ScreenShot
| Created | 2024.08.15 11:10 | Machine | s1_win7_x6401 |
| Filename | s.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 20 detected (AIDetectMalware, Whisperer, malicious, Kryptik, AGen, CobaltStrike, Detected, ai score=86, confidence, 100%) | ||
| md5 | b43e3cb0e1e8afd9f97b7471d3a15652 | ||
| sha256 | 9c9fd30f71a39829fc250a49a38cd55d112d2fe2a11cec5a64ccb30ff29f73a2 | ||
| ssdeep | 768:rvMhIV8gLaimkrcmK7NmDbG39sjZQlNmrD3k2mwYidZz/zw7N:r3ZL9mkQmKwnG3yjZQPmrD3kF | ||
| imphash | 2fe71839ceddb4efe940c5cf91ea178e | ||
| impfuzzy | 24:8ftlDK4+kEqjIlMblRf5XGfqXZykomvlxcqdZ4:8f5+kEJslJJGfqJyk1vkqM | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Network activity contains more than one unique useragent |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140010218 DeleteCriticalSection
0x140010220 EnterCriticalSection
0x140010228 GetCurrentProcess
0x140010230 GetLastError
0x140010238 GetModuleHandleA
0x140010240 GetProcAddress
0x140010248 GetTickCount
0x140010250 HeapAlloc
0x140010258 HeapCreate
0x140010260 HeapReAlloc
0x140010268 InitializeCriticalSection
0x140010270 IsDBCSLeadByteEx
0x140010278 LeaveCriticalSection
0x140010280 MultiByteToWideChar
0x140010288 SetUnhandledExceptionFilter
0x140010290 Sleep
0x140010298 TlsGetValue
0x1400102a0 VirtualProtect
0x1400102a8 VirtualQuery
0x1400102b0 WaitForSingleObject
0x1400102b8 WideCharToMultiByte
msvcrt.dll
0x1400102c8 __C_specific_handler
0x1400102d0 ___lc_codepage_func
0x1400102d8 ___mb_cur_max_func
0x1400102e0 __getmainargs
0x1400102e8 __initenv
0x1400102f0 __iob_func
0x1400102f8 __set_app_type
0x140010300 __setusermatherr
0x140010308 _amsg_exit
0x140010310 _cexit
0x140010318 _commode
0x140010320 _errno
0x140010328 _fmode
0x140010330 _initterm
0x140010338 _onexit
0x140010340 abort
0x140010348 calloc
0x140010350 exit
0x140010358 fprintf
0x140010360 fputc
0x140010368 free
0x140010370 fwrite
0x140010378 localeconv
0x140010380 malloc
0x140010388 mbstowcs
0x140010390 memcpy
0x140010398 memset
0x1400103a0 rand
0x1400103a8 signal
0x1400103b0 strerror
0x1400103b8 strlen
0x1400103c0 strncmp
0x1400103c8 vfprintf
0x1400103d0 wcslen
0x1400103d8 wcsncat
0x1400103e0 wcsncpy
EAT(Export Address Table) is none
KERNEL32.dll
0x140010218 DeleteCriticalSection
0x140010220 EnterCriticalSection
0x140010228 GetCurrentProcess
0x140010230 GetLastError
0x140010238 GetModuleHandleA
0x140010240 GetProcAddress
0x140010248 GetTickCount
0x140010250 HeapAlloc
0x140010258 HeapCreate
0x140010260 HeapReAlloc
0x140010268 InitializeCriticalSection
0x140010270 IsDBCSLeadByteEx
0x140010278 LeaveCriticalSection
0x140010280 MultiByteToWideChar
0x140010288 SetUnhandledExceptionFilter
0x140010290 Sleep
0x140010298 TlsGetValue
0x1400102a0 VirtualProtect
0x1400102a8 VirtualQuery
0x1400102b0 WaitForSingleObject
0x1400102b8 WideCharToMultiByte
msvcrt.dll
0x1400102c8 __C_specific_handler
0x1400102d0 ___lc_codepage_func
0x1400102d8 ___mb_cur_max_func
0x1400102e0 __getmainargs
0x1400102e8 __initenv
0x1400102f0 __iob_func
0x1400102f8 __set_app_type
0x140010300 __setusermatherr
0x140010308 _amsg_exit
0x140010310 _cexit
0x140010318 _commode
0x140010320 _errno
0x140010328 _fmode
0x140010330 _initterm
0x140010338 _onexit
0x140010340 abort
0x140010348 calloc
0x140010350 exit
0x140010358 fprintf
0x140010360 fputc
0x140010368 free
0x140010370 fwrite
0x140010378 localeconv
0x140010380 malloc
0x140010388 mbstowcs
0x140010390 memcpy
0x140010398 memset
0x1400103a0 rand
0x1400103a8 signal
0x1400103b0 strerror
0x1400103b8 strlen
0x1400103c0 strncmp
0x1400103c8 vfprintf
0x1400103d0 wcslen
0x1400103d8 wcsncat
0x1400103e0 wcsncpy
EAT(Export Address Table) is none