ScreenShot
| Created | 2024.11.07 13:06 | Machine | s1_win7_x6401 |
| Filename | Offnewhere.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 50 detected (AIDetectMalware, Amadey, GenericKD, Deyma, Doina, Unsafe, malicious, confidence, 100%, Genus, Attribute, HighConfidence, high confidence, score, ktfoir, NOjn92KW7VV, MulDrop28, Real Protect, moderate, Static AI, Malicious PE, Detected, zxrkv, Malware@#1yo3drjdyrl54, Multiverze, Eldorado, BScope, Gencirc, l2iDsWs+1R8, Chgt) | ||
| md5 | c07e06e76de584bcddd59073a4161dbb | ||
| sha256 | cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9 | ||
| ssdeep | 12288:H/RCVy1xtsmUQTXNujba1fM0HRm77vRMmg:ntsouyBM+RmnRLg | ||
| imphash | 407b29a1346b818a12b66f58555063ce | ||
| impfuzzy | 96:TXs4iGjAlw55WJcpH+r26ptWrDZsGRdFBh1:TFayWwZ9h1 | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x451060 GetFileAttributesA
0x451064 Process32NextW
0x451068 CreateFileA
0x45106c Process32FirstW
0x451070 CloseHandle
0x451074 GetSystemInfo
0x451078 CreateThread
0x45107c GetThreadContext
0x451080 GetProcAddress
0x451084 GetLastError
0x451088 RemoveDirectoryA
0x45108c ReadProcessMemory
0x451090 CreateProcessA
0x451094 CreateDirectoryA
0x451098 SetThreadContext
0x45109c SetEndOfFile
0x4510a0 HeapSize
0x4510a4 GetProcessHeap
0x4510a8 SetEnvironmentVariableW
0x4510ac Wow64RevertWow64FsRedirection
0x4510b0 GetTempPathA
0x4510b4 Sleep
0x4510b8 CreateToolhelp32Snapshot
0x4510bc OpenProcess
0x4510c0 SetCurrentDirectoryA
0x4510c4 GetModuleHandleA
0x4510c8 ResumeThread
0x4510cc GetComputerNameExW
0x4510d0 GetVersionExW
0x4510d4 WaitForSingleObject
0x4510d8 CreateMutexA
0x4510dc FindClose
0x4510e0 PeekNamedPipe
0x4510e4 CreatePipe
0x4510e8 FindNextFileA
0x4510ec VirtualAlloc
0x4510f0 Wow64DisableWow64FsRedirection
0x4510f4 WriteFile
0x4510f8 VirtualFree
0x4510fc FindFirstFileA
0x451100 SetHandleInformation
0x451104 WriteProcessMemory
0x451108 GetModuleFileNameA
0x45110c VirtualAllocEx
0x451110 ReadFile
0x451114 FreeEnvironmentStringsW
0x451118 GetEnvironmentStringsW
0x45111c GetOEMCP
0x451120 GetACP
0x451124 IsValidCodePage
0x451128 FindNextFileW
0x45112c FindFirstFileExW
0x451130 GetTimeZoneInformation
0x451134 HeapReAlloc
0x451138 ReadConsoleW
0x45113c SetStdHandle
0x451140 GetFullPathNameW
0x451144 GetCurrentDirectoryW
0x451148 DeleteFileW
0x45114c EnumSystemLocalesW
0x451150 GetUserDefaultLCID
0x451154 IsValidLocale
0x451158 GetLocaleInfoW
0x45115c LCMapStringW
0x451160 CompareStringW
0x451164 HeapAlloc
0x451168 HeapFree
0x45116c GetConsoleMode
0x451170 GetConsoleOutputCP
0x451174 FlushFileBuffers
0x451178 SetFilePointerEx
0x45117c GetFileSizeEx
0x451180 GetCommandLineW
0x451184 GetCommandLineA
0x451188 GetStdHandle
0x45118c GetModuleFileNameW
0x451190 FileTimeToSystemTime
0x451194 SystemTimeToTzSpecificLocalTime
0x451198 GetFileType
