ScreenShot
| Field | Value |
|---|---|
| Created | 2024.10.12 18:49 |
| Machine | s1_win7_x6401 |
| Filename | 670937a58778f_LisioFirendes.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | 42 detected (AIDetectMalware, Malicious, score, Artemis, Unsafe, Kryptik, V6up, confidence, 100%, Fragtor, Attribute, HighConfidence, high confidence, GenKryptik, HCOM, MalwareX, ccmw, CLASSIC, gzald, Inject5, Static AI, Malicious PE, Detected, StealerC, LummaC, B2PJVE, Eldorado, R671869, Outbreak, FalseSign, Usmw, AZS2XJC) |
| md5 | de14925632f91bdb33ca3333a51c20c0 |
| sha256 | e872fb46fab0d28820724db2eeb713034898a37fd329c864c3ce6d81bc9f5a77 |
| ssdeep | 12288:MUy3mrhjemAXqXS09B9AqIQrWeHo+y4dfU0uOPgkXwB7sGYtBA:Ml3YCOAqvHoAUInXEn |
| imphash | 123e239a3e28f0916ec222eaf58ca968 |
| impfuzzy | 24:cpOcpVWZttlS14GhlJBlTeDYoBDZMv5GMAkpOovbOPZu:3cpVettlS14GnlLKZGk3k |
Signature (13cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
info | The file contains an unknown PE resource name possibly indicative of a packer |
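The five "watch"/"danger" rows above are the individual steps of one remote-injection chain: allocate executable memory in another process, write a payload into it, rewrite a thread's context with NtSetContextThread, then resume the suspended thread. The detector below reconstructs that chain from an API trace and grades it the way the sandbox does. It is an added example, not code from the sandbox or the report; the `pid api key=value` trace format and the process IDs in `SAMPLE_TRACE` are constructed stand-ins for a real sandbox log, not any sandbox's schema.

```python
"""Flag the remote-injection chain the sandbox signatures describe: executable
memory allocated in another process, a payload written into it, the target's
thread context rewritten, and the suspended thread resumed.

Added example; it is not part of the sandbox report. The trace format
("pid api key=value ...") is a constructed stand-in for a sandbox API log."""
from collections import defaultdict

# Win32 page-protection bits that grant execute.
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE
CREATE_SUSPENDED = 0x4

# Constructed trace: process 1234 hollows a suspended child 4321 and also
# unpacks into RWX memory of its own; process 5678 only touches its own
# read-write memory, which is benign.
SAMPLE_TRACE = """\
1234 CreateProcessW image=C:\\Windows\\SysWOW64\\svchost.exe flags=0x4 child_pid=4321
1234 NtAllocateVirtualMemory target_pid=4321 protect=0x40 size=0x12000
1234 NtWriteVirtualMemory target_pid=4321 size=0x11f00
1234 NtSetContextThread target_pid=4321 tid=4444
1234 NtResumeThread target_pid=4321 tid=4444
1234 VirtualAlloc target_pid=1234 protect=0x40 size=0x8000
5678 NtAllocateVirtualMemory target_pid=5678 protect=0x04 size=0x1000
5678 NtWriteVirtualMemory target_pid=5678 size=0x1000
"""

# Each API maps to the injection stage it implements (Nt* and Win32 spellings).
STAGE_FOR_API = {
    "NtAllocateVirtualMemory": "exec_alloc", "VirtualAllocEx": "exec_alloc",
    "VirtualAlloc": "exec_alloc",
    "NtWriteVirtualMemory": "write", "WriteProcessMemory": "write",
    "NtSetContextThread": "set_context", "SetThreadContext": "set_context",
    "NtResumeThread": "resume", "ResumeThread": "resume",
}


def parse_trace(text):
    """Turn 'pid api k=v k=v' lines into dicts; argument values stay strings."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        args = dict(item.partition("=")[::2] for item in fields[2:])
        events.append({"pid": int(fields[0]), "api": fields[1], "args": args})
    return events


def detect_injection(events):
    """Return ({(actor_pid, target_pid): {"level", "stages"}}, {pids that made
    executable memory in themselves}). Stages count as remote only when the
    target is a different process; self-allocated RWX is the unpacking case."""
    remote = defaultdict(set)
    local_rwx = set()
    for ev in events:
        pid, api, args = ev["pid"], ev["api"], ev["args"]
        if api in ("CreateProcessW", "CreateProcessA"):
            if int(args.get("flags", "0"), 0) & CREATE_SUSPENDED:
                remote[(pid, int(args["child_pid"]))].add("create_suspended")
            continue
        stage = STAGE_FOR_API.get(api)
        if stage is None:
            continue
        target = int(args.get("target_pid", pid))
        if stage == "exec_alloc":
            if not int(args.get("protect", "0"), 0) & EXEC_MASK:
                continue  # non-executable allocation: not interesting here
            if target == pid:
                local_rwx.add(pid)
                continue
        if target == pid:
            continue  # writes or thread operations on its own process
        remote[(pid, target)].add(stage)

    findings = {}
    for key, stages in remote.items():
        if {"exec_alloc", "write"} <= stages and stages & {"set_context", "resume"}:
            level = "danger"  # full allocate -> write -> hijack-thread chain
        elif stages & {"exec_alloc", "write", "set_context", "resume"}:
            level = "watch"   # partial chain, like the individual 'watch' rows
        else:
            level = "info"    # only a suspended child so far
        findings[key] = {"level": level, "stages": stages}
    return findings, local_rwx


if __name__ == "__main__":
    found, rwx = detect_injection(parse_trace(SAMPLE_TRACE))
    for (src, dst), f in found.items():
        print(f"{f['level']}: pid {src} -> pid {dst}: {sorted(f['stages'])}")
    print("self RWX (unpacking?):", sorted(rwx))
```

Grading on the combination rather than on any single call is what separates a hollowing chain from the many legitimate callers of these APIs (debuggers, AV, installers); a lone `VirtualAllocEx` is noise, allocate plus write plus thread hijack against one target is not.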
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table)
USER32.dll
0x42312c ShowWindow
KERNEL32.dll
0x423000 LoadLibraryExW
0x423004 CreateFileW
0x423008 GetConsoleWindow
0x42300c TlsGetValue
0x423010 MultiByteToWideChar
0x423014 GetStringTypeW
0x423018 WideCharToMultiByte
0x42301c EnterCriticalSection
0x423020 LeaveCriticalSection
0x423024 InitializeCriticalSectionEx
0x423028 DeleteCriticalSection
0x42302c EncodePointer
0x423030 DecodePointer
0x423034 LCMapStringEx
0x423038 GetCPInfo
0x42303c IsProcessorFeaturePresent
0x423040 UnhandledExceptionFilter
0x423044 SetUnhandledExceptionFilter
0x423048 GetCurrentProcess
0x42304c TerminateProcess
0x423050 QueryPerformanceCounter
0x423054 GetCurrentProcessId
0x423058 GetCurrentThreadId
0x42305c GetSystemTimeAsFileTime
0x423060 InitializeSListHead
0x423064 IsDebuggerPresent
0x423068 GetStartupInfoW
0x42306c GetModuleHandleW
0x423070 HeapSize
0x423074 RaiseException
0x423078 RtlUnwind
0x42307c GetLastError
0x423080 SetLastError
0x423084 InitializeCriticalSectionAndSpinCount
0x423088 TlsAlloc
0x42308c TlsSetValue
0x423090 TlsFree
0x423094 FreeLibrary
0x423098 GetProcAddress
0x42309c WriteConsoleW
0x4230a0 GetStdHandle
0x4230a4 WriteFile
0x4230a8 GetModuleFileNameW
0x4230ac ExitProcess
0x4230b0 GetModuleHandleExW
0x4230b4 HeapAlloc
0x4230b8 HeapFree
0x4230bc LCMapStringW
0x4230c0 GetLocaleInfoW
0x4230c4 IsValidLocale
0x4230c8 GetUserDefaultLCID
0x4230cc EnumSystemLocalesW
0x4230d0 GetFileType
0x4230d4 CloseHandle
0x4230d8 FlushFileBuffers
0x4230dc GetConsoleOutputCP
0x4230e0 GetConsoleMode
0x4230e4 ReadFile
0x4230e8 GetFileSizeEx
0x4230ec SetFilePointerEx
0x4230f0 ReadConsoleW
0x4230f4 HeapReAlloc
0x4230f8 FindClose
0x4230fc FindFirstFileExW
0x423100 FindNextFileW
0x423104 IsValidCodePage
0x423108 GetACP
0x42310c GetOEMCP
0x423110 GetCommandLineA
0x423114 GetCommandLineW
0x423118 GetEnvironmentStringsW
0x42311c FreeEnvironmentStringsW
0x423120 SetStdHandle
0x423124 GetProcessHeap
EAT (Export Address Table): none
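None of the APIs behind the injection signatures (VirtualAllocEx, WriteProcessMemory, NtSetContextThread, ResumeThread and friends) appear in the static import table; what is there is CRT start-up boilerplate plus LoadLibraryExW and GetProcAddress, which is enough to resolve them by name at run time. The script below makes that check mechanical and also computes the imphash in the pefile convention. It is an added example, not the sandbox's own code; `IAT_LISTING` is a constructed subset of the table above, so its hash will not equal the report's imphash (paste the full table to compare), and ordering entries by IAT address stands in for the import-directory order pefile actually uses, which this listing does not show.

```python
"""Static triage of an import listing: are injection primitives imported
directly, can the binary resolve APIs at run time instead, and what is the
imphash (pefile convention)?

Added example, not part of the sandbox report. IAT_LISTING is a constructed
subset of the report's table. Ordering by IAT address is an assumption; pefile
hashes imports in import-directory order."""
import hashlib

IAT_LISTING = """\
USER32.dll
0x42312c ShowWindow
KERNEL32.dll
0x423000 LoadLibraryExW
0x423004 CreateFileW
0x42303c IsProcessorFeaturePresent
0x423064 IsDebuggerPresent
0x423098 GetProcAddress
0x4230a4 WriteFile
0x4230b4 HeapAlloc
0x4230e4 ReadFile
"""

# APIs a loader needs for what the sandbox observed (remote allocate/write,
# thread-context hijack, resume), in Win32 and Nt spellings.
INJECTION_APIS = {
    "VirtualAllocEx", "NtAllocateVirtualMemory", "WriteProcessMemory",
    "NtWriteVirtualMemory", "CreateRemoteThread", "NtCreateThreadEx",
    "SetThreadContext", "NtSetContextThread", "ResumeThread", "NtResumeThread",
    "NtUnmapViewOfSection", "CreateProcessA", "CreateProcessW",
}
# With any of these imported, the binary can fetch the above by name at run time.
DYNAMIC_RESOLVERS = {"GetProcAddress", "LoadLibraryA", "LoadLibraryW",
                     "LoadLibraryExA", "LoadLibraryExW"}


def parse_iat(text):
    """Parse 'NAME.dll' / '0xADDR Function' lines into (dll, func, addr)."""
    imports, dll = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().endswith(".dll"):
            dll = line
            continue
        addr, func = line.split()
        imports.append((dll, func, int(addr, 16)))
    return imports


def imphash(imports):
    """MD5 over 'dll.func,dll.func,...' (lowercase, extension stripped), the
    pefile imphash recipe; entries are ordered by IAT address here (assumption)."""
    parts = []
    for dll, func, _ in sorted(imports, key=lambda t: t[2]):
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
        parts.append(f"{name}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def triage(imports):
    funcs = {func for _, func, _ in imports}
    return {
        "static_injection_apis": sorted(funcs & INJECTION_APIS),
        "can_resolve_at_runtime": bool(funcs & DYNAMIC_RESOLVERS),
        "imports_debugger_check": "IsDebuggerPresent" in funcs,
    }


if __name__ == "__main__":
    table = parse_iat(IAT_LISTING)
    print(triage(table))
    print("imphash (address-ordered):", imphash(table))
```

An empty `static_injection_apis` list together with `can_resolve_at_runtime` true is the expected shape for a packed loader: the behaviour is in the unpacked stage, so memory-resident YARA (the "memory" collection rows above) is where the interesting strings will be, not the file on disk. IsDebuggerPresent alongside IsProcessorFeaturePresent, InitializeSListHead and UnhandledExceptionFilter is what the MSVC CRT start-up code imports on its own, so the `anti_dbg` hit is weak evidence by itself.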