ScreenShot
| Created | 2024.09.30 09:30 | Machine | s1_win7_x6401 |
| Filename | selena2.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 42 detected (AIDetectMalware, Havoc, Artemis, Unsafe, Vo2t, malicious, confidence, Attribute, HighConfidence, high confidence, score, Generic Reputation PUA, yzifm, Wacatac, TBBDIJ, Detected, R633197, Gencirc) | ||
| md5 | 229111fbcdda2ea5c476e2a405cf6f37 | ||
| sha256 | b24e7c066b84d327678fea4ddefafb2db2fe2002e17a81845ad5f2fb38d4f444 | ||
| ssdeep | 12288:rg32CTDjNG89PdJvG74VeCzuKVICp5qN2W3eqSQA/JfkQAOVmzW5/:rS2CT3NLVJO74VrqSQAVFArk/ | ||
| imphash | db4c8e921a38f2717d51d8f93919459b | ||
| impfuzzy | 48:wn8pvMf39KgG+kubkCxOslJJGfqTU/k61vm/Giaqgsl6qOI:wn8pUf3dGrubkCoYJJGyo/kMYaqgs4w | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x140100478 CryptAcquireContextW
0x140100480 CryptCreateHash
0x140100488 CryptDecrypt
0x140100490 CryptDeriveKey
0x140100498 CryptDestroyHash
0x1401004a0 CryptDestroyKey
0x1401004a8 CryptHashData
0x1401004b0 CryptReleaseContext
KERNEL32.dll
0x1401004c0 CloseHandle
0x1401004c8 DeleteCriticalSection
0x1401004d0 EnterCriticalSection
0x1401004d8 FormatMessageA
0x1401004e0 FreeConsole
0x1401004e8 GetCurrentProcess
0x1401004f0 GetLastError
0x1401004f8 GetModuleHandleA
0x140100500 GetModuleHandleW
0x140100508 GetProcAddress
0x140100510 GetSystemTimeAsFileTime
0x140100518 GetThreadId
0x140100520 InitializeConditionVariable
0x140100528 InitializeCriticalSection
0x140100530 IsDBCSLeadByteEx
0x140100538 LeaveCriticalSection
0x140100540 LoadLibraryW
0x140100548 LocalFree
0x140100550 MultiByteToWideChar
0x140100558 RaiseException
0x140100560 RtlCaptureContext
0x140100568 RtlLookupFunctionEntry
0x140100570 RtlUnwindEx
0x140100578 RtlVirtualUnwind
0x140100580 SetLastError
0x140100588 SetUnhandledExceptionFilter
0x140100590 Sleep
0x140100598 SleepConditionVariableCS
0x1401005a0 TlsAlloc
0x1401005a8 TlsFree
0x1401005b0 TlsGetValue
0x1401005b8 TlsSetValue
0x1401005c0 TryEnterCriticalSection
0x1401005c8 VirtualProtect
0x1401005d0 VirtualQuery
0x1401005d8 WakeAllConditionVariable
0x1401005e0 WakeConditionVariable
0x1401005e8 WideCharToMultiByte
msvcrt.dll
0x1401005f8 __C_specific_handler
0x140100600 ___lc_codepage_func
0x140100608 ___mb_cur_max_func
0x140100610 __getmainargs
0x140100618 __initenv
0x140100620 __iob_func
0x140100628 __set_app_type
0x140100630 __setusermatherr
0x140100638 _amsg_exit
0x140100640 _cexit
0x140100648 _commode
0x140100650 _errno
0x140100658 _filelengthi64
0x140100660 _fileno
0x140100668 _fmode
0x140100670 _fstat64
0x140100678 _initterm
0x140100680 _lock
0x140100688 _lseeki64
0x140100690 _onexit
0x140100698 _unlock
0x1401006a0 _wfopen
0x1401006a8 abort
0x1401006b0 calloc
0x1401006b8 exit
0x1401006c0 fclose
0x1401006c8 fflush
0x1401006d0 fgetpos
0x1401006d8 fopen
0x1401006e0 fprintf
0x1401006e8 fputc
0x1401006f0 fputs
0x1401006f8 fread
0x140100700 free
0x140100708 fsetpos
0x140100710 fwrite
0x140100718 getc
0x140100720 getenv
0x140100728 getwc
0x140100730 iswctype
0x140100738 localeconv
0x140100740 malloc
0x140100748 memchr
0x140100750 memcmp
0x140100758 memcpy
0x140100760 memmove
0x140100768 memset
0x140100770 putc
0x140100778 putwc
0x140100780 realloc
0x140100788 setlocale
0x140100790 setvbuf
0x140100798 signal
0x1401007a0 strchr
0x1401007a8 strcmp
0x1401007b0 strcoll
0x1401007b8 strerror
0x1401007c0 strftime
0x1401007c8 strlen
0x1401007d0 strncmp
0x1401007d8 strtoul
0x1401007e0 strxfrm
0x1401007e8 towlower
0x1401007f0 towupper
0x1401007f8 ungetc
