Report - ywx.exe

Generic Malware Malicious Library Malicious Packer UPX PE File PE32 OS Processor Check
Created 2024.10.18 10:01 Machine s1_win7_x6403
Filename ywx.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 5.6
ZERO API file : malicious
VT API (file) 49 detected (AIDetectMalware, Amadey, Malicious, score, Zusy, Unsafe, Save, confidence, Delf, Attribute, HighConfidence, high confidence, MalwareX, Deyma, Bobik, CLOUD, Redcap, cqflk, Real Protect, high, Static AI, Malicious PE, Detected, Wacatac, Eldorado, Artemis, BScope, Chgt, Simw, susgen)
md5 4dba58c6e9f435c1cca607525760d0fd
sha256 d2886d86ef67a3550a4aadcf623aa785fddcd3af754b3035229647f186005b1c
ssdeep 12288:lP83dF+mKpRp++vNPokdXG78m8AfJJdI:4KpzPW8mllI
imphash d9a5f4c55bbbe3c1ce16a8560ae80827
impfuzzy 96:PXs4iGjAlw55WJcpH+r26ptWrDZsGRdFBh1:PFayWwZ9h1

Signature (9cnts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder

Rules (14cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1cnts)

Request CC ASN Co IP4 Rule ZERO
176.111.174.140 Unknown 176.111.174.140 malware

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x450060 GetFileAttributesA
 0x450064 Process32NextW
 0x450068 CreateFileA
 0x45006c Process32FirstW
 0x450070 CloseHandle
 0x450074 GetSystemInfo
 0x450078 CreateThread
 0x45007c GetLocalTime
 0x450080 GetThreadContext
 0x450084 GetProcAddress
 0x450088 GetLastError
 0x45008c RemoveDirectoryA
 0x450090 ReadProcessMemory
 0x450094 CreateProcessA
 0x450098 CreateDirectoryA
 0x45009c SetThreadContext
 0x4500a0 SetEndOfFile
 0x4500a4 HeapSize
 0x4500a8 GetProcessHeap
 0x4500ac SetEnvironmentVariableW
 0x4500b0 Wow64RevertWow64FsRedirection
 0x4500b4 GetTempPathA
 0x4500b8 Sleep
 0x4500bc CreateToolhelp32Snapshot
 0x4500c0 OpenProcess
 0x4500c4 SetCurrentDirectoryA
 0x4500c8 GetModuleHandleA
 0x4500cc ResumeThread
 0x4500d0 GetComputerNameExW
 0x4500d4 GetVersionExW
 0x4500d8 WaitForSingleObject
 0x4500dc CreateMutexA
 0x4500e0 FindClose
 0x4500e4 PeekNamedPipe
 0x4500e8 CreatePipe
 0x4500ec FindNextFileA
 0x4500f0 VirtualAlloc
 0x4500f4 Wow64DisableWow64FsRedirection
 0x4500f8 WriteFile
 0x4500fc VirtualFree
 0x450100 FindFirstFileA
 0x450104 SetHandleInformation
 0x450108 WriteProcessMemory
 0x45010c GetModuleFileNameA
 0x450110 VirtualAllocEx
 0x450114 ReadFile
 0x450118 FreeEnvironmentStringsW
 0x45011c GetEnvironmentStringsW
 0x450120 GetOEMCP
 0x450124 GetACP
 0x450128 IsValidCodePage
 0x45012c FindNextFileW
 0x450130 FindFirstFileExW
 0x450134 GetTimeZoneInformation
 0x450138 HeapReAlloc
 0x45013c ReadConsoleW
 0x450140 SetStdHandle
 0x450144 GetFullPathNameW
 0x450148 GetCurrentDirectoryW
 0x45014c DeleteFileW
 0x450150 EnumSystemLocalesW
 0x450154 GetUserDefaultLCID
 0x450158 IsValidLocale
 0x45015c GetLocaleInfoW
 0x450160 LCMapStringW
 0x450164 CompareStringW
 0x450168 HeapAlloc
 0x45016c HeapFree
 0x450170 GetConsoleMode
 0x450174 GetConsoleOutputCP
 0x450178 FlushFileBuffers
 0x45017c SetFilePointerEx
 0x450180 GetFileSizeEx
 0x450184 GetCommandLineW
 0x450188 GetCommandLineA
 0x45018c GetStdHandle
 0x450190 GetModuleFileNameW
 0x450194 FileTimeToSystemTime
 0x450198 SystemTimeToTzSpecificLocalTime
 0x45019c GetFileType
 0x4501a0 GetFileInformationByHandle
 0x4501a4 GetDriveTypeW
 0x4501a8 CreateFileW
 0x4501ac RaiseException