0x45119c GetFileInformationByHandle
0x4511a0 GetDriveTypeW
0x4511a4 CreateFileW
0x4511a8 RaiseException
0x4511ac GetCurrentThreadId
0x4511b0 IsProcessorFeaturePresent
0x4511b4 FreeLibraryWhenCallbackReturns
0x4511b8 CreateThreadpoolWork
0x4511bc SubmitThreadpoolWork
0x4511c0 CloseThreadpoolWork
0x4511c4 GetModuleHandleExW
0x4511c8 InitializeConditionVariable
0x4511cc WakeConditionVariable
0x4511d0 WakeAllConditionVariable
0x4511d4 SleepConditionVariableCS
0x4511d8 SleepConditionVariableSRW
0x4511dc InitOnceComplete
0x4511e0 InitOnceBeginInitialize
0x4511e4 InitializeSRWLock
0x4511e8 ReleaseSRWLockExclusive
0x4511ec AcquireSRWLockExclusive
0x4511f0 EnterCriticalSection
0x4511f4 LeaveCriticalSection
0x4511f8 InitializeCriticalSectionEx
0x4511fc TryEnterCriticalSection
0x451200 DeleteCriticalSection
0x451204 WaitForSingleObjectEx
0x451208 QueryPerformanceCounter
0x45120c GetSystemTimeAsFileTime
0x451210 GetModuleHandleW
0x451214 EncodePointer
0x451218 DecodePointer
0x45121c MultiByteToWideChar
0x451220 WideCharToMultiByte
0x451224 LCMapStringEx
0x451228 GetStringTypeW
0x45122c GetCPInfo
0x451230 InitializeCriticalSectionAndSpinCount
0x451234 SetEvent
0x451238 ResetEvent
0x45123c CreateEventW
0x451240 UnhandledExceptionFilter
0x451244 SetUnhandledExceptionFilter
0x451248 GetCurrentProcess
0x45124c TerminateProcess
0x451250 IsDebuggerPresent
0x451254 GetStartupInfoW
0x451258 GetCurrentProcessId
0x45125c InitializeSListHead
0x451260 RtlUnwind
0x451264 SetLastError
0x451268 TlsAlloc
0x45126c TlsGetValue
0x451270 TlsSetValue
0x451274 TlsFree
0x451278 FreeLibrary
0x45127c LoadLibraryExW
0x451280 ExitProcess
0x451284 WriteConsoleW
USER32.dll
0x45129c GetSystemMetrics
0x4512a0 ReleaseDC
0x4512a4 GetDC
GDI32.dll
0x451048 CreateCompatibleBitmap
0x45104c SelectObject
0x451050 CreateCompatibleDC
0x451054 DeleteObject
0x451058 BitBlt
ADVAPI32.dll
0x451000 RevertToSelf
0x451004 RegCloseKey
0x451008 RegQueryInfoKeyW
0x45100c RegGetValueA
0x451010 RegQueryValueExA
0x451014 GetSidSubAuthorityCount
0x451018 GetSidSubAuthority
0x45101c GetUserNameA
0x451020 CreateProcessWithTokenW
0x451024 LookupAccountNameA
0x451028 ImpersonateLoggedOnUser
0x45102c RegSetValueExA
0x451030 OpenProcessToken
0x451034 RegOpenKeyExA
0x451038 RegEnumValueA
0x45103c DuplicateTokenEx
0x451040 GetSidIdentifierAuthority
SHELL32.dll
0x45128c SHGetFolderPathA
0x451290 ShellExecuteA
0x451294 SHFileOperationA
ole32.dll
0x45132c CoUninitialize
0x451330 CoCreateInstance
0x451334 CoInitialize
WININET.dll
0x4512ac HttpOpenRequestA
0x4512b0 InternetWriteFile
0x4512b4 InternetOpenUrlA
0x4512b8 InternetOpenW
0x4512bc HttpEndRequestW
0x4512c0 HttpAddRequestHeadersA
0x4512c4 HttpSendRequestExA
0x4512c8 InternetOpenA
0x4512cc InternetCloseHandle
0x4512d0 HttpSendRequestA
0x4512d4 InternetConnectA
0x4512d8 InternetReadFile
gdiplus.dll
