Field | Value |
---|---|
Created | 2024.09.30 12:00 |
Machine | s1_win7_x6401 |
Filename | pesinislem.dll |
Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 5 detected (Malicious, score, Unsafe, Static AI, Suspicious PE) |
md5 | 408cbd2f988947ba74b8b3deb531ff7c |
sha256 | 82ab4c103d39070ab26850aef58cf8c7616570ace5f6c5e847c94bee8da2b8fc |
ssdeep | 6144:rnjG8uzTkT5JuHzBvG4PoXSTI6ihhglofiyLp7f:YzgT6tXQiM6ihJayLpD |
imphash | f00e92ab26ebbca78896863837da549f |
impfuzzy | 12:lYO/69ORA/D8RovfWqRifROReOoARL9nRgFd1sQo6:lJ10D2ovfJi5+eOBL9nMd1v |
Network IP location
Signature (6cnts)
Level | Description |
---|---|
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | File has been identified by 5 AntiVirus engines on VirusTotal as malicious |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
MSVCR71.dll
0xcff2048 _onexit
0xcff204c __dllonexit
0xcff2050 _except_handler3
0xcff2054 __CppXcptFilter
0xcff2058 _adjust_fdiv
0xcff205c malloc
0xcff2060 _initterm
0xcff2064 free
0xcff2068 _mbsrchr
0xcff206c _access
0xcff2070 isspace
KERNEL32.dll
0xcff2010 GetModuleFileNameA
0xcff2014 LoadLibraryA
0xcff2018 GetProcAddress
0xcff201c GetSystemDirectoryA
0xcff2020 lstrcatA
0xcff2024 GetCurrentDirectoryA
0xcff2028 lstrcpyA
0xcff202c LeaveCriticalSection
0xcff2030 FreeLibrary
0xcff2034 EnterCriticalSection
0xcff2038 DeleteCriticalSection
0xcff203c DisableThreadLibraryCalls
0xcff2040 InitializeCriticalSection
USER32.dll
0xcff2078 LoadStringA
ADVAPI32.dll
0xcff2000 RegCloseKey
0xcff2004 RegOpenKeyA
0xcff2008 RegQueryValueA
ole32.dll
0xcff2080 CoFreeUnusedLibraries
EAT(Export Address Table) Library
0xcff110d DllCanUnloadNow
0xcff1526 DllGetClassObject
0xcff1574 DllRegisterServer
0xcff159f DllUnregisterServer