Field | Value |
---|---|
Created | 2024.11.18 09:35 |
Machine | s1_win7_x6401 |
Filename | windows_update.dll |
Type | PE32+ executable (DLL) (console) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 31 detected (AIDetectMalware, Malicious, score, GenericKD, Unsafe, Attribute, HighConfidence, ReverseShell, MalwareX, CLOUD, Redcap, ixiwg, Generic Reputation PUA, Detected, GrayWare, Wacapew, Wacatac, Artemis, Shellcoderunner) |
md5 | c65d43d62825d0941597622cc3a484ac |
sha256 | 632cc311aec3726d9f6bbb89e119c0222274cc6b3837dbd0c642ce609cd056b9 |
ssdeep | 3072:OYzGetsrklMyXwF/ChT6RtnBpKn418PWZ8m1Xz2Q+humtE/IGRIqBL:aeqYxIQ6RtnAYBL |
imphash | d5fc466b0b3615c3f70eb9bc3d7c9199 |
impfuzzy | 12:CNRJRJJoAR+hqR2qhj7s4lJYasTqa91Dvlp1FQJqcuiZZOxvI/0yon/GJ:gfjB+krjI4liHx91DvlxcqcBZZsAAn/u |
Network IP location
Signature (5cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
info | Checks if process is being debugged by a debugger |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x30888e1d0 CloseHandle
0x30888e1d8 CreateProcessA
0x30888e1e0 DeleteCriticalSection
0x30888e1e8 EnterCriticalSection
0x30888e1f0 GetLastError
0x30888e1f8 InitializeCriticalSection
0x30888e200 IsDBCSLeadByteEx
0x30888e208 LeaveCriticalSection
0x30888e210 MultiByteToWideChar
0x30888e218 Sleep
0x30888e220 TlsGetValue
0x30888e228 VirtualProtect
0x30888e230 VirtualQuery
0x30888e238 WaitForSingleObject
0x30888e240 WideCharToMultiByte
msvcrt.dll
0x30888e250 ___lc_codepage_func
0x30888e258 ___mb_cur_max_func
0x30888e260 __iob_func
0x30888e268 _amsg_exit
0x30888e270 _errno
0x30888e278 _initterm
0x30888e280 _lock
0x30888e288 _unlock
0x30888e290 abort
0x30888e298 calloc
0x30888e2a0 fputc
0x30888e2a8 free
0x30888e2b0 fwrite
0x30888e2b8 localeconv
0x30888e2c0 malloc
0x30888e2c8 memcpy
0x30888e2d0 memset
0x30888e2d8 realloc
0x30888e2e0 strerror
0x30888e2e8 strlen
0x30888e2f0 strncmp
0x30888e2f8 vfprintf
0x30888e300 wcslen
WS2_32.dll
0x30888e310 WSACleanup
0x30888e318 WSAStartup
0x30888e320 closesocket
0x30888e328 connect
0x30888e330 htons
0x30888e338 inet_addr
0x30888e340 socket
EAT(Export Address Table) Library
0x3088813d4 reverse_shell
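As an added example (not part of this report or of the sandbox that produced it), the following Python script parses the IAT/EAT listing format printed above and scores the import/export combination for reverse-shell capability. The listing embedded in it is constructed from the entries on this page (a subset of the KERNEL32 imports, the full WS2_32 import set and the single export); the capability names, weights and thresholds are the example's own assumptions, not the sandbox's "AI Score" or "Behavior Score".

```python
"""Static triage of a sandbox report's IAT/EAT listing for reverse-shell capability.

Added example; not code from the report or from any analysis tool. The
capability table, weights and verdict thresholds are assumptions chosen for
illustration.
"""
import re
from collections import defaultdict

# Constructed from the report above: section headers, DLL headers, "addr name" rows.
SAMPLE_LISTING = """\
IAT(Import Address Table) Library
KERNEL32.dll
0x30888e1d8 CreateProcessA
0x30888e218 Sleep
0x30888e228 VirtualProtect
0x30888e238 WaitForSingleObject
WS2_32.dll
0x30888e310 WSACleanup
0x30888e318 WSAStartup
0x30888e320 closesocket
0x30888e328 connect
0x30888e330 htons
0x30888e338 inet_addr
0x30888e340 socket
EAT(Export Address Table) Library
0x3088813d4 reverse_shell
"""

ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")

# name: (APIs that must all be imported, weight) -- assumed weights
CAPABILITIES = {
    "winsock_client": ({"WSAStartup", "socket", "connect"}, 2),
    "spawn_process": ({"CreateProcessA"}, 2),
    "rwx_memory": ({"VirtualProtect"}, 1),
}
# Name-resolution APIs; their absence next to inet_addr implies a hard-coded IP.
RESOLVERS = {"gethostbyname", "getaddrinfo", "GetAddrInfoW"}
EXPORT_TOKENS = ("reverse_shell", "revshell", "shell", "payload")


def parse_listing(text):
    """Return ({dll_lowercase: {api, ...}}, {export, ...}) from the report's format."""
    imports = defaultdict(set)
    exports = set()
    section = None
    dll = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("IAT("):
            section = "iat"
            continue
        if line.startswith("EAT("):
            section = "eat"
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Not an "addr name" row: inside the IAT this is a DLL header.
            if section == "iat" and line.lower().endswith(".dll"):
                dll = line.lower()
            continue
        if section == "iat" and dll is not None:
            imports[dll].add(m.group(1))
        elif section == "eat":
            exports.add(m.group(1))
    return dict(imports), exports


def assess(imports, exports):
    """Score the static picture; a socket client plus CreateProcess is the core pattern."""
    apis = set().union(*imports.values())
    findings = []
    score = 0
    for cap, (needed, weight) in CAPABILITIES.items():
        if needed <= apis:
            findings.append(cap)
            score += weight
    # A classic Winsock reverse shell connects out, then spawns a shell whose
    # standard handles are the socket; both halves must be present.
    if "winsock_client" in findings and "spawn_process" in findings:
        findings.append("reverse_shell_pattern")
        score += 3
    if "inet_addr" in apis and not (apis & RESOLVERS):
        findings.append("hardcoded_ip_no_dns")
        score += 1
    for exp in sorted(exports):
        if any(tok in exp.lower() for tok in EXPORT_TOKENS):
            findings.append("suspicious_export:" + exp)
            score += 2
    if score >= 7:
        verdict = "likely_reverse_shell"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "no_static_indicator"
    return {"score": score, "verdict": verdict, "findings": findings}


def triage(text):
    imports, exports = parse_listing(text)
    return assess(imports, exports)


if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Reading the result against the sandbox signatures: the WS2_32 set (WSAStartup, socket, inet_addr, htons, connect) with no resolver import is exactly what "Communicates with host for which no DNS query was performed" looks like statically, and `inet_addr` only accepts a dotted-quad, so the callback address is hard-coded in the binary. `CreateProcessA` is the only process-creation API present, which fits a shell spawned with its standard handles pointed at the socket. `VirtualProtect` is the only memory-protection API imported, consistent with the "Allocates read-write-execute memory" notice. Because neither `LoadLibraryA` nor `GetProcAddress` appears in the IAT, the listing is the complete static import picture rather than a decoy around dynamically resolved APIs.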