ScreenShot
| Created | 2021.03.11 13:35 | Machine | s1_win7_x6401 |
| Filename | filename.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 24 detected (AIDetect, malware1, malicious, high confidence, Unsafe, Save, Hacktool, confidence, ZexaF, Ju0@aWn51NlG, Attribute, HighConfidence, MalwareX, Static AI, Malicious PE, Score, Wacatac, ET#95%, RDMK, cmRtazrCAqgEcpNxoaRl60nAsve8, QVM10) | ||
| md5 | 02727fe935a761d930148ecc949f502d | ||
| sha256 | 9e67dfe0cfdc5f3e79728201c36800984d2bf1d13aed19635cfc52e3c2260bfc | ||
| ssdeep | 12288:zpYDcS5l0S4UdqhP0MqTSWrAmNYqdgjb:ze9l0zIrUjjb | ||
| imphash | cc4b17d0e5d5a1e26966b8ee27266b0b | ||
| impfuzzy | 24:0kaqPtjkFuoDFTni7OOtjoNcJTR8/wuHRIlyv9EJwjMkyx2xEPF:39vKOtsNcJV8I5K9gDN | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (47cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x46d000 HeapReAlloc
0x46d004 GetModuleHandleExA
0x46d008 SetEndOfFile
0x46d00c MapUserPhysicalPages
0x46d010 InterlockedIncrement
0x46d014 MapViewOfFileEx
0x46d018 GetModuleHandleW
0x46d01c ActivateActCtx
0x46d020 SizeofResource
0x46d024 ReadConsoleOutputW
0x46d028 HeapValidate
0x46d02c GetCompressedFileSizeA
0x46d030 ExitThread
0x46d034 FindNextVolumeMountPointW
0x46d038 GetLastError
0x46d03c ChangeTimerQueueTimer
0x46d040 GetProcAddress
0x46d044 GetAtomNameA
0x46d048 SetConsoleCtrlHandler
0x46d04c SetConsoleCursorInfo
0x46d050 GetModuleHandleA
0x46d054 lstrcatW
0x46d058 EraseTape
0x46d05c VirtualProtect
0x46d060 LCMapStringW
0x46d064 GetCommandLineW
0x46d068 HeapSetInformation
0x46d06c GetStartupInfoW
0x46d070 TerminateProcess
0x46d074 GetCurrentProcess
0x46d078 UnhandledExceptionFilter
0x46d07c SetUnhandledExceptionFilter
0x46d080 IsDebuggerPresent
0x46d084 DecodePointer
0x46d088 EncodePointer
0x46d08c GetModuleFileNameW
0x46d090 IsBadReadPtr
0x46d094 EnterCriticalSection
0x46d098 LeaveCriticalSection
0x46d09c QueryPerformanceCounter
0x46d0a0 GetTickCount
0x46d0a4 GetCurrentThreadId
0x46d0a8 GetCurrentProcessId
0x46d0ac GetSystemTimeAsFileTime
0x46d0b0 InterlockedDecrement
0x46d0b4 ExitProcess
0x46d0b8 FreeEnvironmentStringsW
0x46d0bc GetEnvironmentStringsW
0x46d0c0 SetHandleCount
0x46d0c4 GetStdHandle
0x46d0c8 InitializeCriticalSectionAndSpinCount
0x46d0cc GetFileType
0x46d0d0 DeleteCriticalSection
0x46d0d4 TlsAlloc
0x46d0d8 TlsGetValue
0x46d0dc TlsSetValue
0x46d0e0 TlsFree
0x46d0e4 SetLastError
0x46d0e8 HeapCreate
0x46d0ec WriteFile
0x46d0f0 SetFilePointer
0x46d0f4 WideCharToMultiByte
0x46d0f8 GetConsoleCP
0x46d0fc GetConsoleMode
0x46d100 GetACP
0x46d104 GetOEMCP
0x46d108 GetCPInfo
0x46d10c IsValidCodePage
0x46d110 OutputDebugStringA
0x46d114 WriteConsoleW
0x46d118 OutputDebugStringW
