ScreenShot
| Created | 2024.08.15 11:12 | Machine | s1_win7_x6401 |
| Filename | a.exe | ||
| Type | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 23 detected (AIDetectMalware, malicious, high confidence, Whisperer, CobaltStrike, Static AI, Suspicious PE, Detected, ai score=80, confidence, 100%) | ||
| md5 | 299d90fd59dde6708ece0a0f73423997 | ||
| sha256 | da80befcb4b78abaac8632becec8c6ac0d8a3ed57104be2cc2579912ec446cc8 | ||
| ssdeep | 768:bj9EaiyURDkkxPt5NmVrSG+et/GWFQrhwEr0dmw9wxNs8U:l9URDkWPteQG++/GwQrhw80qxI | ||
| imphash | 6d8e187825cbe7dbdc0aff9da7ee9481 | ||
| impfuzzy | 12:YRJR+iJ2cDKjAR+hqR2qhj7s4lJYasTqa91Dvlp1FQJq/huiZQT:8ftlDK4+krjI4liHx91DvlxcqpBZ4 | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Network activity contains more than one unique useragent |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| info | Queries for the computername |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x2fbad11c8 DeleteCriticalSection
0x2fbad11d0 EnterCriticalSection
0x2fbad11d8 GetCurrentProcess
0x2fbad11e0 GetLastError
0x2fbad11e8 GetModuleHandleA
0x2fbad11f0 GetProcAddress
0x2fbad11f8 GetTickCount
0x2fbad1200 HeapAlloc
0x2fbad1208 HeapCreate
0x2fbad1210 HeapReAlloc
0x2fbad1218 InitializeCriticalSection
0x2fbad1220 IsDBCSLeadByteEx
0x2fbad1228 LeaveCriticalSection
0x2fbad1230 MultiByteToWideChar
0x2fbad1238 Sleep
0x2fbad1240 TlsGetValue
0x2fbad1248 VirtualProtect
0x2fbad1250 VirtualQuery
0x2fbad1258 WaitForSingleObject
0x2fbad1260 WideCharToMultiByte
msvcrt.dll
0x2fbad1270 ___lc_codepage_func
0x2fbad1278 ___mb_cur_max_func
0x2fbad1280 __iob_func
0x2fbad1288 _amsg_exit
0x2fbad1290 _errno
0x2fbad1298 _initterm
0x2fbad12a0 _lock
0x2fbad12a8 _unlock
0x2fbad12b0 abort
0x2fbad12b8 calloc
0x2fbad12c0 fputc
0x2fbad12c8 free
0x2fbad12d0 fwrite
0x2fbad12d8 localeconv
0x2fbad12e0 malloc
0x2fbad12e8 mbstowcs
0x2fbad12f0 memcpy
0x2fbad12f8 memset
0x2fbad1300 rand
0x2fbad1308 realloc
0x2fbad1310 strerror
0x2fbad1318 strlen
0x2fbad1320 strncmp
0x2fbad1328 vfprintf
0x2fbad1330 wcslen
0x2fbad1338 wcsncat
0x2fbad1340 wcsncpy
EAT(Export Address Table) Library
0x2fbac2631 DllGetClassObject
0x2fbac25c7 DllMain
0x2fbac262b DllRegisterServer
0x2fbac262e DllUnregisterServer
0x2fbac263a StartW
KERNEL32.dll
0x2fbad11c8 DeleteCriticalSection
0x2fbad11d0 EnterCriticalSection
0x2fbad11d8 GetCurrentProcess
0x2fbad11e0 GetLastError
0x2fbad11e8 GetModuleHandleA
0x2fbad11f0 GetProcAddress
0x2fbad11f8 GetTickCount
0x2fbad1200 HeapAlloc
0x2fbad1208 HeapCreate
0x2fbad1210 HeapReAlloc
0x2fbad1218 InitializeCriticalSection
0x2fbad1220 IsDBCSLeadByteEx
0x2fbad1228 LeaveCriticalSection
0x2fbad1230 MultiByteToWideChar
0x2fbad1238 Sleep
0x2fbad1240 TlsGetValue
0x2fbad1248 VirtualProtect
0x2fbad1250 VirtualQuery
0x2fbad1258 WaitForSingleObject
0x2fbad1260 WideCharToMultiByte
msvcrt.dll
0x2fbad1270 ___lc_codepage_func
0x2fbad1278 ___mb_cur_max_func
0x2fbad1280 __iob_func
0x2fbad1288 _amsg_exit
0x2fbad1290 _errno
0x2fbad1298 _initterm
0x2fbad12a0 _lock
0x2fbad12a8 _unlock
0x2fbad12b0 abort
0x2fbad12b8 calloc
0x2fbad12c0 fputc
0x2fbad12c8 free
0x2fbad12d0 fwrite
0x2fbad12d8 localeconv
0x2fbad12e0 malloc
0x2fbad12e8 mbstowcs
0x2fbad12f0 memcpy
0x2fbad12f8 memset
0x2fbad1300 rand
0x2fbad1308 realloc
0x2fbad1310 strerror
0x2fbad1318 strlen
0x2fbad1320 strncmp
0x2fbad1328 vfprintf
0x2fbad1330 wcslen
0x2fbad1338 wcsncat
0x2fbad1340 wcsncpy
EAT(Export Address Table) Library
0x2fbac2631 DllGetClassObject
0x2fbac25c7 DllMain
0x2fbac262b DllRegisterServer
0x2fbac262e DllUnregisterServer
0x2fbac263a StartW