ScreenShot
| Created | 2024.10.24 10:10 | Machine | s1_win7_x6401 |
| Filename | wlanext.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 44 detected (AIDetectMalware, Autoit, Malicious, score, TrojanPWS, Zbot, TrojanAitInject, Unsafe, V5qb, confidence, GenericKD, Attribute, HighConfidence, moderate confidence, FileRepMalware, Misc, Strab, GenSteal, xzkgj, moderate, Detected, Wacatac, YUAL8Y, Artemis, Chgt, Oqil, susgen, Sonbokli, A9uj) | ||
| md5 | 0369d0934ddf416abc3f1434d0a8742d | ||
| sha256 | 76e42fbca8f0727bbaf291471eda2e95d9ab28071a8d238dc55a30feff03112a | ||
| ssdeep | 12288:7ozGdX0M4ornOmZIzfMwHHQmRROXKLQqlp6SBeI21GRRUXFI9OaGU0mAdby:74GHnhIzOacQEoep1GDUW9lAlA | ||
| imphash | fc6683d30d9f25244a50fd5357825e79 | ||
| impfuzzy | 12:VA/DzqYOZkKDHLB78r4B3ExjLAkcOaiTQQnd3mxCHH:V0DBaPHLB7PxExjLAkcOV2kn | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 44 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x57bbe0 LoadLibraryA
0x57bbe4 GetProcAddress
0x57bbe8 VirtualProtect
0x57bbec VirtualAlloc
0x57bbf0 VirtualFree
0x57bbf4 ExitProcess
ADVAPI32.dll
0x57bbfc GetAce
COMCTL32.dll
0x57bc04 ImageList_Remove
COMDLG32.dll
0x57bc0c GetOpenFileNameW
GDI32.dll
0x57bc14 LineTo
IPHLPAPI.DLL
0x57bc1c IcmpSendEcho
MPR.dll
0x57bc24 WNetUseConnectionW
ole32.dll
0x57bc2c CoGetObject
OLEAUT32.dll
0x57bc34 VariantInit
PSAPI.DLL
0x57bc3c GetProcessMemoryInfo
SHELL32.dll
0x57bc44 DragFinish
USER32.dll
0x57bc4c GetDC
USERENV.dll
0x57bc54 LoadUserProfileW
UxTheme.dll
0x57bc5c IsThemeActive
VERSION.dll
0x57bc64 VerQueryValueW
WININET.dll
0x57bc6c FtpOpenFileW
WINMM.dll
0x57bc74 timeGetTime
WSOCK32.dll
0x57bc7c connect
EAT(Export Address Table) is none
KERNEL32.DLL
0x57bbe0 LoadLibraryA
0x57bbe4 GetProcAddress
0x57bbe8 VirtualProtect
0x57bbec VirtualAlloc
0x57bbf0 VirtualFree
0x57bbf4 ExitProcess
ADVAPI32.dll
0x57bbfc GetAce
COMCTL32.dll
0x57bc04 ImageList_Remove
COMDLG32.dll
0x57bc0c GetOpenFileNameW
GDI32.dll
0x57bc14 LineTo
IPHLPAPI.DLL
0x57bc1c IcmpSendEcho
MPR.dll
0x57bc24 WNetUseConnectionW
ole32.dll
0x57bc2c CoGetObject
OLEAUT32.dll
0x57bc34 VariantInit
PSAPI.DLL
0x57bc3c GetProcessMemoryInfo
SHELL32.dll
0x57bc44 DragFinish
USER32.dll
0x57bc4c GetDC
USERENV.dll
0x57bc54 LoadUserProfileW
UxTheme.dll
0x57bc5c IsThemeActive
VERSION.dll
0x57bc64 VerQueryValueW
WININET.dll
0x57bc6c FtpOpenFileW
WINMM.dll
0x57bc74 timeGetTime
WSOCK32.dll
0x57bc7c connect
EAT(Export Address Table) is none