ScreenShot
| Created | 2024.08.11 15:23 | Machine | s1_win7_x6403 |
| Filename | ActiveMQ-RCE.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 5 detected (AIDetectMalware, Detected, Wacapew, MALICIOUS, WinGo, Rozena) | ||
| md5 | 4ba8f3acf74baeaf5db40372f0c70e9d | ||
| sha256 | 7ddbd321db79dc901f4da4a2307b89f182a37c7c93f5e9d7da50a695673fa5ea | ||
| ssdeep | 98304:LXTREiuLEdWfUWQxSHI8VZIByEjpzTSmQH:LjGiuYdN2ZFEF0 | ||
| imphash | c2d457ad8ac36fc9f18d45bffcd450c2 | ||
| impfuzzy | 24:ibVjh9wOuuTkkboVaXOr6kwmDgUPMztxdEr6tl:AwOuUjXOmokx0ol | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| notice | File has been identified by 5 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x780160 WriteFile
0x780168 WriteConsoleW
0x780170 WerSetFlags
0x780178 WerGetFlags
0x780180 WaitForMultipleObjects
0x780188 WaitForSingleObject
0x780190 VirtualQuery
0x780198 VirtualFree
0x7801a0 VirtualAlloc
0x7801a8 TlsAlloc
0x7801b0 SwitchToThread
0x7801b8 SuspendThread
0x7801c0 SetWaitableTimer
0x7801c8 SetProcessPriorityBoost
0x7801d0 SetEvent
0x7801d8 SetErrorMode
0x7801e0 SetConsoleCtrlHandler
0x7801e8 RtlVirtualUnwind
0x7801f0 RtlLookupFunctionEntry
0x7801f8 ResumeThread
0x780200 RaiseFailFastException
0x780208 PostQueuedCompletionStatus
0x780210 LoadLibraryW
0x780218 LoadLibraryExW
0x780220 SetThreadContext
0x780228 GetThreadContext
0x780230 GetSystemInfo
0x780238 GetSystemDirectoryA
0x780240 GetStdHandle
0x780248 GetQueuedCompletionStatusEx
0x780250 GetProcessAffinityMask
0x780258 GetProcAddress
0x780260 GetErrorMode
0x780268 GetEnvironmentStringsW
0x780270 GetCurrentThreadId
0x780278 GetConsoleMode
0x780280 FreeEnvironmentStringsW
0x780288 ExitProcess
0x780290 DuplicateHandle
0x780298 CreateWaitableTimerExW
0x7802a0 CreateThread
0x7802a8 CreateIoCompletionPort
0x7802b0 CreateFileA
0x7802b8 CreateEventA
0x7802c0 CloseHandle
0x7802c8 AddVectoredExceptionHandler
0x7802d0 AddVectoredContinueHandler
EAT(Export Address Table) is none
kernel32.dll
0x780160 WriteFile
0x780168 WriteConsoleW
0x780170 WerSetFlags
0x780178 WerGetFlags
0x780180 WaitForMultipleObjects
0x780188 WaitForSingleObject
0x780190 VirtualQuery
0x780198 VirtualFree
0x7801a0 VirtualAlloc
0x7801a8 TlsAlloc
0x7801b0 SwitchToThread
0x7801b8 SuspendThread
0x7801c0 SetWaitableTimer
0x7801c8 SetProcessPriorityBoost
0x7801d0 SetEvent
0x7801d8 SetErrorMode
0x7801e0 SetConsoleCtrlHandler
0x7801e8 RtlVirtualUnwind
0x7801f0 RtlLookupFunctionEntry
0x7801f8 ResumeThread
0x780200 RaiseFailFastException
0x780208 PostQueuedCompletionStatus
0x780210 LoadLibraryW
0x780218 LoadLibraryExW
0x780220 SetThreadContext
0x780228 GetThreadContext
0x780230 GetSystemInfo
0x780238 GetSystemDirectoryA
0x780240 GetStdHandle
0x780248 GetQueuedCompletionStatusEx
0x780250 GetProcessAffinityMask
0x780258 GetProcAddress
0x780260 GetErrorMode
0x780268 GetEnvironmentStringsW
0x780270 GetCurrentThreadId
0x780278 GetConsoleMode
0x780280 FreeEnvironmentStringsW
0x780288 ExitProcess
0x780290 DuplicateHandle
0x780298 CreateWaitableTimerExW
0x7802a0 CreateThread
0x7802a8 CreateIoCompletionPort
0x7802b0 CreateFileA
0x7802b8 CreateEventA
0x7802c0 CloseHandle
0x7802c8 AddVectoredExceptionHandler
0x7802d0 AddVectoredContinueHandler
EAT(Export Address Table) is none