popup

Report - 22001.dll

  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.03.21 10:22 Machine s1_win7_x6401
Filename 22001.dll
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
AI Score
11
 Behavior Score
2.0
ZERO API file : malware
VT API (file) 19 detected (malicious, high confidence, Unsafe, Save, Attribute, HighConfidence, ccmw, EncPk, Static AI, Malicious PE, Wacapew, score, BScope, TrojanPSW, Papras, Kryptik, HJZU, ET#87%, RDMK, cmRtazqihoMwCGyzJOO1bUAe27Cr, ZedlaF, hy4@aKtshZp)
md5 9a85e1eccf35e0c2e4f1b4764228e0f9
sha256 7857fb118ea676757804e373d4a743ad661b25e2f0aaef32ced6a68f0131568b
ssdeep 1536:sWVRLqnG1awzieRnGgpO7zzOTuwLvDCLonXIV6cDy7AKS4x8kXTZq9doUg:sgFHiirOnzO6wKtV5+7Znx/XTZqdo
imphash 6a037f055591c3dbbb16649e3c8fb605
impfuzzy 6:HGDYBJAEtwyRlbPp+TXWOBgvFtTXmGanWLl:mDoAPqPkXW80FNX9anm
  Network IP location

Signature (6cnts)

Level Description
watch File has been identified by 19 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (48cnts)

Level Name Description Collection
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsDLL (no description) binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory
info create_com_service Create a COM server memory
info create_service Create a windows service memory
info cred_local Steal credential memory
info escalate_priv Escalade priviledges memory
info HasRichSignature Rich Signature Check binaries (upload)
info inject_thread Code injection with CreateRemoteThread in a remote process memory
info IsWindowsGUI (no description) binaries (upload)
info keylogger Run a keylogger memory
info migrate_apc APC queue tasks migration memory
info network_dga Communication using dga memory
info network_dns Communications use DNS memory
info network_dropper File downloader/dropper memory
info network_ftp Communications over FTP memory
info network_http Communications over HTTP memory
info network_p2p_win Communications over P2P network memory
info network_tcp_listen Listen for incoming communication memory
info network_tcp_socket Communications over RAW socket memory
info network_udp_sock Communications over UDP network memory
info screenshot Take screenshot memory
info sniff_audio Record Audio memory
info spreading_file Malware can spread east-west file memory
info spreading_share Malware can spread east-west using share drive memory
info Str_Win32_Wininet_Library Match Windows Inet API library declaration memory
info Str_Win32_Winsock2_Library Match Winsock 2 API library declaration memory
info win_files_operation Affect private profile memory
info win_mutex Create or check mutex memory
info win_private_profile Affect private profile memory
info win_registry Affect system registries memory
info win_token Affect system token memory

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids


Similarity measure (PE file only) - Checking for service failure