ScreenShot
| Created | 2024.10.16 11:18 | Machine | s1_win7_x6401 |
| Filename | actives.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 63 detected (AIDetectMalware, Aenjaris, Malicious, score, TRFH11, GenericKD, Unsafe, Save, confidence, 100%, Styes, high confidence, DropperX, Dfay, Blocker, Zusy, iokixr, CLASSIC, AGEN, MulDrop16, Real Protect, high, AZXX, Static AI, Malicious PE, glre, Detected, XMRig, 1722EZK, Eldorado, R247429, GenericRXNM, BScope, GenAsa, pysX9evYScw, susgen) | ||
| md5 | 51514245009764a9f3e9455c23711df8 | ||
| sha256 | 86c8e804eeb34d0f0aff2bacb297a0c0077a7e0e3ca423609a0970b5221c13bc | ||
| ssdeep | 49152:m7MDRZ9IBVL+s0ezJGd80SHMsThF35Hj1BzuQZVkkANv494D83ppbB:QMDtIXLr06AdfEThF35Pzug | ||
| imphash | 26db5052cd8ede8ee590a842731769c5 | ||
| impfuzzy | 24:EyeO7/DoG1joX1df+eT546vPrOovuXudI3XJgvHERUg/1nQnA/EUK3dATrz07Tz:qOwX1B+eTRPah+A5//1nB/lK3GTrz03z | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
| watch | Creates a slightly modified copy of itself |
| watch | Creates and runs a batch file to remove the original binary |
| watch | Deletes executed files from disk |
| watch | Expresses interest in specific running processes |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable uses a known packer |
Rules (46cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | binaries (download) |
| watch | Network_Downloader | File Downloader | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Hijack_Network | Hijack network configuration | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x409008 CreateFileA
0x40900c LockResource
0x409010 LoadResource
0x409014 SizeofResource
0x409018 FindResourceA
0x40901c WideCharToMultiByte
0x409020 MultiByteToWideChar
0x409024 WriteFile
0x409028 DeleteFileA
0x40902c CreateDirectoryA
0x409030 GetProcAddress
0x409034 LoadLibraryA
0x409038 lstrcatA
0x40903c GetSystemTime
0x409040 GetModuleHandleA
0x409044 GetModuleFileNameA
0x409048 GetTempPathA
0x40904c GetFileSize
0x409050 WaitForSingleObject
0x409054 ResumeThread
0x409058 SetThreadPriority
0x40905c CreateThread
0x409060 GetStringTypeA
0x409064 LCMapStringW
0x409068 LCMapStringA
0x40906c SetEndOfFile
0x409070 GetOEMCP
0x409074 GetACP
0x409078 GetCPInfo
0x40907c IsBadCodePtr
0x409080 IsBadReadPtr
0x409084 FlushFileBuffers
0x409088 SetStdHandle
0x40908c SetUnhandledExceptionFilter
0x409090 GetComputerNameA
0x409094 CloseHandle
0x409098 GetFileType
0x40909c GetStdHandle
0x4090a0 HeapAlloc
0x4090a4 RtlUnwind
0x4090a8 GetStartupInfoA
0x4090ac GetCommandLineA
0x4090b0 GetVersion
0x4090b4 ExitProcess
0x4090b8 HeapFree
0x4090bc RaiseException
0x4090c0 GetLastError
0x4090c4 HeapDestroy
0x4090c8 HeapCreate
0x4090cc VirtualFree
0x4090d0 VirtualAlloc
0x4090d4 HeapReAlloc
0x4090d8 IsBadWritePtr
0x4090dc ReadFile
0x4090e0 TerminateProcess
0x4090e4 GetCurrentProcess
0x4090e8 SetFilePointer
0x4090ec HeapSize
0x4090f0 UnhandledExceptionFilter
0x4090f4 FreeEnvironmentStringsA
0x4090f8 FreeEnvironmentStringsW
0x4090fc GetEnvironmentStrings
0x409100 GetEnvironmentStringsW
0x409104 SetHandleCount
0x409108 GetStringTypeW
USER32.dll
0x409120 DefWindowProcA
0x409124 PostQuitMessage
0x409128 DestroyWindow
0x40912c CreateWindowExA
0x409130 ShowWindow
0x409134 GetMessageA
0x409138 TranslateMessage
0x40913c DispatchMessageA
0x409140 GetDesktopWindow
0x409144 RegisterClassExA
SHELL32.dll
0x409110 SHGetSpecialFolderPathA
ADVAPI32.dll
0x409000 GetUserNameA
SHLWAPI.dll
0x409118 PathFileExistsA
EAT(Export Address Table) is none
KERNEL32.dll
0x409008 CreateFileA
0x40900c LockResource
0x409010 LoadResource
0x409014 SizeofResource
0x409018 FindResourceA
0x40901c WideCharToMultiByte
0x409020 MultiByteToWideChar
0x409024 WriteFile
0x409028 DeleteFileA
0x40902c CreateDirectoryA
0x409030 GetProcAddress
0x409034 LoadLibraryA
0x409038 lstrcatA
0x40903c GetSystemTime
0x409040 GetModuleHandleA
0x409044 GetModuleFileNameA
0x409048 GetTempPathA
0x40904c GetFileSize
0x409050 WaitForSingleObject
0x409054 ResumeThread
0x409058 SetThreadPriority
0x40905c CreateThread
0x409060 GetStringTypeA
0x409064 LCMapStringW
0x409068 LCMapStringA
0x40906c SetEndOfFile
0x409070 GetOEMCP
0x409074 GetACP
0x409078 GetCPInfo
0x40907c IsBadCodePtr
0x409080 IsBadReadPtr
0x409084 FlushFileBuffers
0x409088 SetStdHandle
0x40908c SetUnhandledExceptionFilter
0x409090 GetComputerNameA
0x409094 CloseHandle
0x409098 GetFileType
0x40909c GetStdHandle
0x4090a0 HeapAlloc
0x4090a4 RtlUnwind
0x4090a8 GetStartupInfoA
0x4090ac GetCommandLineA
0x4090b0 GetVersion
0x4090b4 ExitProcess
0x4090b8 HeapFree
0x4090bc RaiseException
0x4090c0 GetLastError
0x4090c4 HeapDestroy
0x4090c8 HeapCreate
0x4090cc VirtualFree
0x4090d0 VirtualAlloc
0x4090d4 HeapReAlloc
0x4090d8 IsBadWritePtr
0x4090dc ReadFile
0x4090e0 TerminateProcess
0x4090e4 GetCurrentProcess
0x4090e8 SetFilePointer
0x4090ec HeapSize
0x4090f0 UnhandledExceptionFilter
0x4090f4 FreeEnvironmentStringsA
0x4090f8 FreeEnvironmentStringsW
0x4090fc GetEnvironmentStrings
0x409100 GetEnvironmentStringsW
0x409104 SetHandleCount
0x409108 GetStringTypeW
USER32.dll
0x409120 DefWindowProcA
0x409124 PostQuitMessage
0x409128 DestroyWindow
0x40912c CreateWindowExA
0x409130 ShowWindow
0x409134 GetMessageA
0x409138 TranslateMessage
0x40913c DispatchMessageA
0x409140 GetDesktopWindow
0x409144 RegisterClassExA
SHELL32.dll
0x409110 SHGetSpecialFolderPathA
ADVAPI32.dll
0x409000 GetUserNameA
SHLWAPI.dll
0x409118 PathFileExistsA
EAT(Export Address Table) is none