ScreenShot
Created | 2025.02.19 11:48 | Machine | s1_win7_x6401 |
---|---|---|---|
Filename | 1.exe | | |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | | |
AI Score | | | |
Behavior Score | | | |
ZERO API | | | |
VT API (file) | | | |
md5 | b8930ce311970e82b7b52dbfa4d81187 | | |
sha256 | 4f6f1b2e6fc03473bf5d66cca5013f5ed5a96df2ac46b38e525ee733d230cf88 | | |
ssdeep | 49152:+U4K1Qy8nPDdZiBSFfscuj9ADJZlShhV7+pXLRB5TYAUhJSh7DUtiGlMlHDNuc6P:+NbrnrShj9AVYhgB5IJsnUw918Svlj | | |
imphash | 9cbefe68f395e67356e2a5d8d1b285c0 | | |
impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP | | |
Network IP location
Signature (13 cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | Detects the presence of Wine emulator |
watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
watch | Manipulates memory of a non-child process indicative of process injection |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | One or more potentially interesting buffers were extracted |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Yara rule detected in process memory |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (27 cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer | memory |
danger | Win32_PWS_Loki_m_Zero | Win32 PWS Loki | memory |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
warning | infoStealer_ftpClients_Zero | ftp clients info stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
kernel32.dll
0x9b9ac0 WriteFile
0x9b9ac4 WriteConsoleW
0x9b9ac8 WaitForMultipleObjects
0x9b9acc WaitForSingleObject
0x9b9ad0 VirtualQuery
0x9b9ad4 VirtualFree
0x9b9ad8 VirtualAlloc
0x9b9adc SwitchToThread
0x9b9ae0 SuspendThread
0x9b9ae4 SetWaitableTimer
0x9b9ae8 SetUnhandledExceptionFilter
0x9b9aec SetProcessPriorityBoost
0x9b9af0 SetEvent
0x9b9af4 SetErrorMode
0x9b9af8 SetConsoleCtrlHandler
0x9b9afc ResumeThread
0x9b9b00 PostQueuedCompletionStatus
0x9b9b04 LoadLibraryA
0x9b9b08 LoadLibraryW
0x9b9b0c SetThreadContext
0x9b9b10 GetThreadContext
0x9b9b14 GetSystemInfo
0x9b9b18 GetSystemDirectoryA
0x9b9b1c GetStdHandle
0x9b9b20 GetQueuedCompletionStatusEx
0x9b9b24 GetProcessAffinityMask
0x9b9b28 GetProcAddress
0x9b9b2c GetEnvironmentStringsW
0x9b9b30 GetConsoleMode
0x9b9b34 FreeEnvironmentStringsW
0x9b9b38 ExitProcess
0x9b9b3c DuplicateHandle
0x9b9b40 CreateWaitableTimerExW
0x9b9b44 CreateThread
0x9b9b48 CreateIoCompletionPort
0x9b9b4c CreateFileA
0x9b9b50 CreateEventA
0x9b9b54 CloseHandle
0x9b9b58 AddVectoredExceptionHandler
EAT (Export Address Table) is none