ScreenShot
| Created | 2024.10.27 11:49 | Machine | s1_win7_x6401 |
| Filename | interactivePS-ruy-lopez.dll | ||
| Type | PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | |||
| VT API (file) | 13 detected (Malicious, score, Ramnit, Attribute, HighConfidence, high confidence, Kryptik, JN7h59ZJssG, Wacapew, Outbreak, Agow) | ||
| md5 | 2ebf32f4a6b63b8dad4dac4bddf1cbee | ||
| sha256 | fde4f048bb013ec3caabbe5862dcb8df0f701659bc9ac04e5bb1c5a3eee58b61 | ||
| ssdeep | 6144:ycPbDxd4SjM1N2GZpnqQs8vlOIUtUCHBYcHvG23JJJ655ZZo:hFjEASqN8vQIGCcH | ||
| imphash | 9dee5c6e2779603605dedf99c35cff63 | ||
| impfuzzy | 12:YRJRibJ2cDzAR+hqRLAFCq/4lJYasTvRaAGd1Tvlp1FXoJqb//ZJVZy:8fiFlDI+kLaB4liHMjd1TvlxXUq7RvZy | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x3576771e4 DeleteCriticalSection
0x3576771ec EnterCriticalSection
0x3576771f4 FreeLibrary
0x3576771fc GetLastError
0x357677204 GetModuleHandleA
0x35767720c GetProcAddress
0x357677214 InitializeCriticalSection
0x35767721c IsDBCSLeadByteEx
0x357677224 LeaveCriticalSection
0x35767722c LoadLibraryA
0x357677234 MultiByteToWideChar
0x35767723c Sleep
0x357677244 TlsGetValue
0x35767724c VirtualAlloc
0x357677254 VirtualFree
0x35767725c VirtualProtect
0x357677264 VirtualQuery
0x35767726c WideCharToMultiByte
msvcrt.dll
0x35767727c ___lc_codepage_func
0x357677284 ___mb_cur_max_func
0x35767728c __iob_func
0x357677294 _amsg_exit
0x35767729c _errno
0x3576772a4 _fileno
0x3576772ac _initterm
0x3576772b4 _lock
0x3576772bc _setjmp
0x3576772c4 _setmode
0x3576772cc _unlock
0x3576772d4 abort
0x3576772dc calloc
0x3576772e4 exit
0x3576772ec fflush
0x3576772f4 fputc
0x3576772fc free
0x357677304 fwrite
0x35767730c localeconv
0x357677314 longjmp
0x35767731c malloc
0x357677324 memchr
0x35767732c memcpy
0x357677334 memset
0x35767733c realloc
0x357677344 signal
0x35767734c strcmp
0x357677354 strerror
0x35767735c strlen
0x357677364 strncmp
0x35767736c strstr
0x357677374 vfprintf
0x35767737c wcslen
EAT(Export Address Table) Library
0x35763ebd0 DllInstall
0x35763eb70 DllRegisterServer
0x35763eba0 DllUnregisterServer
0x35763eb40 NimMain
0x357648640 main
KERNEL32.dll
0x3576771e4 DeleteCriticalSection
0x3576771ec EnterCriticalSection
0x3576771f4 FreeLibrary
0x3576771fc GetLastError
0x357677204 GetModuleHandleA
0x35767720c GetProcAddress
0x357677214 InitializeCriticalSection
0x35767721c IsDBCSLeadByteEx
0x357677224 LeaveCriticalSection
0x35767722c LoadLibraryA
0x357677234 MultiByteToWideChar
0x35767723c Sleep
0x357677244 TlsGetValue
0x35767724c VirtualAlloc
0x357677254 VirtualFree
0x35767725c VirtualProtect
0x357677264 VirtualQuery
0x35767726c WideCharToMultiByte
msvcrt.dll
0x35767727c ___lc_codepage_func
0x357677284 ___mb_cur_max_func
0x35767728c __iob_func
0x357677294 _amsg_exit
0x35767729c _errno
0x3576772a4 _fileno
0x3576772ac _initterm
0x3576772b4 _lock
0x3576772bc _setjmp
0x3576772c4 _setmode
0x3576772cc _unlock
0x3576772d4 abort
0x3576772dc calloc
0x3576772e4 exit
0x3576772ec fflush
0x3576772f4 fputc
0x3576772fc free
0x357677304 fwrite
0x35767730c localeconv
0x357677314 longjmp
0x35767731c malloc
0x357677324 memchr
0x35767732c memcpy
0x357677334 memset
0x35767733c realloc
0x357677344 signal
0x35767734c strcmp
0x357677354 strerror
0x35767735c strlen
0x357677364 strncmp
0x35767736c strstr
0x357677374 vfprintf
0x35767737c wcslen
EAT(Export Address Table) Library
0x35763ebd0 DllInstall
0x35763eb70 DllRegisterServer
0x35763eba0 DllUnregisterServer
0x35763eb40 NimMain
0x357648640 main