ScreenShot
| Created | 2024.09.04 10:09 | Machine | s1_win7_x6403 |
| Filename | chrome.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 55 detected (AIDetectMalware, Cobalt, malicious, high confidence, score, Artemis, GenericKD, Unsafe, Save, Attribute, HighConfidence, InjectorX, Havoc, FmKscZQWeQD, CobaltSC, cjfbz, Static AI, Suspicious PE, Detected, ai score=87, CobaltStrike, ABTrojan, SQOE, R633197, Shellcoderunner, Chgt, Gencirc, LauVnyVY, susgen, PossibleThreat, confidence) | ||
| md5 | 67407557dfbdd3d71436f89d6d47897a | ||
| sha256 | a243e961a6855e3f81b913151a7bf96c82c4789b115c945d9f4cfb67cd704cfc | ||
| ssdeep | 12288:DC6OEfK2z1NfW+hvTYbMfd+sjjhtLpjES2XmemukxIz4mcpe2xt+:rOyK2z1NO+lYIfd+CjhtLpjgWnukI | ||
| imphash | bc3dde5bfd8628ae140056ffcca67115 | ||
| impfuzzy | 48:wn8pvzfMP+kp6kSslTJG6qTU3zk61vm/Gwbqgss60OI:wn8p7fMPrp6kSYTJGhojkM+bqgsJa | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x140120464 CryptAcquireContextW
0x14012046c CryptCreateHash
0x140120474 CryptDecrypt
0x14012047c CryptDeriveKey
0x140120484 CryptDestroyHash
0x14012048c CryptDestroyKey
0x140120494 CryptHashData
0x14012049c CryptReleaseContext
KERNEL32.dll
0x1401204ac CloseHandle
0x1401204b4 CreateSemaphoreW
0x1401204bc DeleteCriticalSection
0x1401204c4 EnterCriticalSection
0x1401204cc FreeConsole
0x1401204d4 GetCurrentProcess
0x1401204dc GetCurrentThreadId
0x1401204e4 GetLastError
0x1401204ec GetModuleHandleA
0x1401204f4 GetModuleHandleW
0x1401204fc GetProcAddress
0x140120504 GetStartupInfoA
0x14012050c InitializeCriticalSection
0x140120514 IsDBCSLeadByteEx
0x14012051c LeaveCriticalSection
0x140120524 LoadLibraryW
0x14012052c MultiByteToWideChar
0x140120534 RaiseException
0x14012053c ReleaseSemaphore
0x140120544 RtlCaptureContext
0x14012054c RtlLookupFunctionEntry
0x140120554 RtlUnwindEx
0x14012055c RtlVirtualUnwind
0x140120564 SetLastError
0x14012056c SetUnhandledExceptionFilter
0x140120574 Sleep
0x14012057c TlsAlloc
0x140120584 TlsFree
0x14012058c TlsGetValue
0x140120594 TlsSetValue
0x14012059c VirtualProtect
0x1401205a4 VirtualQuery
0x1401205ac WaitForSingleObject
0x1401205b4 WideCharToMultiByte
msvcrt.dll
0x1401205c4 __C_specific_handler
0x1401205cc ___lc_codepage_func
0x1401205d4 ___mb_cur_max_func
0x1401205dc __getmainargs
0x1401205e4 __initenv
0x1401205ec __iob_func
0x1401205f4 __lconv_init
0x1401205fc __set_app_type
0x140120604 __setusermatherr
0x14012060c _acmdln
0x140120614 _amsg_exit
0x14012061c _cexit
0x140120624 _commode
0x14012062c _errno
0x140120634 _filelengthi64
0x14012063c _fileno
0x140120644 _fmode
0x14012064c _fstat64
0x140120654 _initterm
0x14012065c _lock
0x140120664 _lseeki64
0x14012066c _onexit
0x140120674 _strnicmp
0x14012067c _unlock
0x140120684 _wfopen
0x14012068c abort
0x140120694 calloc
0x14012069c exit
0x1401206a4 fclose
0x1401206ac fflush
0x1401206b4 fgetpos
0x1401206bc fopen
0x1401206c4 fprintf
0x1401206cc fputc
0x1401206d4 fputs
0x1401206dc fread
0x1401206e4 free
0x1401206ec fsetpos
0x1401206f4 fwrite
0x1401206fc getc
0x140120704 getwc
0x14012070c isspace
0x140120714 iswctype
0x14012071c localeconv
0x140120724 malloc
0x14012072c memchr
0x140120734 memcmp
0x14012073c memcpy
0x140120744 memmove
0x14012074c memset
0x140120754 putc
0x14012075c putwc
0x140120764 realloc
0x14012076c setlocale
0x140120774 setvbuf
0x14012077c signal
0x140120784 strcmp
0x14012078c strcoll
0x140120794 strerror
0x14012079c strftime
0x1401207a4 strlen
0x1401207ac strncmp
0x1401207b4 strxfrm
0x1401207bc towlower
