ScreenShot
| Created | 2024.08.15 15:20 | Machine | s1_win7_x6403 |
| Filename | b | ||
| Type | PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 50 detected (AIDetectMalware, Windows, CobaltStrike, Malicious, score, Dump, Beacon, Marte, Unsafe, Zusy, Cobalt, Artifact, CLASSIC, AGEN, COBEACON, Static AI, Malicious PE, Detected, ai score=84, R374111, GdSda, susgen, confidence, 100%) | ||
| md5 | e744a3ee4380bc4eadddeca8fa99e593 | ||
| sha256 | 28635585ae474cc5739242aae4844736e27e95a0cb368ebe48e36ead2407574a | ||
| ssdeep | 6144:O+1V7mmvm0j2Uhq0tK/Bf1+MqBdg9XhpWyO:1m0jVhqT/Lkd4vO | ||
| imphash | a17186a0dbc86b565628d4a9b8c9cc17 | ||
| impfuzzy | 12:QB8wRJR+5TZnJ2cDkiiARZqRJh7aa0uPXJNiXJGqYU4aRa91KpJqiGxiZn:Q2kfg1JlDdncJ9aa0mez4P91OqiGQZn | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 3
ET MALWARE Cobalt Strike Beacon Observed
ET MALWARE Cobalt Strike Beacon Observed
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x6bb0c1cc CloseHandle
0x6bb0c1d4 ConnectNamedPipe
0x6bb0c1dc CreateFileA
0x6bb0c1e4 CreateNamedPipeA
0x6bb0c1ec CreateThread
0x6bb0c1f4 DeleteCriticalSection
0x6bb0c1fc EnterCriticalSection
0x6bb0c204 GetCurrentProcess
0x6bb0c20c GetCurrentProcessId
0x6bb0c214 GetCurrentThreadId
0x6bb0c21c GetLastError
0x6bb0c224 GetModuleHandleA
0x6bb0c22c GetProcAddress
0x6bb0c234 GetSystemTimeAsFileTime
0x6bb0c23c GetTickCount
0x6bb0c244 InitializeCriticalSection
0x6bb0c24c LeaveCriticalSection
0x6bb0c254 QueryPerformanceCounter
0x6bb0c25c ReadFile
0x6bb0c264 RtlAddFunctionTable
0x6bb0c26c RtlCaptureContext
0x6bb0c274 RtlLookupFunctionEntry
0x6bb0c27c RtlVirtualUnwind
0x6bb0c284 SetUnhandledExceptionFilter
0x6bb0c28c Sleep
0x6bb0c294 TerminateProcess
0x6bb0c29c TlsGetValue
0x6bb0c2a4 UnhandledExceptionFilter
0x6bb0c2ac VirtualAlloc
0x6bb0c2b4 VirtualProtect
0x6bb0c2bc VirtualQuery
0x6bb0c2c4 WriteFile
msvcrt.dll
0x6bb0c2d4 __iob_func
0x6bb0c2dc _amsg_exit
0x6bb0c2e4 _initterm
0x6bb0c2ec _lock
0x6bb0c2f4 _unlock
0x6bb0c2fc abort
0x6bb0c304 calloc
0x6bb0c30c free
0x6bb0c314 fwrite
0x6bb0c31c malloc
0x6bb0c324 realloc
0x6bb0c32c signal
0x6bb0c334 sprintf
0x6bb0c33c strlen
0x6bb0c344 strncmp
0x6bb0c34c vfprintf
EAT(Export Address Table) Library
0x6bac169b DllGetClassObject
0x6bac1657 DllMain
0x6bac1695 DllRegisterServer
0x6bac1698 DllUnregisterServer
0x6bac16a4 StartW
KERNEL32.dll
0x6bb0c1cc CloseHandle
0x6bb0c1d4 ConnectNamedPipe
0x6bb0c1dc CreateFileA
0x6bb0c1e4 CreateNamedPipeA
0x6bb0c1ec CreateThread
0x6bb0c1f4 DeleteCriticalSection
0x6bb0c1fc EnterCriticalSection
0x6bb0c204 GetCurrentProcess
0x6bb0c20c GetCurrentProcessId
0x6bb0c214 GetCurrentThreadId
0x6bb0c21c GetLastError
0x6bb0c224 GetModuleHandleA
0x6bb0c22c GetProcAddress
0x6bb0c234 GetSystemTimeAsFileTime
0x6bb0c23c GetTickCount
0x6bb0c244 InitializeCriticalSection
0x6bb0c24c LeaveCriticalSection
0x6bb0c254 QueryPerformanceCounter
0x6bb0c25c ReadFile
0x6bb0c264 RtlAddFunctionTable
0x6bb0c26c RtlCaptureContext
0x6bb0c274 RtlLookupFunctionEntry
0x6bb0c27c RtlVirtualUnwind
0x6bb0c284 SetUnhandledExceptionFilter
0x6bb0c28c Sleep
0x6bb0c294 TerminateProcess
0x6bb0c29c TlsGetValue
0x6bb0c2a4 UnhandledExceptionFilter
0x6bb0c2ac VirtualAlloc
0x6bb0c2b4 VirtualProtect
0x6bb0c2bc VirtualQuery
0x6bb0c2c4 WriteFile
msvcrt.dll
0x6bb0c2d4 __iob_func
0x6bb0c2dc _amsg_exit
0x6bb0c2e4 _initterm
0x6bb0c2ec _lock
0x6bb0c2f4 _unlock
0x6bb0c2fc abort
0x6bb0c304 calloc
0x6bb0c30c free
0x6bb0c314 fwrite
0x6bb0c31c malloc
0x6bb0c324 realloc
0x6bb0c32c signal
0x6bb0c334 sprintf
0x6bb0c33c strlen
0x6bb0c344 strncmp
0x6bb0c34c vfprintf
EAT(Export Address Table) Library
0x6bac169b DllGetClassObject
0x6bac1657 DllMain
0x6bac1695 DllRegisterServer
0x6bac1698 DllUnregisterServer
0x6bac16a4 StartW