Field | Value |
---|---|
Created | 2024.10.27 11:48 |
Machine | s1_win7_x6403 |
Filename | interactivePS-ruy-lopez.exe |
Type | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | |
VT API (file) | 42 detected (AIDetectMalware, Dacic, Malicious, score, Vq2c, confidence, Attribute, HighConfidence, moderate confidence, MalwareX, Kryptik, hzKgty1bItV, AGEN, Generic Reputation PUA, Static AI, Suspicious PE, Detected, Wacapew, ABTrojan, AVEP, CobaltStrike, Artemis, Outbreak, Chgt, R002H09JQ24, Dwnw) |
md5 | e68e0c467ecfbb9f0c6e5c8359f81b09 |
sha256 | ec6c410d323de0552b1cda52bbbbecdb504985994291a387b06525afa26807be |
ssdeep | 6144:xHuGnkJ7WtBOxxaNIfm8vlnPJJJ655ZZo:gGnmhxaNIfm8v |
imphash | e16254f44ddd98c690f5ad4d0a981e4a |
impfuzzy | 24:8fiFlDq+kLEfBlMblR95XG6qKZ86d1TomvlxXUqCvZy:8fiG+k4zslTJG6qA86d1T1vcqC4 |
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts): no network requests recorded
Suricata ids: none
PE API: IAT (Import Address Table)
KERNEL32.dll
0x14004e24c DeleteCriticalSection
0x14004e254 EnterCriticalSection
0x14004e25c FreeLibrary
0x14004e264 GetLastError
0x14004e26c GetModuleHandleA
0x14004e274 GetProcAddress
0x14004e27c GetStartupInfoA
0x14004e284 InitializeCriticalSection
0x14004e28c IsDBCSLeadByteEx
0x14004e294 LeaveCriticalSection
0x14004e29c LoadLibraryA
0x14004e2a4 MultiByteToWideChar
0x14004e2ac SetUnhandledExceptionFilter
0x14004e2b4 Sleep
0x14004e2bc TlsGetValue
0x14004e2c4 VirtualAlloc
0x14004e2cc VirtualFree
0x14004e2d4 VirtualProtect
0x14004e2dc VirtualQuery
0x14004e2e4 WideCharToMultiByte
msvcrt.dll
0x14004e2f4 __C_specific_handler
0x14004e2fc ___lc_codepage_func
0x14004e304 ___mb_cur_max_func
0x14004e30c __getmainargs
0x14004e314 __initenv
0x14004e31c __iob_func
0x14004e324 __lconv_init
0x14004e32c __set_app_type
0x14004e334 __setusermatherr
0x14004e33c _acmdln
0x14004e344 _amsg_exit
0x14004e34c _cexit
0x14004e354 _commode
0x14004e35c _errno
0x14004e364 _fileno
0x14004e36c _fmode
0x14004e374 _initterm
0x14004e37c _lock
0x14004e384 _onexit
0x14004e38c _setjmp
0x14004e394 _setmode
0x14004e39c _unlock
0x14004e3a4 abort
0x14004e3ac calloc
0x14004e3b4 exit
0x14004e3bc fflush
0x14004e3c4 fprintf
0x14004e3cc fputc
0x14004e3d4 free
0x14004e3dc fwrite
0x14004e3e4 localeconv
0x14004e3ec longjmp
0x14004e3f4 malloc
0x14004e3fc memchr
0x14004e404 memcpy
0x14004e40c memset
0x14004e414 signal
0x14004e41c strcmp
0x14004e424 strerror
0x14004e42c strlen
0x14004e434 strncmp
0x14004e43c strstr
0x14004e444 vfprintf
0x14004e44c wcslen
EAT (Export Address Table): none