Field | Value |
---|---|
Created | 2021.03.22 09:00 |
Machine | s1_win7_x6402 |
Filename | sn1.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 33 detected (GenericKD, Artemis, malicious, confidence, Cometer, Siggen12, VTFlooder, Swrort, krmop, kcloud, Ymacco, score, ai score=100, Fuerboos, CLOUD, HgEASRIA) |
md5 | 4e228802bcb649751855c0bd9a35ab0d |
sha256 | 6c7386b07716fccd51108a9182a71c6855d6c0504e4fb62004ef004de1bb3bb1 |
ssdeep | 1536:5hLVmgU/ruRYJurNs3YgcP2DX4w4PYf5aND:56zuWurNCYV26wf5aZ |
imphash | 1ba58a7439f95ffe8a63e2db77ed6885 |
impfuzzy | 6:DFrQ4qcK7vvKypbtn9XsZHAhHAHRkXbgM1MgX4qK6aAMaB5uX7dtCMyVJWNS3aSv:DFZIjpFtn9XsG+HRkLgaMgrKlSIHCZjh |
Network IP location
Signature (4cnts)
Level | Description |
---|---|
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (47cnts)
Level | Name | Description | Collection |
---|---|---|---|
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | create_service | Create a windows service | memory |
info | cred_local | Steal credential | memory |
info | escalate_priv | Escalate privileges | memory |
info | HasDebugData | DebugData Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | keylogger | Run a keylogger | memory |
info | migrate_apc | APC queue tasks migration | memory |
info | network_dga | Communication using DGA | memory |
info | network_dns | Communications use DNS | memory |
info | network_dropper | File downloader/dropper | memory |
info | network_ftp | Communications over FTP | memory |
info | network_http | Communications over HTTP | memory |
info | network_p2p_win | Communications over P2P network | memory |
info | network_tcp_listen | Listen for incoming communication | memory |
info | network_tcp_socket | Communications over RAW socket | memory |
info | network_udp_sock | Communications over UDP network | memory |
info | screenshot | Take screenshot | memory |
info | sniff_audio | Record Audio | memory |
info | spreading_file | Malware can spread east-west via files | memory |
info | spreading_share | Malware can spread east-west using shared drives | memory |
info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
info | win_files_operation | Affect private profile | memory |
info | win_mutex | Create or check mutex | memory |
info | win_private_profile | Affect private profile | memory |
info | win_registry | Affect system registries | memory |
info | win_token | Affect system token | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
USER32.dll
0x14000a060 MapDialogRect
0x14000a068 GetMenuDefaultItem
0x14000a070 CreateAcceleratorTableA
0x14000a078 PostThreadMessageA
0x14000a080 PeekMessageA
0x14000a088 DrawAnimatedRects
GDI32.dll
0x14000a000 GetGlyphOutlineA
0x14000a008 GetTextAlign
0x14000a010 EnumFontFamiliesExW
0x14000a018 CreateHatchBrush
0x14000a020 CreatePolygonRgn
0x14000a028 ColorCorrectPalette
0x14000a030 GetGlyphIndicesW
SHLWAPI.dll
0x14000a040 StrFormatByteSizeA
0x14000a048 StrRetToStrA
0x14000a050 StrDupA
EAT(Export Address Table) is none