ScreenShot
Field | Value |
---|---|
Created | 2024.10.16 14:25 |
Machine | s1_win7_x6401 |
Filename | 63e909b3647d.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 26 detected (AIDetectMalware, Malicious, score, Unsafe, Save, confidence, Attribute, HighConfidence, high confidence, GenKryptik, HCUH, MalwareX, n0unUiw4IlQ, AGEN, DownLoader47, Real Protect, high, Generic ML PUA, Static AI, Malicious PE, GrayWare, Kryptik, gpyt, Wacatac) |
md5 | 90a219fcf54c78330dc492ff89e7064d |
sha256 | d76c47511e1e7bd2719d404f1e62e0e6e69ee8db631f6c19ac863a4fbd38056d |
ssdeep | 12288:z4nKBBK7o35hk/w8di54n5A+LLuM+Z8GZ:zE0K7y3kvg+A+/TG |
imphash | 2927377c817d8ecf7304e8505e1e4f5f |
impfuzzy | 24:YRajDKAWjeD+thgGhlJEc+pl39WuPi5vNSOovbO9ZHGMA:ckWjTthgGWc+ppnaX3O |
Network IP location
Signature (13cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x415000 EncodePointer
0x415004 WriteConsoleW
0x415008 CreateFileW
0x41500c HeapReAlloc
0x415010 CloseHandle
0x415014 GetCurrentThreadId
0x415018 WaitForSingleObjectEx
0x41501c GetExitCodeThread
0x415020 ReleaseSRWLockExclusive
0x415024 AcquireSRWLockExclusive
0x415028 TryAcquireSRWLockExclusive
0x41502c WakeAllConditionVariable
0x415030 QueryPerformanceCounter
0x415034 GetSystemTimeAsFileTime
0x415038 GetModuleHandleW
0x41503c GetProcAddress
0x415040 UnhandledExceptionFilter
0x415044 SetUnhandledExceptionFilter
0x415048 GetCurrentProcess
0x41504c TerminateProcess
0x415050 IsProcessorFeaturePresent
0x415054 GetCurrentProcessId
0x415058 InitializeSListHead
0x41505c IsDebuggerPresent
0x415060 GetStartupInfoW
0x415064 HeapSize
0x415068 RaiseException
0x41506c RtlUnwind
0x415070 GetLastError
0x415074 SetLastError
0x415078 DecodePointer
0x41507c EnterCriticalSection
0x415080 LeaveCriticalSection
0x415084 DeleteCriticalSection
0x415088 InitializeCriticalSectionAndSpinCount
0x41508c TlsAlloc
0x415090 TlsGetValue
0x415094 TlsSetValue
0x415098 TlsFree
0x41509c FreeLibrary
0x4150a0 LoadLibraryExW
0x4150a4 CreateThread
0x4150a8 ExitThread
0x4150ac FreeLibraryAndExitThread
0x4150b0 GetModuleHandleExW
0x4150b4 GetStdHandle
0x4150b8 WriteFile
0x4150bc GetModuleFileNameW
0x4150c0 ExitProcess
0x4150c4 HeapAlloc
0x4150c8 HeapFree
0x4150cc LCMapStringW
0x4150d0 GetFileType
0x4150d4 GetFileSizeEx
0x4150d8 SetFilePointerEx
0x4150dc FindClose
0x4150e0 FindFirstFileExW
0x4150e4 FindNextFileW
0x4150e8 IsValidCodePage
0x4150ec GetACP
0x4150f0 GetOEMCP
0x4150f4 GetCPInfo
0x4150f8 GetCommandLineA
0x4150fc GetCommandLineW
0x415100 MultiByteToWideChar
0x415104 WideCharToMultiByte
0x415108 GetEnvironmentStringsW
0x41510c FreeEnvironmentStringsW
0x415110 SetStdHandle
0x415114 GetStringTypeW
0x415118 GetProcessHeap
0x41511c FlushFileBuffers
0x415120 GetConsoleOutputCP
0x415124 GetConsoleMode
EAT (Export Address Table) is none