXjiSI2QD1:QP3K | ||
| imphash | 9cbefe68f395e67356e2a5d8d1b285c0 | ||
| impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects the presence of Wine emulator |
| notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
kernel32.dll
0x5ce0e0 WriteFile
0x5ce0e8 WriteConsoleW
0x5ce0f0 WaitForMultipleObjects
0x5ce0f8 WaitForSingleObject
0x5ce100 VirtualQuery
0x5ce108 VirtualFree
0x5ce110 VirtualAlloc
0x5ce118 SwitchToThread
0x5ce120 SuspendThread
0x5ce128 SetWaitableTimer
0x5ce130 SetUnhandledExceptionFilter
0x5ce138 SetProcessPriorityBoost
0x5ce140 SetEvent
0x5ce148 SetErrorMode
0x5ce150 SetConsoleCtrlHandler
0x5ce158 ResumeThread
0x5ce160 PostQueuedCompletionStatus
0x5ce168 LoadLibraryA
0x5ce170 LoadLibraryW
0x5ce178 SetThreadContext
0x5ce180 GetThreadContext
0x5ce188 GetSystemInfo
0x5ce190 GetSystemDirectoryA
0x5ce198 GetStdHandle
0x5ce1a0 GetQueuedCompletionStatusEx
0x5ce1a8 GetProcessAffinityMask
0x5ce1b0 GetProcAddress
0x5ce1b8 GetEnvironmentStringsW
0x5ce1c0 GetConsoleMode
0x5ce1c8 FreeEnvironmentStringsW
0x5ce1d0 ExitProcess
0x5ce1d8 DuplicateHandle
0x5ce1e0 CreateWaitableTimerExW
0x5ce1e8 CreateThread
0x5ce1f0 CreateIoCompletionPort
0x5ce1f8 CreateFileA
0x5ce200 CreateEventA
0x5ce208 CloseHandle
0x5ce210 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x5ce0e0 WriteFile
0x5ce0e8 WriteConsoleW
0x5ce0f0 WaitForMultipleObjects
0x5ce0f8 WaitForSingleObject
0x5ce100 VirtualQuery
0x5ce108 VirtualFree
0x5ce110 VirtualAlloc
0x5ce118 SwitchToThread
0x5ce120 SuspendThread
0x5ce128 SetWaitableTimer
0x5ce130 SetUnhandledExceptionFilter
0x5ce138 SetProcessPriorityBoost
0x5ce140 SetEvent
0x5ce148 SetErrorMode
0x5ce150 SetConsoleCtrlHandler
0x5ce158 ResumeThread
0x5ce160 PostQueuedCompletionStatus
0x5ce168 LoadLibraryA
0x5ce170 LoadLibraryW
0x5ce178 SetThreadContext
0x5ce180 GetThreadContext
0x5ce188 GetSystemInfo
0x5ce190 GetSystemDirectoryA
0x5ce198 GetStdHandle
0x5ce1a0 GetQueuedCompletionStatusEx
0x5ce1a8 GetProcessAffinityMask
0x5ce1b0 GetProcAddress
0x5ce1b8 GetEnvironmentStringsW
0x5ce1c0 GetConsoleMode
0x5ce1c8 FreeEnvironmentStringsW
0x5ce1d0 ExitProcess
0x5ce1d8 DuplicateHandle
0x5ce1e0 CreateWaitableTimerExW
0x5ce1e8 CreateThread
0x5ce1f0 CreateIoCompletionPort
0x5ce1f8 CreateFileA
0x5ce200 CreateEventA
0x5ce208 CloseHandle
0x5ce210 AddVectoredExceptionHandler
EAT(Export Address Table) is none