ScreenShot
| Created | 2024.09.04 09:40 | Machine | s1_win7_x6403 |
| Filename | 2.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 55 detected (AIDetectMalware, Dump, malicious, high confidence, score, Artemis, Marte, Unsafe, Save, Attribute, HighConfidence, MalwareX, Shelm, aoig, Meterpreter, knzqsi, CLOUD, ovcfn, SWRORT, YXEFAZ, Detected, ai score=88, ABTrojan, XANZ, R633197, Chgt, Gencirc, GUXR2vUI3S4, Lotok, confidence, 100%) | ||
| md5 | 727d942e4c26b713b9498e8997fabf38 | ||
| sha256 | 9a312f6d3a5c24f60e7c5c54c3933424a3274a6ba84b03be4bf75f17aa297a93 | ||
| ssdeep | 6144:dvMtLmAKS+bKnkT2Run2qKVuIiEfHy1ivop5B6HSTj+m6mogOKPetND2orSiMW:d0UWZkqI2d85kQsmS+BmqW | ||
| imphash | 0009a11487b1cb0cc4dd5027762479f2 | ||
| impfuzzy | 24:QTF8078p8dYJgf3lDq+kEmlMblR95XG6qXZ8k1komvlxcqCZv:wn8pvGfI+kECslTJG6qJ8k1k1vkqg | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| info | One or more processes crashed |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x14000d28c CryptAcquireContextW
0x14000d294 CryptCreateHash
0x14000d29c CryptDecrypt
0x14000d2a4 CryptDeriveKey
0x14000d2ac CryptDestroyHash
0x14000d2b4 CryptDestroyKey
0x14000d2bc CryptHashData
0x14000d2c4 CryptReleaseContext
KERNEL32.dll
0x14000d2d4 DeleteCriticalSection
0x14000d2dc EnterCriticalSection
0x14000d2e4 FreeConsole
0x14000d2ec GetCurrentProcess
0x14000d2f4 GetCurrentThread
0x14000d2fc GetLastError
0x14000d304 GetModuleHandleA
0x14000d30c GetProcAddress
0x14000d314 GetStartupInfoA
0x14000d31c InitializeCriticalSection
0x14000d324 IsDBCSLeadByteEx
0x14000d32c LeaveCriticalSection
0x14000d334 MultiByteToWideChar
0x14000d33c SetUnhandledExceptionFilter
0x14000d344 Sleep
0x14000d34c TlsGetValue
0x14000d354 VirtualAlloc
0x14000d35c VirtualProtect
0x14000d364 VirtualQuery
0x14000d36c WideCharToMultiByte
msvcrt.dll
0x14000d37c __C_specific_handler
0x14000d384 ___lc_codepage_func
0x14000d38c ___mb_cur_max_func
0x14000d394 __getmainargs
0x14000d39c __initenv
0x14000d3a4 __iob_func
0x14000d3ac __lconv_init
0x14000d3b4 __set_app_type
0x14000d3bc __setusermatherr
0x14000d3c4 _acmdln
0x14000d3cc _amsg_exit
0x14000d3d4 _cexit
0x14000d3dc _commode
0x14000d3e4 _errno
0x14000d3ec _fmode
0x14000d3f4 _initterm
0x14000d3fc _lock
0x14000d404 _onexit
0x14000d40c _unlock
0x14000d414 abort
0x14000d41c calloc
0x14000d424 exit
0x14000d42c fprintf
0x14000d434 fputc
0x14000d43c free
0x14000d444 fwrite
0x14000d44c localeconv
0x14000d454 malloc
0x14000d45c memcpy
0x14000d464 signal
0x14000d46c strcmp
0x14000d474 strerror
0x14000d47c strlen
0x14000d484 strncmp
0x14000d48c vfprintf
0x14000d494 wcslen
ntdll.dll
0x14000d4a4 NtProtectVirtualMemory
EAT(Export Address Table) is none
ADVAPI32.dll
0x14000d28c CryptAcquireContextW
0x14000d294 CryptCreateHash
0x14000d29c CryptDecrypt
0x14000d2a4 CryptDeriveKey
0x14000d2ac CryptDestroyHash
0x14000d2b4 CryptDestroyKey
0x14000d2bc CryptHashData
0x14000d2c4 CryptReleaseContext
KERNEL32.dll
0x14000d2d4 DeleteCriticalSection
0x14000d2dc EnterCriticalSection
0x14000d2e4 FreeConsole
0x14000d2ec GetCurrentProcess
0x14000d2f4 GetCurrentThread
0x14000d2fc GetLastError
0x14000d304 GetModuleHandleA
0x14000d30c GetProcAddress
0x14000d314 GetStartupInfoA
0x14000d31c InitializeCriticalSection
0x14000d324 IsDBCSLeadByteEx
0x14000d32c LeaveCriticalSection
0x14000d334 MultiByteToWideChar
0x14000d33c SetUnhandledExceptionFilter
0x14000d344 Sleep
0x14000d34c TlsGetValue
0x14000d354 VirtualAlloc
0x14000d35c VirtualProtect
0x14000d364 VirtualQuery
0x14000d36c WideCharToMultiByte
msvcrt.dll
0x14000d37c __C_specific_handler
0x14000d384 ___lc_codepage_func
0x14000d38c ___mb_cur_max_func
0x14000d394 __getmainargs
0x14000d39c __initenv
0x14000d3a4 __iob_func
0x14000d3ac __lconv_init
0x14000d3b4 __set_app_type
0x14000d3bc __setusermatherr
0x14000d3c4 _acmdln
0x14000d3cc _amsg_exit
0x14000d3d4 _cexit
0x14000d3dc _commode
0x14000d3e4 _errno
0x14000d3ec _fmode
0x14000d3f4 _initterm
0x14000d3fc _lock
0x14000d404 _onexit
0x14000d40c _unlock
0x14000d414 abort
0x14000d41c calloc
0x14000d424 exit
0x14000d42c fprintf
0x14000d434 fputc
0x14000d43c free
0x14000d444 fwrite
0x14000d44c localeconv
0x14000d454 malloc
0x14000d45c memcpy
0x14000d464 signal
0x14000d46c strcmp
0x14000d474 strerror
0x14000d47c strlen
0x14000d484 strncmp
0x14000d48c vfprintf
0x14000d494 wcslen
ntdll.dll
0x14000d4a4 NtProtectVirtualMemory
EAT(Export Address Table) is none