ScreenShot
| Created | 2024.10.10 20:19 | Machine | s1_win7_x6401 |
| Filename | ngrok.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 25 detected (Common, Artemis, Unsafe, malicious, high confidence, a variant of WinGo, Ngrok, B potentially unsafe, NetTool, kpzzkb, Tool, Malware@#2bp5lll9ahpmh, BXHR66, susgen, Proxytool, Golang) | ||
| md5 | d0b7c78ee341e83d50b03cbd31e085ad | ||
| sha256 | d50c84c1fca607a10250be1d2e22ec95dfe48a1abfbff56ef0e2ca7160e26f78 | ||
| ssdeep | 393216:69q1NHrHlC/47rSfHocR5mMf31I/HXZlT12VQir+FKeLf:Iq1NHrFC/47r/tf | ||
| imphash | 07361a3a7f515bf56ca93120b2aca73b | ||
| impfuzzy | 24:ibVjh9wOcX13uTkkboVaXOr6kwmDgUPMztxdD1tr6tl:AwOcX13UjXOmokxp1Zol | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to create or modify system certificates |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe |
| watch | Wscript.exe initiated network communications indicative of a script based payload download |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Performs some HTTP requests |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (8cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | ftp_command | ftp command | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | wget_command | wget command | binaries (upload) |
PE API
IAT(Import Address Table) Library
kernel32.dll
0x1ec40a0 WriteFile
0x1ec40a8 WriteConsoleW
0x1ec40b0 WerSetFlags
0x1ec40b8 WerGetFlags
0x1ec40c0 WaitForMultipleObjects
0x1ec40c8 WaitForSingleObject
0x1ec40d0 VirtualQuery
0x1ec40d8 VirtualFree
0x1ec40e0 VirtualAlloc
0x1ec40e8 TlsAlloc
0x1ec40f0 SwitchToThread
0x1ec40f8 SuspendThread
0x1ec4100 SetWaitableTimer
0x1ec4108 SetThreadPriority
0x1ec4110 SetProcessPriorityBoost
0x1ec4118 SetEvent
0x1ec4120 SetErrorMode
0x1ec4128 SetConsoleCtrlHandler
0x1ec4130 RtlVirtualUnwind
0x1ec4138 RtlLookupFunctionEntry
0x1ec4140 ResumeThread
0x1ec4148 RaiseFailFastException
0x1ec4150 PostQueuedCompletionStatus
0x1ec4158 LoadLibraryW
0x1ec4160 LoadLibraryExW
0x1ec4168 SetThreadContext
0x1ec4170 GetThreadContext
0x1ec4178 GetSystemInfo
0x1ec4180 GetSystemDirectoryA
0x1ec4188 GetStdHandle
0x1ec4190 GetQueuedCompletionStatusEx
0x1ec4198 GetProcessAffinityMask
0x1ec41a0 GetProcAddress
0x1ec41a8 GetErrorMode
0x1ec41b0 GetEnvironmentStringsW
0x1ec41b8 GetCurrentThreadId
0x1ec41c0 GetConsoleMode
0x1ec41c8 FreeEnvironmentStringsW
0x1ec41d0 ExitProcess
0x1ec41d8 DuplicateHandle
0x1ec41e0 CreateWaitableTimerExW
0x1ec41e8 CreateWaitableTimerA
0x1ec41f0 CreateThread
0x1ec41f8 CreateIoCompletionPort
0x1ec4200 CreateFileA
0x1ec4208 CreateEventA
0x1ec4210 CloseHandle
0x1ec4218 AddVectoredExceptionHandler
0x1ec4220 AddVectoredContinueHandler
EAT(Export Address Table) is none
kernel32.dll
0x1ec40a0 WriteFile
0x1ec40a8 WriteConsoleW
0x1ec40b0 WerSetFlags
0x1ec40b8 WerGetFlags
0x1ec40c0 WaitForMultipleObjects
0x1ec40c8 WaitForSingleObject
0x1ec40d0 VirtualQuery
0x1ec40d8 VirtualFree
0x1ec40e0 VirtualAlloc
0x1ec40e8 TlsAlloc
0x1ec40f0 SwitchToThread
0x1ec40f8 SuspendThread
0x1ec4100 SetWaitableTimer
0x1ec4108 SetThreadPriority
0x1ec4110 SetProcessPriorityBoost
0x1ec4118 SetEvent
0x1ec4120 SetErrorMode
0x1ec4128 SetConsoleCtrlHandler
0x1ec4130 RtlVirtualUnwind
0x1ec4138 RtlLookupFunctionEntry
0x1ec4140 ResumeThread
0x1ec4148 RaiseFailFastException
0x1ec4150 PostQueuedCompletionStatus
0x1ec4158 LoadLibraryW
0x1ec4160 LoadLibraryExW
0x1ec4168 SetThreadContext
0x1ec4170 GetThreadContext
0x1ec4178 GetSystemInfo
0x1ec4180 GetSystemDirectoryA
0x1ec4188 GetStdHandle
0x1ec4190 GetQueuedCompletionStatusEx
0x1ec4198 GetProcessAffinityMask
0x1ec41a0 GetProcAddress
0x1ec41a8 GetErrorMode
0x1ec41b0 GetEnvironmentStringsW
0x1ec41b8 GetCurrentThreadId
0x1ec41c0 GetConsoleMode
0x1ec41c8 FreeEnvironmentStringsW
0x1ec41d0 ExitProcess
0x1ec41d8 DuplicateHandle
0x1ec41e0 CreateWaitableTimerExW
0x1ec41e8 CreateWaitableTimerA
0x1ec41f0 CreateThread
0x1ec41f8 CreateIoCompletionPort
0x1ec4200 CreateFileA
0x1ec4208 CreateEventA
0x1ec4210 CloseHandle
0x1ec4218 AddVectoredExceptionHandler
0x1ec4220 AddVectoredContinueHandler
EAT(Export Address Table) is none