0x45130c GdiplusStartup
0x451310 GdipSaveImageToFile
0x451314 GdipGetImageEncodersSize
0x451318 GdiplusShutdown
0x45131c GdipGetImageEncoders
0x451320 GdipCreateBitmapFromHBITMAP
0x451324 GdipDisposeImage
WS2_32.dll
0x4512e0 closesocket
0x4512e4 inet_pton
0x4512e8 getaddrinfo
0x4512ec WSAStartup
0x4512f0 send
0x4512f4 socket
0x4512f8 connect
0x4512fc recv
0x451300 htons
0x451304 freeaddrinfo
EAT(Export Address Table) is none
KERNEL32.dll
0x451060 GetFileAttributesA
0x451064 Process32NextW
0x451068 CreateFileA
0x45106c Process32FirstW
0x451070 CloseHandle
0x451074 GetSystemInfo
0x451078 CreateThread
0x45107c GetThreadContext
0x451080 GetProcAddress
0x451084 GetLastError
0x451088 RemoveDirectoryA
0x45108c ReadProcessMemory
0x451090 CreateProcessA
0x451094 CreateDirectoryA
0x451098 SetThreadContext
0x45109c SetEndOfFile
0x4510a0 HeapSize
0x4510a4 GetProcessHeap
0x4510a8 SetEnvironmentVariableW
0x4510ac Wow64RevertWow64FsRedirection
0x4510b0 GetTempPathA
0x4510b4 Sleep
0x4510b8 CreateToolhelp32Snapshot
0x4510bc OpenProcess
0x4510c0 SetCurrentDirectoryA
0x4510c4 GetModuleHandleA
0x4510c8 ResumeThread
0x4510cc GetComputerNameExW
0x4510d0 GetVersionExW
0x4510d4 WaitForSingleObject
0x4510d8 CreateMutexA
0x4510dc FindClose
0x4510e0 PeekNamedPipe
0x4510e4 CreatePipe
0x4510e8 FindNextFileA
0x4510ec VirtualAlloc
0x4510f0 Wow64DisableWow64FsRedirection
0x4510f4 WriteFile
0x4510f8 VirtualFree
0x4510fc FindFirstFileA
0x451100 SetHandleInformation
0x451104 WriteProcessMemory
0x451108 GetModuleFileNameA
0x45110c VirtualAllocEx
0x451110 ReadFile
0x451114 FreeEnvironmentStringsW
0x451118 GetEnvironmentStringsW
0x45111c GetOEMCP
0x451120 GetACP
0x451124 IsValidCodePage
0x451128 FindNextFileW
0x45112c FindFirstFileExW
0x451130 GetTimeZoneInformation
0x451134 HeapReAlloc
0x451138 ReadConsoleW
0x45113c SetStdHandle
0x451140 GetFullPathNameW
0x451144 GetCurrentDirectoryW
0x451148 DeleteFileW
0x45114c EnumSystemLocalesW
0x451150 GetUserDefaultLCID
0x451154 IsValidLocale
0x451158 GetLocaleInfoW
0x45115c LCMapStringW
0x451160 CompareStringW
0x451164 HeapAlloc
0x451168 HeapFree
0x45116c GetConsoleMode
0x451170 GetConsoleOutputCP
0x451174 FlushFileBuffers
0x451178 SetFilePointerEx
0x45117c GetFileSizeEx
0x451180 GetCommandLineW
0x451184 GetCommandLineA
0x451188 GetStdHandle
0x45118c GetModuleFileNameW
0x451190 FileTimeToSystemTime
0x451194 SystemTimeToTzSpecificLocalTime
0x451198 GetFileType
0x45119c GetFileInformationByHandle
0x4511a0 GetDriveTypeW
0x4511a4 CreateFileW
0x4511a8 RaiseException
0x4511ac GetCurrentThreadId
0x4511b0 IsProcessorFeaturePresent
0x4511b4 FreeLibraryWhenCallbackReturns
0x4511b8 CreateThreadpoolWork
0x4511bc SubmitThreadpoolWork
0x4511c0 CloseThreadpoolWork
0x4511c4 GetModuleHandleExW
0x4511c8 InitializeConditionVariable
0x4511cc WakeConditionVariable
0x4511d0 WakeAllConditionVariable
