ScreenShot
| Created | 2024.08.11 15:27 | Machine | s1_win7_x6401 |
| Filename | RingQ.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 45 detected (Common, Windows, Hacktool, RingQ, Malicious, score, GenericKD, Unsafe, Vh13, Attribute, HighConfidence, Artemis, MalwareX, YzY0OkbSCjZNi71T, AGen, rwtxt, Detected, ai score=89, ABApplication, LMFF, R002H09G524, Gencirc, Constructor, PossibleThreat, PALLAS, confidence, 100%) | ||
| md5 | 2c3beb9c17ad530a2b049b64ff2aae66 | ||
| sha256 | c100328f17768d45c867809a82a174acc6f0e0a6ad0e68b3c427559727e4a780 | ||
| ssdeep | 6144:S9fw1zT0vOMuu2zJ2Tk6j3H47oEFfU8qEW:Mwti3uN6jX47oEFfU8E | ||
| imphash | 252aaf4d65762ac2b5694c34eed6007d | ||
| impfuzzy | 48:hWVQCcK1rvhC8xQxoIDmQpmJlL6exzOzJhHkM/2zoaqTbZK:hWVQCcK1rvhC8xQxoICvJx6exytlkMeB | ||
Network IP location
Signature (2cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140013df8 AcquireSRWLockExclusive
0x140013e00 CloseHandle
0x140013e08 CreateFileA
0x140013e10 CreateFileMappingW
0x140013e18 DecodePointer
0x140013e20 DeleteCriticalSection
0x140013e28 EncodePointer
0x140013e30 EnterCriticalSection
0x140013e38 ExitProcess
0x140013e40 FreeLibrary
0x140013e48 GetCurrentProcess
0x140013e50 GetCurrentProcessId
0x140013e58 GetCurrentThreadId
0x140013e60 GetLocaleInfoEx
0x140013e68 GetModuleHandleA
0x140013e70 GetModuleHandleExW
0x140013e78 GetModuleHandleW
0x140013e80 GetProcAddress
0x140013e88 GetSystemTimeAsFileTime
0x140013e90 InitializeCriticalSectionEx
0x140013e98 InitializeSListHead
0x140013ea0 IsDebuggerPresent
0x140013ea8 IsProcessorFeaturePresent
0x140013eb0 K32GetModuleInformation
0x140013eb8 LCIDToLocaleName
0x140013ec0 LCMapStringEx
0x140013ec8 LeaveCriticalSection
0x140013ed0 LoadLibraryA
0x140013ed8 MapViewOfFile
0x140013ee0 MultiByteToWideChar
0x140013ee8 QueryPerformanceCounter
0x140013ef0 QueryPerformanceFrequency
0x140013ef8 RaiseException
0x140013f00 ReleaseSRWLockExclusive
0x140013f08 RtlCaptureContext
0x140013f10 RtlLookupFunctionEntry
0x140013f18 RtlUnwindEx
0x140013f20 RtlVirtualUnwind
0x140013f28 SetUnhandledExceptionFilter
0x140013f30 Sleep
0x140013f38 SleepConditionVariableSRW
0x140013f40 TerminateProcess
0x140013f48 UnhandledExceptionFilter
0x140013f50 VirtualProtect
0x140013f58 VirtualQuery
0x140013f60 WakeAllConditionVariable
0x140013f68 WideCharToMultiByte
0x140013f70 WriteFile
0x140013f78 WriteProcessMemory
USER32.dll
0x140013f88 LoadStringW
WININET.dll
0x140013f98 InternetCloseHandle
0x140013fa0 InternetOpenUrlA
0x140013fa8 InternetOpenW
0x140013fb0 InternetReadFile
msvcrt.dll
0x140013fc0 ?_set_new_mode@@YAHH@Z
0x140013fc8 ?terminate@@YAXXZ
0x140013fd0 _CxxThrowException
0x140013fd8 _XcptFilter
0x140013fe0 __C_specific_handler
0x140013fe8 __CxxFrameHandler3
0x140013ff0 __DestructExceptionObject
0x140013ff8 ___lc_codepage_func
0x140014000 ___lc_handle_func
0x140014008 __argc
0x140014010 __argv
0x140014018 __getmainargs
0x140014020 __pctype_func
0x140014028 __set_app_type
0x140014030 __strncnt
0x140014038 __uncaught_exception
0x140014040 _amsg_exit
0x140014048 _callnewh
0x140014050 _commode
0x140014058 _environ
0x140014060 _errno
0x140014068 _fileno
0x140014070 _fseeki64
0x140014078 _fsopen
0x140014080 _initterm
0x140014088 _initterm_e
0x140014090 _iob
0x140014098 _isatty
0x1400140a0 _local_unwind
0x1400140a8 _lock
0x1400140b0 _msize
0x1400140b8 _set_fmode
0x1400140c0 _time64
0x1400140c8 _unlock
0x1400140d0 _wcsdup
0x1400140d8 abort
0x1400140e0 calloc
0x1400140e8 fclose
0x1400140f0 fflush
0x1400140f8 fgetc
0x140014100 fgetpos
