Field | Value |
---|---|
Created | 2025.02.10 16:16 |
Machine | s1_win7_x6401 |
Filename | z.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
ZERO API | file : malicious |
VT API (file) | 53 detected (AIDetectMalware, PowerLoader, Malicious, score, Sabsik, GenericKD, Unsafe, Save, confidence, 100%, high confidence, MalwareX, Tinukebot, Androm, vviu, Undefined, J8X79kMbZOM, TinyNuke, gczrk, high, Static AI, Malicious PE, Detected, Malware@#phxs0pwyust1, Wacatac, CobaltStrike, KXKI7A, ABTrojan, FPMR, R691650, Artemis, Gencirc, susgen) |
md5 | a6b4918f763f99f90f595c201f50239f |
sha256 | c401be0d8b68307e031118653a860760842713ca9763ec55050d61a2d839fca4 |
ssdeep | 12288:jtuH9x+LgvHIh+bOH1JcyDIDPc5VQHzPgjc7yYzUa4y:jto9x+LgvHI+OHPcykU0zoIdL |
imphash | d5550c38a1ba1bf89267abad76b56796 |
impfuzzy | 48:uh5HsMi3hgQ+vOw00KtXRdEH/LWtL95rEoSSr:uhpVi3hgbvKRRdEDcR5sK |
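The imphash row above is the value most analysts pivot on, so here is how it is derived, as an added example (not the report's or the sandbox's code): every import is flattened to a lower-cased "dll.function" pair, in import-directory order, and the comma-joined string is MD5'd. The listing under "PE API" is grouped by library, but the tool that produced it is not identified and imphash is order-sensitive, so whether the listing reproduces the report's value cannot be confirmed from the page alone; the constructed `AS_LISTED` excerpt below only demonstrates the algorithm and the ordering effect. The two-entry ordinal table is an assumed excerpt.

```python
"""imphash derivation (added example): flatten imports to "dll.func" in
import-directory order, lower-case, join with commas, MD5."""
import hashlib

STRIP_EXT = (".dll", ".ocx", ".sys")   # only these extensions are dropped

# Imports by ordinal are replaced by their export name for a few DLLs
# (ws2_32, oleaut32).  Assumed two-entry excerpt; a real implementation
# carries the full ordinal tables.
ORDINAL_NAMES = {"ws2_32.dll": {1: "accept", 23: "socket"}}


def imphash_string(imports):
    """imports: [(dll, [name or ordinal, ...]), ...] in import-directory order."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in STRIP_EXT:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for f in funcs:
            if isinstance(f, int):
                name = ORDINAL_NAMES.get(dll.lower(), {}).get(f, f"ord{f}")
            else:
                name = f
            parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(imports):
    """Hex MD5 of the flattened import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed excerpt of the report's imports, in the order the report prints
# them.  Re-ordering the same imports changes the hash, which is why a listing
# whose order is unknown cannot be used to confirm a reported imphash.
AS_LISTED = [
    ("ntdll.dll", ["strchr", "_snprintf", "NtQueueApcThread"]),
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "CreateRemoteThread"]),
    ("ADVAPI32.dll", ["RegSetValueExW", "OpenProcessToken"]),
]
REORDERED = [AS_LISTED[2], AS_LISTED[0], AS_LISTED[1]]

if __name__ == "__main__":
    print(imphash_string(AS_LISTED))
    print(imphash(AS_LISTED), imphash(REORDERED))
```

The practical consequence for this sample: a later build that links the same libraries in a different order, or resolves one more API through GetProcAddress instead of the IAT, gets a different imphash, so imphash pivots find recompiles of the same project, not the family.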
Signature (13cnts)
Level | Description |
---|---|
danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
watch | Installs itself for autorun at Windows startup |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | One or more of the buffers contains an embedded PE file |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | One or more potentially interesting buffers were extracted |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Collects information to fingerprint the system (MachineGuid |
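The two "watch" rows for process injection both hinge on the same fact: the process being written to or given a thread is not a child of the writer. The detection below is an added example, not part of the report or the sandbox, and runs that logic over constructed Sysmon-style records (event ID 1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess); the process names and pids are made up.

```python
"""Detect remote threads and injection-capable handles into non-child
processes, over constructed Sysmon-style events (added example)."""
from dataclasses import dataclass

# PROCESS_* access bits from winnt.h.  VirtualAllocEx / WriteProcessMemory /
# CreateRemoteThread need all three on the target handle, so this is the
# minimal mask worth alerting on for EID 10.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass(frozen=True)
class Event:
    eid: int                 # 1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess
    source_pid: int          # EID 1: parent pid; EID 8/10: the acting process
    target_pid: int          # EID 1: new pid;    EID 8/10: the process acted on
    source_image: str
    target_image: str
    granted_access: int = 0  # EID 10 only


def parent_map(events):
    """child pid -> parent pid, built from ProcessCreate records only."""
    return {e.target_pid: e.source_pid for e in events if e.eid == 1}


def is_descendant(parents, pid, ancestor):
    """True if `ancestor` is anywhere up the recorded parent chain of `pid`."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        if pid == ancestor:
            return True
    return False


def detect(events):
    """Return (rule, source_image, target_image) for each suspicious event."""
    parents = parent_map(events)
    alerts = []
    for e in events:
        if e.eid not in (8, 10) or e.source_pid == e.target_pid:
            continue
        if is_descendant(parents, e.target_pid, e.source_pid):
            continue  # writing into or threading a child is how ordinary loaders work
        if e.eid == 8:
            alerts.append(("remote_thread_non_child", e.source_image, e.target_image))
        elif (e.granted_access & INJECT_MASK) == INJECT_MASK:
            alerts.append(("vm_write_non_child", e.source_image, e.target_image))
    return alerts


# Constructed sample: explorer starts the dropper and a browser; the dropper
# spawns its own child, opens the browser with an injection-capable mask and
# creates a thread in it.  A scanner reading the dropper's memory is benign.
SAMPLE = [
    Event(1, 1000, 2000, "explorer.exe", "z.exe"),
    Event(1, 1000, 3000, "explorer.exe", "iexplore.exe"),
    Event(1, 2000, 2100, "z.exe", "child.exe"),
    Event(10, 2000, 3000, "z.exe", "iexplore.exe", granted_access=0x1FFFFF),
    Event(8, 2000, 3000, "z.exe", "iexplore.exe"),
    Event(8, 2000, 2100, "z.exe", "child.exe"),
    Event(10, 4000, 2000, "scanner.exe", "z.exe", granted_access=0x1410),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Two tuning notes. Security products, debuggers and csrss.exe open foreign processes with wide masks all day, so the allow-list of source images is where the real work is. And this sample also imports NtQueueApcThread and ZwResumeThread, an APC-based injection path that never calls CreateRemoteThread and so produces no event ID 8 at all; the access-mask check on event ID 10 is the signal that survives both paths.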
Rules (16cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(no network requests recorded during the run)
Suricata ids
(none)
PE API
IAT (Import Address Table) Library
ntdll.dll
0x140007360 strchr
0x140007368 _snprintf
0x140007370 strncmp
0x140007378 strncpy
0x140007380 RtlExitUserThread
0x140007388 ZwResumeThread
0x140007390 NtQueryInformationThread
0x140007398 NtQueueApcThread
0x1400073a0 strstr
0x1400073a8 tolower
0x1400073b0 isalpha
0x1400073b8 sscanf
0x1400073c0 _snwprintf
0x1400073c8 NtQueryInformationProcess
0x1400073d0 RtlRandom
0x1400073d8 __chkstk
0x1400073e0 memcpy
0x1400073e8 _stricmp
0x1400073f0 memset
0x1400073f8 __C_specific_handler
KERNEL32.dll
0x140007090 UnlockFileEx
0x140007098 lstrlenA
0x1400070a0 GlobalLock
0x1400070a8 GlobalAlloc
0x1400070b0 Sleep
0x1400070b8 GlobalUnlock
0x1400070c0 GetProcAddress
0x1400070c8 LoadLibraryA
0x1400070d0 HeapAlloc
0x1400070d8 GetProcessHeap
0x1400070e0 lstrcatA
0x1400070e8 SetFileAttributesA
0x1400070f0 ExitProcess
0x1400070f8 GetComputerNameA
0x140007100 VirtualQuery
0x140007108 lstrcpynA
0x140007110 OpenProcess
0x140007118 GetVersionExW
0x140007120 lstrcmpiA
0x140007128 GetModuleFileNameA
0x140007130 CloseHandle
0x140007138 GetCurrentProcessId
0x140007140 lstrcpyA
0x140007148 Process32First
0x140007150 VirtualFree
0x140007158 CreateRemoteThread
0x140007160 VirtualAllocEx
0x140007168 Process32Next
0x140007170 GetModuleHandleA
0x140007178 CreateToolhelp32Snapshot
0x140007180 WriteProcessMemory
0x140007188 GetCurrentProcess
0x140007190 WaitForSingleObject
0x140007198 VirtualProtectEx
0x1400071a0 VirtualProtect
0x1400071a8 HeapReAlloc
0x1400071b0 HeapFree
0x1400071b8 VirtualAlloc
0x1400071c0 lstrcmpA
0x1400071c8 ExitThread
0x1400071d0 GetLastError
0x1400071d8 SetLastError
0x1400071e0 GetTempFileNameA
0x1400071e8 WinExec
0x1400071f0 GetTempPathA
0x1400071f8 CreateFileA
0x140007200 GetFileSize
0x140007208 SetFilePointer
0x140007210 MoveFileExA
0x140007218 SetEndOfFile
0x140007220 GetTickCount
0x140007228 WriteFile
0x140007230 ReadFile
0x140007238 FlushInstructionCache
0x140007240 LockFileEx
0x140007248 OpenMutexA
0x140007250 LocalAlloc
0x140007258 GetExitCodeThread
0x140007260 GetSystemInfo
0x140007268 CreateMutexA
0x140007270 GetVersionExA
0x140007278 LocalFree
0x140007280 DeleteFileA
0x140007288 CreateThread
USER32.dll
0x1400072f8 GetForegroundWindow
0x140007300 GetSystemMetrics
ADVAPI32.dll
0x140007000 RegSetValueExW
0x140007008 CheckTokenMembership
0x140007010 FreeSid
0x140007018 AllocateAndInitializeSid
0x140007020 RegOpenKeyExA
0x140007028 GetTokenInformation
0x140007030 GetSidSubAuthorityCount
0x140007038 GetSidSubAuthority
0x140007040 RegSetValueExA
0x140007048 RegOpenKeyExW
0x140007050 RegDeleteKeyW
0x140007058 AdjustTokenPrivileges
0x140007060 LookupPrivilegeValueA
0x140007068 OpenProcessToken
0x140007070 RegCloseKey
0x140007078 RegCreateKeyExA
0x140007080 RegQueryValueExA
SHLWAPI.dll
0x1400072c8 PathCombineA
0x1400072d0 UrlGetPartA
0x1400072d8 PathFindFileNameA
0x1400072e0 StrToIntA
0x1400072e8 StrStrIA
SHELL32.dll
0x1400072b0 ShellExecuteExA
0x1400072b8 SHGetFolderPathA
PSAPI.DLL
0x140007298 GetModuleFileNameExA
0x1400072a0 GetProcessImageFileNameA
WININET.dll
0x140007310 InternetCrackUrlA
0x140007318 InternetSetOptionA
0x140007320 HttpQueryInfoA
0x140007328 HttpSendRequestA
0x140007330 InternetConnectA
0x140007338 InternetOpenA
0x140007340 HttpOpenRequestA
0x140007348 InternetCloseHandle
0x140007350 InternetReadFile
urlmon.dll
0x140007408 URLDownloadToFileA
EAT (Export Address Table) Library
0x14000486c DownloadRunExeId
0x1400047c0 DownloadRunExeUrl
0x1400048f4 DownloadRunModId
0x1400049b0 DownloadUpdateMain
0x140002608 InjectApcRoutine
0x1400025f0 InjectNormalRoutine
0x140004a74 SendLogs
0x140004a64 WriteConfigString
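The import and export tables together say more than the signature list does. The exports read like a bot's command set (download-and-run by id or URL, an APC and a "normal" injection routine, log exfiltration, config writes), which fits the TinyNuke/Tinukebot labels in the VT row, and the imports contain every API of the classic VirtualAllocEx/WriteProcessMemory/CreateRemoteThread chain plus NtQueueApcThread/ZwResumeThread for the APC path. The enumeration APIs (CreateToolhelp32Snapshot, Process32First/Next, GetProcessImageFileNameA) next to those injection APIs are at least as plausibly selecting injection targets as evading a sandbox, which the "notice" row above reads them as. The script below is an added example, not the report's or the sample's code: it parses the listing format above (`IAT_EXCERPT` is a subset copied from it, addresses as printed) and checks which API chains are complete. The chain definitions are my own grouping, not a published rule set.

```python
"""Static capability triage from the report's IAT listing (added example):
parse the listing, strip A/W suffixes, and test which API chains are complete."""
import re

# Subset of the IAT listed above, in the report's own format.
IAT_EXCERPT = """
ntdll.dll
0x140007388 ZwResumeThread
0x140007398 NtQueueApcThread
0x1400073c8 NtQueryInformationProcess
KERNEL32.dll
0x1400070c0 GetProcAddress
0x1400070c8 LoadLibraryA
0x1400070e8 SetFileAttributesA
0x140007110 OpenProcess
0x140007148 Process32First
0x140007158 CreateRemoteThread
0x140007160 VirtualAllocEx
0x140007168 Process32Next
0x140007178 CreateToolhelp32Snapshot
0x140007180 WriteProcessMemory
0x1400071e8 WinExec
ADVAPI32.dll
0x140007040 RegSetValueExA
0x140007058 AdjustTokenPrivileges
0x140007060 LookupPrivilegeValueA
0x140007068 OpenProcessToken
0x140007078 RegCreateKeyExA
SHELL32.dll
0x1400072b0 ShellExecuteExA
WININET.dll
0x140007328 HttpSendRequestA
0x140007330 InternetConnectA
0x140007338 InternetOpenA
0x140007340 HttpOpenRequestA
0x140007350 InternetReadFile
urlmon.dll
0x140007408 URLDownloadToFileA
"""

# A chain is a list of steps; a step is satisfied by any of its names (A/W
# suffix already stripped).  These are the sequences behind the report's
# signatures, grouped by hand for this example, not a published rule set.
CHAINS = {
    "remote_thread_injection": [("OpenProcess",), ("VirtualAllocEx",),
                                ("WriteProcessMemory",), ("CreateRemoteThread",)],
    "apc_injection": [("OpenProcess",), ("WriteProcessMemory",),
                      ("NtQueueApcThread", "QueueUserAPC"),
                      ("ZwResumeThread", "NtResumeThread", "ResumeThread")],
    "process_enumeration": [("CreateToolhelp32Snapshot",), ("Process32First",),
                            ("Process32Next",)],
    "download_execute": [("URLDownloadToFile", "InternetReadFile"),
                         ("WinExec", "ShellExecuteEx", "CreateProcess")],
    "http_client": [("InternetOpen",), ("InternetConnect",), ("HttpOpenRequest",),
                    ("HttpSendRequest",), ("InternetReadFile",)],
    "registry_persistence": [("RegCreateKeyEx", "RegOpenKeyEx"), ("RegSetValueEx",)],
    "token_privilege_adjust": [("OpenProcessToken",), ("LookupPrivilegeValue",),
                               ("AdjustTokenPrivileges",)],
}


def canon(name):
    """Drop a trailing ANSI/Unicode marker (RegSetValueExW -> RegSetValueEx)."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", name)


def parse_iat(text):
    """dll (lower-cased) -> [function names], from the report's listing format."""
    imports, lib = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().endswith(".dll"):
            lib = line.lower()
        elif line.startswith("0x") and lib:
            imports.setdefault(lib, []).append(line.split(None, 1)[1])
    return imports


def evaluate(imports):
    """chain -> (status, missing steps); status is complete / partial / absent."""
    present = {canon(f) for funcs in imports.values() for f in funcs}
    report = {}
    for chain, steps in CHAINS.items():
        missing = [s for s in steps if not present.intersection(s)]
        status = ("complete" if not missing else
                  "absent" if len(missing) == len(steps) else "partial")
        report[chain] = (status, missing)
    return report


def has_dynamic_resolution(imports):
    """LoadLibrary + GetProcAddress: the static IAT is only a lower bound."""
    present = {canon(f) for funcs in imports.values() for f in funcs}
    return "LoadLibrary" in present and "GetProcAddress" in present


IMPORTS = parse_iat(IAT_EXCERPT)
REPORT = evaluate(IMPORTS)

if __name__ == "__main__":
    for chain, (status, missing) in REPORT.items():
        print(f"{chain:26} {status:9} missing={[s[0] for s in missing]}")
    print("dynamic API resolution present:", has_dynamic_resolution(IMPORTS))
```

For this sample every chain comes back complete. The one caveat `has_dynamic_resolution` exists for: the binary imports LoadLibraryA and GetProcAddress, so anything resolved at run time (and the report says the file is packed) is invisible here; the static view is a floor on capability, never a ceiling.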