ScreenShot
| Created | 2025.05.07 10:48 | Machine | s1_win7_x6403 |
| Filename | 555.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 17 detected (malicious, confidence, MalwareX, gCcZotw6NvJ, kmqar, Malgent, Wacatac, M7YQWK, Artemis, Oader, Xdkl) | ||
| md5 | de6af1eafe53bd667bb1f8af8b216278 | ||
| sha256 | 8e483c74f3ae9b8e4b3321a2a639d272cf15845957b14f82ac297fb6c7ab63a8 | ||
| ssdeep | 3072:DyKSmX8M5mlhzgEXbDTBhBOMZUMLEcg63tXjwy5AoUytnRPF9EVnb43jaI5grk:DvzX8ymlhzgEXbDYMZUMgc3RAojtnRPT | ||
| imphash | bafa80c3a38668b486cc90952176fceb | ||
| impfuzzy | 24:Wj702tMS17BgdlJeDc+pl3eDoLoBUSOovbO9Ziv8GGMM:0tMS17Bgic+ppXX3Ac | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 17 AntiVirus engines on VirusTotal as malicious |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (19cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | ASPack_Zero | ASPack packed file | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140014000 WaitForSingleObject
0x140014008 Sleep
0x140014010 CloseHandle
0x140014018 GetExitCodeProcess
0x140014020 WriteConsoleW
0x140014028 CreateFileW
0x140014030 RtlCaptureContext
0x140014038 RtlLookupFunctionEntry
0x140014040 RtlVirtualUnwind
0x140014048 UnhandledExceptionFilter
0x140014050 SetUnhandledExceptionFilter
0x140014058 GetCurrentProcess
0x140014060 TerminateProcess
0x140014068 IsProcessorFeaturePresent
0x140014070 QueryPerformanceCounter
0x140014078 GetCurrentProcessId
0x140014080 GetCurrentThreadId
0x140014088 GetSystemTimeAsFileTime
0x140014090 InitializeSListHead
0x140014098 IsDebuggerPresent
0x1400140a0 GetStartupInfoW
0x1400140a8 GetModuleHandleW
0x1400140b0 RtlUnwindEx
0x1400140b8 RtlPcToFileHeader
0x1400140c0 RaiseException
0x1400140c8 GetLastError
0x1400140d0 SetLastError
0x1400140d8 EncodePointer
0x1400140e0 EnterCriticalSection
0x1400140e8 LeaveCriticalSection
0x1400140f0 DeleteCriticalSection
0x1400140f8 InitializeCriticalSectionAndSpinCount
0x140014100 TlsAlloc
0x140014108 TlsGetValue
0x140014110 TlsSetValue
0x140014118 TlsFree
0x140014120 FreeLibrary
0x140014128 GetProcAddress
0x140014130 LoadLibraryExW
0x140014138 GetStdHandle
0x140014140 WriteFile
0x140014148 GetModuleFileNameW
0x140014150 ExitProcess
0x140014158 GetModuleHandleExW
0x140014160 HeapAlloc
0x140014168 HeapFree
0x140014170 FindClose
0x140014178 FindFirstFileExW
0x140014180 FindNextFileW
0x140014188 IsValidCodePage
0x140014190 GetACP
0x140014198 GetOEMCP
0x1400141a0 GetCPInfo
0x1400141a8 GetCommandLineA
0x1400141b0 GetCommandLineW
0x1400141b8 MultiByteToWideChar
0x1400141c0 WideCharToMultiByte
0x1400141c8 GetEnvironmentStringsW
0x1400141d0 FreeEnvironmentStringsW
0x1400141d8 SetStdHandle
0x1400141e0 GetFileType
0x1400141e8 GetStringTypeW
0x1400141f0 FlsAlloc
0x1400141f8 FlsGetValue
0x140014200 FlsSetValue
0x140014208 FlsFree
0x140014210 LCMapStringW
0x140014218 GetProcessHeap
0x140014220 HeapSize
0x140014228 HeapReAlloc
0x140014230 FlushFileBuffers
0x140014238 GetConsoleOutputCP
0x140014240 GetConsoleMode
0x140014248 SetFilePointerEx
SHELL32.dll
0x140014258 ShellExecuteExW
EAT(Export Address Table) is none
KERNEL32.dll
0x140014000 WaitForSingleObject
0x140014008 Sleep
0x140014010 CloseHandle
0x140014018 GetExitCodeProcess
0x140014020 WriteConsoleW
0x140014028 CreateFileW
0x140014030 RtlCaptureContext
0x140014038 RtlLookupFunctionEntry
0x140014040 RtlVirtualUnwind
0x140014048 UnhandledExceptionFilter
0x140014050 SetUnhandledExceptionFilter
0x140014058 GetCurrentProcess
0x140014060 TerminateProcess
0x140014068 IsProcessorFeaturePresent
0x140014070 QueryPerformanceCounter
0x140014078 GetCurrentProcessId
0x140014080 GetCurrentThreadId
0x140014088 GetSystemTimeAsFileTime
0x140014090 InitializeSListHead
0x140014098 IsDebuggerPresent
0x1400140a0 GetStartupInfoW
0x1400140a8 GetModuleHandleW
0x1400140b0 RtlUnwindEx
0x1400140b8 RtlPcToFileHeader
0x1400140c0 RaiseException
0x1400140c8 GetLastError
0x1400140d0 SetLastError
0x1400140d8 EncodePointer
0x1400140e0 EnterCriticalSection
0x1400140e8 LeaveCriticalSection
0x1400140f0 DeleteCriticalSection
0x1400140f8 InitializeCriticalSectionAndSpinCount
0x140014100 TlsAlloc
0x140014108 TlsGetValue
0x140014110 TlsSetValue
0x140014118 TlsFree
0x140014120 FreeLibrary
0x140014128 GetProcAddress
0x140014130 LoadLibraryExW
0x140014138 GetStdHandle
0x140014140 WriteFile
0x140014148 GetModuleFileNameW
0x140014150 ExitProcess
0x140014158 GetModuleHandleExW
0x140014160 HeapAlloc
0x140014168 HeapFree
0x140014170 FindClose
0x140014178 FindFirstFileExW
0x140014180 FindNextFileW
0x140014188 IsValidCodePage
0x140014190 GetACP
0x140014198 GetOEMCP
0x1400141a0 GetCPInfo
0x1400141a8 GetCommandLineA
0x1400141b0 GetCommandLineW
0x1400141b8 MultiByteToWideChar
0x1400141c0 WideCharToMultiByte
0x1400141c8 GetEnvironmentStringsW
0x1400141d0 FreeEnvironmentStringsW
0x1400141d8 SetStdHandle
0x1400141e0 GetFileType
0x1400141e8 GetStringTypeW
0x1400141f0 FlsAlloc
0x1400141f8 FlsGetValue
0x140014200 FlsSetValue
0x140014208 FlsFree
0x140014210 LCMapStringW
0x140014218 GetProcessHeap
0x140014220 HeapSize
0x140014228 HeapReAlloc
0x140014230 FlushFileBuffers
0x140014238 GetConsoleOutputCP
0x140014240 GetConsoleMode
0x140014248 SetFilePointerEx
SHELL32.dll
0x140014258 ShellExecuteExW
EAT(Export Address Table) is none