ScreenShot
Field | Value |
---|---|
Created | 2025.04.29 10:28 |
Machine | s1_win7_x6403 |
Filename | file4.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malicious |
VT API (file) | 63 detected (AIDetectMalware, Malicious, score, Vbinder, VirRansom, DarkyLock, Unsafe, Save, confidence, 100%, Binder, HackTool, Attribute, HighConfidence, Windows, Asyncrat, MalwareX, Misc, DarkKomet, NanoBot, hmqoyu, CLASSIC, MulDrop2, FYNLOS, Real Protect, high, ransomware, Backdr, Static AI, Malicious PE, Detected, cls@4m6ovz, Swisyn, FVDJ, R12127, FDDZ, Celesty, Dorv, IMtdREcP3, CoinMiner, Stub) |
md5 | e08bd789d9f45b08fe924d94b955d869 |
sha256 | 2cc9a71b892bfa00b5b457b391683b6dffde83cbf2360ad7111f2b0a934ddbc0 |
ssdeep | 24576:7j+KZ1xuVVjfFoynPaVBUR8f+kN10EBRgGApfkxI:7j+aQDgok30UjAL |
imphash | 9222d372923baed7aa9dfa28449a94ea |
impfuzzy | 24:9H9DopK7yJlv1OovAZtQlqlEcfL7/J3IP8RyvkT4JQ:9grItZt5ecf50kcJQ |
Network IP location
Signature (36cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | A process attempted to delay the analysis task. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Created a process named as a common system process |
watch | Creates a windows hook that monitors keyboard input (keylogger) |
watch | Creates known Fynloski/DarkComet files |
watch | Disables Windows' Task Manager |
watch | Installs itself for autorun at Windows startup |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | Connects to a Dynamic DNS Domain |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (58cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | AsyncRat | AsyncRat Payload | binaries (download) |
danger | AsyncRat | AsyncRat Payload | binaries (upload) |
danger | Win_Backdoor_njRAT_Zero | Win Backdoor njRAT | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | ASPack_Zero | ASPack packed file | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | schtasks_Zero | task schedule | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x409000 CreateFileA
0x409004 FindResourceA
0x409008 FreeLibrary
0x40900c LoadResource
0x409010 WriteFile
0x409014 SizeofResource
0x409018 GetProcAddress
0x40901c LoadLibraryA
0x409020 LockResource
0x409024 EnumResourceNamesA
0x409028 CloseHandle
0x40902c FreeResource
0x409030 GetWindowsDirectoryA
0x409034 OutputDebugStringA
0x409038 GetTempPathA
0x40903c GetModuleHandleW
0x409040 ExitProcess
0x409044 DecodePointer
0x409048 EncodePointer
0x40904c GetCommandLineA
0x409050 HeapSetInformation
0x409054 GetStartupInfoW
0x409058 RaiseException
0x40905c TerminateProcess
0x409060 GetCurrentProcess
0x409064 UnhandledExceptionFilter
0x409068 SetUnhandledExceptionFilter
0x40906c IsDebuggerPresent
0x409070 HeapAlloc
0x409074 GetLastError
0x409078 HeapFree
0x40907c IsProcessorFeaturePresent
0x409080 InitializeCriticalSectionAndSpinCount
0x409084 DeleteCriticalSection
0x409088 LeaveCriticalSection
0x40908c EnterCriticalSection
0x409090 LoadLibraryW
0x409094 TlsAlloc
0x409098 TlsGetValue
0x40909c TlsSetValue
0x4090a0 TlsFree
0x4090a4 InterlockedIncrement
0x4090a8 SetLastError
0x4090ac GetCurrentThreadId
0x4090b0 InterlockedDecrement
0x4090b4 GetStdHandle
0x4090b8 GetModuleFileNameW
0x4090bc Sleep
0x4090c0 HeapSize
0x4090c4 GetModuleFileNameA
0x4090c8 FreeEnvironmentStringsW
0x4090cc WideCharToMultiByte
0x4090d0 GetEnvironmentStringsW
0x4090d4 SetHandleCount
0x4090d8 GetFileType
0x4090dc HeapCreate
0x4090e0 QueryPerformanceCounter
0x4090e4 GetTickCount
0x4090e8 GetCurrentProcessId
0x4090ec GetSystemTimeAsFileTime
0x4090f0 RtlUnwind
0x4090f4 GetCPInfo
0x4090f8 GetACP
0x4090fc GetOEMCP
0x409100 IsValidCodePage
0x409104 HeapReAlloc
0x409108 LCMapStringW
0x40910c MultiByteToWideChar
0x409110 GetStringTypeW
SHELL32.dll
0x409118 ShellExecuteA
0x40911c SHGetSpecialFolderPathA
EAT(Export Address Table) is none