| Field | Value |
|---|---|
| Created | 2024.08.05 09:34 |
| Machine | s1_win7_x6401 |
| Filename | RingQ.exe |
| Type | PE32+ executable (console) x86-64, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malicious |
| VT API (file) | 43 detected (AIDetectMalware, Windows, Hacktool, RingQ, Malicious, score, Unsafe, GenericKD, V0lh, Attribute, HighConfidence, DropperX, MalwareX, SjRX8iBEshN, ynwlh, R002C0DH124, Detected, ai score=81, GrayWare, Wacapew, Graftor, ABTrojan, NJBI, GdSda, Gencirc, confidence) |
| md5 | 37dee1de8dfc6871a92f48937810af37 |
| sha256 | c5004bdf7845cddf0075a993b6f8ea8103c6d8fc76ccedc973e2a2bbf465bf9c |
| ssdeep | 6144:hQoiDwTbrIZWpyboi2E79IX28mAQmFpPuNftHG0CLipmdRR8A/RRcdSd9JwjmXfV:hIDctycgIX/PuNFwLPJwmfLY/ |
| imphash | a1c7e2ca2d789f3f7ea35f0e2afce0c9 |
| impfuzzy | 48:hWMroQCcOh1rDhC0xQxoIDmQpmJlL6exz9zJhHkM/2zoaqgbZK:hWmoQCcOh1rDhC0xQxoICvJx6exZtlk4 |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
notice | A process attempted to delay the analysis task. |
notice | Foreign language identified in PE resource |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14001de68 AcquireSRWLockExclusive
0x14001de70 CloseHandle
0x14001de78 CompareStringEx
0x14001de80 CreateFileA
0x14001de88 DecodePointer
0x14001de90 DeleteCriticalSection
0x14001de98 EncodePointer
0x14001dea0 EnterCriticalSection
0x14001dea8 ExitProcess
0x14001deb0 FreeLibrary
0x14001deb8 GetCPInfo
0x14001dec0 GetCurrentDirectoryA
0x14001dec8 GetCurrentProcess
0x14001ded0 GetCurrentProcessId
0x14001ded8 GetCurrentThreadId
0x14001dee0 GetLocaleInfoEx
0x14001dee8 GetModuleHandleA
0x14001def0 GetModuleHandleExW
0x14001def8 GetModuleHandleW
0x14001df00 GetProcAddress
0x14001df08 GetSystemTimeAsFileTime
0x14001df10 InitializeCriticalSectionEx
0x14001df18 InitializeSListHead
0x14001df20 IsDebuggerPresent
0x14001df28 IsProcessorFeaturePresent
0x14001df30 LCIDToLocaleName
0x14001df38 LCMapStringEx
0x14001df40 LeaveCriticalSection
0x14001df48 LoadLibraryA
0x14001df50 MultiByteToWideChar
0x14001df58 QueryPerformanceCounter
0x14001df60 QueryPerformanceFrequency
0x14001df68 RaiseException
0x14001df70 ReleaseSRWLockExclusive
0x14001df78 RtlCaptureContext
0x14001df80 RtlLookupFunctionEntry
0x14001df88 RtlUnwindEx
0x14001df90 RtlVirtualUnwind
0x14001df98 SetUnhandledExceptionFilter
0x14001dfa0 Sleep
0x14001dfa8 SleepConditionVariableSRW
0x14001dfb0 TerminateProcess
0x14001dfb8 UnhandledExceptionFilter
0x14001dfc0 VirtualProtect
0x14001dfc8 VirtualQuery
0x14001dfd0 WakeAllConditionVariable
0x14001dfd8 WideCharToMultiByte
0x14001dfe0 WriteFile
0x14001dfe8 WriteProcessMemory
USER32.dll
0x14001dff8 LoadStringW
WININET.dll
0x14001e008 InternetCloseHandle
0x14001e010 InternetOpenUrlA
0x14001e018 InternetOpenW
0x14001e020 InternetReadFile
msvcrt.dll
0x14001e030 ?_set_new_mode@@YAHH@Z
0x14001e038 ?terminate@@YAXXZ
0x14001e040 _CxxThrowException
0x14001e048 _XcptFilter
0x14001e050 __C_specific_handler
0x14001e058 __CxxFrameHandler3
0x14001e060 __DestructExceptionObject
0x14001e068 ___lc_codepage_func
0x14001e070 ___lc_collate_cp_func
0x14001e078 ___lc_handle_func
0x14001e080 __argc
0x14001e088 __argv
0x14001e090 __getmainargs
0x14001e098 __pctype_func
0x14001e0a0 __set_app_type
0x14001e0a8 __strncnt
0x14001e0b0 __uncaught_exception
0x14001e0b8 _amsg_exit
0x14001e0c0 _callnewh
0x14001e0c8 _commode
0x14001e0d0 _environ
0x14001e0d8 _errno
0x14001e0e0 _fileno
0x14001e0e8 _fseeki64
0x14001e0f0 _fsopen
0x14001e0f8 _initterm
0x14001e100 _initterm_e
0x14001e108 _iob
0x14001e110 _isatty
0x14001e118 _local_unwind
0x14001e120 _lock
0x14001e128 _msize
0x14001e130 _set_fmode
0x14001e138 _time64
0x14001e140 _unlock
0x14001e148 _wcsdup
0x14001e150 abort
0x14001e158 calloc
0x14001e160 fclose
0x14001e168 fflush
0x14001e170 fgetc
0x14001e178 fgetpos
0x14001e180 fread
0x14001e188 free
0x14001e190 fseek
0x14001e198 fsetpos
0x14001e1a0 islower
0x14001e1a8 isupper
0x14001e1b0 malloc
0x14001e1b8 memchr
0x14001e1c0 memcmp
0x14001e1c8 memcpy
0x14001e1d0 memmove
0x14001e1d8 memset
0x14001e1e0 rand
0x14001e1e8 realloc
0x14001e1f0 setvbuf
0x14001e1f8 srand
0x14001e200 strchr
0x14001e208 strcpy_s
0x14001e210 strlen
0x14001e218 ungetc
0x14001e220 wcslen
0x14001e228 wcsrchr
EAT(Export Address Table) is none