0x4511d4 SleepConditionVariableCS
0x4511d8 SleepConditionVariableSRW
0x4511dc InitOnceComplete
0x4511e0 InitOnceBeginInitialize
0x4511e4 InitializeSRWLock
0x4511e8 ReleaseSRWLockExclusive
0x4511ec AcquireSRWLockExclusive
0x4511f0 EnterCriticalSection
0x4511f4 LeaveCriticalSection
0x4511f8 InitializeCriticalSectionEx
0x4511fc TryEnterCriticalSection
0x451200 DeleteCriticalSection
0x451204 WaitForSingleObjectEx
0x451208 QueryPerformanceCounter
0x45120c GetSystemTimeAsFileTime
0x451210 GetModuleHandleW
0x451214 EncodePointer
0x451218 DecodePointer
0x45121c MultiByteToWideChar
0x451220 WideCharToMultiByte
0x451224 LCMapStringEx
0x451228 GetStringTypeW
0x45122c GetCPInfo
0x451230 InitializeCriticalSectionAndSpinCount
0x451234 SetEvent
0x451238 ResetEvent
0x45123c CreateEventW
0x451240 UnhandledExceptionFilter
0x451244 SetUnhandledExceptionFilter
0x451248 GetCurrentProcess
0x45124c TerminateProcess
0x451250 IsDebuggerPresent
0x451254 GetStartupInfoW
0x451258 GetCurrentProcessId
0x45125c InitializeSListHead
0x451260 RtlUnwind
0x451264 SetLastError
0x451268 TlsAlloc
0x45126c TlsGetValue
0x451270 TlsSetValue
0x451274 TlsFree
0x451278 FreeLibrary
0x45127c LoadLibraryExW
0x451280 ExitProcess
0x451284 WriteConsoleW
USER32.dll
0x45129c GetSystemMetrics
0x4512a0 ReleaseDC
0x4512a4 GetDC
GDI32.dll
0x451048 CreateCompatibleBitmap
0x45104c SelectObject
0x451050 CreateCompatibleDC
0x451054 DeleteObject
0x451058 BitBlt
ADVAPI32.dll
0x451000 RevertToSelf
0x451004 RegCloseKey
0x451008 RegQueryInfoKeyW
0x45100c RegGetValueA
0x451010 RegQueryValueExA
0x451014 GetSidSubAuthorityCount
0x451018 GetSidSubAuthority
0x45101c GetUserNameA
0x451020 CreateProcessWithTokenW
0x451024 LookupAccountNameA
0x451028 ImpersonateLoggedOnUser
0x45102c RegSetValueExA
0x451030 OpenProcessToken
0x451034 RegOpenKeyExA
0x451038 RegEnumValueA
0x45103c DuplicateTokenEx
0x451040 GetSidIdentifierAuthority
SHELL32.dll
0x45128c SHGetFolderPathA
0x451290 ShellExecuteA
0x451294 SHFileOperationA
ole32.dll
0x45132c CoUninitialize
0x451330 CoCreateInstance
0x451334 CoInitialize
WININET.dll
0x4512ac HttpOpenRequestA
0x4512b0 InternetWriteFile
0x4512b4 InternetOpenUrlA
0x4512b8 InternetOpenW
0x4512bc HttpEndRequestW
0x4512c0 HttpAddRequestHeadersA
0x4512c4 HttpSendRequestExA
0x4512c8 InternetOpenA
0x4512cc InternetCloseHandle
0x4512d0 HttpSendRequestA
0x4512d4 InternetConnectA
0x4512d8 InternetReadFile
gdiplus.dll
0x45130c GdiplusStartup
0x451310 GdipSaveImageToFile
0x451314 GdipGetImageEncodersSize
0x451318 GdiplusShutdown
0x45131c GdipGetImageEncoders
0x451320 GdipCreateBitmapFromHBITMAP
0x451324 GdipDisposeImage
WS2_32.dll
0x4512e0 closesocket
0x4512e4 inet_pton
0x4512e8 getaddrinfo
0x4512ec WSAStartup
0x4512f0 send
0x4512f4 socket
0x4512f8 connect
0x4512fc recv
0x451300 htons
0x451304 freeaddrinfo
EAT(Export Address Table) is none