Field | Value |
---|---|
Created | 2024.11.11 09:44 |
Machine | s1_win7_x6401 |
Filename | Responder.exe |
Type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | |
VT API (file) | 44 detected (Hacktool, Responder, Malicious, score, GenericPMF, S3018656, HTool, Marte, Unsafe, confidence, 100%, Python, PrivacyRisk, Tool, atph, Detected, APT40, Presenoker, Eldorado, Neshta, FileInfector, Bnhl) |
md5 | c808d2ed8bb6b2e3c06c907a01b73d06 |
sha256 | 47d121087c05568fe90a25ef921f9e35d40bc6bec969e33e75337fc9b580f0e8 |
ssdeep | 98304:WZAsErGdEvDnybZ9m4LnHxY0pl+WKl/J4M/on7vm:BPQonug4LHLG2won7+ |
imphash | be10bb45cef8dcc6869b921dd20884ae |
impfuzzy | 48:IfrZ93D1wcnNebJGpJu8I/saeBFO5yqfZD:IfrZR1wcnNebJGpA82UAMqRD |
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 44 AntiVirus engines on VirusTotal as malicious |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Command line console output was observed |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(no network requests recorded) | | | | | |
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x41e218 CreateProcessW
0x41e21c DeleteCriticalSection
0x41e220 EnterCriticalSection
0x41e224 ExpandEnvironmentStringsW
0x41e228 FormatMessageA
0x41e22c GetCommandLineW
0x41e230 GetCurrentProcess
0x41e234 GetCurrentProcessId
0x41e238 GetCurrentThreadId
0x41e23c GetEnvironmentVariableW
0x41e240 GetExitCodeProcess
0x41e244 GetLastError
0x41e248 GetModuleFileNameW
0x41e24c GetModuleHandleA
0x41e250 GetProcAddress
0x41e254 GetShortPathNameW
0x41e258 GetStartupInfoW
0x41e25c GetSystemTimeAsFileTime
0x41e260 GetTempPathW
0x41e264 GetTickCount
0x41e268 InitializeCriticalSection
0x41e26c LeaveCriticalSection
0x41e270 LoadLibraryA
0x41e274 LoadLibraryExW
0x41e278 MultiByteToWideChar
0x41e27c QueryPerformanceCounter
0x41e280 SetDllDirectoryW
0x41e284 SetEnvironmentVariableW
0x41e288 SetUnhandledExceptionFilter
0x41e28c Sleep
0x41e290 TerminateProcess
0x41e294 TlsGetValue
0x41e298 UnhandledExceptionFilter
0x41e29c VirtualProtect
0x41e2a0 VirtualQuery
0x41e2a4 WaitForSingleObject
0x41e2a8 WideCharToMultiByte
msvcrt.dll
0x41e2b0 __argc
0x41e2b4 __dllonexit
0x41e2b8 __lconv_init
0x41e2bc __set_app_type
0x41e2c0 __setusermatherr
0x41e2c4 __wargv
0x41e2c8 __wgetmainargs
0x41e2cc __winitenv
0x41e2d0 _amsg_exit
0x41e2d4 _cexit
0x41e2d8 _findclose
0x41e2dc _fileno
0x41e2e0 _fmode
0x41e2e4 _fullpath
0x41e2e8 _get_osfhandle
0x41e2ec _initterm
0x41e2f0 _iob
0x41e2f4 _lock
0x41e2f8 _getpid
0x41e2fc _onexit
0x41e300 _setmode
0x41e304 _stat
0x41e308 _strdup
0x41e30c _unlock
0x41e310 _vsnprintf
0x41e314 _vsnwprintf
0x41e318 _wcmdln
0x41e31c _wfindfirst
0x41e320 _wfindnext
0x41e324 _wfopen
0x41e328 _wmkdir
0x41e32c _wremove
0x41e330 _wrmdir
0x41e334 _wstat
0x41e338 _wtempnam
0x41e33c abort
0x41e340 calloc
0x41e344 clearerr
0x41e348 exit
0x41e34c fclose
0x41e350 feof
0x41e354 ferror
0x41e358 fflush
0x41e35c fprintf
0x41e360 fread
0x41e364 free
0x41e368 fseek
0x41e36c ftell
0x41e370 fwrite
0x41e374 getenv
0x41e378 malloc
0x41e37c mbstowcs
0x41e380 memcpy
0x41e384 memset
0x41e388 setbuf
0x41e38c setlocale
0x41e390 signal
0x41e394 sprintf
0x41e398 strcat
0x41e39c strchr
0x41e3a0 strcmp
0x41e3a4 strcpy
0x41e3a8 strlen
0x41e3ac strncat
0x41e3b0 strncmp
0x41e3b4 strncpy
0x41e3b8 strrchr
0x41e3bc strtok
0x41e3c0 vfprintf
0x41e3c4 wcscat
0x41e3c8 wcscmp
0x41e3cc wcscpy
0x41e3d0 wcslen
WS2_32.dll
0x41e3d8 ntohl
EAT (Export Address Table): none