ScreenShot
| Created | 2024.08.12 09:14 | Machine | s1_win7_x6401 |
| Filename | Setup.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 55 detected (AIDetectMalware, Lockbit, malicious, high confidence, score, Razy, Unsafe, Vwda, Blackmatter, Kryptik, AGen, Artemis, MalwareX, Kryptik@AI, RDML, Yjj4FgJW1YhDtI3uWnkt0w, canmb, R002C0DHA24, Detected, ai score=84, ABRisk, NKFI, Injection, ZexaF, ByW@a4R@, BScope, Genetic, Pzfl, confidence, 100%, HM8PHU) | ||
| md5 | 95d8ef6aaeae33dae91636b2bde473b8 | ||
| sha256 | 05f9891bb4ca2b87b476e3d3f415e329a547d3cb65741b908cd570eb96575767 | ||
| ssdeep | 6144:XsaeVjbUSAODc/mDHJKzBJvPKcQQfHAijx7TSig0yw6J:XsamHDDpuBhKX2jlGiyw6 | ||
| imphash | 9929f072e286c8009cb223299a367762 | ||
| impfuzzy | 24:dj0DYc+9JBlWvS1GtAGo9Lovv4jM+apOovbOPZu:1c+JoS1GtAGoJCa3Y | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | One or more processes crashed |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x410000 GetLastError
0x410004 LoadLibraryA
0x410008 GetProcAddress
0x41000c GetModuleHandleW
0x410010 WideCharToMultiByte
0x410014 EnterCriticalSection
0x410018 LeaveCriticalSection
0x41001c DeleteCriticalSection
0x410020 SetLastError
0x410024 InitializeCriticalSectionAndSpinCount
0x410028 TlsAlloc
0x41002c TlsGetValue
0x410030 TlsSetValue
0x410034 TlsFree
0x410038 GetSystemTimeAsFileTime
0x41003c EncodePointer
0x410040 DecodePointer
0x410044 MultiByteToWideChar
0x410048 LCMapStringW
0x41004c GetStringTypeW
0x410050 GetCPInfo
0x410054 QueryPerformanceCounter
0x410058 GetCurrentProcessId
0x41005c GetCurrentThreadId
0x410060 InitializeSListHead
0x410064 IsDebuggerPresent
0x410068 UnhandledExceptionFilter
0x41006c SetUnhandledExceptionFilter
0x410070 GetStartupInfoW
0x410074 IsProcessorFeaturePresent
0x410078 GetCurrentProcess
0x41007c TerminateProcess
0x410080 WriteConsoleW
0x410084 RaiseException
0x410088 RtlUnwind
0x41008c FreeLibrary
0x410090 LoadLibraryExW
0x410094 GetStdHandle
0x410098 WriteFile
0x41009c GetModuleFileNameW
0x4100a0 ExitProcess
0x4100a4 GetModuleHandleExW
0x4100a8 SetFilePointerEx
0x4100ac GetFileType
0x4100b0 HeapAlloc
0x4100b4 FlushFileBuffers
0x4100b8 GetConsoleCP
0x4100bc GetConsoleMode
0x4100c0 HeapFree
0x4100c4 CloseHandle
0x4100c8 HeapReAlloc
0x4100cc FindClose
0x4100d0 FindFirstFileExW
0x4100d4 FindNextFileW
0x4100d8 IsValidCodePage
0x4100dc GetACP
0x4100e0 GetOEMCP
0x4100e4 GetCommandLineA
0x4100e8 GetCommandLineW
0x4100ec GetEnvironmentStringsW
0x4100f0 FreeEnvironmentStringsW
0x4100f4 SetStdHandle
0x4100f8 GetProcessHeap
0x4100fc CreateFileW
0x410100 HeapSize
EAT(Export Address Table) is none
KERNEL32.dll
0x410000 GetLastError
0x410004 LoadLibraryA
0x410008 GetProcAddress
0x41000c GetModuleHandleW
0x410010 WideCharToMultiByte
0x410014 EnterCriticalSection
0x410018 LeaveCriticalSection
0x41001c DeleteCriticalSection
0x410020 SetLastError
0x410024 InitializeCriticalSectionAndSpinCount
0x410028 TlsAlloc
0x41002c TlsGetValue
0x410030 TlsSetValue
0x410034 TlsFree
0x410038 GetSystemTimeAsFileTime
0x41003c EncodePointer
0x410040 DecodePointer
0x410044 MultiByteToWideChar
0x410048 LCMapStringW
0x41004c GetStringTypeW
0x410050 GetCPInfo
0x410054 QueryPerformanceCounter
0x410058 GetCurrentProcessId
0x41005c GetCurrentThreadId
0x410060 InitializeSListHead
0x410064 IsDebuggerPresent
0x410068 UnhandledExceptionFilter
0x41006c SetUnhandledExceptionFilter
0x410070 GetStartupInfoW
0x410074 IsProcessorFeaturePresent
0x410078 GetCurrentProcess
0x41007c TerminateProcess
0x410080 WriteConsoleW
0x410084 RaiseException
0x410088 RtlUnwind
0x41008c FreeLibrary
0x410090 LoadLibraryExW
0x410094 GetStdHandle
0x410098 WriteFile
0x41009c GetModuleFileNameW
0x4100a0 ExitProcess
0x4100a4 GetModuleHandleExW
0x4100a8 SetFilePointerEx
0x4100ac GetFileType
0x4100b0 HeapAlloc
0x4100b4 FlushFileBuffers
0x4100b8 GetConsoleCP
0x4100bc GetConsoleMode
0x4100c0 HeapFree
0x4100c4 CloseHandle
0x4100c8 HeapReAlloc
0x4100cc FindClose
0x4100d0 FindFirstFileExW
0x4100d4 FindNextFileW
0x4100d8 IsValidCodePage
0x4100dc GetACP
0x4100e0 GetOEMCP
0x4100e4 GetCommandLineA
0x4100e8 GetCommandLineW
0x4100ec GetEnvironmentStringsW
0x4100f0 FreeEnvironmentStringsW
0x4100f4 SetStdHandle
0x4100f8 GetProcessHeap
0x4100fc CreateFileW
0x410100 HeapSize
EAT(Export Address Table) is none