ScreenShot
| Created | 2024.10.14 10:42 | Machine | s1_win7_x6401 |
| Filename | Updater.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | |||
| VT API (file) | 38 detected (AIDetectMalware, Fsysna, Malicious, score, Unsafe, Save, confidence, Attribute, HighConfidence, high confidence, VMProtect, BC suspicious, jxyn, Kryptik@AI, RDML, XGdsaXKnHPLcnQzQlyDttg, ClipBanker, rtyqx, Static AI, Malicious PE, Sonbokli, XYCBWH, Artemis, Outbreak, Edhl) | ||
| md5 | 9fb8cc095e016caf986f28f61a4334ca | ||
| sha256 | 369a92d10be574e4e96680100bba4bb8f1b94f23a129d04ce0cef93dbb4d92a1 | ||
| ssdeep | 98304:SA98w3AJb77ixCX3xPVLY9/zVHW2X3sANemWxOAn:x98wwJjnBPVE1zRVX8ApWbn | ||
| imphash | 13222c684d764439230ed7e1d3748c9a | ||
| impfuzzy | 96:SfCtgDc5xl3OqdQTx1AXJ4Zcp+AjGt0+lRYE:PGQ3VdQToZ4Dz | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | A process created a hidden window |
| notice | Creates a suspicious process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x633000 CopyFileA
0x633004 DeleteCriticalSection
0x633008 EnterCriticalSection
0x63300c ExitProcess
0x633010 ExpandEnvironmentStringsA
0x633014 FindClose
0x633018 FindFirstFileA
0x63301c FindNextFileA
0x633020 FreeLibrary
0x633024 GetCommandLineA
0x633028 GetLastError
0x63302c GetModuleFileNameA
0x633030 GetModuleHandleA
0x633034 GetProcAddress
0x633038 GlobalAlloc
0x63303c GlobalLock
0x633040 GlobalUnlock
0x633044 InitializeCriticalSection
0x633048 LeaveCriticalSection
0x63304c LoadLibraryA
0x633050 SetUnhandledExceptionFilter
0x633054 Sleep
0x633058 TlsGetValue
0x63305c VirtualProtect
0x633060 VirtualQuery
msvcrt.dll
0x633068 _strdup
0x63306c _stricoll
msvcrt.dll
0x633074 __getmainargs
0x633078 __mb_cur_max
0x63307c __p__environ
0x633080 __p__fmode
0x633084 __set_app_type
0x633088 _cexit
0x63308c _errno
0x633090 _fpreset
0x633094 _fullpath
0x633098 _iob
0x63309c _isctype
0x6330a0 _onexit
0x6330a4 _pctype
0x6330a8 _setmode
0x6330ac abort
0x6330b0 atexit
0x6330b4 calloc
0x6330b8 free
0x6330bc fwrite
0x6330c0 malloc
0x6330c4 mbstowcs
0x6330c8 memcpy
0x6330cc realloc
0x6330d0 rename
0x6330d4 setlocale
0x6330d8 signal
0x6330dc sprintf
0x6330e0 strcoll
0x6330e4 strlen
0x6330e8 tolower
0x6330ec vfprintf
0x6330f0 wcstombs
SHELL32.DLL
0x6330f8 ShellExecuteA
USER32.dll
0x633100 CloseClipboard
0x633104 EmptyClipboard
0x633108 GetClipboardData
0x63310c OpenClipboard
0x633110 SetClipboardData
KERNEL32.dll
0x633118 GetSystemTimeAsFileTime
0x63311c CreateEventA
0x633120 GetModuleHandleA
0x633124 TerminateProcess
0x633128 GetCurrentProcess
0x63312c CreateToolhelp32Snapshot
0x633130 Thread32First
0x633134 GetCurrentProcessId
0x633138 GetCurrentThreadId
0x63313c OpenThread
0x633140 Thread32Next
0x633144 CloseHandle
0x633148 SuspendThread
0x63314c ResumeThread
0x633150 WriteProcessMemory
0x633154 GetSystemInfo
0x633158 VirtualAlloc
0x63315c VirtualProtect
0x633160 VirtualFree
0x633164 GetProcessAffinityMask
0x633168 SetProcessAffinityMask
0x63316c GetCurrentThread
0x633170 SetThreadAffinityMask
0x633174 Sleep
0x633178 LoadLibraryA
0x63317c FreeLibrary
