Field | Value |
---|---|
Created | 2024.11.08 17:09 |
Machine | s1_win7_x6401 |
Filename | ResOO.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 30 detected (AIDetectMalware, Unsafe, malicious, confidence, GenericKD, a variant of Generik, DSFMISL, MalwareX, LUMMASTEALER, YXEKGZ, Detected, GrayWare, Wacapew, Wacatac, 497GYW, Lumma, susgen, PossibleThreat) |
md5 | 826ac9d03e37048df300b013335098d9 |
sha256 | a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe |
ssdeep | 3072:ORIhf/ay4MQGyEDmGg9m5mZcErtLk0m/USg:vhf/ay4MQGAm5mZHV3b |
imphash | 398697f041e256fb6c451f1966f76316 |
impfuzzy | 24:802tMS17mlJnc+pl3eDo/CuyoEOovbOI2jKRZHu93v8R3GM8:UtMS17kc+ppmuyc3zEK |
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140013000 RtlCaptureContext
0x140013008 RtlLookupFunctionEntry
0x140013010 RtlVirtualUnwind
0x140013018 UnhandledExceptionFilter
0x140013020 SetUnhandledExceptionFilter
0x140013028 GetCurrentProcess
0x140013030 TerminateProcess
0x140013038 IsProcessorFeaturePresent
0x140013040 QueryPerformanceCounter
0x140013048 GetCurrentProcessId
0x140013050 GetCurrentThreadId
0x140013058 GetSystemTimeAsFileTime
0x140013060 InitializeSListHead
0x140013068 IsDebuggerPresent
0x140013070 GetStartupInfoW
0x140013078 GetModuleHandleW
0x140013080 RtlUnwindEx
0x140013088 GetLastError
0x140013090 SetLastError
0x140013098 EnterCriticalSection
0x1400130a0 LeaveCriticalSection
0x1400130a8 DeleteCriticalSection
0x1400130b0 InitializeCriticalSectionAndSpinCount
0x1400130b8 TlsAlloc
0x1400130c0 TlsGetValue
0x1400130c8 TlsSetValue
0x1400130d0 TlsFree
0x1400130d8 FreeLibrary
0x1400130e0 GetProcAddress
0x1400130e8 LoadLibraryExW
0x1400130f0 EncodePointer
0x1400130f8 RaiseException
0x140013100 RtlPcToFileHeader
0x140013108 GetStdHandle
0x140013110 WriteFile
0x140013118 GetModuleFileNameW
0x140013120 ExitProcess
0x140013128 GetModuleHandleExW
0x140013130 GetCommandLineA
0x140013138 GetCommandLineW
0x140013140 HeapFree
0x140013148 CloseHandle
0x140013150 WaitForSingleObject
0x140013158 GetExitCodeProcess
0x140013160 CreateProcessW
0x140013168 GetFileAttributesExW
0x140013170 HeapAlloc
0x140013178 FindClose
0x140013180 FindFirstFileExW
0x140013188 FindNextFileW
0x140013190 IsValidCodePage
0x140013198 GetACP
0x1400131a0 GetOEMCP
0x1400131a8 GetCPInfo
0x1400131b0 MultiByteToWideChar
0x1400131b8 WideCharToMultiByte
0x1400131c0 GetEnvironmentStringsW
0x1400131c8 FreeEnvironmentStringsW
0x1400131d0 SetEnvironmentVariableW
0x1400131d8 SetStdHandle
0x1400131e0 GetFileType
0x1400131e8 GetStringTypeW
0x1400131f0 FlsAlloc
0x1400131f8 FlsGetValue
0x140013200 FlsSetValue
0x140013208 FlsFree
0x140013210 CompareStringW
0x140013218 LCMapStringW
0x140013220 GetProcessHeap
0x140013228 HeapSize
0x140013230 HeapReAlloc
0x140013238 FlushFileBuffers
0x140013240 GetConsoleOutputCP
0x140013248 GetConsoleMode
0x140013250 SetFilePointerEx
0x140013258 CreateFileW
0x140013260 WriteConsoleW
EAT(Export Address Table) is none