0x1401207c4 towupper
0x1401207cc ungetc
0x1401207d4 ungetwc
0x1401207dc vfprintf
0x1401207e4 wcscoll
0x1401207ec wcsftime
0x1401207f4 wcslen
0x1401207fc wcsxfrm
0x140120804 _write
0x14012080c _read
0x140120814 _fileno
0x14012081c _fdopen
0x140120824 _close
ntdll.dll
0x140120834 NtAllocateVirtualMemory
0x14012083c NtClose
0x140120844 NtCreateThreadEx
0x14012084c NtWaitForSingleObject
0x140120854 NtWriteVirtualMemory
EAT(Export Address Table) is none
ADVAPI32.dll
0x140120464 CryptAcquireContextW
0x14012046c CryptCreateHash
0x140120474 CryptDecrypt
0x14012047c CryptDeriveKey
0x140120484 CryptDestroyHash
0x14012048c CryptDestroyKey
0x140120494 CryptHashData
0x14012049c CryptReleaseContext
KERNEL32.dll
0x1401204ac CloseHandle
0x1401204b4 CreateSemaphoreW
0x1401204bc DeleteCriticalSection
0x1401204c4 EnterCriticalSection
0x1401204cc FreeConsole
0x1401204d4 GetCurrentProcess
0x1401204dc GetCurrentThreadId
0x1401204e4 GetLastError
0x1401204ec GetModuleHandleA
0x1401204f4 GetModuleHandleW
0x1401204fc GetProcAddress
0x140120504 GetStartupInfoA
0x14012050c InitializeCriticalSection
0x140120514 IsDBCSLeadByteEx
0x14012051c LeaveCriticalSection
0x140120524 LoadLibraryW
0x14012052c MultiByteToWideChar
0x140120534 RaiseException
0x14012053c ReleaseSemaphore
0x140120544 RtlCaptureContext
0x14012054c RtlLookupFunctionEntry
0x140120554 RtlUnwindEx
0x14012055c RtlVirtualUnwind
0x140120564 SetLastError
0x14012056c SetUnhandledExceptionFilter
0x140120574 Sleep
0x14012057c TlsAlloc
0x140120584 TlsFree
0x14012058c TlsGetValue
0x140120594 TlsSetValue
0x14012059c VirtualProtect
0x1401205a4 VirtualQuery
0x1401205ac WaitForSingleObject
0x1401205b4 WideCharToMultiByte
msvcrt.dll
0x1401205c4 __C_specific_handler
0x1401205cc ___lc_codepage_func
0x1401205d4 ___mb_cur_max_func
0x1401205dc __getmainargs
0x1401205e4 __initenv
0x1401205ec __iob_func
0x1401205f4 __lconv_init
0x1401205fc __set_app_type
0x140120604 __setusermatherr
0x14012060c _acmdln
0x140120614 _amsg_exit
0x14012061c _cexit
0x140120624 _commode
0x14012062c _errno
0x140120634 _filelengthi64
0x14012063c _fileno
0x140120644 _fmode
0x14012064c _fstat64
0x140120654 _initterm
0x14012065c _lock
0x140120664 _lseeki64
0x14012066c _onexit
0x140120674 _strnicmp
0x14012067c _unlock
0x140120684 _wfopen
0x14012068c abort
0x140120694 calloc
0x14012069c exit
0x1401206a4 fclose
0x1401206ac fflush
0x1401206b4 fgetpos
0x1401206bc fopen
0x1401206c4 fprintf
0x1401206cc fputc
0x1401206d4 fputs
0x1401206dc fread
0x1401206e4 free
0x1401206ec fsetpos
0x1401206f4 fwrite
0x1401206fc getc
0x140120704 getwc
0x14012070c isspace
0x140120714 iswctype
0x14012071c localeconv
0x140120724 malloc
0x14012072c memchr
0x140120734 memcmp
0x14012073c memcpy
0x140120744 memmove
0x14012074c memset
0x140120754 putc
0x14012075c putwc
0x140120764 realloc
0x14012076c setlocale
0x140120774 setvbuf
0x14012077c signal
0x140120784 strcmp
0x14012078c strcoll
0x140120794 strerror
0x14012079c strftime
0x1401207a4 strlen
0x1401207ac strncmp
0x1401207b4 strxfrm
0x1401207bc towlower
0x1401207c4 towupper
0x1401207cc ungetc
0x1401207d4 ungetwc
0x1401207dc vfprintf
0x1401207e4 wcscoll
0x1401207ec wcsftime
0x1401207f4 wcslen
0x1401207fc wcsxfrm
0x140120804 _write
0x14012080c _read
0x140120814 _fileno
0x14012081c _fdopen
0x140120824 _close
ntdll.dll
0x140120834 NtAllocateVirtualMemory
0x14012083c NtClose
0x140120844 NtCreateThreadEx
0x14012084c NtWaitForSingleObject
0x140120854 NtWriteVirtualMemory
EAT(Export Address Table) is none