Field | Value |
---|---|
Created | 2024.09.02 11:02 |
Machine | s1_win7_x6403 |
Filename | random.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 31 detected (malicious, high confidence, score, IGENERICPMF, S2481492, Unsafe, Save, Genus, GenericRXWO, Tool, Lazagne, Real Protect, Generic ML PUA, Static AI, Suspicious PE, Detected, Kryptik, Eldorado, susgen, confidence) |
md5 | fb5e045c6e6d9f559ae90490d139c2fe |
sha256 | 482366a7f9d8d709043b6aadbafe9dd27f98d93522ede9b5de1dd2582ffd2f62 |
ssdeep | 1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfDxEi2kO+:Hq6+ouCpk2mpcWJ0r+QNTBfDB |
imphash | 5877688b4859ffd051f6be3b8e0cd533 |
impfuzzy | 48:YMaG/U3WrCpt1vJOI40EdXlqSZ/g/KA/kEUEk1WSY+09AEFXolvyAobFzGJ6tn63:YnmU3aCpt1vJh400XlZW4wvIow |
Network IP location
Signature (29cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
watch | Attempts to create or modify system certificates |
watch | One or more non-whitelisted processes were created |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | One or more potentially interesting buffers were extracted |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | Tries to locate where the browsers are installed |
Rules (40cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_b_Zero | RedLine stealer | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate priviledges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API

IAT (Import Address Table) Library
MSVCRT.dll
0x417470 memset
0x417474 wcsncmp
0x417478 memmove
0x41747c wcsncpy
0x417480 wcsstr
0x417484 _wcsnicmp
0x417488 _wcsdup
0x41748c free
0x417490 _wcsicmp
0x417494 wcslen
0x417498 wcscpy
0x41749c wcscmp
0x4174a0 memcpy
0x4174a4 tolower
0x4174a8 wcscat
0x4174ac malloc
KERNEL32.dll
0x4174b4 GetModuleHandleW
0x4174b8 HeapCreate
0x4174bc GetStdHandle
0x4174c0 HeapDestroy
0x4174c4 ExitProcess
0x4174c8 WriteFile
0x4174cc GetTempFileNameW
0x4174d0 LoadLibraryExW
0x4174d4 EnumResourceTypesW
0x4174d8 FreeLibrary
0x4174dc RemoveDirectoryW
0x4174e0 GetExitCodeProcess
0x4174e4 EnumResourceNamesW
0x4174e8 GetCommandLineW
0x4174ec LoadResource
0x4174f0 SizeofResource
0x4174f4 FreeResource
0x4174f8 FindResourceW
0x4174fc GetNativeSystemInfo
0x417500 GetShortPathNameW
0x417504 GetWindowsDirectoryW
0x417508 GetSystemDirectoryW
0x41750c EnterCriticalSection
0x417510 CloseHandle
0x417514 LeaveCriticalSection
0x417518 InitializeCriticalSection
0x41751c WaitForSingleObject
0x417520 TerminateThread
0x417524 CreateThread
0x417528 Sleep
0x41752c GetProcAddress
0x417530 GetVersionExW
0x417534 WideCharToMultiByte
0x417538 HeapAlloc
0x41753c HeapFree
0x417540 LoadLibraryW
0x417544 GetCurrentProcessId
0x417548 GetCurrentThreadId
0x41754c GetModuleFileNameW
0x417550 GetEnvironmentVariableW
0x417554 SetEnvironmentVariableW
0x417558 GetCurrentProcess
0x41755c TerminateProcess
0x417560 SetUnhandledExceptionFilter
0x417564 HeapSize
0x417568 MultiByteToWideChar
0x41756c CreateDirectoryW
0x417570 SetFileAttributesW
0x417574 GetTempPathW
0x417578 DeleteFileW
0x41757c GetCurrentDirectoryW
0x417580 SetCurrentDirectoryW
0x417584 CreateFileW
0x417588 SetFilePointer
0x41758c TlsFree
0x417590 TlsGetValue
0x417594 TlsSetValue
0x417598 TlsAlloc
0x41759c HeapReAlloc
0x4175a0 DeleteCriticalSection
0x4175a4 InterlockedCompareExchange
0x4175a8 InterlockedExchange
0x4175ac GetLastError
0x4175b0 SetLastError
0x4175b4 UnregisterWait
0x4175b8 GetCurrentThread
0x4175bc DuplicateHandle
0x4175c0 RegisterWaitForSingleObject
USER32.DLL
0x4175c8 CharUpperW
0x4175cc CharLowerW
0x4175d0 MessageBoxW
0x4175d4 DefWindowProcW
0x4175d8 DestroyWindow
0x4175dc GetWindowLongW
0x4175e0 GetWindowTextLengthW
0x4175e4 GetWindowTextW
0x4175e8 UnregisterClassW
0x4175ec LoadIconW
0x4175f0 LoadCursorW
0x4175f4 RegisterClassExW
0x4175f8 IsWindowEnabled
0x4175fc EnableWindow
0x417600 GetSystemMetrics
0x417604 CreateWindowExW
0x417608 SetWindowLongW
0x41760c SendMessageW
0x417610 SetFocus
0x417614 CreateAcceleratorTableW
0x417618 SetForegroundWindow
0x41761c BringWindowToTop
0x417620 GetMessageW
0x417624 TranslateAcceleratorW
0x417628 TranslateMessage
0x41762c DispatchMessageW
0x417630 DestroyAcceleratorTable
0x417634 PostMessageW
0x417638 GetForegroundWindow
0x41763c GetWindowThreadProcessId
0x417640 IsWindowVisible
0x417644 EnumWindows
0x417648 SetWindowPos
GDI32.DLL
0x417650 GetStockObject
COMCTL32.DLL
0x417658 InitCommonControlsEx
SHELL32.DLL
0x417660 ShellExecuteExW
0x417664 SHGetFolderLocation
0x417668 SHGetPathFromIDListW
WINMM.DLL
0x417670 timeBeginPeriod
OLE32.DLL
0x417678 CoInitialize
0x41767c CoTaskMemFree
SHLWAPI.DLL
0x417684 PathAddBackslashW
0x417688 PathRenameExtensionW
0x41768c PathQuoteSpacesW
0x417690 PathRemoveArgsW
0x417694 PathRemoveBackslashW
EAT (Export Address Table) is none