0x140014108 fread
0x140014110 free
0x140014118 fseek
0x140014120 fsetpos
0x140014128 islower
0x140014130 isupper
0x140014138 malloc
0x140014140 memcpy
0x140014148 memmove
0x140014150 memset
0x140014158 rand
0x140014160 realloc
0x140014168 setvbuf
0x140014170 srand
0x140014178 strchr
0x140014180 strcmp
0x140014188 strcpy_s
0x140014190 strlen
0x140014198 ungetc
0x1400141a0 wcslen
0x1400141a8 wcsrchr
EAT(Export Address Table) is none
KERNEL32.dll
0x140013df8 AcquireSRWLockExclusive
0x140013e00 CloseHandle
0x140013e08 CreateFileA
0x140013e10 CreateFileMappingW
0x140013e18 DecodePointer
0x140013e20 DeleteCriticalSection
0x140013e28 EncodePointer
0x140013e30 EnterCriticalSection
0x140013e38 ExitProcess
0x140013e40 FreeLibrary
0x140013e48 GetCurrentProcess
0x140013e50 GetCurrentProcessId
0x140013e58 GetCurrentThreadId
0x140013e60 GetLocaleInfoEx
0x140013e68 GetModuleHandleA
0x140013e70 GetModuleHandleExW
0x140013e78 GetModuleHandleW
0x140013e80 GetProcAddress
0x140013e88 GetSystemTimeAsFileTime
0x140013e90 InitializeCriticalSectionEx
0x140013e98 InitializeSListHead
0x140013ea0 IsDebuggerPresent
0x140013ea8 IsProcessorFeaturePresent
0x140013eb0 K32GetModuleInformation
0x140013eb8 LCIDToLocaleName
0x140013ec0 LCMapStringEx
0x140013ec8 LeaveCriticalSection
0x140013ed0 LoadLibraryA
0x140013ed8 MapViewOfFile
0x140013ee0 MultiByteToWideChar
0x140013ee8 QueryPerformanceCounter
0x140013ef0 QueryPerformanceFrequency
0x140013ef8 RaiseException
0x140013f00 ReleaseSRWLockExclusive
0x140013f08 RtlCaptureContext
0x140013f10 RtlLookupFunctionEntry
0x140013f18 RtlUnwindEx
0x140013f20 RtlVirtualUnwind
0x140013f28 SetUnhandledExceptionFilter
0x140013f30 Sleep
0x140013f38 SleepConditionVariableSRW
0x140013f40 TerminateProcess
0x140013f48 UnhandledExceptionFilter
0x140013f50 VirtualProtect
0x140013f58 VirtualQuery
0x140013f60 WakeAllConditionVariable
0x140013f68 WideCharToMultiByte
0x140013f70 WriteFile
0x140013f78 WriteProcessMemory
USER32.dll
0x140013f88 LoadStringW
WININET.dll
0x140013f98 InternetCloseHandle
0x140013fa0 InternetOpenUrlA
0x140013fa8 InternetOpenW
0x140013fb0 InternetReadFile
msvcrt.dll
0x140013fc0 ?_set_new_mode@@YAHH@Z
0x140013fc8 ?terminate@@YAXXZ
0x140013fd0 _CxxThrowException
0x140013fd8 _XcptFilter
0x140013fe0 __C_specific_handler
0x140013fe8 __CxxFrameHandler3
0x140013ff0 __DestructExceptionObject
0x140013ff8 ___lc_codepage_func
0x140014000 ___lc_handle_func
0x140014008 __argc
0x140014010 __argv
0x140014018 __getmainargs
0x140014020 __pctype_func
0x140014028 __set_app_type
0x140014030 __strncnt
0x140014038 __uncaught_exception
0x140014040 _amsg_exit
0x140014048 _callnewh
0x140014050 _commode
0x140014058 _environ
0x140014060 _errno
0x140014068 _fileno
0x140014070 _fseeki64
0x140014078 _fsopen
0x140014080 _initterm
0x140014088 _initterm_e
0x140014090 _iob
0x140014098 _isatty
0x1400140a0 _local_unwind
0x1400140a8 _lock
0x1400140b0 _msize
0x1400140b8 _set_fmode
0x1400140c0 _time64
0x1400140c8 _unlock
0x1400140d0 _wcsdup
0x1400140d8 abort
0x1400140e0 calloc
0x1400140e8 fclose
0x1400140f0 fflush
0x1400140f8 fgetc
0x140014100 fgetpos
0x140014108 fread
0x140014110 free
0x140014118 fseek
0x140014120 fsetpos
0x140014128 islower
0x140014130 isupper
0x140014138 malloc
0x140014140 memcpy
0x140014148 memmove
0x140014150 memset
0x140014158 rand
0x140014160 realloc
0x140014168 setvbuf
0x140014170 srand
0x140014178 strchr
0x140014180 strcmp
0x140014188 strcpy_s
0x140014190 strlen
0x140014198 ungetc
0x1400141a0 wcslen
0x1400141a8 wcsrchr
EAT(Export Address Table) is none