ScreenShot
| Created | 2024.09.17 13:40 | Machine | s1_win7_x6401 |
| Filename | cmd.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 61 detected (AIDetectMalware, CobaltStrike, Malicious, score, Cometer, Dump, Beacon, Marte, Unsafe, confidence, 100%, CobalStrike, Cobalt, Windows, Artifact, CLASSIC, AGEN, Meterpreter, COBEACON, Static AI, Malicious PE, Detected, Kryptik, Eldorado, R611870, FWTM, GdSda) | ||
| md5 | 567381ee89c758794e9c619262885899 | ||
| sha256 | 8b3f9e03355126225924ed8112b7916e0dddc260dee74c4fb72b02f6ea76bb58 | ||
| ssdeep | 6144:sIwCP2l6T3Sxa3Kv/iSFA3OsRlPno0xwCQQr61CGcHKN32jdVG5UrrSD:Qbu3oDiSubFwCQQjdVear | ||
| imphash | 147442e63270e287ed57d33257638324 | ||
| impfuzzy | 24:Q2kfg1JlDzncJ9aa0mezlMG95XGDZykoDquQZn:gfg1jcJbezlRJGVykoqz | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 61 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x454224 CloseHandle
0x45422c ConnectNamedPipe
0x454234 CreateFileA
0x45423c CreateNamedPipeA
0x454244 CreateThread
0x45424c DeleteCriticalSection
0x454254 EnterCriticalSection
0x45425c GetCurrentProcess
0x454264 GetCurrentProcessId
0x45426c GetCurrentThreadId
0x454274 GetLastError
0x45427c GetModuleHandleA
0x454284 GetProcAddress
0x45428c GetStartupInfoA
0x454294 GetSystemTimeAsFileTime
0x45429c GetTickCount
0x4542a4 InitializeCriticalSection
0x4542ac LeaveCriticalSection
0x4542b4 QueryPerformanceCounter
0x4542bc ReadFile
0x4542c4 RtlAddFunctionTable
0x4542cc RtlCaptureContext
0x4542d4 RtlLookupFunctionEntry
0x4542dc RtlVirtualUnwind
0x4542e4 SetUnhandledExceptionFilter
0x4542ec Sleep
0x4542f4 TerminateProcess
0x4542fc TlsGetValue
0x454304 UnhandledExceptionFilter
0x45430c VirtualAlloc
0x454314 VirtualProtect
0x45431c VirtualQuery
0x454324 WriteFile
msvcrt.dll
0x454334 __C_specific_handler
0x45433c __getmainargs
0x454344 __initenv
0x45434c __iob_func
0x454354 __lconv_init
0x45435c __set_app_type
0x454364 __setusermatherr
0x45436c _acmdln
0x454374 _amsg_exit
0x45437c _cexit
0x454384 _fmode
0x45438c _initterm
0x454394 _onexit
0x45439c abort
0x4543a4 calloc
0x4543ac exit
0x4543b4 fprintf
0x4543bc free
0x4543c4 fwrite
0x4543cc malloc
0x4543d4 memcpy
0x4543dc signal
0x4543e4 sprintf
0x4543ec strlen
0x4543f4 strncmp
0x4543fc vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x454224 CloseHandle
0x45422c ConnectNamedPipe
0x454234 CreateFileA
0x45423c CreateNamedPipeA
0x454244 CreateThread
0x45424c DeleteCriticalSection
0x454254 EnterCriticalSection
0x45425c GetCurrentProcess
0x454264 GetCurrentProcessId
0x45426c GetCurrentThreadId
0x454274 GetLastError
0x45427c GetModuleHandleA
0x454284 GetProcAddress
0x45428c GetStartupInfoA
0x454294 GetSystemTimeAsFileTime
0x45429c GetTickCount
0x4542a4 InitializeCriticalSection
0x4542ac LeaveCriticalSection
0x4542b4 QueryPerformanceCounter
0x4542bc ReadFile
0x4542c4 RtlAddFunctionTable
0x4542cc RtlCaptureContext
0x4542d4 RtlLookupFunctionEntry
0x4542dc RtlVirtualUnwind
0x4542e4 SetUnhandledExceptionFilter
0x4542ec Sleep
0x4542f4 TerminateProcess
0x4542fc TlsGetValue
0x454304 UnhandledExceptionFilter
0x45430c VirtualAlloc
0x454314 VirtualProtect
0x45431c VirtualQuery
0x454324 WriteFile
msvcrt.dll
0x454334 __C_specific_handler
0x45433c __getmainargs
0x454344 __initenv
0x45434c __iob_func
0x454354 __lconv_init
0x45435c __set_app_type
0x454364 __setusermatherr
0x45436c _acmdln
0x454374 _amsg_exit
0x45437c _cexit
0x454384 _fmode
0x45438c _initterm
0x454394 _onexit
0x45439c abort
0x4543a4 calloc
0x4543ac exit
0x4543b4 fprintf
0x4543bc free
0x4543c4 fwrite
0x4543cc malloc
0x4543d4 memcpy
0x4543dc signal
0x4543e4 sprintf
0x4543ec strlen
0x4543f4 strncmp
0x4543fc vfprintf
EAT(Export Address Table) is none