ScreenShot
| Created | 2024.09.26 17:10 | Machine | s1_win7_x6401 |
| Filename | Lab03-01R.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 60 detected (AIDetectMalware, DarkKomet, Malicious, score, Jaik, Unsafe, Uztuby, iceq, confidence, 100%, many, Breut, high confidence, multiple detections, TrjGen, ktouq, aTi52B7gBv, Siggen3, Genome, ZAPCHAST, moderate, Static AI, Suspicious SFX, csmk, Detected, Fynloski, Malware@#ae6ry83a7u8k, Tiggre, Artemis, VBNA, Jqil, GenAsa, +1Vq5cvDPpo, susgen, WBNA) | ||
| md5 | 194c7354336c69313426c066719727a4 | ||
| sha256 | 7119a7520d128a656ed9be3e640830984baece051dd762a69621c7a28b70ae48 | ||
| ssdeep | 12288:8xaVAh64U5lygx6Ep8wSMvKviU8rxEAxDUtsT8:8xaVxr5BwE9B9C28T | ||
| imphash | 2b8c9d9ab6fefc247adaf927e83dcea6 | ||
| impfuzzy | 48:d/OaOnpwYvk1o7QWhEQN54lzvSv6pfn56UyLlotn6gxSY4jShXUXC+09ok/KA4FR:d/ZQwOV7QdTCWHdGaqUEfuKVP5D | ||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| watch | Creates known Fynloski/DarkComet files |
| watch | Installs itself for autorun at Windows startup |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | This executable has a PDB path |
Rules (22cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | lnk_file_format | Microsoft Windows Shortcut File Format | binaries (download) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
COMCTL32.dll
0x41302c InitCommonControlsEx
SHLWAPI.dll
0x4131bc SHAutoComplete
KERNEL32.dll
0x413068 DeleteFileW
0x41306c DeleteFileA
0x413070 CreateDirectoryA
0x413074 CreateDirectoryW
0x413078 FindClose
0x41307c FindNextFileA
0x413080 FindFirstFileA
0x413084 FindNextFileW
0x413088 FindFirstFileW
0x41308c GetTickCount
0x413090 WideCharToMultiByte
0x413094 GlobalAlloc
0x413098 GetVersionExW
0x41309c GetFullPathNameA
0x4130a0 GetFullPathNameW
0x4130a4 MultiByteToWideChar
0x4130a8 GetModuleFileNameW
0x4130ac FindResourceW
0x4130b0 GetModuleHandleW
0x4130b4 HeapAlloc
0x4130b8 GetProcessHeap
0x4130bc HeapFree
0x4130c0 HeapReAlloc
0x4130c4 CompareStringA
0x4130c8 ExitProcess
0x4130cc GetLocaleInfoW
0x4130d0 SetFileAttributesW
0x4130d4 DosDateTimeToFileTime
0x4130d8 GetDateFormatW
0x4130dc GetTimeFormatW
0x4130e0 FileTimeToSystemTime
0x4130e4 FileTimeToLocalFileTime
0x4130e8 ExpandEnvironmentStringsW
0x4130ec WaitForSingleObject
0x4130f0 Sleep
0x4130f4 GetExitCodeProcess
0x4130f8 GetTempPathW
0x4130fc MoveFileExW
0x413100 UnmapViewOfFile
0x413104 MapViewOfFile
0x413108 GetCommandLineW
0x41310c CreateFileMappingW
0x413110 SetEnvironmentVariableW
0x413114 OpenFileMappingW
0x413118 GetProcAddress
0x41311c LocalFileTimeToFileTime
0x413120 SystemTimeToFileTime
0x413124 GetSystemTime
0x413128 CompareStringW
0x41312c IsDBCSLeadByte
0x413130 GetCPInfo
0x413134 SetCurrentDirectoryW
0x413138 LoadLibraryW
0x41313c FreeLibrary
0x413140 SetFileAttributesA
0x413144 GetFileAttributesW
0x413148 GetFileAttributesA
0x41314c WriteFile
0x413150 GetStdHandle
0x413154 ReadFile
0x413158 CreateFileW
0x41315c GetCurrentDirectoryW
0x413160 CreateFileA
0x413164 GetFileType
0x413168 SetEndOfFile
0x41316c SetFilePointer
0x413170 MoveFileW
0x413174 SetFileTime
0x413178 GetCurrentProcess
0x41317c CloseHandle
0x413180 SetLastError
0x413184 GetLastError
0x413188 GetNumberFormatW