0x140100800 ungetwc
0x140100808 vfprintf
0x140100810 wcscoll
0x140100818 wcsftime
0x140100820 wcslen
0x140100828 wcsxfrm
0x140100830 _write
0x140100838 _read
0x140100840 _fileno
0x140100848 _fdopen
ntdll.dll
0x140100858 NtAllocateVirtualMemory
0x140100860 NtClose
0x140100868 NtCreateThreadEx
0x140100870 NtWaitForSingleObject
0x140100878 NtWriteVirtualMemory
EAT(Export Address Table) is none
ADVAPI32.dll
0x140100478 CryptAcquireContextW
0x140100480 CryptCreateHash
0x140100488 CryptDecrypt
0x140100490 CryptDeriveKey
0x140100498 CryptDestroyHash
0x1401004a0 CryptDestroyKey
0x1401004a8 CryptHashData
0x1401004b0 CryptReleaseContext
KERNEL32.dll
0x1401004c0 CloseHandle
0x1401004c8 DeleteCriticalSection
0x1401004d0 EnterCriticalSection
0x1401004d8 FormatMessageA
0x1401004e0 FreeConsole
0x1401004e8 GetCurrentProcess
0x1401004f0 GetLastError
0x1401004f8 GetModuleHandleA
0x140100500 GetModuleHandleW
0x140100508 GetProcAddress
0x140100510 GetSystemTimeAsFileTime
0x140100518 GetThreadId
0x140100520 InitializeConditionVariable
0x140100528 InitializeCriticalSection
0x140100530 IsDBCSLeadByteEx
0x140100538 LeaveCriticalSection
0x140100540 LoadLibraryW
0x140100548 LocalFree
0x140100550 MultiByteToWideChar
0x140100558 RaiseException
0x140100560 RtlCaptureContext
0x140100568 RtlLookupFunctionEntry
0x140100570 RtlUnwindEx
0x140100578 RtlVirtualUnwind
0x140100580 SetLastError
0x140100588 SetUnhandledExceptionFilter
0x140100590 Sleep
0x140100598 SleepConditionVariableCS
0x1401005a0 TlsAlloc
0x1401005a8 TlsFree
0x1401005b0 TlsGetValue
0x1401005b8 TlsSetValue
0x1401005c0 TryEnterCriticalSection
0x1401005c8 VirtualProtect
0x1401005d0 VirtualQuery
0x1401005d8 WakeAllConditionVariable
0x1401005e0 WakeConditionVariable
0x1401005e8 WideCharToMultiByte
msvcrt.dll
0x1401005f8 __C_specific_handler
0x140100600 ___lc_codepage_func
0x140100608 ___mb_cur_max_func
0x140100610 __getmainargs
0x140100618 __initenv
0x140100620 __iob_func
0x140100628 __set_app_type
0x140100630 __setusermatherr
0x140100638 _amsg_exit
0x140100640 _cexit
0x140100648 _commode
0x140100650 _errno
0x140100658 _filelengthi64
0x140100660 _fileno
0x140100668 _fmode
0x140100670 _fstat64
0x140100678 _initterm
0x140100680 _lock
0x140100688 _lseeki64
0x140100690 _onexit
0x140100698 _unlock
0x1401006a0 _wfopen
0x1401006a8 abort
0x1401006b0 calloc
0x1401006b8 exit
0x1401006c0 fclose
0x1401006c8 fflush
0x1401006d0 fgetpos
0x1401006d8 fopen
0x1401006e0 fprintf
0x1401006e8 fputc
0x1401006f0 fputs
0x1401006f8 fread
0x140100700 free
0x140100708 fsetpos
0x140100710 fwrite
0x140100718 getc
0x140100720 getenv
0x140100728 getwc
0x140100730 iswctype
0x140100738 localeconv
0x140100740 malloc
0x140100748 memchr
0x140100750 memcmp
0x140100758 memcpy
0x140100760 memmove
0x140100768 memset
0x140100770 putc
0x140100778 putwc
0x140100780 realloc
0x140100788 setlocale
0x140100790 setvbuf
0x140100798 signal
0x1401007a0 strchr
0x1401007a8 strcmp
0x1401007b0 strcoll
0x1401007b8 strerror
0x1401007c0 strftime
0x1401007c8 strlen
0x1401007d0 strncmp
0x1401007d8 strtoul
0x1401007e0 strxfrm
0x1401007e8 towlower
0x1401007f0 towupper
0x1401007f8 ungetc
0x140100800 ungetwc
0x140100808 vfprintf
0x140100810 wcscoll
0x140100818 wcsftime
0x140100820 wcslen
0x140100828 wcsxfrm
0x140100830 _write
0x140100838 _read
0x140100840 _fileno
0x140100848 _fdopen
ntdll.dll
0x140100858 NtAllocateVirtualMemory
0x140100860 NtClose
0x140100868 NtCreateThreadEx
0x140100870 NtWaitForSingleObject
0x140100878 NtWriteVirtualMemory
EAT(Export Address Table) is none