Field | Value |
---|---|
Created | 2024.10.13 17:55 |
Machine | s1_win7_x6403 |
Filename | 4.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 47 detected (AIDetectMalware, CryptBot, Malicious, score, GenericKDZ, Unsafe, Kryptik, V5at, confidence, Attribute, HighConfidence, high confidence, GenKryptik, HBZR, CrypterX, 25KWoxie6RB, nefer, Detected, GrayWare, Wacapew, ABTrojan, GEDZ, Artemis, GdSda, R002H01JC24, Dflw, AZ8PHU) |
md5 | 49d7ba824b7249c26927e8a086eb879b |
sha256 | a10386e4d53db8a045aedf7261adfbe05c0afd80a2550b7ad856cec3663cc66d |
ssdeep | 49152:3tjeRpHpc4WLvHplR6mNwZ5bj/pZx2m3v/Ps8Mow1dCSzbL7YI4chxGuevH3nUk4:3QHy4g78kw |
imphash | 41db2083dac89343aef584a51a80b293 |
impfuzzy | 24:QT/gfiFAD1vOBoIkLyJdfpTX5XG0bEKkxJgr6vlbDcqSZ9FZGXZ2:9fiIooIk0xTXJG0bNkxJgr6vRwqoFZGM |
Network IP location
Signatures (4 counts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Resolves a suspicious Top Level Domain (TLD) |
info | Checks amount of memory in system |
Rules (4 counts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0xa9621c CryptAcquireContextA
0xa96220 CryptGenRandom
0xa96224 CryptReleaseContext
KERNEL32.dll
0xa9622c DeleteCriticalSection
0xa96230 EnterCriticalSection
0xa96234 FreeLibrary
0xa96238 GetLastError
0xa9623c GetModuleHandleA
0xa96240 GetModuleHandleW
0xa96244 GetNativeSystemInfo
0xa96248 GetProcAddress
0xa9624c GetProcessHeap
0xa96250 GetStartupInfoA
0xa96254 GetThreadLocale
0xa96258 HeapAlloc
0xa9625c HeapFree
0xa96260 InitializeCriticalSection
0xa96264 IsBadReadPtr
0xa96268 IsDBCSLeadByteEx
0xa9626c LeaveCriticalSection
0xa96270 LoadLibraryA
0xa96274 MultiByteToWideChar
0xa96278 SetLastError
0xa9627c SetUnhandledExceptionFilter
0xa96280 Sleep
0xa96284 TlsGetValue
0xa96288 VirtualAlloc
0xa9628c VirtualFree
0xa96290 VirtualProtect
0xa96294 VirtualQuery
0xa96298 WideCharToMultiByte
0xa9629c lstrlenA
msvcrt.dll
0xa962a4 __getmainargs
0xa962a8 __initenv
0xa962ac __mb_cur_max
0xa962b0 __p__acmdln
0xa962b4 __p__commode
0xa962b8 __p__fmode
0xa962bc __set_app_type
0xa962c0 __setusermatherr
0xa962c4 _amsg_exit
0xa962c8 _assert
0xa962cc _cexit
0xa962d0 _errno
0xa962d4 _chsize
0xa962d8 _exit
0xa962dc _filelengthi64
0xa962e0 _fileno
0xa962e4 _initterm
0xa962e8 _iob
0xa962ec _lock
0xa962f0 _onexit
0xa962f4 _unlock
0xa962f8 _wcsnicmp
0xa962fc abort
0xa96300 atoi
0xa96304 search
0xa96308 calloc
0xa9630c exit
0xa96310 fclose
0xa96314 fflush
0xa96318 fgetpos
0xa9631c fopen
0xa96320 fputc
0xa96324 fread
0xa96328 free
0xa9632c freopen
0xa96330 fsetpos
0xa96334 fwrite
0xa96338 getc
0xa9633c islower
0xa96340 isspace
0xa96344 isupper
0xa96348 isxdigit
0xa9634c localeconv
0xa96350 malloc
0xa96354 mbstowcs
0xa96358 memcmp
0xa9635c memcpy
0xa96360 memmove
0xa96364 memset
0xa96368 mktime
0xa9636c localtime
0xa96370 difftime
0xa96374 _mkdir
0xa96378 perror
0xa9637c qsort
0xa96380 realloc
0xa96384 remove
0xa96388 setlocale
0xa9638c signal
0xa96390 strchr
0xa96394 strcmp
0xa96398 strerror
0xa9639c strlen
0xa963a0 strncmp
0xa963a4 strncpy
0xa963a8 strtol
0xa963ac strtoul
0xa963b0 tolower
0xa963b4 ungetc
0xa963b8 vfprintf
0xa963bc time
0xa963c0 wcslen
0xa963c4 wcstombs
0xa963c8 _stat
0xa963cc _write
0xa963d0 _utime
0xa963d4 _open
0xa963d8 _fileno
0xa963dc _close
0xa963e0 _chmod
EAT (Export Address Table): none