ScreenShot
| Created | 2024.11.11 10:13 | Machine | s1_win7_x6401 |
| Filename | Lee.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | |||
| VT API (file) | 63 detected (AIDetectMalware, CobaltStrike, Malicious, score, CobaltStr, S17675256, Zusy, Unsafe, confidence, 100%, CbltStrkT, Cobalt, gen1, Windows, Artifact, HacktoolX, CozyDuke, kostpq, CLASSIC, AGEN, COBEACON, Static AI, Malicious PE, fsici, Detected, Malware@#4bd1nrck0jd1, NDUI, R356638, FSXF, Infiltration, GenAsa, ZICJWVi3Ujg, susgen) | ||
| md5 | a7fcb5ec6dfef33922b57a9fb7251743 | ||
| sha256 | fe3848b53bf6701306cb0fa9618527dbad319a882d2d1307f8693f005c61c772 | ||
| ssdeep | 6144:GCvy+QJCWgFnl0ql59dHjNvSLjAdkKzTbXx4utYhFK:RyVJCrl0qLPHjsPzmTbBu | ||
| imphash | 17b461a082950fc6332228572138b80c | ||
| impfuzzy | 24:Q2kfg1JlDzncLb9aa0mezlMC95XGDZ8k1koDquQZn:gfg1jc/bezlzJGV8k1koqz | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x44b244 CloseHandle
0x44b24c ConnectNamedPipe
0x44b254 CreateFileA
0x44b25c CreateNamedPipeA
0x44b264 CreateThread
0x44b26c DeleteCriticalSection
0x44b274 EnterCriticalSection
0x44b27c GetCurrentProcess
0x44b284 GetCurrentProcessId
0x44b28c GetCurrentThreadId
0x44b294 GetLastError
0x44b29c GetModuleHandleA
0x44b2a4 GetProcAddress
0x44b2ac GetStartupInfoA
0x44b2b4 GetSystemTimeAsFileTime
0x44b2bc GetTickCount
0x44b2c4 InitializeCriticalSection
0x44b2cc LeaveCriticalSection
0x44b2d4 LoadLibraryW
0x44b2dc QueryPerformanceCounter
0x44b2e4 ReadFile
0x44b2ec RtlAddFunctionTable
0x44b2f4 RtlCaptureContext
0x44b2fc RtlLookupFunctionEntry
0x44b304 RtlVirtualUnwind
0x44b30c SetUnhandledExceptionFilter
0x44b314 Sleep
0x44b31c TerminateProcess
0x44b324 TlsGetValue
0x44b32c UnhandledExceptionFilter
0x44b334 VirtualAlloc
0x44b33c VirtualProtect
0x44b344 VirtualQuery
0x44b34c WriteFile
msvcrt.dll
0x44b35c __C_specific_handler
0x44b364 __dllonexit
0x44b36c __getmainargs
0x44b374 __initenv
0x44b37c __iob_func
0x44b384 __lconv_init
0x44b38c __set_app_type
0x44b394 __setusermatherr
0x44b39c _acmdln
0x44b3a4 _amsg_exit
0x44b3ac _cexit
0x44b3b4 _fmode
0x44b3bc _initterm
0x44b3c4 _lock
0x44b3cc _onexit
0x44b3d4 _unlock
0x44b3dc abort
0x44b3e4 calloc
0x44b3ec exit
0x44b3f4 fprintf
0x44b3fc free
0x44b404 fwrite
0x44b40c malloc
0x44b414 memcpy
0x44b41c signal
0x44b424 sprintf
0x44b42c strlen
0x44b434 strncmp
0x44b43c vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x44b244 CloseHandle
0x44b24c ConnectNamedPipe
0x44b254 CreateFileA
0x44b25c CreateNamedPipeA
0x44b264 CreateThread
0x44b26c DeleteCriticalSection
0x44b274 EnterCriticalSection
0x44b27c GetCurrentProcess
0x44b284 GetCurrentProcessId
0x44b28c GetCurrentThreadId
0x44b294 GetLastError
0x44b29c GetModuleHandleA
0x44b2a4 GetProcAddress
0x44b2ac GetStartupInfoA
0x44b2b4 GetSystemTimeAsFileTime
0x44b2bc GetTickCount
0x44b2c4 InitializeCriticalSection
0x44b2cc LeaveCriticalSection
0x44b2d4 LoadLibraryW
0x44b2dc QueryPerformanceCounter
0x44b2e4 ReadFile
0x44b2ec RtlAddFunctionTable
0x44b2f4 RtlCaptureContext
0x44b2fc RtlLookupFunctionEntry
0x44b304 RtlVirtualUnwind
0x44b30c SetUnhandledExceptionFilter
0x44b314 Sleep
0x44b31c TerminateProcess
0x44b324 TlsGetValue
0x44b32c UnhandledExceptionFilter
0x44b334 VirtualAlloc
0x44b33c VirtualProtect
0x44b344 VirtualQuery
0x44b34c WriteFile
msvcrt.dll
0x44b35c __C_specific_handler
0x44b364 __dllonexit
0x44b36c __getmainargs
0x44b374 __initenv
0x44b37c __iob_func
0x44b384 __lconv_init
0x44b38c __set_app_type
0x44b394 __setusermatherr
0x44b39c _acmdln
0x44b3a4 _amsg_exit
0x44b3ac _cexit
0x44b3b4 _fmode
0x44b3bc _initterm
0x44b3c4 _lock
0x44b3cc _onexit
0x44b3d4 _unlock
0x44b3dc abort
0x44b3e4 calloc
0x44b3ec exit
0x44b3f4 fprintf
0x44b3fc free
0x44b404 fwrite
0x44b40c malloc
0x44b414 memcpy
0x44b41c signal
0x44b424 sprintf
0x44b42c strlen
0x44b434 strncmp
0x44b43c vfprintf
EAT(Export Address Table) is none