ScreenShot
| Created | 2024.11.19 19:19 | Machine | s1_win7_x6401 |
| Filename | 6e1ed6447607ab4c30b3f389a53675e9.bin.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 31 detected (AIDetectMalware, Stealerc, VirusWinExpiro, Artemis, Unsafe, Save, malicious, confidence, 100%, Lazy, Attribute, HighConfidence, high confidence, GenKryptik, HDXO, FileRepMalware, Stelpak, CLOUD, Static AI, Malicious PE, Caynamer, Iflw) | ||
| md5 | 6e1ed6447607ab4c30b3f389a53675e9 | ||
| sha256 | a69c11ca0cdbf0c75ac031ad24cb8c0ca88fbec1cfee5e26a9bbc3a64dc436b1 | ||
| ssdeep | 24576:T1V5bEb5v837jDHNCFYC/kNMqc5wwcotkPh2sQNxPkd5zwdSNLD2:ZfxCFNGMql5PnQNCrzy+ | ||
| imphash | 20773d4ea10b15590a06df441c9fd5be | ||
| impfuzzy | 24:UFWDCejtWOovbOGMUD1uUvgmWDQyl3LPOTqwu9VJUsO:UFQCKx361PIhbOucsO | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x49ad28 CloseHandle
0x49ad2c CompareStringW
0x49ad30 CreateFileA
0x49ad34 CreateFileW
0x49ad38 DecodePointer
0x49ad3c DeleteCriticalSection
0x49ad40 EncodePointer
0x49ad44 EnterCriticalSection
0x49ad48 ExitProcess
0x49ad4c FindClose
0x49ad50 FindFirstFileExW
0x49ad54 FindNextFileW
0x49ad58 FlushFileBuffers
0x49ad5c FreeEnvironmentStringsW
0x49ad60 FreeLibrary
0x49ad64 GetACP
0x49ad68 GetCPInfo
0x49ad6c GetCommandLineA
0x49ad70 GetCommandLineW
0x49ad74 GetConsoleMode
0x49ad78 GetConsoleOutputCP
0x49ad7c GetCurrentProcess
0x49ad80 GetCurrentProcessId
0x49ad84 GetCurrentThreadId
0x49ad88 GetEnvironmentStringsW
0x49ad8c GetFileSize
0x49ad90 GetFileSizeEx
0x49ad94 GetFileType
0x49ad98 GetLastError
0x49ad9c GetModuleFileNameW
0x49ada0 GetModuleHandleExW
0x49ada4 GetModuleHandleW
0x49ada8 GetOEMCP
0x49adac GetProcAddress
0x49adb0 GetProcessHeap
0x49adb4 GetStartupInfoW
0x49adb8 GetStdHandle
0x49adbc GetStringTypeW
0x49adc0 GetSystemTimeAsFileTime
0x49adc4 HeapAlloc
0x49adc8 HeapFree
0x49adcc HeapReAlloc
0x49add0 HeapSize
0x49add4 InitializeCriticalSectionAndSpinCount
0x49add8 InitializeSListHead
0x49addc IsDebuggerPresent
0x49ade0 IsProcessorFeaturePresent
0x49ade4 IsValidCodePage
0x49ade8 LCMapStringW
0x49adec LeaveCriticalSection
0x49adf0 LoadLibraryExW
0x49adf4 MultiByteToWideChar
0x49adf8 QueryPerformanceCounter
0x49adfc RaiseException
0x49ae00 ReadFile
0x49ae04 RtlUnwind
0x49ae08 SetEnvironmentVariableW
0x49ae0c SetFilePointerEx
0x49ae10 SetLastError
0x49ae14 SetStdHandle
0x49ae18 SetUnhandledExceptionFilter
0x49ae1c TerminateProcess
0x49ae20 TlsAlloc
0x49ae24 TlsFree
0x49ae28 TlsGetValue
0x49ae2c TlsSetValue
0x49ae30 UnhandledExceptionFilter
0x49ae34 WideCharToMultiByte
0x49ae38 WriteConsoleW
0x49ae3c WriteFile
EAT(Export Address Table) is none
KERNEL32.dll
0x49ad28 CloseHandle
0x49ad2c CompareStringW
0x49ad30 CreateFileA
0x49ad34 CreateFileW
0x49ad38 DecodePointer
0x49ad3c DeleteCriticalSection
0x49ad40 EncodePointer
0x49ad44 EnterCriticalSection
0x49ad48 ExitProcess
0x49ad4c FindClose
0x49ad50 FindFirstFileExW
0x49ad54 FindNextFileW
0x49ad58 FlushFileBuffers
0x49ad5c FreeEnvironmentStringsW
0x49ad60 FreeLibrary
0x49ad64 GetACP
0x49ad68 GetCPInfo
0x49ad6c GetCommandLineA
0x49ad70 GetCommandLineW
0x49ad74 GetConsoleMode
0x49ad78 GetConsoleOutputCP
0x49ad7c GetCurrentProcess
0x49ad80 GetCurrentProcessId
0x49ad84 GetCurrentThreadId
0x49ad88 GetEnvironmentStringsW
0x49ad8c GetFileSize
0x49ad90 GetFileSizeEx
0x49ad94 GetFileType
0x49ad98 GetLastError
0x49ad9c GetModuleFileNameW
0x49ada0 GetModuleHandleExW
0x49ada4 GetModuleHandleW
0x49ada8 GetOEMCP
0x49adac GetProcAddress
0x49adb0 GetProcessHeap
0x49adb4 GetStartupInfoW
0x49adb8 GetStdHandle
0x49adbc GetStringTypeW
0x49adc0 GetSystemTimeAsFileTime
0x49adc4 HeapAlloc
0x49adc8 HeapFree
0x49adcc HeapReAlloc
0x49add0 HeapSize
0x49add4 InitializeCriticalSectionAndSpinCount
0x49add8 InitializeSListHead
0x49addc IsDebuggerPresent
0x49ade0 IsProcessorFeaturePresent
0x49ade4 IsValidCodePage
0x49ade8 LCMapStringW
0x49adec LeaveCriticalSection
0x49adf0 LoadLibraryExW
0x49adf4 MultiByteToWideChar
0x49adf8 QueryPerformanceCounter
0x49adfc RaiseException
0x49ae00 ReadFile
0x49ae04 RtlUnwind
0x49ae08 SetEnvironmentVariableW
0x49ae0c SetFilePointerEx
0x49ae10 SetLastError
0x49ae14 SetStdHandle
0x49ae18 SetUnhandledExceptionFilter
0x49ae1c TerminateProcess
0x49ae20 TlsAlloc
0x49ae24 TlsFree
0x49ae28 TlsGetValue
0x49ae2c TlsSetValue
0x49ae30 UnhandledExceptionFilter
0x49ae34 WideCharToMultiByte
0x49ae38 WriteConsoleW
0x49ae3c WriteFile
EAT(Export Address Table) is none