0x633180 GetTickCount
0x633184 SystemTimeToFileTime
0x633188 FileTimeToSystemTime
0x63318c GlobalFree
0x633190 HeapAlloc
0x633194 HeapFree
0x633198 GetProcAddress
0x63319c ExitProcess
0x6331a0 EnterCriticalSection
0x6331a4 LeaveCriticalSection
0x6331a8 InitializeCriticalSection
0x6331ac DeleteCriticalSection
0x6331b0 MultiByteToWideChar
0x6331b4 GetModuleHandleW
0x6331b8 LoadResource
0x6331bc FindResourceExW
0x6331c0 FindResourceExA
0x6331c4 WideCharToMultiByte
0x6331c8 GetThreadLocale
0x6331cc GetUserDefaultLCID
0x6331d0 GetSystemDefaultLCID
0x6331d4 EnumResourceNamesA
0x6331d8 EnumResourceNamesW
0x6331dc EnumResourceLanguagesA
0x6331e0 EnumResourceLanguagesW
0x6331e4 EnumResourceTypesA
0x6331e8 EnumResourceTypesW
0x6331ec CreateFileW
0x6331f0 LoadLibraryW
0x6331f4 GetLastError
0x6331f8 GetCommandLineA
0x6331fc GetCPInfo
0x633200 InterlockedIncrement
0x633204 InterlockedDecrement
0x633208 GetACP
0x63320c GetOEMCP
0x633210 IsValidCodePage
0x633214 TlsGetValue
0x633218 TlsAlloc
0x63321c TlsSetValue
0x633220 TlsFree
0x633224 SetLastError
0x633228 UnhandledExceptionFilter
0x63322c SetUnhandledExceptionFilter
0x633230 IsDebuggerPresent
0x633234 RaiseException
0x633238 LCMapStringA
0x63323c LCMapStringW
0x633240 SetHandleCount
0x633244 GetStdHandle
0x633248 GetFileType
0x63324c GetStartupInfoA
0x633250 GetModuleFileNameA
0x633254 FreeEnvironmentStringsA
0x633258 GetEnvironmentStrings
0x63325c FreeEnvironmentStringsW
0x633260 GetEnvironmentStringsW
0x633264 HeapCreate
0x633268 HeapDestroy
0x63326c QueryPerformanceCounter
0x633270 HeapReAlloc
0x633274 GetStringTypeA
0x633278 GetStringTypeW
0x63327c GetLocaleInfoA
0x633280 HeapSize
0x633284 WriteFile
0x633288 RtlUnwind
0x63328c SetFilePointer
0x633290 GetConsoleCP
0x633294 GetConsoleMode
0x633298 InitializeCriticalSectionAndSpinCount
0x63329c SetStdHandle
0x6332a0 WriteConsoleA
0x6332a4 GetConsoleOutputCP
0x6332a8 WriteConsoleW
0x6332ac CreateFileA
0x6332b0 FlushFileBuffers
0x6332b4 VirtualQuery
EAT(Export Address Table) is none
KERNEL32.dll
0x633000 CopyFileA
0x633004 DeleteCriticalSection
0x633008 EnterCriticalSection
0x63300c ExitProcess
0x633010 ExpandEnvironmentStringsA
0x633014 FindClose
0x633018 FindFirstFileA
0x63301c FindNextFileA
0x633020 FreeLibrary
0x633024 GetCommandLineA
0x633028 GetLastError
0x63302c GetModuleFileNameA
0x633030 GetModuleHandleA
0x633034 GetProcAddress
0x633038 GlobalAlloc
0x63303c GlobalLock
0x633040 GlobalUnlock
0x633044 InitializeCriticalSection
0x633048 LeaveCriticalSection
0x63304c LoadLibraryA
0x633050 SetUnhandledExceptionFilter
0x633054 Sleep
0x633058 TlsGetValue
0x63305c VirtualProtect
0x633060 VirtualQuery
msvcrt.dll
0x633068 _strdup
0x63306c _stricoll
msvcrt.dll
0x633074 __getmainargs
0x633078 __mb_cur_max
0x63307c __p__environ
0x633080 __p__fmode
0x633084 __set_app_type
0x633088 _cexit
0x63308c _errno
0x633090 _fpreset
0x633094 _fullpath
0x633098 _iob
0x63309c _isctype
0x6330a0 _onexit
0x6330a4 _pctype
0x6330a8 _setmode
0x6330ac abort
0x6330b0 atexit
0x6330b4 calloc
0x6330b8 free
0x6330bc fwrite
0x6330c0 malloc
