Field | Value |
---|---|
Created | 2025.04.26 14:30 |
Machine | s1_win7_x6401 |
Filename | 32ja.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 59 detected (AIDetectMalware, ShadowBrokers, Malicious, score, GenericRI, S14127141, PWSZbot, GenericKD, Unsafe, Save, confidence, 100%, Genus, Attribute, HighConfidence, high confidence, multiple detections, Tool, erpjbl, Zegost, CLOUD, bhlos, PcClient, WMINE, high, Vools, Static AI, Malicious SFX, Antavmu, AGEN, GrayWare, SafeGuard, Malware@#yv6r777s7mb6, Vindor, NoobyProtect, Detected, possible, Threat, Untrusted, Certificate, Kajl, ivI7Xr566q8) |
md5 | 765e85042d83c00e6afcd972a51638d1 |
sha256 | 86db694cf3e5543f9f2a405afeeb9bf113daf6b9f07ccfdb7a1f478c96e51076 |
ssdeep | 98304:i5TJXv2bedNmNA9dRLC6ZfpaH/jztKgOdizi9+HnAlD/L:i1ObedNmSZZfQHO0ziQAlDj |
imphash | 67d7f876c6b5aee2756e4dc028e1eaaa |
impfuzzy | 48:dBN1BLR4q+X1y28cf+jOivCtd/9qL9OMtIGfSY1bLEJ6HKnBLn6g6UylFvEkRSv3:dBBLR41X198cf+jDvg/IL9OM21m6 |
Signatures (22)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
watch | Operates on local firewall's policies and settings |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | Creates a service |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (30)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | ConfuserEx_Zero | Confuser .NET | binaries (download) |
watch | ConfuserEx_Zero | Confuser .NET | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | ftp_command | ftp command | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | zip_file_format | ZIP file format | binaries (download) |
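The Collection column is the part of this table that decides what a hit means. The only danger-level rule (Win32_Trojan_Emotet_RL_Gen_Zero) fires in "binaries (download)" and never in "binaries (upload)", and the same download collection also matches IsPE64 and IsDLL, which cannot be true of the submitted file (a PE32 GUI executable). So that collection contains at least one other binary, and download-only hits cannot be attributed to the sample on this evidence alone. The script below is an added example, not sandbox output; it re-reads the table with that split applied. The rows are transcribed from the table above; the reading of the collection labels (upload = submitted file, download = binaries obtained while it ran, memory = process memory) is an assumption about this sandbox.

```python
"""Separate rule hits on the submitted sample from hits on other binaries.

Added example for this report, not sandbox output. The rows are transcribed
from the Rules table above. Reading the collection column as
'binaries (upload)' = the submitted file, 'binaries (download)' = binaries the
sandbox obtained while the sample ran, 'memory' = process memory, is an
assumption about this sandbox, not something the report states.
"""
from collections import defaultdict

LEVEL_RANK = {"info": 0, "notice": 1, "watch": 2, "warning": 3, "danger": 4}

# (level, rule name, collection), transcribed from the report's Rules table.
RULE_HITS = [
    ("danger", "Win32_Trojan_Emotet_RL_Gen_Zero", "binaries (download)"),
    ("warning", "Generic_Malware_Zero", "binaries (download)"),
    ("warning", "Generic_Malware_Zero", "binaries (upload)"),
    ("watch", "ConfuserEx_Zero", "binaries (download)"),
    ("watch", "ConfuserEx_Zero", "binaries (upload)"),
    ("watch", "Malicious_Library_Zero", "binaries (download)"),
    ("watch", "Malicious_Library_Zero", "binaries (upload)"),
    ("watch", "Malicious_Packer_Zero", "binaries (download)"),
    ("watch", "UPX_Zero", "binaries (download)"),
    ("watch", "UPX_Zero", "binaries (upload)"),
    ("notice", "anti_vm_detect", "binaries (download)"),
    ("info", "anti_dbg", "memory"),
    ("info", "DebuggerCheck__GlobalFlags", "memory"),
    ("info", "DebuggerCheck__QueryInfo", "memory"),
    ("info", "DebuggerException__SetConsoleCtrl", "memory"),
    ("info", "DebuggerHiding__Active", "memory"),
    ("info", "DebuggerHiding__Thread", "memory"),
    ("info", "disable_dep", "memory"),
    ("info", "ftp_command", "binaries (download)"),
    ("info", "IsDLL", "binaries (download)"),
    ("info", "IsPE32", "binaries (download)"),
    ("info", "IsPE32", "binaries (upload)"),
    ("info", "IsPE64", "binaries (download)"),
    ("info", "OS_Processor_Check_Zero", "binaries (download)"),
    ("info", "OS_Processor_Check_Zero", "binaries (upload)"),
    ("info", "PE_Header_Zero", "binaries (download)"),
    ("info", "PE_Header_Zero", "binaries (upload)"),
    ("info", "SEH__vectored", "memory"),
    ("info", "ThreadControl__Context", "memory"),
    ("info", "zip_file_format", "binaries (download)"),
]

# The report header says the submitted file is a PE32 executable (GUI).
# A rule asserting the opposite property cannot have matched that file.
CONTRADICTS_SAMPLE = {"IsPE64", "IsDLL"}


def by_collection(hits):
    """Map each collection to the set of rule names that hit in it."""
    groups = defaultdict(set)
    for _level, name, collection in hits:
        groups[collection].add(name)
    return dict(groups)


def attributable_to_sample(hits):
    """Rules that hit the uploaded file itself."""
    return sorted(by_collection(hits).get("binaries (upload)", set()))


def download_only(hits):
    """Rules that hit only in the download collection, never on the upload."""
    groups = by_collection(hits)
    return sorted(groups.get("binaries (download)", set())
                  - groups.get("binaries (upload)", set()))


def download_contains_other_files(hits):
    """True when a download-collection hit contradicts the sample's own type."""
    downloads = by_collection(hits).get("binaries (download)", set())
    return bool(CONTRADICTS_SAMPLE & downloads)


def highest_level(hits, names):
    """Highest severity among the given rule names (None if empty)."""
    levels = [lvl for lvl, name, _c in hits if name in names]
    return max(levels, key=LEVEL_RANK.__getitem__) if levels else None


def triage(hits):
    """Summarise which hits the sample itself accounts for."""
    sample = attributable_to_sample(hits)
    other = download_only(hits)
    return {
        "sample_rules": sample,
        "sample_max_level": highest_level(hits, set(sample)),
        "download_only_rules": other,
        "download_only_max_level": highest_level(hits, set(other)),
        "download_contains_other_files": download_contains_other_files(hits),
        "memory_rules": sorted(by_collection(hits).get("memory", set())),
    }


if __name__ == "__main__":
    for key, value in triage(RULE_HITS).items():
        print(f"{key}: {value}")
```

Run on the rows above, the highest level the upload itself reaches is "warning" (Generic_Malware_Zero), while "danger" only appears among the seven download-only rules; the memory-collection hits (the debugger and SEH checks) say nothing about which process they were found in, so they are reported separately rather than credited to the sample.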
PE API
IAT (Import Address Table) Library
COMCTL32.dll
0x447000 InitCommonControlsEx
SHELL32.dll
0x4471cc SHBrowseForFolderW
0x4471d0 SHGetFileInfoW
0x4471d4 SHGetPathFromIDListW
0x4471d8 ShellExecuteExW
0x4471dc SHGetMalloc
0x4471e0 ShellExecuteW
0x4471e4 CommandLineToArgvW
KERNEL32.dll
0x447014 FlushFileBuffers
0x447018 WriteConsoleW
0x44701c SetStdHandle
0x447020 SetFilePointerEx
0x447024 FreeLibrary
0x447028 HeapAlloc
0x44702c HeapFree
0x447030 GetProcessHeap
0x447034 LoadLibraryW
0x447038 GetLastError
0x44703c GetProcAddress
0x447040 GetFileAttributesW
0x447044 CloseHandle
0x447048 GetCurrentProcess
0x44704c GetModuleHandleW
0x447050 GetVersionExW
0x447054 CreateProcessW
0x447058 WaitForSingleObject
0x44705c InitializeCriticalSectionAndSpinCount
0x447060 ExpandEnvironmentStringsW
0x447064 GetModuleFileNameW
0x447068 GetCurrentDirectoryW
0x44706c SetCurrentDirectoryW
0x447070 LocalFree
0x447074 SetFileApisToOEM
0x447078 GetEnvironmentVariableW
0x44707c SetPriorityClass
0x447080 GetCurrentThread
0x447084 SetThreadPriority
0x447088 GetCommandLineW
0x44708c FindFirstFileW
0x447090 FindClose
0x447094 FindNextFileW
0x447098 CreateFileW
0x44709c GetLongPathNameW
0x4470a0 GetCurrentThreadId
0x4470a4 LoadLibraryExW
0x4470a8 InitializeCriticalSection
0x4470ac LeaveCriticalSection
0x4470b0 EnterCriticalSection
0x4470b4 DeleteCriticalSection
0x4470b8 FindResourceW
0x4470bc SetEndOfFile
0x4470c0 SetFileTime
0x4470c4 WriteFile
0x4470c8 VirtualAlloc
0x4470cc ResumeThread
0x4470d0 WideCharToMultiByte
0x4470d4 GetACP
0x4470d8 MultiByteToWideChar
0x4470dc GetFileSize
0x4470e0 SetFilePointer
0x4470e4 ReadFile
0x4470e8 GetFullPathNameW
0x4470ec GetTempFileNameW
0x4470f0 MoveFileExW
0x4470f4 CreateDirectoryW
0x4470f8 lstrlenW
0x4470fc GetTempPathW
0x447100 MoveFileW
0x447104 RemoveDirectoryW
0x447108 GetWindowsDirectoryW
0x44710c DeleteFileW
0x447110 SetFileAttributesW
0x447114 SetEvent
0x447118 Sleep
0x44711c ResetEvent
0x447120 CreateEventW
0x447124 FileTimeToSystemTime
0x447128 GetConsoleMode
0x44712c GetConsoleCP
0x447130 OutputDebugStringW
0x447134 LCMapStringW
0x447138 HeapReAlloc
0x44713c GetStringTypeW
0x447140 GetCPInfo
0x447144 GetOEMCP
0x447148 IsValidCodePage
0x44714c FreeEnvironmentStringsW
0x447150 GetEnvironmentStringsW
0x447154 GetCurrentProcessId
0x447158 QueryPerformanceCounter
0x44715c GetFileType
0x447160 GetStdHandle
0x447164 GetStartupInfoW
0x447168 TlsFree
0x44716c TlsSetValue
0x447170 TlsGetValue
0x447174 TlsAlloc
0x447178 TerminateProcess
0x44717c SetLastError
0x447180 InterlockedExchangeAdd
0x447184 VirtualFree
0x447188 WaitForMultipleObjects
0x44718c FormatMessageW
0x447190 SetUnhandledExceptionFilter
0x447194 UnhandledExceptionFilter
0x447198 HeapSize
0x44719c GetModuleHandleExW
0x4471a0 ExitProcess
0x4471a4 RtlUnwind
0x4471a8 RaiseException
0x4471ac EncodePointer
0x4471b0 DecodePointer
0x4471b4 IsDebuggerPresent
0x4471b8 IsProcessorFeaturePresent
0x4471bc GetSystemTimeAsFileTime
0x4471c0 CreateThread
0x4471c4 ExitThread
USER32.dll
0x4471ec KillTimer
0x4471f0 TranslateMessage
0x4471f4 IsDialogMessageW
0x4471f8 LoadIconW
0x4471fc CreateDialogParamW
0x447200 IsWindowVisible
0x447204 EnableWindow
0x447208 DispatchMessageW
0x44720c DestroyIcon
0x447210 IsWindow
0x447214 ShowWindow
0x447218 PostQuitMessage
0x44721c GetWindowRect
0x447220 PostMessageW
0x447224 DialogBoxParamW
0x447228 SetWindowPos
0x44722c GetSystemMetrics
0x447230 SetFocus
0x447234 GetWindowTextW
0x447238 GetDlgItem
0x44723c EndDialog
0x447240 SendMessageW
0x447244 SetWindowTextW
0x447248 GetMessageW
0x44724c ScreenToClient
0x447250 SetTimer
0x447254 GetDesktopWindow
0x447258 LoadStringW
0x44725c MessageBoxW
GDI32.dll
0x447008 CreateSolidBrush
0x44700c DeleteObject
ole32.dll
0x447264 CoInitialize
0x447268 CoInitializeEx
0x44726c CoUninitialize
0x447270 CoCreateInstance
EAT (Export Address Table): none
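The import table above explains some of the behaviour signatures directly (VirtualAlloc for the RWX allocation; CreateFileW, WriteFile, GetTempPathW, MoveFileExW and CreateProcessW/ShellExecuteExW for dropping and running a binary; CreateProcessW plus ResumeThread for the resumed-thread signature) and none of the others: no ADVAPI32 import is present, so autorun registration and service creation are not done through this file's static imports, and nothing that writes into another process (WriteProcessMemory, VirtualAllocEx, SetThreadContext) is imported either. LoadLibraryW and GetProcAddress are imported, so run-time resolution is possible, and the signatures already report that a dropped binary was executed. The script below is an added example, not sandbox output; the import lists are transcribed from the IAT section above, and the table of APIs that would normally implement each behaviour is this example's own assumption.

```python
"""Cross-check the report's behaviour signatures against the static IAT.

Added example for this report, not sandbox output. The import lists are
transcribed from the IAT section above. The table of Win32 APIs that would
normally implement each behaviour is this example's own assumption, used to
ask one question: which reported behaviours does the submitted executable
explain on its own, and which must come from a dropped child process or from
APIs resolved at run time?
"""

# Imports transcribed from the report (one whitespace-separated string per DLL).
IAT = {
    "COMCTL32.dll": "InitCommonControlsEx",
    "SHELL32.dll": """SHBrowseForFolderW SHGetFileInfoW SHGetPathFromIDListW
        ShellExecuteExW SHGetMalloc ShellExecuteW CommandLineToArgvW""",
    "KERNEL32.dll": """FlushFileBuffers WriteConsoleW SetStdHandle SetFilePointerEx
        FreeLibrary HeapAlloc HeapFree GetProcessHeap LoadLibraryW GetLastError
        GetProcAddress GetFileAttributesW CloseHandle GetCurrentProcess
        GetModuleHandleW GetVersionExW CreateProcessW WaitForSingleObject
        InitializeCriticalSectionAndSpinCount ExpandEnvironmentStringsW
        GetModuleFileNameW GetCurrentDirectoryW SetCurrentDirectoryW LocalFree
        SetFileApisToOEM GetEnvironmentVariableW SetPriorityClass GetCurrentThread
        SetThreadPriority GetCommandLineW FindFirstFileW FindClose FindNextFileW
        CreateFileW GetLongPathNameW GetCurrentThreadId LoadLibraryExW
        InitializeCriticalSection LeaveCriticalSection EnterCriticalSection
        DeleteCriticalSection FindResourceW SetEndOfFile SetFileTime WriteFile
        VirtualAlloc ResumeThread WideCharToMultiByte GetACP MultiByteToWideChar
        GetFileSize SetFilePointer ReadFile GetFullPathNameW GetTempFileNameW
        MoveFileExW CreateDirectoryW lstrlenW GetTempPathW MoveFileW
        RemoveDirectoryW GetWindowsDirectoryW DeleteFileW SetFileAttributesW
        SetEvent Sleep ResetEvent CreateEventW FileTimeToSystemTime GetConsoleMode
        GetConsoleCP OutputDebugStringW LCMapStringW HeapReAlloc GetStringTypeW
        GetCPInfo GetOEMCP IsValidCodePage FreeEnvironmentStringsW
        GetEnvironmentStringsW GetCurrentProcessId QueryPerformanceCounter
        GetFileType GetStdHandle GetStartupInfoW TlsFree TlsSetValue TlsGetValue
        TlsAlloc TerminateProcess SetLastError InterlockedExchangeAdd VirtualFree
        WaitForMultipleObjects FormatMessageW SetUnhandledExceptionFilter
        UnhandledExceptionFilter HeapSize GetModuleHandleExW ExitProcess RtlUnwind
        RaiseException EncodePointer DecodePointer IsDebuggerPresent
        IsProcessorFeaturePresent GetSystemTimeAsFileTime CreateThread ExitThread""",
    "USER32.dll": """KillTimer TranslateMessage IsDialogMessageW LoadIconW
        CreateDialogParamW IsWindowVisible EnableWindow DispatchMessageW DestroyIcon
        IsWindow ShowWindow PostQuitMessage GetWindowRect PostMessageW
        DialogBoxParamW SetWindowPos GetSystemMetrics SetFocus GetWindowTextW
        GetDlgItem EndDialog SendMessageW SetWindowTextW GetMessageW ScreenToClient
        SetTimer GetDesktopWindow LoadStringW MessageBoxW""",
    "GDI32.dll": "CreateSolidBrush DeleteObject",
    "ole32.dll": "CoInitialize CoInitializeEx CoUninitialize CoCreateInstance",
}

# Assumed API sets per reported behaviour: a behaviour counts as statically
# explained when every API of at least one alternative set is imported.
BEHAVIOUR_APIS = {
    "Allocates read-write-execute memory": [{"VirtualAlloc"}, {"VirtualAllocEx"}],
    "Drops a binary and executes it": [{"CreateFileW", "WriteFile", "CreateProcessW"},
                                       {"CreateFileW", "WriteFile", "ShellExecuteExW"}],
    "Resumed a suspended thread in a remote process": [{"CreateProcessW", "ResumeThread"}],
    "A process created a hidden window": [{"ShowWindow"}],
    "Installs itself for autorun at Windows startup": [{"RegCreateKeyExW", "RegSetValueExW"},
                                                       {"RegOpenKeyExW", "RegSetValueExW"}],
    "Creates a service": [{"OpenSCManagerW", "CreateServiceW"}],
    "Checks whether the foreground window changed": [{"GetForegroundWindow"}],
    "Checks amount of memory in system": [{"GlobalMemoryStatusEx"}, {"GlobalMemoryStatus"}],
    "Queries for the computername": [{"GetComputerNameW"}, {"GetComputerNameExW"}],
}

# APIs that write into or retarget another process (assumed list).
INJECTION_PRIMITIVES = {"WriteProcessMemory", "VirtualAllocEx", "SetThreadContext",
                        "CreateRemoteThread", "NtUnmapViewOfSection"}


def all_imports(iat):
    """Flatten the per-DLL strings into one set of imported function names."""
    return {name for funcs in iat.values() for name in funcs.split()}


def explained_behaviours(iat):
    """Behaviours for which at least one alternative API set is fully imported."""
    imported = all_imports(iat)
    return sorted(b for b, alts in BEHAVIOUR_APIS.items() if any(a <= imported for a in alts))


def unexplained_behaviours(iat):
    """Behaviours that no imported API set accounts for."""
    imported = all_imports(iat)
    return sorted(b for b, alts in BEHAVIOUR_APIS.items() if not any(a <= imported for a in alts))


def dynamic_resolution_possible(iat):
    """True if the stub can resolve further APIs at run time."""
    return {"LoadLibraryW", "GetProcAddress"} <= all_imports(iat)


def missing_injection_primitives(iat):
    """Injection APIs that are absent from the static import table."""
    return sorted(INJECTION_PRIMITIVES - all_imports(iat))


if __name__ == "__main__":
    print("explained:", explained_behaviours(IAT))
    print("unexplained:", unexplained_behaviours(IAT))
    print("dynamic resolution possible:", dynamic_resolution_possible(IAT))
    print("injection primitives not imported:", missing_injection_primitives(IAT))
```

Four of the nine behaviours are explained by the stub's own imports and five are not; the unexplained ones are exactly those a dropped child or a run-time-resolved call would produce. The resumed-thread signature deserves the same caution: CreateProcessW plus ResumeThread is also what a launcher that starts a child suspended looks like, and none of the APIs that would actually write a payload into that child is imported here.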