USER32.dll
0x4131c4 wvsprintfA
0x4131c8 wvsprintfW
0x4131cc ReleaseDC
0x4131d0 GetDC
0x4131d4 SendMessageW
0x4131d8 SetDlgItemTextW
0x4131dc SetFocus
0x4131e0 EndDialog
0x4131e4 DestroyIcon
0x4131e8 SendDlgItemMessageW
0x4131ec GetDlgItemTextW
0x4131f0 GetClassNameW
0x4131f4 DialogBoxParamW
0x4131f8 IsWindowVisible
0x4131fc WaitForInputIdle
0x413200 SetForegroundWindow
0x413204 GetSysColor
0x413208 PostMessageW
0x41320c LoadBitmapW
0x413210 LoadIconW
0x413214 CharToOemA
0x413218 OemToCharA
0x41321c GetParent
0x413220 MapWindowPoints
0x413224 CreateWindowExW
0x413228 UpdateWindow
0x41322c LoadCursorW
0x413230 RegisterClassExW
0x413234 SetWindowLongW
0x413238 GetWindowLongW
0x41323c DefWindowProcW
0x413240 PeekMessageW
0x413244 GetMessageW
0x413248 TranslateMessage
0x41324c DispatchMessageW
0x413250 DestroyWindow
0x413254 CopyRect
0x413258 IsWindow
0x41325c CharToOemBuffW
0x413260 MessageBoxW
0x413264 ShowWindow
0x413268 GetDlgItem
0x41326c EnableWindow
0x413270 OemToCharBuffA
0x413274 CharUpperA
0x413278 CharToOemBuffA
0x41327c LoadStringW
0x413280 SetWindowPos
0x413284 GetWindowTextW
0x413288 SetWindowTextW
0x41328c GetSystemMetrics
0x413290 GetWindow
0x413294 CharUpperW
0x413298 FindWindowExW
0x41329c GetWindowRect
0x4132a0 GetClientRect
GDI32.dll
0x413044 GetDeviceCaps
0x413048 GetObjectW
0x41304c CreateCompatibleBitmap
0x413050 SelectObject
0x413054 StretchBlt
0x413058 CreateCompatibleDC
0x41305c DeleteObject
0x413060 DeleteDC
COMDLG32.dll
0x413034 GetOpenFileNameW
0x413038 CommDlgExtendedError
0x41303c GetSaveFileNameW
ADVAPI32.dll
0x413000 RegOpenKeyExW
0x413004 LookupPrivilegeValueW
0x413008 RegQueryValueExW
0x41300c RegCreateKeyExW
0x413010 RegSetValueExW
0x413014 RegCloseKey
0x413018 SetFileSecurityW
0x41301c SetFileSecurityA
0x413020 OpenProcessToken
0x413024 AdjustTokenPrivileges
SHELL32.dll
0x413198 SHChangeNotify
0x41319c ShellExecuteExW
0x4131a0 SHFileOperationW
0x4131a4 SHGetFileInfoW
0x4131a8 SHGetSpecialFolderLocation
0x4131ac SHGetMalloc
0x4131b0 SHBrowseForFolderW
0x4131b4 SHGetPathFromIDListW
ole32.dll
0x4132a8 OleUninitialize
0x4132ac OleInitialize
0x4132b0 CoCreateInstance
0x4132b4 CreateStreamOnHGlobal
0x4132b8 CLSIDFromString
OLEAUT32.dll
0x413190 VariantInit
EAT(Export Address Table) Library
COMCTL32.dll
0x41302c InitCommonControlsEx
SHLWAPI.dll
0x4131bc SHAutoComplete
KERNEL32.dll
0x413068 DeleteFileW
0x41306c DeleteFileA
0x413070 CreateDirectoryA
0x413074 CreateDirectoryW
0x413078 FindClose
0x41307c FindNextFileA
0x413080 FindFirstFileA
0x413084 FindNextFileW
0x413088 FindFirstFileW
0x41308c GetTickCount
0x413090 WideCharToMultiByte
0x413094 GlobalAlloc
0x413098 GetVersionExW
0x41309c GetFullPathNameA
0x4130a0 GetFullPathNameW
0x4130a4 MultiByteToWideChar
0x4130a8 GetModuleFileNameW
0x4130ac FindResourceW
0x4130b0 GetModuleHandleW
0x4130b4 HeapAlloc
0x4130b8 GetProcessHeap
0x4130bc HeapFree
0x4130c0 HeapReAlloc
0x4130c4 CompareStringA
0x4130c8 ExitProcess
0x4130cc GetLocaleInfoW
0x4130d0 SetFileAttributesW
0x4130d4 DosDateTimeToFileTime
0x4130d8 GetDateFormatW
0x4130dc GetTimeFormatW
0x4130e0 FileTimeToSystemTime
0x4130e4 FileTimeToLocalFileTime
0x4130e8 ExpandEnvironmentStringsW
0x4130ec WaitForSingleObject
