Report - shell_reverse_msf_encoded_embedded.exe

Malicious Library UPX PE File PE32
Created 2024.10.20 10:22 Machine s1_win7_x6403
Filename shell_reverse_msf_encoded_embedded.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
4
Behavior Score
3.0
ZERO API file : malicious
VT API (file) 60 detected (AIDetectMalware, Swrort, Malicious, score, CryptZ, Marte, Unsafe, Vi4z, confidence, 100%, Rozena, Attribute, HighConfidence, high confidence, SwPatch, MSShellcode, CobaltStrike, ccmw, HackTool, CLASSIC, Gen2, moderate, EncPk, Static AI, Suspicious PE, Detected, A@4jwdqr, Eldorado, Genetic, Us8ps3WctgA, Meterpreter, susgen)
md5 c23d75e9e8ad5d82bdec4103543caec5
sha256 f601f30bcd007dee299435211bebb1768971b23bc137c09d37e725f380e20ac4
ssdeep 6144:1byhkT9bBU5Fk1j8Mf1u88ngIskEPJp6rL0WoABqzMoRXZWd2:1byhkT96MleEkQpIEFZ
imphash 58e6707dda8020468bb8f9a4f9194e0a
impfuzzy 48:YIKjZE+Xv0RLAcvcepldc5U69ysNSREhQYmOLOePOFhqaemF:PKjudHc5XbNSREh356ePIymF

Signature (4cnts)

Level Description
danger File has been identified by 60 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running)
notice Allocates read-write-execute memory (usually to unpack itself)
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT (Import Address Table) Library

ADVAPI32.dll
 0x437000 RegCloseKey
 0x437004 RegQueryValueExA
 0x437008 RegOpenKeyA
 0x43700c GetUserNameA
 0x437010 CopySid
 0x437014 GetLengthSid
 0x437018 RegCreateKeyA
 0x43701c RegSetValueExA
USER32.dll
 0x4371b0 MsgWaitForMultipleObjects
 0x4371b4 PeekMessageA
 0x4371b8 SendMessageA
 0x4371bc FindWindowA
 0x4371c0 GetForegroundWindow
 0x4371c4 GetCapture
 0x4371c8 GetClipboardOwner
 0x4371cc GetQueueStatus
 0x4371d0 GetCursorPos
KERNEL32.dll
 0x437024 SetEndOfFile
 0x437028 SetEnvironmentVariableA
 0x43702c CompareStringW
 0x437030 CompareStringA
 0x437034 HeapSize
 0x437038 InterlockedExchange
 0x43703c RtlUnwind
 0x437040 GetLocaleInfoA
 0x437044 SetFilePointer
 0x437048 GetCPInfo
 0x43704c GetOEMCP
 0x437050 GetTickCount
 0x437054 ReadFile
 0x437058 SetConsoleMode
 0x43705c GetConsoleMode
 0x437060 GetStdHandle
 0x437064 WriteFile
 0x437068 FreeLibrary
 0x43706c LoadLibraryA
 0x437070 GetProcAddress
 0x437074 CloseHandle
 0x437078 SetEvent
 0x43707c GetOverlappedResult
 0x437080 WaitForSingleObject
 0x437084 GetLastError
 0x437088 CreateEventA
 0x43708c CreateThread
 0x437090 GetVersionExA
 0x437094 GetSystemDirectoryA
 0x437098 FormatMessageA
 0x43709c GetSystemTimeAdjustment
 0x4370a0 GetSystemTime
 0x4370a4 GetProcessTimes
 0x4370a8 GetCurrentProcess
 0x4370ac GetThreadTimes
 0x4370b0 GetCurrentThread
 0x4370b4 GlobalMemoryStatus
 0x4370b8 QueryPerformanceCounter
 0x4370bc GetCurrentProcessId
 0x4370c0 FindClose
 0x4370c4 FindNextFileA
 0x4370c8 FindFirstFileA
 0x4370cc GetWindowsDirectoryA
 0x4370d0 LocalFree
 0x4370d4 LocalAlloc
 0x4370d8 OpenProcess
 0x4370dc UnmapViewOfFile
 0x4370e0 MapViewOfFile
 0x4370e4 CreateFileMappingA
 0x4370e8 GetCurrentThreadId
 0x4370ec GetFileType
 0x4370f0 CreateProcessA
 0x4370f4 SetHandleInformation
 0x4370f8 CreatePipe
 0x4370fc ClearCommBreak
 0x437100 SetCommTimeouts
 0x437104 SetCommState
 0x437108 GetCommState
 0x43710c CreateFileA
 0x437110 SetCommBreak
 0x437114 DeleteFileA
 0x437118 GetEnvironmentVariableA
 0x43711c GetLocalTime
 0x437120 GetModuleFileNameA
 0x437124 GetTimeFormatA
 0x437128 GetDateFormatA
 0x43712c HeapAlloc
 0x437130 HeapReAlloc
 0x437134 HeapFree
 0x437138 ExitProcess
 0x43713c GetModuleHandleA
 0x437140 TerminateProcess
 0x437144 GetSystemTimeAsFileTime
 0x437148 GetCommandLineA
 0x43714c GetStringTypeA
 0x437150 MultiByteToWideChar
 0x437154 GetStringTypeW
 0x437158 FlushFileBuffers
 0x43715c WideCharToMultiByte
 0x437160 GetTimeZoneInformation
 0x437164 VirtualProtect
 0x437168 VirtualAlloc
 0x43716c GetSystemInfo
 0x437170 VirtualQuery
 0x437174 LCMapStringA
 0x437178 LCMapStringW
 0x43717c SetHandleCount
 0x437180 GetStartupInfoA
 0x437184 HeapDestroy
 0x437188 HeapCreate
 0x43718c VirtualFree
 0x437190 UnhandledExceptionFilter
 0x437194 FreeEnvironmentStringsA
 0x437198 GetEnvironmentStrings
 0x43719c FreeEnvironmentStringsW
 0x4371a0 GetEnvironmentStringsW
 0x4371a4 SetStdHandle
 0x4371a8 GetACP

EAT (Export Address Table): none

Similarity measure (PE file only) - Checking for service failure