0x46d11c LoadLibraryW
0x46d120 HeapAlloc
0x46d124 GetModuleFileNameA
0x46d128 HeapSize
0x46d12c HeapQueryInformation
0x46d130 HeapFree
0x46d134 RtlUnwind
0x46d138 MultiByteToWideChar
0x46d13c SetStdHandle
0x46d140 GetStringTypeW
0x46d144 IsProcessorFeaturePresent
0x46d148 FlushFileBuffers
0x46d14c ReadFile
0x46d150 CreateFileW
0x46d154 CloseHandle
0x46d158 RaiseException
EAT(Export Address Table) is none
KERNEL32.dll
0x46d000 HeapReAlloc
0x46d004 GetModuleHandleExA
0x46d008 SetEndOfFile
0x46d00c MapUserPhysicalPages
0x46d010 InterlockedIncrement
0x46d014 MapViewOfFileEx
0x46d018 GetModuleHandleW
0x46d01c ActivateActCtx
0x46d020 SizeofResource
0x46d024 ReadConsoleOutputW
0x46d028 HeapValidate
0x46d02c GetCompressedFileSizeA
0x46d030 ExitThread
0x46d034 FindNextVolumeMountPointW
0x46d038 GetLastError
0x46d03c ChangeTimerQueueTimer
0x46d040 GetProcAddress
0x46d044 GetAtomNameA
0x46d048 SetConsoleCtrlHandler
0x46d04c SetConsoleCursorInfo
0x46d050 GetModuleHandleA
0x46d054 lstrcatW
0x46d058 EraseTape
0x46d05c VirtualProtect
0x46d060 LCMapStringW
0x46d064 GetCommandLineW
0x46d068 HeapSetInformation
0x46d06c GetStartupInfoW
0x46d070 TerminateProcess
0x46d074 GetCurrentProcess
0x46d078 UnhandledExceptionFilter
0x46d07c SetUnhandledExceptionFilter
0x46d080 IsDebuggerPresent
0x46d084 DecodePointer
0x46d088 EncodePointer
0x46d08c GetModuleFileNameW
0x46d090 IsBadReadPtr
0x46d094 EnterCriticalSection
0x46d098 LeaveCriticalSection
0x46d09c QueryPerformanceCounter
0x46d0a0 GetTickCount
0x46d0a4 GetCurrentThreadId
0x46d0a8 GetCurrentProcessId
0x46d0ac GetSystemTimeAsFileTime
0x46d0b0 InterlockedDecrement
0x46d0b4 ExitProcess
0x46d0b8 FreeEnvironmentStringsW
0x46d0bc GetEnvironmentStringsW
0x46d0c0 SetHandleCount
0x46d0c4 GetStdHandle
0x46d0c8 InitializeCriticalSectionAndSpinCount
0x46d0cc GetFileType
0x46d0d0 DeleteCriticalSection
0x46d0d4 TlsAlloc
0x46d0d8 TlsGetValue
0x46d0dc TlsSetValue
0x46d0e0 TlsFree
0x46d0e4 SetLastError
0x46d0e8 HeapCreate
0x46d0ec WriteFile
0x46d0f0 SetFilePointer
0x46d0f4 WideCharToMultiByte
0x46d0f8 GetConsoleCP
0x46d0fc GetConsoleMode
0x46d100 GetACP
0x46d104 GetOEMCP
0x46d108 GetCPInfo
0x46d10c IsValidCodePage
0x46d110 OutputDebugStringA
0x46d114 WriteConsoleW
0x46d118 OutputDebugStringW
0x46d11c LoadLibraryW
0x46d120 HeapAlloc
0x46d124 GetModuleFileNameA
0x46d128 HeapSize
0x46d12c HeapQueryInformation
0x46d130 HeapFree
0x46d134 RtlUnwind
0x46d138 MultiByteToWideChar
0x46d13c SetStdHandle
0x46d140 GetStringTypeW
0x46d144 IsProcessorFeaturePresent
0x46d148 FlushFileBuffers
0x46d14c ReadFile
0x46d150 CreateFileW
0x46d154 CloseHandle
0x46d158 RaiseException
EAT(Export Address Table) is none