Field | Value
---|---
Created | 2025.02.19 11:25
Machine | s1_win7_x6403
Filename | bea.exe
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
md5 | e3a004b573f3b6a8e32a6cf74e63c9d2
sha256 | 2b4a222f385c2367518a3c8d5794219af21376850133208b63c0914e89527e59
ssdeep | 6144:NBdk28ScNZKfK66ATbNDUwAz2AZzCBP6J9xdy/6htW70+wTl/YAkKWS:Nn/cxNoU/cPQdX3dTl/YAF
imphash | 9133e54115603c0107b8f985598440d0
impfuzzy | 24:Q2kfg1JlDzncJ9aa0mezlMC95XGDZ8k1koDquQZn:gfg1jcJbezlzJGV8k1koqz
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Queries for the computername |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x45d23c CloseHandle
0x45d244 ConnectNamedPipe
0x45d24c CreateFileA
0x45d254 CreateNamedPipeA
0x45d25c CreateThread
0x45d264 DeleteCriticalSection
0x45d26c EnterCriticalSection
0x45d274 GetCurrentProcess
0x45d27c GetCurrentProcessId
0x45d284 GetCurrentThreadId
0x45d28c GetLastError
0x45d294 GetModuleHandleA
0x45d29c GetProcAddress
0x45d2a4 GetStartupInfoA
0x45d2ac GetSystemTimeAsFileTime
0x45d2b4 GetTickCount
0x45d2bc InitializeCriticalSection
0x45d2c4 LeaveCriticalSection
0x45d2cc QueryPerformanceCounter
0x45d2d4 ReadFile
0x45d2dc RtlAddFunctionTable
0x45d2e4 RtlCaptureContext
0x45d2ec RtlLookupFunctionEntry
0x45d2f4 RtlVirtualUnwind
0x45d2fc SetUnhandledExceptionFilter
0x45d304 Sleep
0x45d30c TerminateProcess
0x45d314 TlsGetValue
0x45d31c UnhandledExceptionFilter
0x45d324 VirtualAlloc
0x45d32c VirtualProtect
0x45d334 VirtualQuery
0x45d33c WriteFile
msvcrt.dll
0x45d34c __C_specific_handler
0x45d354 __dllonexit
0x45d35c __getmainargs
0x45d364 __initenv
0x45d36c __iob_func
0x45d374 __lconv_init
0x45d37c __set_app_type
0x45d384 __setusermatherr
0x45d38c _acmdln
0x45d394 _amsg_exit
0x45d39c _cexit
0x45d3a4 _fmode
0x45d3ac _initterm
0x45d3b4 _lock
0x45d3bc _onexit
0x45d3c4 _unlock
0x45d3cc abort
0x45d3d4 calloc
0x45d3dc exit
0x45d3e4 fprintf
0x45d3ec free
0x45d3f4 fwrite
0x45d3fc malloc
0x45d404 memcpy
0x45d40c signal
0x45d414 sprintf
0x45d41c strlen
0x45d424 strncmp
0x45d42c vfprintf
EAT (Export Address Table): none