0x6330c4 mbstowcs
0x6330c8 memcpy
0x6330cc realloc
0x6330d0 rename
0x6330d4 setlocale
0x6330d8 signal
0x6330dc sprintf
0x6330e0 strcoll
0x6330e4 strlen
0x6330e8 tolower
0x6330ec vfprintf
0x6330f0 wcstombs
SHELL32.DLL
0x6330f8 ShellExecuteA
USER32.dll
0x633100 CloseClipboard
0x633104 EmptyClipboard
0x633108 GetClipboardData
0x63310c OpenClipboard
0x633110 SetClipboardData
KERNEL32.dll
0x633118 GetSystemTimeAsFileTime
0x63311c CreateEventA
0x633120 GetModuleHandleA
0x633124 TerminateProcess
0x633128 GetCurrentProcess
0x63312c CreateToolhelp32Snapshot
0x633130 Thread32First
0x633134 GetCurrentProcessId
0x633138 GetCurrentThreadId
0x63313c OpenThread
0x633140 Thread32Next
0x633144 CloseHandle
0x633148 SuspendThread
0x63314c ResumeThread
0x633150 WriteProcessMemory
0x633154 GetSystemInfo
0x633158 VirtualAlloc
0x63315c VirtualProtect
0x633160 VirtualFree
0x633164 GetProcessAffinityMask
0x633168 SetProcessAffinityMask
0x63316c GetCurrentThread
0x633170 SetThreadAffinityMask
0x633174 Sleep
0x633178 LoadLibraryA
0x63317c FreeLibrary
0x633180 GetTickCount
0x633184 SystemTimeToFileTime
0x633188 FileTimeToSystemTime
0x63318c GlobalFree
0x633190 HeapAlloc
0x633194 HeapFree
0x633198 GetProcAddress
0x63319c ExitProcess
0x6331a0 EnterCriticalSection
0x6331a4 LeaveCriticalSection
0x6331a8 InitializeCriticalSection
0x6331ac DeleteCriticalSection
0x6331b0 MultiByteToWideChar
0x6331b4 GetModuleHandleW
0x6331b8 LoadResource
0x6331bc FindResourceExW
0x6331c0 FindResourceExA
0x6331c4 WideCharToMultiByte
0x6331c8 GetThreadLocale
0x6331cc GetUserDefaultLCID
0x6331d0 GetSystemDefaultLCID
0x6331d4 EnumResourceNamesA
0x6331d8 EnumResourceNamesW
0x6331dc EnumResourceLanguagesA
0x6331e0 EnumResourceLanguagesW
0x6331e4 EnumResourceTypesA
0x6331e8 EnumResourceTypesW
0x6331ec CreateFileW
0x6331f0 LoadLibraryW
0x6331f4 GetLastError
0x6331f8 GetCommandLineA
0x6331fc GetCPInfo
0x633200 InterlockedIncrement
0x633204 InterlockedDecrement
0x633208 GetACP
0x63320c GetOEMCP
0x633210 IsValidCodePage
0x633214 TlsGetValue
0x633218 TlsAlloc
0x63321c TlsSetValue
0x633220 TlsFree
0x633224 SetLastError
0x633228 UnhandledExceptionFilter
0x63322c SetUnhandledExceptionFilter
0x633230 IsDebuggerPresent
0x633234 RaiseException
0x633238 LCMapStringA
0x63323c LCMapStringW
0x633240 SetHandleCount
0x633244 GetStdHandle
0x633248 GetFileType
0x63324c GetStartupInfoA
0x633250 GetModuleFileNameA
0x633254 FreeEnvironmentStringsA
0x633258 GetEnvironmentStrings
0x63325c FreeEnvironmentStringsW
0x633260 GetEnvironmentStringsW
0x633264 HeapCreate
0x633268 HeapDestroy
0x63326c QueryPerformanceCounter
0x633270 HeapReAlloc
0x633274 GetStringTypeA
0x633278 GetStringTypeW
0x63327c GetLocaleInfoA
0x633280 HeapSize
0x633284 WriteFile
0x633288 RtlUnwind
0x63328c SetFilePointer
0x633290 GetConsoleCP
0x633294 GetConsoleMode
0x633298 InitializeCriticalSectionAndSpinCount
0x63329c SetStdHandle
0x6332a0 WriteConsoleA
0x6332a4 GetConsoleOutputCP
0x6332a8 WriteConsoleW
0x6332ac CreateFileA
0x6332b0 FlushFileBuffers
0x6332b4 VirtualQuery
EAT(Export Address Table) is none