| Field | Value |
|---|---|
| Created | 2024.09.30 12:00 |
| Machine | s1_win7_x6403 |
| Filename | whoami-unencrypted.exe |
| Type | PE32 executable (console) Intel 80386, for MS Windows |
| AI Score | Not found |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | 45 detected (AIDetectMalware, Meterpreter, Malicious, score, Infected, Unsafe, Veat, confidence, 100%, high confidence, MsfEncode, Metasploit, CLOUD, XPACK, R002C0DIR24, Swrort, Detected, Expiro, rsrc, HeurC, KVMH008, 4GKWGU, Rozena, Eldorado, R291649, GenericRXAA, TScope, Probably Heur, ExeHeaderL, Gencirc, PossibleThreat) |
| md5 | 29130d815c8858e5b133a2157ae90b91 |
| sha256 | 33021e02da3993c8d5f3cbddd73f10f5aac3dc29f8ca1a7d756ea2feadfe7483 |
| ssdeep | 768:7loK+uJzmK9+jvRpBq1RnvCKlA9idnvCKG:7eKrdmc+HB1KlAHKG |
| imphash | 0e73ec669a8245790d02f257deaa91e9 |
| impfuzzy | 24:vo2Es6etKPz59Uso5wBsvHExOGOoveRvtXDooB:Q2EB5b59KWBsBxFB |
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
| Request | CC | ASN Co | IP4 | Rule | ZERO |
|---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x1001000 IsValidSid
0x1001004 LookupPrivilegeDisplayNameW
0x1001008 LookupAccountSidW
0x100100c GetSidSubAuthority
0x1001010 GetSidSubAuthorityCount
0x1001014 GetSidIdentifierAuthority
0x1001018 LookupPrivilegeNameW
0x100101c CopySid
0x1001020 GetLengthSid
0x1001024 GetTokenInformation
0x1001028 OpenProcessToken
KERNEL32.dll
0x1001030 FormatMessageW
0x1001034 LoadLibraryExW
0x1001038 GetLastError
0x100103c CloseHandle
0x1001040 GetCurrentProcess
0x1001044 GetVersion
0x1001048 ExitProcess
0x100104c TerminateProcess
0x1001050 HeapFree
0x1001054 HeapReAlloc
0x1001058 HeapAlloc
0x100105c MultiByteToWideChar
0x1001060 RtlUnwind
0x1001064 UnhandledExceptionFilter
0x1001068 GetModuleFileNameW
0x100106c FreeEnvironmentStringsA
0x1001070 FreeEnvironmentStringsW
0x1001074 GetEnvironmentStrings
0x1001078 GetEnvironmentStringsW
0x100107c WideCharToMultiByte
0x1001080 GetCommandLineW
0x1001084 GetCommandLineA
0x1001088 SetHandleCount
0x100108c GetStdHandle
0x1001090 GetFileType
0x1001094 GetStartupInfoA
0x1001098 HeapDestroy
0x100109c HeapCreate
0x10010a0 VirtualFree
0x10010a4 WriteFile
0x10010a8 GetModuleFileNameA
0x10010ac VirtualAlloc
0x10010b0 GetProcAddress
0x10010b4 LoadLibraryA
0x10010b8 LCMapStringA
0x10010bc LCMapStringW
0x10010c0 FlushFileBuffers
0x10010c4 SetFilePointer
0x10010c8 GetStringTypeA
0x10010cc GetStringTypeW
0x10010d0 SetStdHandle
EAT (Export Address Table): none