Field | Value |
---|---|
Created | 2024.11.08 16:58 |
Machine | s1_win7_x6403 |
Filename | xloaderProtected.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | |
VT API (file) | 55 detected (AIDetectMalware, Injects, Malicious, score, Artemis, Zusy, Unsafe, confidence, 100%, Attribute, HighConfidence, high confidence, GenKryptik, HAOG, MalwareX, CLASSIC, vgttg, FORMBOOK, YXEKCZ, Real Protect, moderate, Static AI, Suspicious PE, Detected, AzorUlt, Malware@#2xjp76xlbkf3p, Multiverze, VBKrypt, Eldorado, Caynamer, Hider, Krypt, Chgt, Gencirc, susgen) |
md5 | 0831be87ba259aeeab3021ae393ff305 |
sha256 | a408401b6dd73b19e6655d6e2c68e78d5ac56dfa8cb105b7fa653b02590a949d |
ssdeep | 49152:3bdYAm4zKbdYAm4zSs5XbdYAm4zabdYAm4zgmNlU+5f2QYD:LdrAdrZrdrwdrdlU6O9 |
imphash | df6d1c20dc810ef2c588ac6ad8bcec75 |
impfuzzy | 48:PE/1wzQNwgocw0lgRkRxkxRek3L39jwoFZqH21SJXIryxdTyrmFNjWcuxlhHw+sP:PE/1GQNfoctgRkRxkxRN7NjdFZqH2wJL |
Signature (12cnts)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | One or more of the buffers contains an embedded PE file |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Tries to unhook Windows functions monitored by Cuckoo |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | One or more potentially interesting buffers were extracted |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.DLL
0x57b000 GetProcAddress
0x57b004 GetModuleHandleW
MSVBVM60.DLL
0x57b00c __vbaVarSub
0x57b010 _CIcos
0x57b014 _adj_fptan
0x57b018 __vbaVarMove
0x57b01c __vbaVarVargNofree
0x57b020 __vbaFreeVar
0x57b024 __vbaStrVarMove
0x57b028 __vbaLenBstr
0x57b02c None
0x57b030 __vbaFreeVarList
0x57b034 _adj_fdiv_m64
0x57b038 None
0x57b03c __vbaNextEachVar
0x57b040 __vbaFreeObjList
0x57b044 _adj_fprem1
0x57b048 None
0x57b04c __vbaStrCat
0x57b050 __vbaLsetFixstr
0x57b054 __vbaSetSystemError
0x57b058 __vbaHresultCheckObj
0x57b05c _adj_fdiv_m32
0x57b060 __vbaAryVar
0x57b064 __vbaAryDestruct
0x57b068 __vbaOnError
0x57b06c None
0x57b070 __vbaObjSet
0x57b074 _adj_fdiv_m16i
0x57b078 __vbaObjSetAddref
0x57b07c _adj_fdivr_m16i
0x57b080 __vbaRefVarAry
0x57b084 __vbaBoolVarNull
0x57b088 _CIsin
0x57b08c __vbaErase
0x57b090 __vbaVargVarMove
0x57b094 __vbaVarZero
0x57b098 __vbaVarCmpGt
0x57b09c __vbaChkstk
0x57b0a0 None
0x57b0a4 None
0x57b0a8 EVENT_SINK_AddRef
0x57b0ac None
0x57b0b0 __vbaStrCmp
0x57b0b4 __vbaVarTstEq
0x57b0b8 None
0x57b0bc DllFunctionCall
0x57b0c0 __vbaVarOr
0x57b0c4 __vbaRedimPreserve
0x57b0c8 _adj_fpatan
0x57b0cc __vbaFixstrConstruct
0x57b0d0 __vbaRedim
0x57b0d4 EVENT_SINK_Release
0x57b0d8 __vbaNew
0x57b0dc None
0x57b0e0 _CIsqrt
0x57b0e4 EVENT_SINK_QueryInterface
0x57b0e8 __vbaExceptHandler
0x57b0ec __vbaStrToUnicode
0x57b0f0 None
0x57b0f4 _adj_fprem
0x57b0f8 _adj_fdivr_m64
0x57b0fc None
0x57b100 __vbaFPException
0x57b104 None
0x57b108 __vbaStrVarVal
0x57b10c __vbaUbound
0x57b110 __vbaVarCat
0x57b114 __vbaLsetFixstrFree
0x57b118 None
0x57b11c _CIlog
0x57b120 __vbaNew2
0x57b124 _adj_fdiv_m32i
0x57b128 _adj_fdivr_m32i
0x57b12c __vbaStrCopy
0x57b130 __vbaI4Str
0x57b134 __vbaFreeStrList
0x57b138 _adj_fdivr_m32
0x57b13c _adj_fdiv_r
0x57b140 None
0x57b144 __vbaVarTstNe
0x57b148 __vbaI4Var
0x57b14c __vbaAryLock
0x57b150 __vbaVarAdd
0x57b154 __vbaVarDup
0x57b158 __vbaStrToAnsi
0x57b15c None
0x57b160 __vbaVarLateMemCallLd
0x57b164 __vbaVarCopy
0x57b168 None
0x57b16c _CIatan
0x57b170 __vbaStrMove
0x57b174 __vbaCastObj
0x57b178 __vbaAryCopy
0x57b17c __vbaStrVarCopy
0x57b180 __vbaForEachVar
0x57b184 _allmul
0x57b188 _CItan
0x57b18c __vbaAryUnlock
0x57b190 _CIexp
0x57b194 __vbaFreeStr
0x57b198 __vbaFreeObj
EAT (Export Address Table) is none