Field | Value |
---|---|
Created | 2024.08.05 16:27 |
Machine | s1_win7_x6401 |
Filename | demo.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 50 detected (AIDetectMalware, CobaltStrike, malicious, high confidence, score, Infected, Zusy, Kryptik, V3o0, Attribute, HighConfidence, GenKryptik, FWMV, Artemis, Kryplod, AImjlJANoeK, PatchedWinSwrort, ckfiy, Meterpreter, Outbreak, PatchedWinSwro, Detected, ai score=80, AMBA, GdSda, AZHO3DGW) |
md5 | edf60741d8f0f84ac05c3c3abe96f531 |
sha256 | c8009295795a41ddf450d7e6fd947d17f0a344aedb28cb1f1d00d5b28d225acd |
ssdeep | 3072:JLCP23GB0kWd9F4VhNvmvM1wnTqHcXFI:JWSY0o/vmvBn9XF |
imphash | 826994b0b08f6b39dd6e5d89103ca266 |
impfuzzy | 24:2kftalDK4+kMLqj1lMblRf5XGfqXZykomvlxcqAZy:Hfg+k8IlslJJGfqJyk1vkqZ |
Network IP location
Signature (5 entries)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
info | One or more processes crashed |
Rules (3 entries)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x14000d230 CloseHandle
0x14000d238 CreateFileA
0x14000d240 CreateMailslotA
0x14000d248 CreateThread
0x14000d250 DeleteCriticalSection
0x14000d258 EnterCriticalSection
0x14000d260 GetCurrentProcess
0x14000d268 GetLastError
0x14000d270 GetMailslotInfo
0x14000d278 GetModuleHandleA
0x14000d280 GetProcAddress
0x14000d288 GetTickCount
0x14000d290 HeapAlloc
0x14000d298 HeapCreate
0x14000d2a0 HeapReAlloc
0x14000d2a8 InitializeCriticalSection
0x14000d2b0 IsDBCSLeadByteEx
0x14000d2b8 LeaveCriticalSection
0x14000d2c0 MultiByteToWideChar
0x14000d2c8 ReadFile
0x14000d2d0 SetUnhandledExceptionFilter
0x14000d2d8 Sleep
0x14000d2e0 TlsGetValue
0x14000d2e8 VirtualProtect
0x14000d2f0 VirtualQuery
0x14000d2f8 WaitForSingleObject
0x14000d300 WideCharToMultiByte
0x14000d308 WriteFile
msvcrt.dll
0x14000d318 __C_specific_handler
0x14000d320 ___lc_codepage_func
0x14000d328 ___mb_cur_max_func
0x14000d330 __getmainargs
0x14000d338 __initenv
0x14000d340 __iob_func
0x14000d348 __set_app_type
0x14000d350 __setusermatherr
0x14000d358 _amsg_exit
0x14000d360 _cexit
0x14000d368 _commode
0x14000d370 _errno
0x14000d378 _fmode
0x14000d380 _initterm
0x14000d388 _onexit
0x14000d390 abort
0x14000d398 calloc
0x14000d3a0 exit
0x14000d3a8 fprintf
0x14000d3b0 fputc
0x14000d3b8 free
0x14000d3c0 fwrite
0x14000d3c8 localeconv
0x14000d3d0 malloc
0x14000d3d8 memcpy
0x14000d3e0 memset
0x14000d3e8 signal
0x14000d3f0 strerror
0x14000d3f8 strlen
0x14000d400 strncmp
0x14000d408 vfprintf
0x14000d410 wcslen
EAT (Export Address Table): none