ScreenShot
| Created | 2021.03.12 16:27 | Machine | s1_win7_x6401 |
| Filename | 4.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 23 detected (AIDetect, malware1, malicious, high confidence, Unsafe, Save, Hacktool, ZexaF, vu0@aGG4f5dG, Kryptik, Eldorado, Attribute, HighConfidence, MultiPlug, Static AI, Malicious PE, Score, Wacatac, ET#96%, RDMK, cmRtazrTQF9vgaLX, 6LEu8F4w+wv, confidence, QVM10) | ||
| md5 | f43ab0f92340b89c74af85b624672dbe | ||
| sha256 | f9fa7707c2b699b79b0fe5948d0de10e4242220c0fd7c76062cf46fcb53f44ae | ||
| ssdeep | 6144:GXqM9G5eUxod6dBI25h+LWKd8akIqX1Xxv6rEO5+Vo7o3Q:GX9Y5eUxo6BIO8Sis96Ay/ | ||
| imphash | 9c2408c4e289059dc1f7339d62dec625 | ||
| impfuzzy | 24:YskFiqgEKMuoDI1ydicOOtjLaNcJTR8/+HRIlyv9EJEjMkyx2DECF:YfFARx1y0DOtfaNcJV8RK9Ipa | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (46cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x433000 ExitProcess
0x433004 GetTempFileNameW
0x433008 GetNativeSystemInfo
0x43300c GetModuleHandleExA
0x433010 SetEndOfFile
0x433014 MapUserPhysicalPages
0x433018 SystemTimeToTzSpecificLocalTime
0x43301c HeapAlloc
0x433020 InterlockedIncrement
0x433024 MapViewOfFileEx
0x433028 MoveFileExW
0x43302c GetModuleHandleW
0x433030 SizeofResource
0x433034 ReadConsoleOutputW
0x433038 HeapCreate
0x43303c Beep
0x433040 SetTimeZoneInformation
0x433044 CompareStringW
0x433048 GlobalUnfix
0x43304c GetLastError
0x433050 ChangeTimerQueueTimer
0x433054 GetProcAddress
0x433058 HeapSize
0x43305c OpenWaitableTimerA
0x433060 GetAtomNameA
0x433064 AddVectoredExceptionHandler
0x433068 SetConsoleCursorInfo
0x43306c GetModuleHandleA
0x433070 lstrcatW
0x433074 EraseTape
0x433078 GetCommandLineW
0x43307c HeapSetInformation
0x433080 GetStartupInfoW
0x433084 TerminateProcess
0x433088 GetCurrentProcess
0x43308c UnhandledExceptionFilter
0x433090 SetUnhandledExceptionFilter
0x433094 IsDebuggerPresent
0x433098 DecodePointer
0x43309c EncodePointer
0x4330a0 GetModuleFileNameW
0x4330a4 HeapValidate
0x4330a8 IsBadReadPtr
0x4330ac EnterCriticalSection
0x4330b0 LeaveCriticalSection
0x4330b4 QueryPerformanceCounter
0x4330b8 GetTickCount
0x4330bc GetCurrentThreadId
0x4330c0 GetCurrentProcessId
0x4330c4 GetSystemTimeAsFileTime
0x4330c8 InterlockedDecrement
0x4330cc FreeEnvironmentStringsW
0x4330d0 GetEnvironmentStringsW
0x4330d4 SetHandleCount
0x4330d8 GetStdHandle
0x4330dc InitializeCriticalSectionAndSpinCount
0x4330e0 GetFileType
0x4330e4 DeleteCriticalSection
0x4330e8 TlsAlloc
0x4330ec TlsGetValue
0x4330f0 TlsSetValue
0x4330f4 TlsFree
0x4330f8 SetLastError
0x4330fc WriteFile
0x433100 SetFilePointer
0x433104 WideCharToMultiByte
0x433108 GetConsoleCP
0x43310c GetConsoleMode
0x433110 GetACP
0x433114 GetOEMCP
0x433118 GetCPInfo
0x43311c IsValidCodePage
0x433120 OutputDebugStringA
0x433124 WriteConsoleW