0x4130f0 Sleep
0x4130f4 GetExitCodeProcess
0x4130f8 GetTempPathW
0x4130fc MoveFileExW
0x413100 UnmapViewOfFile
0x413104 MapViewOfFile
0x413108 GetCommandLineW
0x41310c CreateFileMappingW
0x413110 SetEnvironmentVariableW
0x413114 OpenFileMappingW
0x413118 GetProcAddress
0x41311c LocalFileTimeToFileTime
0x413120 SystemTimeToFileTime
0x413124 GetSystemTime
0x413128 CompareStringW
0x41312c IsDBCSLeadByte
0x413130 GetCPInfo
0x413134 SetCurrentDirectoryW
0x413138 LoadLibraryW
0x41313c FreeLibrary
0x413140 SetFileAttributesA
0x413144 GetFileAttributesW
0x413148 GetFileAttributesA
0x41314c WriteFile
0x413150 GetStdHandle
0x413154 ReadFile
0x413158 CreateFileW
0x41315c GetCurrentDirectoryW
0x413160 CreateFileA
0x413164 GetFileType
0x413168 SetEndOfFile
0x41316c SetFilePointer
0x413170 MoveFileW
0x413174 SetFileTime
0x413178 GetCurrentProcess
0x41317c CloseHandle
0x413180 SetLastError
0x413184 GetLastError
0x413188 GetNumberFormatW
USER32.dll
0x4131c4 wvsprintfA
0x4131c8 wvsprintfW
0x4131cc ReleaseDC
0x4131d0 GetDC
0x4131d4 SendMessageW
0x4131d8 SetDlgItemTextW
0x4131dc SetFocus
0x4131e0 EndDialog
0x4131e4 DestroyIcon
0x4131e8 SendDlgItemMessageW
0x4131ec GetDlgItemTextW
0x4131f0 GetClassNameW
0x4131f4 DialogBoxParamW
0x4131f8 IsWindowVisible
0x4131fc WaitForInputIdle
0x413200 SetForegroundWindow
0x413204 GetSysColor
0x413208 PostMessageW
0x41320c LoadBitmapW
0x413210 LoadIconW
0x413214 CharToOemA
0x413218 OemToCharA
0x41321c GetParent
0x413220 MapWindowPoints
0x413224 CreateWindowExW
0x413228 UpdateWindow
0x41322c LoadCursorW
0x413230 RegisterClassExW
0x413234 SetWindowLongW
0x413238 GetWindowLongW
0x41323c DefWindowProcW
0x413240 PeekMessageW
0x413244 GetMessageW
0x413248 TranslateMessage
0x41324c DispatchMessageW
0x413250 DestroyWindow
0x413254 CopyRect
0x413258 IsWindow
0x41325c CharToOemBuffW
0x413260 MessageBoxW
0x413264 ShowWindow
0x413268 GetDlgItem
0x41326c EnableWindow
0x413270 OemToCharBuffA
0x413274 CharUpperA
0x413278 CharToOemBuffA
0x41327c LoadStringW
0x413280 SetWindowPos
0x413284 GetWindowTextW
0x413288 SetWindowTextW
0x41328c GetSystemMetrics
0x413290 GetWindow
0x413294 CharUpperW
0x413298 FindWindowExW
0x41329c GetWindowRect
0x4132a0 GetClientRect
GDI32.dll
0x413044 GetDeviceCaps
0x413048 GetObjectW
0x41304c CreateCompatibleBitmap
0x413050 SelectObject
0x413054 StretchBlt
0x413058 CreateCompatibleDC
0x41305c DeleteObject
0x413060 DeleteDC
COMDLG32.dll
0x413034 GetOpenFileNameW
0x413038 CommDlgExtendedError
0x41303c GetSaveFileNameW
ADVAPI32.dll
0x413000 RegOpenKeyExW
0x413004 LookupPrivilegeValueW
0x413008 RegQueryValueExW
0x41300c RegCreateKeyExW
0x413010 RegSetValueExW
0x413014 RegCloseKey
0x413018 SetFileSecurityW
0x41301c SetFileSecurityA
0x413020 OpenProcessToken
0x413024 AdjustTokenPrivileges
SHELL32.dll
0x413198 SHChangeNotify
0x41319c ShellExecuteExW
0x4131a0 SHFileOperationW
0x4131a4 SHGetFileInfoW
0x4131a8 SHGetSpecialFolderLocation
0x4131ac SHGetMalloc
0x4131b0 SHBrowseForFolderW
0x4131b4 SHGetPathFromIDListW
ole32.dll
0x4132a8 OleUninitialize
0x4132ac OleInitialize
0x4132b0 CoCreateInstance
0x4132b4 CreateStreamOnHGlobal
0x4132b8 CLSIDFromString
OLEAUT32.dll
0x413190 VariantInit
EAT(Export Address Table) Library