ScreenShot
| Created | 2024.08.14 10:52 | Machine | s1_win7_x6401 |
| Filename | Mke%20Fallen.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 63 detected (AIDetectMalware, malicious, high confidence, score, GenericRXAE, Unsafe, Mint, Zard, MrBlack, StartServ, Heuristic131, dcnfpc, Jaik, Farfli, CLASSIC, Gen2, MulDrop11, GJ1000AC, UVPN, Real Protect, high, Static AI, Suspicious PE, bamdh, Detected, ai score=84, AGeneric, CA@6q1016, NEMT, Zegost, R117606, Genetic, Gencirc, W+qsqWX+TeU, susgen, confidence, FloodAttack) | ||
| md5 | eaeb33cc12fd71532fb6156938f46854 | ||
| sha256 | 055f7b2e38401cb201d4b594e7fe205484681495fb2393185910eb80dfaaec20 | ||
| ssdeep | 3072:2POKWROAEATTiczEJToGGhKW9o+SALvH/n2w52YGLHY:2POKWRPTDEJMhKJaf2uyLHY | ||
| imphash | 3ad350f14c2e450686dbd3fbcbe807a6 | ||
| impfuzzy | 24:ssNuMX1tIB8uQ+QzfjE0DADYp/TzebtwHzZ8x+G08wOovMRv/uQyN3BvBLBmunEg:BX1O2lCYpnebtTx+G0MrBytttjby5yN | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Creates a service |
| notice | Creates a suspicious process |
| notice | Drops an executable to the user AppData folder |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | The executable uses a known packer |
Rules (21cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x418038 GetCurrentThread
0x41803c SetPriorityClass
0x418040 GetCurrentProcess
0x418044 lstrcatA
0x418048 lstrcpyA
0x41804c GetEnvironmentVariableA
0x418050 GetShortPathNameA
0x418054 GetModuleFileNameA
0x418058 CreateMutexA
0x41805c SetThreadPriority
0x418060 GetLastError
0x418064 SetFileAttributesA
0x418068 CopyFileA
0x41806c GetModuleHandleA
0x418070 GetTickCount
0x418074 LCMapStringW
0x418078 LCMapStringA
0x41807c SetEnvironmentVariableA
0x418080 CompareStringW
0x418084 ResumeThread
0x418088 GetSystemDirectoryA
0x41808c CreateProcessA
0x418090 OpenProcess
0x418094 WaitForSingleObject
0x418098 GetSystemInfo
0x41809c LoadLibraryA
0x4180a0 GetProcAddress
0x4180a4 GlobalMemoryStatus
0x4180a8 CreateThread
0x4180ac CloseHandle
0x4180b0 ExitThread
0x4180b4 lstrlenA
0x4180b8 Sleep
0x4180bc CompareStringA
0x4180c0 GetFileAttributesA
0x4180c4 SetConsoleCtrlHandler
0x4180c8 GetOEMCP
0x4180cc GetACP
0x4180d0 GetCPInfo
0x4180d4 FlushFileBuffers
0x4180d8 IsBadCodePtr
0x4180dc IsBadReadPtr
0x4180e0 SetUnhandledExceptionFilter
0x4180e4 GetStringTypeW
0x4180e8 GetStringTypeA
0x4180ec MultiByteToWideChar
0x4180f0 RaiseException
0x4180f4 SetFilePointer
0x4180f8 WriteFile
0x4180fc GetEnvironmentStringsW
0x418100 GetEnvironmentStrings
0x418104 WideCharToMultiByte
0x418108 FreeEnvironmentStringsW
0x41810c FreeEnvironmentStringsA
0x418110 UnhandledExceptionFilter
0x418114 IsBadWritePtr
0x418118 GetTimeZoneInformation
0x41811c GetSystemTime
0x418120 GetLocalTime
0x418124 RtlUnwind
0x418128 ExitProcess
0x41812c TerminateProcess
0x418130 DuplicateHandle
0x418134 HeapFree
0x418138 HeapAlloc
0x41813c GetStartupInfoA
0x418140 GetCommandLineA
0x418144 GetVersion
0x418148 SetHandleCount
0x41814c GetStdHandle
0x418150 GetFileType
0x418154 SetStdHandle
0x418158 CreatePipe
0x41815c GetExitCodeProcess
0x418160 HeapReAlloc
0x418164 HeapSize
0x418168 GetVersionExA
0x41816c HeapDestroy
0x418170 HeapCreate
0x418174 VirtualFree
0x418178 VirtualAlloc
USER32.dll
0x418180 wsprintfA
comdlg32.dll
0x4181dc GetFileTitleA
ADVAPI32.dll
0x418000 CreateServiceA
0x418004 OpenServiceA
0x418008 StartServiceA
0x41800c RegSetValueExA
0x418010 CloseServiceHandle
0x418014 StartServiceCtrlDispatcherA
