Field | Value |
---|---|
Created | 2024.09.30 11:42 |
Machine | s1_win7_x6403 |
Filename | 1.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 62 detected (AIDetectMalware, CobaltStrike, Malicious, score, Dump, Marte, Unsafe, confidence, 100%, Genus, Cobalt, Windows, Artifact, CLASSIC, AGEN, COBEACON, Static AI, Malicious PE, CozyDuke, Detected, Kryptik, Malware@#1bbb05n8tpb2i, R363496, GdSda, Cobalstrike, susgen) |
md5 | 5cebc6552eb1d0665391ddbe8a25bfff |
sha256 | 2d4791c66db346075cc3811dedc19b66cdda13d8deb7ef3c5aa44843e8e61597 |
ssdeep | 192:wV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2bG2IZB0EaFWF8qa1Dojjgi:SqaCF31cix+Dc4zjsq9aoFF46gi |
imphash | 147442e63270e287ed57d33257638324 |
impfuzzy | 24:Q2kfg1JlDzncJ9aa0mezlMG95XGDZykoDquQZn:gfg1jcJbezlRJGVykoqz |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 62 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
info | One or more processes crashed |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x409224 CloseHandle
0x40922c ConnectNamedPipe
0x409234 CreateFileA
0x40923c CreateNamedPipeA
0x409244 CreateThread
0x40924c DeleteCriticalSection
0x409254 EnterCriticalSection
0x40925c GetCurrentProcess
0x409264 GetCurrentProcessId
0x40926c GetCurrentThreadId
0x409274 GetLastError
0x40927c GetModuleHandleA
0x409284 GetProcAddress
0x40928c GetStartupInfoA
0x409294 GetSystemTimeAsFileTime
0x40929c GetTickCount
0x4092a4 InitializeCriticalSection
0x4092ac LeaveCriticalSection
0x4092b4 QueryPerformanceCounter
0x4092bc ReadFile
0x4092c4 RtlAddFunctionTable
0x4092cc RtlCaptureContext
0x4092d4 RtlLookupFunctionEntry
0x4092dc RtlVirtualUnwind
0x4092e4 SetUnhandledExceptionFilter
0x4092ec Sleep
0x4092f4 TerminateProcess
0x4092fc TlsGetValue
0x409304 UnhandledExceptionFilter
0x40930c VirtualAlloc
0x409314 VirtualProtect
0x40931c VirtualQuery
0x409324 WriteFile
msvcrt.dll
0x409334 __C_specific_handler
0x40933c __getmainargs
0x409344 __initenv
0x40934c __iob_func
0x409354 __lconv_init
0x40935c __set_app_type
0x409364 __setusermatherr
0x40936c _acmdln
0x409374 _amsg_exit
0x40937c _cexit
0x409384 _fmode
0x40938c _initterm
0x409394 _onexit
0x40939c abort
0x4093a4 calloc
0x4093ac exit
0x4093b4 fprintf
0x4093bc free
0x4093c4 fwrite
0x4093cc malloc
0x4093d4 memcpy
0x4093dc signal
0x4093e4 sprintf
0x4093ec strlen
0x4093f4 strncmp
0x4093fc vfprintf
EAT(Export Address Table) is none