Field | Value |
---|---|
Created | 2024.10.21 14:36 |
Machine | s1_win7_x6403 |
Filename | file.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 54 detected (AIDetectMalware, PsDownload, Malicious, score, Unsafe, Kryptik, V9gm, confidence, 100%, Attribute, HighConfidence, high confidence, HROL, PrivateLoader, CLASSIC, AGEN, high, Static AI, Malicious PE, Detected, Eldorado, BScope, TrojanPSW, Coins, Chgt, Gencirc, susgen) |
md5 | f7f61ffb8e1f1e272bdf4d326086e760 |
sha256 | e98ae7f96f7cee07ef93b3c98ccae81c66b29e4ede046112e200bf7c152fa9af |
ssdeep | 3072:gScZKjx60GZBXexRmPuQ+RQH+GAL+fI1dzEBKARdYChZMuqoQjn5:3jxt39TQHIzfgdSu65 |
imphash | 7e3d431a1dbc2f47cc054da5d0f48777 |
impfuzzy | 24:+BOja3MUw/2Au92BYYklZOfXc+MeD/6X8/l39yJEcMSOovbOwZY9Qw3hIznKZc:+BOja0LKYU4Xc+R6X8/prH3nQuh0K2 |
Network IP location
Signature (15 counts)
Level | Description |
---|---|
danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Powershell script has download & invoke calls |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Uses Windows APIs to generate a cryptographic key |
Rules (11 counts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
info | PowershellDI | Extract Download/Invoke calls from powershell script | scripts |
PE API
IAT (Import Address Table) Library
WININET.dll
0x414160 InternetReadFile
0x414164 InternetCloseHandle
0x414168 InternetCrackUrlW
0x41416c InternetOpenW
0x414170 InternetOpenUrlW
0x414174 InternetQueryDataAvailable
SHLWAPI.dll
0x414148 wnsprintfW
0x41414c StrStrW
KERNEL32.dll
0x414014 SetFilePointerEx
0x414018 GetConsoleMode
0x41401c GetConsoleOutputCP
0x414020 FlushFileBuffers
0x414024 WriteFile
0x414028 ExpandEnvironmentStringsW
0x41402c TerminateProcess
0x414030 GetModuleFileNameW
0x414034 CreateJobObjectW
0x414038 GetEnvironmentVariableW
0x41403c CreateMutexW
0x414040 CreateFileW
0x414044 GetFileAttributesW
0x414048 GetSystemWow64DirectoryW
0x41404c GetLastError
0x414050 lstrcatW
0x414054 CloseHandle
0x414058 ExitProcess
0x41405c GetCurrentProcessId
0x414060 GetModuleHandleW
0x414064 lstrcpyW
0x414068 GetTempFileNameW
0x41406c HeapFree
0x414070 HeapReAlloc
0x414074 HeapAlloc
0x414078 GetProcessHeap
0x41407c WideCharToMultiByte
0x414080 HeapSize
0x414084 GetStringTypeW
0x414088 SetStdHandle
0x41408c WriteConsoleW
0x414090 EncodePointer
0x414094 UnhandledExceptionFilter
0x414098 EnterCriticalSection
0x41409c LeaveCriticalSection
0x4140a0 DeleteCriticalSection
0x4140a4 CreateEventW
0x4140a8 GetProcAddress
0x4140ac DecodePointer
0x4140b0 SetUnhandledExceptionFilter
0x4140b4 GetCurrentProcess
0x4140b8 IsProcessorFeaturePresent
0x4140bc IsDebuggerPresent
0x4140c0 GetStartupInfoW
0x4140c4 QueryPerformanceCounter
0x4140c8 GetCurrentThreadId
0x4140cc GetSystemTimeAsFileTime
0x4140d0 InitializeSListHead
0x4140d4 RaiseException
0x4140d8 InitializeCriticalSectionAndSpinCount
0x4140dc TlsAlloc
0x4140e0 TlsGetValue
0x4140e4 TlsSetValue
0x4140e8 TlsFree
0x4140ec FreeLibrary
0x4140f0 LoadLibraryExW
0x4140f4 SetLastError
0x4140f8 RtlUnwind
0x4140fc GetModuleHandleExW
0x414100 GetStdHandle
0x414104 FindClose
0x414108 FindFirstFileExW
0x41410c FindNextFileW
0x414110 IsValidCodePage
0x414114 GetACP
0x414118 GetOEMCP
0x41411c GetCPInfo
0x414120 GetCommandLineA
0x414124 GetCommandLineW
0x414128 MultiByteToWideChar
0x41412c GetEnvironmentStringsW
0x414130 FreeEnvironmentStringsW
0x414134 LCMapStringW
0x414138 GetFileType
USER32.dll
0x414154 MessageBoxA
0x414158 wsprintfW
ADVAPI32.dll
0x414000 GetSidSubAuthority
0x414004 OpenProcessToken
0x414008 GetTokenInformation
0x41400c GetSidSubAuthorityCount
SHELL32.dll
0x414140 ShellExecuteW
EAT (Export Address Table): none