0x418018 RegisterServiceCtrlHandlerA
0x41801c SetServiceStatus
0x418020 RegOpenKeyExA
0x418024 RegOpenKeyA
0x418028 RegQueryValueExA
0x41802c RegCloseKey
0x418030 OpenSCManagerA
WS2_32.dll
0x418188 WSAGetLastError
0x41818c gethostname
0x418190 select
0x418194 __WSAFDIsSet
0x418198 recv
0x41819c WSAIoctl
0x4181a0 connect
0x4181a4 send
0x4181a8 socket
0x4181ac WSAStartup
0x4181b0 inet_ntoa
0x4181b4 setsockopt
0x4181b8 sendto
0x4181bc closesocket
0x4181c0 WSACleanup
0x4181c4 ntohl
0x4181c8 htons
0x4181cc inet_addr
0x4181d0 gethostbyname
0x4181d4 WSASocketA
iphlpapi.dll
0x4181e4 GetIfTable
EAT(Export Address Table) is none
KERNEL32.dll
0x418038 GetCurrentThread
0x41803c SetPriorityClass
0x418040 GetCurrentProcess
0x418044 lstrcatA
0x418048 lstrcpyA
0x41804c GetEnvironmentVariableA
0x418050 GetShortPathNameA
0x418054 GetModuleFileNameA
0x418058 CreateMutexA
0x41805c SetThreadPriority
0x418060 GetLastError
0x418064 SetFileAttributesA
0x418068 CopyFileA
0x41806c GetModuleHandleA
0x418070 GetTickCount
0x418074 LCMapStringW
0x418078 LCMapStringA
0x41807c SetEnvironmentVariableA
0x418080 CompareStringW
0x418084 ResumeThread
0x418088 GetSystemDirectoryA
0x41808c CreateProcessA
0x418090 OpenProcess
0x418094 WaitForSingleObject
0x418098 GetSystemInfo
0x41809c LoadLibraryA
0x4180a0 GetProcAddress
0x4180a4 GlobalMemoryStatus
0x4180a8 CreateThread
0x4180ac CloseHandle
0x4180b0 ExitThread
0x4180b4 lstrlenA
0x4180b8 Sleep
0x4180bc CompareStringA
0x4180c0 GetFileAttributesA
0x4180c4 SetConsoleCtrlHandler
0x4180c8 GetOEMCP
0x4180cc GetACP
0x4180d0 GetCPInfo
0x4180d4 FlushFileBuffers
0x4180d8 IsBadCodePtr
0x4180dc IsBadReadPtr
0x4180e0 SetUnhandledExceptionFilter
0x4180e4 GetStringTypeW
0x4180e8 GetStringTypeA
0x4180ec MultiByteToWideChar
0x4180f0 RaiseException
0x4180f4 SetFilePointer
0x4180f8 WriteFile
0x4180fc GetEnvironmentStringsW
0x418100 GetEnvironmentStrings
0x418104 WideCharToMultiByte
0x418108 FreeEnvironmentStringsW
0x41810c FreeEnvironmentStringsA
0x418110 UnhandledExceptionFilter
0x418114 IsBadWritePtr
0x418118 GetTimeZoneInformation
0x41811c GetSystemTime
0x418120 GetLocalTime
0x418124 RtlUnwind
0x418128 ExitProcess
0x41812c TerminateProcess
0x418130 DuplicateHandle
0x418134 HeapFree
0x418138 HeapAlloc
0x41813c GetStartupInfoA
0x418140 GetCommandLineA
0x418144 GetVersion
0x418148 SetHandleCount
0x41814c GetStdHandle
0x418150 GetFileType
0x418154 SetStdHandle
0x418158 CreatePipe
0x41815c GetExitCodeProcess
0x418160 HeapReAlloc
0x418164 HeapSize
0x418168 GetVersionExA
0x41816c HeapDestroy
0x418170 HeapCreate
0x418174 VirtualFree
0x418178 VirtualAlloc
USER32.dll
0x418180 wsprintfA
comdlg32.dll
0x4181dc GetFileTitleA
ADVAPI32.dll
0x418000 CreateServiceA
0x418004 OpenServiceA
0x418008 StartServiceA
0x41800c RegSetValueExA
0x418010 CloseServiceHandle
0x418014 StartServiceCtrlDispatcherA
0x418018 RegisterServiceCtrlHandlerA
0x41801c SetServiceStatus
0x418020 RegOpenKeyExA
0x418024 RegOpenKeyA
0x418028 RegQueryValueExA
0x41802c RegCloseKey
0x418030 OpenSCManagerA
WS2_32.dll
0x418188 WSAGetLastError
0x41818c gethostname
0x418190 select
0x418194 __WSAFDIsSet
0x418198 recv
0x41819c WSAIoctl
0x4181a0 connect
0x4181a4 send
0x4181a8 socket
0x4181ac WSAStartup
0x4181b0 inet_ntoa
0x4181b4 setsockopt
0x4181b8 sendto
0x4181bc closesocket
0x4181c0 WSACleanup
0x4181c4 ntohl
0x4181c8 htons
0x4181cc inet_addr
0x4181d0 gethostbyname
0x4181d4 WSASocketA
iphlpapi.dll
0x4181e4 GetIfTable
EAT(Export Address Table) is none