 0x4501b0 GetCurrentThreadId
 0x4501b4 IsProcessorFeaturePresent
 0x4501b8 FreeLibraryWhenCallbackReturns
 0x4501bc CreateThreadpoolWork
 0x4501c0 SubmitThreadpoolWork
 0x4501c4 CloseThreadpoolWork
 0x4501c8 GetModuleHandleExW
 0x4501cc InitializeConditionVariable
 0x4501d0 WakeConditionVariable
 0x4501d4 WakeAllConditionVariable
 0x4501d8 SleepConditionVariableCS
 0x4501dc SleepConditionVariableSRW
 0x4501e0 InitOnceComplete
 0x4501e4 InitOnceBeginInitialize
 0x4501e8 InitializeSRWLock
 0x4501ec ReleaseSRWLockExclusive
 0x4501f0 AcquireSRWLockExclusive
 0x4501f4 EnterCriticalSection
 0x4501f8 LeaveCriticalSection
 0x4501fc InitializeCriticalSectionEx
 0x450200 TryEnterCriticalSection
 0x450204 DeleteCriticalSection
 0x450208 WaitForSingleObjectEx
 0x45020c QueryPerformanceCounter
 0x450210 GetSystemTimeAsFileTime
 0x450214 GetModuleHandleW
 0x450218 EncodePointer
 0x45021c DecodePointer
 0x450220 MultiByteToWideChar
 0x450224 WideCharToMultiByte
 0x450228 LCMapStringEx
 0x45022c GetStringTypeW
 0x450230 GetCPInfo
 0x450234 InitializeCriticalSectionAndSpinCount
 0x450238 SetEvent
 0x45023c ResetEvent
 0x450240 CreateEventW
 0x450244 UnhandledExceptionFilter
 0x450248 SetUnhandledExceptionFilter
 0x45024c GetCurrentProcess
 0x450250 TerminateProcess
 0x450254 IsDebuggerPresent
 0x450258 GetStartupInfoW
 0x45025c GetCurrentProcessId
 0x450260 InitializeSListHead
 0x450264 RtlUnwind
 0x450268 SetLastError
 0x45026c TlsAlloc
 0x450270 TlsGetValue
 0x450274 TlsSetValue
 0x450278 TlsFree
 0x45027c FreeLibrary
 0x450280 LoadLibraryExW
 0x450284 ExitProcess
 0x450288 WriteConsoleW
USER32.dll
 0x4502a0 GetSystemMetrics
 0x4502a4 ReleaseDC
 0x4502a8 GetDC
GDI32.dll
 0x450048 CreateCompatibleBitmap
 0x45004c SelectObject
 0x450050 CreateCompatibleDC
 0x450054 DeleteObject
 0x450058 BitBlt
ADVAPI32.dll
 0x450000 RevertToSelf
 0x450004 RegCloseKey
 0x450008 RegQueryInfoKeyW
 0x45000c RegGetValueA
 0x450010 RegQueryValueExA
 0x450014 GetSidSubAuthorityCount
 0x450018 GetSidSubAuthority
 0x45001c GetUserNameA
 0x450020 CreateProcessWithTokenW
 0x450024 LookupAccountNameA
 0x450028 ImpersonateLoggedOnUser
 0x45002c RegSetValueExA
 0x450030 OpenProcessToken
 0x450034 RegOpenKeyExA
 0x450038 RegEnumValueA
 0x45003c DuplicateTokenEx
 0x450040 GetSidIdentifierAuthority
SHELL32.dll
 0x450290 SHGetFolderPathA
 0x450294 ShellExecuteA
 0x450298 SHFileOperationA
ole32.dll
 0x450330 CoUninitialize
 0x450334 CoCreateInstance
 0x450338 CoInitialize
WININET.dll
 0x4502b0 HttpOpenRequestA
 0x4502b4 InternetWriteFile
 0x4502b8 InternetOpenUrlA
 0x4502bc InternetOpenW
 0x4502c0 HttpEndRequestW
 0x4502c4 HttpAddRequestHeadersA
 0x4502c8 HttpSendRequestExA
 0x4502cc InternetOpenA
 0x4502d0 InternetCloseHandle
 0x4502d4 HttpSendRequestA
 0x4502d8 InternetConnectA
 0x4502dc InternetReadFile
gdiplus.dll
 0x450310 GdiplusStartup
 0x450314 GdipSaveImageToFile
 0x450318 GdipGetImageEncodersSize
 0x45031c GdiplusShutdown
 0x450320 GdipGetImageEncoders
 0x450324 GdipCreateBitmapFromHBITMAP
 0x450328 GdipDisposeImage
WS2_32.dll
 0x4502e4 closesocket
 0x4502e8 inet_pton
 0x4502ec getaddrinfo
 0x4502f0 WSAStartup
 0x4502f4 send
 0x4502f8 socket
 0x4502fc connect
 0x450300 recv
 0x450304 htons
 0x450308 freeaddrinfo

EAT (Export Address Table): none