0x433128 OutputDebugStringW
0x43312c LoadLibraryW
0x433130 GetModuleFileNameA
0x433134 HeapReAlloc
0x433138 HeapQueryInformation
0x43313c HeapFree
0x433140 RtlUnwind
0x433144 MultiByteToWideChar
0x433148 SetStdHandle
0x43314c GetStringTypeW
0x433150 LCMapStringW
0x433154 IsProcessorFeaturePresent
0x433158 FlushFileBuffers
0x43315c ReadFile
0x433160 CreateFileW
0x433164 CloseHandle
0x433168 RaiseException
EAT(Export Address Table) is none
KERNEL32.dll
0x433000 ExitProcess
0x433004 GetTempFileNameW
0x433008 GetNativeSystemInfo
0x43300c GetModuleHandleExA
0x433010 SetEndOfFile
0x433014 MapUserPhysicalPages
0x433018 SystemTimeToTzSpecificLocalTime
0x43301c HeapAlloc
0x433020 InterlockedIncrement
0x433024 MapViewOfFileEx
0x433028 MoveFileExW
0x43302c GetModuleHandleW
0x433030 SizeofResource
0x433034 ReadConsoleOutputW
0x433038 HeapCreate
0x43303c Beep
0x433040 SetTimeZoneInformation
0x433044 CompareStringW
0x433048 GlobalUnfix
0x43304c GetLastError
0x433050 ChangeTimerQueueTimer
0x433054 GetProcAddress
0x433058 HeapSize
0x43305c OpenWaitableTimerA
0x433060 GetAtomNameA
0x433064 AddVectoredExceptionHandler
0x433068 SetConsoleCursorInfo
0x43306c GetModuleHandleA
0x433070 lstrcatW
0x433074 EraseTape
0x433078 GetCommandLineW
0x43307c HeapSetInformation
0x433080 GetStartupInfoW
0x433084 TerminateProcess
0x433088 GetCurrentProcess
0x43308c UnhandledExceptionFilter
0x433090 SetUnhandledExceptionFilter
0x433094 IsDebuggerPresent
0x433098 DecodePointer
0x43309c EncodePointer
0x4330a0 GetModuleFileNameW
0x4330a4 HeapValidate
0x4330a8 IsBadReadPtr
0x4330ac EnterCriticalSection
0x4330b0 LeaveCriticalSection
0x4330b4 QueryPerformanceCounter
0x4330b8 GetTickCount
0x4330bc GetCurrentThreadId
0x4330c0 GetCurrentProcessId
0x4330c4 GetSystemTimeAsFileTime
0x4330c8 InterlockedDecrement
0x4330cc FreeEnvironmentStringsW
0x4330d0 GetEnvironmentStringsW
0x4330d4 SetHandleCount
0x4330d8 GetStdHandle
0x4330dc InitializeCriticalSectionAndSpinCount
0x4330e0 GetFileType
0x4330e4 DeleteCriticalSection
0x4330e8 TlsAlloc
0x4330ec TlsGetValue
0x4330f0 TlsSetValue
0x4330f4 TlsFree
0x4330f8 SetLastError
0x4330fc WriteFile
0x433100 SetFilePointer
0x433104 WideCharToMultiByte
0x433108 GetConsoleCP
0x43310c GetConsoleMode
0x433110 GetACP
0x433114 GetOEMCP
0x433118 GetCPInfo
0x43311c IsValidCodePage
0x433120 OutputDebugStringA
0x433124 WriteConsoleW
0x433128 OutputDebugStringW
0x43312c LoadLibraryW
0x433130 GetModuleFileNameA
0x433134 HeapReAlloc
0x433138 HeapQueryInformation
0x43313c HeapFree
0x433140 RtlUnwind
0x433144 MultiByteToWideChar
0x433148 SetStdHandle
0x43314c GetStringTypeW
0x433150 LCMapStringW
0x433154 IsProcessorFeaturePresent
0x433158 FlushFileBuffers
0x43315c ReadFile
0x433160 CreateFileW
0x433164 CloseHandle
0x433168 RaiseException
EAT(Export Address Table) is none