ScreenShot
Field | Value |
---|---|
Created | 2025.02.11 13:30 |
Machine | s1_win7_x6403 |
Filename | 13Z5sqy.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 55 detected (AIDetectMalware, tsd0, Artemis, Unsafe, GenericKD, Vtwt, malicious, confidence, 100%, Genus, high confidence, a variant of WinGo, aqieu, ShellCodeRunner, CLASSIC, cvukx, Lumma, AMADEY, YXFAZZ, score, Raccoon, Detected, Wacatac, ABTrojan, QTAR, BScope, TrojanPSW, WinGo, Chgt, Pzfl, susgen, aeRks) |
md5 | db3632ef37d9e27dfa2fd76f320540ca |
sha256 | 0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d |
ssdeep | 98304:IWlC18CzkF6kJdZi/lBMoo6Yc3A2o5APDm5:PlW1BMoOED |
imphash | 9cbefe68f395e67356e2a5d8d1b285c0 |
impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP |
Network IP location
Signature (10cnts)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Detects the presence of Wine emulator |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | One or more potentially interesting buffers were extracted |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Yara rule detected in process memory |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (24cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
kernel32.dll
0xd4fae0 WriteFile
0xd4fae4 WriteConsoleW
0xd4fae8 WaitForMultipleObjects
0xd4faec WaitForSingleObject
0xd4faf0 VirtualQuery
0xd4faf4 VirtualFree
0xd4faf8 VirtualAlloc
0xd4fafc SwitchToThread
0xd4fb00 SuspendThread
0xd4fb04 SetWaitableTimer
0xd4fb08 SetUnhandledExceptionFilter
0xd4fb0c SetProcessPriorityBoost
0xd4fb10 SetEvent
0xd4fb14 SetErrorMode
0xd4fb18 SetConsoleCtrlHandler
0xd4fb1c ResumeThread
0xd4fb20 PostQueuedCompletionStatus
0xd4fb24 LoadLibraryA
0xd4fb28 LoadLibraryW
0xd4fb2c SetThreadContext
0xd4fb30 GetThreadContext
0xd4fb34 GetSystemInfo
0xd4fb38 GetSystemDirectoryA
0xd4fb3c GetStdHandle
0xd4fb40 GetQueuedCompletionStatusEx
0xd4fb44 GetProcessAffinityMask
0xd4fb48 GetProcAddress
0xd4fb4c GetEnvironmentStringsW
0xd4fb50 GetConsoleMode
0xd4fb54 FreeEnvironmentStringsW
0xd4fb58 ExitProcess
0xd4fb5c DuplicateHandle
0xd4fb60 CreateWaitableTimerExW
0xd4fb64 CreateThread
0xd4fb68 CreateIoCompletionPort
0xd4fb6c CreateFileA
0xd4fb70 CreateEventA
0xd4fb74 CloseHandle
0xd4fb78 AddVectoredExceptionHandler
EAT (Export Address Table) is none