Field | Value |
---|---|
Created | 2021.03.11 15:44 |
Machine | s1_win7_x6402 |
Filename | start.exea |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 56 detected (AIDetect, malware1, malicious, high confidence, GenericKDZ, Stop, Unsafe, Save, ali2000027, ZexaF, YG0@aqqPEFhG, Azorult, Eldorado, Attribute, HighConfidence, USMANBP21, BotX, Mokes, imjfpm, Raas, Auto, Hosts, Static AI, Malicious PE, Kryptik, HJPL, InstaBot, score, R367821, BScope, ai score=100, YzY0OnE6veYr8he4, WinGo, Ranumbot, GenKryptik, GdSda, confidence, 100%, HwoCdygA) |
md5 | 32f3be8697cbd7c40c05ee83318ae14c |
sha256 | 6c747049b34b13fee03f951bc3b0f330aab130d3f1ecd4e39df734a94d4442d1 |
ssdeep | 12288:6zVWziqF+qpKMHLWbPeJsyixMNOELgd2fsKpcHuRy1GmBzsEWJOifJNUyCt:6ZLqF+qLHAGPVOSpcu9EoLyy |
imphash | 113ab027842a74f801bdc92a0f80850f |
impfuzzy | 24:AmpMzQ2XkrNJfIxuJD/P7DX+fcxOovAYMt/zlzX8vA8RRvpJbDyx2KjMAtB:XfNJ1+fcE9ft/zpX8vJ+fB |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Potentially malicious URLs were found in the process memory dump |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (47cnts)
Level | Name | Description | Collection |
---|---|---|---|
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | create_service | Create a windows service | memory |
info | cred_local | Steal credential | memory |
info | escalate_priv | Escalade priviledges | memory |
info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | keylogger | Run a keylogger | memory |
info | migrate_apc | APC queue tasks migration | memory |
info | network_dga | Communication using dga | memory |
info | network_dns | Communications use DNS | memory |
info | network_dropper | File downloader/dropper | memory |
info | network_ftp | Communications over FTP | memory |
info | network_http | Communications over HTTP | memory |
info | network_p2p_win | Communications over P2P network | memory |
info | network_tcp_listen | Listen for incoming communication | memory |
info | network_tcp_socket | Communications over RAW socket | memory |
info | network_udp_sock | Communications over UDP network | memory |
info | screenshot | Take screenshot | memory |
info | sniff_audio | Record Audio | memory |
info | spreading_share | Malware can spread east-west using share drive | memory |
info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_files_operation | Affect private profile | memory |
info | win_mutex | Create or check mutex | memory |
info | win_private_profile | Affect private profile | memory |
info | win_registry | Affect system registries | memory |
info | win_token | Affect system token | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x4af000 GetModuleHandleExA
0x4af004 SetEndOfFile
0x4af008 FindResourceW
0x4af00c MapUserPhysicalPages
0x4af010 LoadResource
0x4af014 HeapAlloc
0x4af018 LoadLibraryExW
0x4af01c InterlockedIncrement
0x4af020 ZombifyActCtx
0x4af024 CreateDirectoryW
0x4af028 LockFile
0x4af02c GetModuleHandleW
0x4af030 GetTickCount
0x4af034 GenerateConsoleCtrlEvent
0x4af038 GetConsoleAliasesA
0x4af03c ReadConsoleOutputA
0x4af040 GetLocaleInfoW
0x4af044 GetFileAttributesA
0x4af048 GetTimeFormatW
0x4af04c HeapValidate
0x4af050 SetConsoleCursorPosition
0x4af054 GetFileAttributesW
0x4af058 GetAtomNameW
0x4af05c GetCompressedFileSizeA
0x4af060 lstrcatA
0x4af064 ExitThread
0x4af068 FindNextVolumeMountPointW
0x4af06c CreateJobObjectA
0x4af070 GetProcAddress
0x4af074 CreateTimerQueueTimer
0x4af078 LocalAlloc
0x4af07c SetConsoleOutputCP
0x4af080 VirtualLock
0x4af084 InterlockedDecrement
0x4af088 InitializeCriticalSection
0x4af08c DeleteCriticalSection
0x4af090 EnterCriticalSection
0x4af094 LeaveCriticalSection
0x4af098 GetCommandLineA
0x4af09c HeapSetInformation
0x4af0a0 GetStartupInfoW
0x4af0a4 GetModuleFileNameW
0x4af0a8 RaiseException
0x4af0ac EncodePointer
0x4af0b0 DecodePointer
0x4af0b4 TerminateProcess
0x4af0b8 GetCurrentProcess
0x4af0bc UnhandledExceptionFilter
0x4af0c0 SetUnhandledExceptionFilter
0x4af0c4 IsDebuggerPresent
0x4af0c8 IsProcessorFeaturePresent
0x4af0cc IsBadReadPtr
0x4af0d0 InitializeCriticalSectionAndSpinCount
0x4af0d4 QueryPerformanceCounter
0x4af0d8 GetCurrentThreadId
0x4af0dc GetCurrentProcessId
0x4af0e0 GetSystemTimeAsFileTime
0x4af0e4 ExitProcess
0x4af0e8 GetModuleFileNameA
0x4af0ec FreeEnvironmentStringsW
0x4af0f0 WideCharToMultiByte
0x4af0f4 GetEnvironmentStringsW
0x4af0f8 SetHandleCount
0x4af0fc GetStdHandle
0x4af100 GetFileType
0x4af104 TlsAlloc
0x4af108 TlsGetValue
0x4af10c TlsSetValue
0x4af110 TlsFree
0x4af114 SetLastError
0x4af118 GetLastError
0x4af11c HeapCreate
0x4af120 WriteFile
0x4af124 OutputDebugStringA
0x4af128 WriteConsoleW
0x4af12c OutputDebugStringW
0x4af130 LoadLibraryW
0x4af134 SetFilePointer
0x4af138 GetConsoleCP
0x4af13c GetConsoleMode
0x4af140 GetACP
0x4af144 GetOEMCP
0x4af148 GetCPInfo
0x4af14c IsValidCodePage
0x4af150 HeapReAlloc
0x4af154 HeapSize
0x4af158 HeapQueryInformation
0x4af15c HeapFree
0x4af160 MultiByteToWideChar
0x4af164 RtlUnwind
0x4af168 SetStdHandle
0x4af16c GetStringTypeW
0x4af170 LCMapStringW
0x4af174 CreateFileW
0x4af178 CloseHandle
0x4af17c FlushFileBuffers
EAT (Export Address Table) is none