ScreenShot
Field | Value
---|---
Created | 2025.01.23 06:36
Machine | s1_win7_x6403
Filename | iviewers.dll
Type | PE32 executable (DLL) (console) Intel 80386, for MS Windows
ZERO API | file : malware
md5 | 07fd51e1e8368144ea403137a671b84c
sha256 | b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f
ssdeep | 1536:Y2ShYtT4To+GdOfoPXRr9tXLtAuQeSVdJssWdcd7IW3+ZR+ueK:Y2z0To+GdlhrbwJJ7IW3+n+ue
imphash | 7ceca204ebc32aa6a49c38b8ef6a9854
impfuzzy | 24:DtMS1ihlJnc+pl3eDo/CYodUgOovbO9ZsvwGM8:DtMS1i5c+ppmYp36/
Signatures (24 entries)
Level | Description |
---|---|
watch | An executable file was downloaded by the process powershell.exe |
watch | Communicates with host for which no DNS query was performed |
watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | PowerShell is sending data to a remote host |
notice | URL downloaded by powershell script |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
Rules (43 entries)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | PowershellDI | Extract Download/Invoke calls from powershell script | scripts |
PE API
IAT (Import Address Table) Library
SHELL32.dll
0x1000d108 ShellExecuteA
KERNEL32.dll
0x1000d000 IsValidCodePage
0x1000d004 DecodePointer
0x1000d008 UnhandledExceptionFilter
0x1000d00c SetUnhandledExceptionFilter
0x1000d010 GetCurrentProcess
0x1000d014 TerminateProcess
0x1000d018 IsProcessorFeaturePresent
0x1000d01c QueryPerformanceCounter
0x1000d020 GetCurrentProcessId
0x1000d024 GetCurrentThreadId
0x1000d028 GetSystemTimeAsFileTime
0x1000d02c InitializeSListHead
0x1000d030 IsDebuggerPresent
0x1000d034 GetStartupInfoW
0x1000d038 GetModuleHandleW
0x1000d03c InterlockedFlushSList
0x1000d040 RtlUnwind
0x1000d044 GetLastError
0x1000d048 SetLastError
0x1000d04c EnterCriticalSection
0x1000d050 LeaveCriticalSection
0x1000d054 DeleteCriticalSection
0x1000d058 InitializeCriticalSectionAndSpinCount
0x1000d05c TlsAlloc
0x1000d060 TlsGetValue
0x1000d064 TlsSetValue
0x1000d068 TlsFree
0x1000d06c FreeLibrary
0x1000d070 GetProcAddress
0x1000d074 LoadLibraryExW
0x1000d078 EncodePointer
0x1000d07c RaiseException
0x1000d080 ExitProcess
0x1000d084 GetModuleHandleExW
0x1000d088 GetModuleFileNameW
0x1000d08c HeapAlloc
0x1000d090 HeapFree
0x1000d094 FindClose
0x1000d098 FindFirstFileExW
0x1000d09c FindNextFileW
0x1000d0a0 CloseHandle
0x1000d0a4 GetACP
0x1000d0a8 GetOEMCP
0x1000d0ac GetCPInfo
0x1000d0b0 GetCommandLineA
0x1000d0b4 GetCommandLineW
0x1000d0b8 MultiByteToWideChar
0x1000d0bc WideCharToMultiByte
0x1000d0c0 GetEnvironmentStringsW
0x1000d0c4 FreeEnvironmentStringsW
0x1000d0c8 LCMapStringW
0x1000d0cc GetProcessHeap
0x1000d0d0 GetStdHandle
0x1000d0d4 GetFileType
0x1000d0d8 GetStringTypeW
0x1000d0dc HeapSize
0x1000d0e0 HeapReAlloc
0x1000d0e4 SetStdHandle
0x1000d0e8 FlushFileBuffers
0x1000d0ec WriteFile
0x1000d0f0 GetConsoleOutputCP
0x1000d0f4 GetConsoleMode
0x1000d0f8 SetFilePointerEx
0x1000d0fc CreateFileW
0x1000d100 WriteConsoleW
EAT (Export Address Table) Library
0x10001000 DllRegisterServer