ScreenShot
| Created | 2021.03.24 18:26 | Machine | s1_win7_x6402 |
| Filename | redbutton.png | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 021b3c4f43ecf8719fcca871a483767b | ||
| sha256 | 160fe5fb965b11cff6cbb697987cf72e1cb58207bf8da676575553edcc133406 | ||
| ssdeep | 6144:34rLCVe+nSUIo0ML1T/oK1bgAyxZ/bmTcO59xwnQV8htFzs+LnzQVXY:SLCVeepIoH1zkaT7B7mFA+7Md | ||
| imphash | 55084870e14c8f3b289a5358885b34e6 | ||
| impfuzzy | 96:/OAzl/1GxQZQUfoxTIugIkzdGg12xRMzJiY+9Nq/vjWo6GxgheIXYmIEISMRyUpH:EelgiFRp3B5 | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | Microsoft_Office_Document_Zero | Microsoft Office Document Signature Zero | binaries (download) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
PE API
IAT(Import Address Table) Library
advapi32.DLL
0x401000 RegDeleteKeyA
user32.dll
0x401008 LoadStringW
oleaut32.dll
0x401010 SysAllocStringLen
0x401014 SysAllocStringByteLen
0x401018 SysStringLen
kernel32.dll
0x401020 VirtualAlloc
0x401024 VirtualProtect
0x401028 RtlMoveMemory
0x40102c WideCharToMultiByte
0x401030 GetModuleHandleW
MSVBVM60.DLL
0x401038 __vbaVarTstGt
0x40103c __vbaVarSub
0x401040 __vbaStrI2
0x401044 _CIcos
0x401048 _adj_fptan
0x40104c __vbaStrI4
0x401050 __vbaVarMove
0x401054 __vbaVarVargNofree
0x401058 __vbaFreeVar
0x40105c __vbaAryMove
0x401060 __vbaLenBstr
0x401064 __vbaStrVarMove
0x401068 __vbaEnd
0x40106c __vbaFreeVarList
0x401070 _adj_fdiv_m64
0x401074 None
0x401078 __vbaFreeObjList
0x40107c _adj_fprem1
0x401080 None
0x401084 __vbaRecAnsiToUni
0x401088 None
0x40108c __vbaResume
0x401090 __vbaStrCat
0x401094 __vbaLsetFixstr
0x401098 None
0x40109c None
0x4010a0 __vbaSetSystemError
0x4010a4 __vbaRecDestruct
0x4010a8 __vbaNameFile
0x4010ac __vbaHresultCheckObj
0x4010b0 None
0x4010b4 __vbaLenVar
0x4010b8 _adj_fdiv_m32
0x4010bc None
0x4010c0 __vbaVarCmpGe
0x4010c4 __vbaAryDestruct
0x4010c8 __vbaVarIndexLoadRefLock
0x4010cc __vbaExitProc
0x4010d0 None
0x4010d4 __vbaVarForInit
0x4010d8 None
0x4010dc None
0x4010e0 __vbaObjSet
0x4010e4 __vbaOnError
0x4010e8 _adj_fdiv_m16i
0x4010ec __vbaObjSetAddref
0x4010f0 _adj_fdivr_m16i
0x4010f4 __vbaVarIndexLoad
0x4010f8 __vbaBoolVar
0x4010fc None
0x401100 None
0x401104 __vbaBoolVarNull
0x401108 __vbaRefVarAry
0x40110c __vbaVarTstLt
0x401110 _CIsin
0x401114 None
0x401118 None
0x40111c None
0x401120 __vbaChkstk
0x401124 None
0x401128 __vbaFileClose
0x40112c EVENT_SINK_AddRef
0x401130 None
0x401134 __vbaCyI2
0x401138 __vbaAryConstruct2
0x40113c __vbaDateR8
0x401140 __vbaObjVar
0x401144 None
0x401148 DllFunctionCall
0x40114c __vbaVarLateMemSt
0x401150 __vbaVarOr
0x401154 __vbaLbound
0x401158 __vbaRedimPreserve
0x40115c _adj_fpatan
0x401160 __vbaRedim
0x401164 __vbaRecUniToAnsi
0x401168 EVENT_SINK_Release
0x40116c None
0x401170 _CIsqrt
0x401174 __vbaVarAnd
0x401178 EVENT_SINK_QueryInterface
0x40117c __vbaVarMul
0x401180 __vbaFpCmpCy
0x401184 __vbaExceptHandler
0x401188 __vbaStrToUnicode
0x40118c __vbaPrintFile
0x401190 None
0x401194 __vbaDateStr
0x401198 _adj_fprem
0x40119c _adj_fdivr_m64
0x4011a0 __vbaVarDiv
0x4011a4 None
0x4011a8 __vbaFPException
0x4011ac __vbaStrVarVal
0x4011b0 __vbaUbound
0x4011b4 __vbaVarCat
0x4011b8 None
0x4011bc __vbaI2Var
0x4011c0 __vbaLsetFixstrFree
0x4011c4 None
0x4011c8 None
0x4011cc None
0x4011d0 None
0x4011d4 _CIlog
0x4011d8 __vbaFileOpen
0x4011dc __vbaVarLateMemCallLdRf
0x4011e0 None
0x4011e4 __vbaNew2
0x4011e8 __vbaVar2Vec
0x4011ec _adj_fdiv_m32i
0x4011f0 _adj_fdivr_m32i
0x4011f4 __vbaStrCopy
0x4011f8 __vbaI4Str
0x4011fc __vbaFreeStrList
0x401200 _adj_fdivr_m32
0x401204 __vbaPowerR8
0x401208 __vbaR8Var
0x40120c _adj_fdiv_r
0x401210 None
0x401214 None
0x401218 __vbaVarTstNe
0x40121c __vbaI4Var
0x401220 __vbaLateMemCall
0x401224 __vbaAryLock
0x401228 __vbaVarAdd
0x40122c __vbaStrToAnsi
0x401230 __vbaVarDup
0x401234 __vbaVarLateMemCallLd
0x401238 __vbaFpI4
0x40123c __vbaVarCopy
0x401240 __vbaRecDestructAnsi
0x401244 _CIatan
0x401248 __vbaStrMove
0x40124c None
0x401250 _allmul
0x401254 __vbaVarLateMemCallSt
0x401258 None
0x40125c _CItan
0x401260 __vbaFPInt
0x401264 __vbaAryUnlock
0x401268 __vbaUI1Var
0x40126c __vbaVarForNext
0x401270 _CIexp
0x401274 __vbaI4ErrVar
0x401278 __vbaFreeObj
0x40127c __vbaFreeStr
EAT(Export Address Table) is none
advapi32.DLL
0x401000 RegDeleteKeyA
user32.dll
0x401008 LoadStringW
oleaut32.dll
0x401010 SysAllocStringLen
0x401014 SysAllocStringByteLen
0x401018 SysStringLen
kernel32.dll
0x401020 VirtualAlloc
0x401024 VirtualProtect
0x401028 RtlMoveMemory
0x40102c WideCharToMultiByte
0x401030 GetModuleHandleW
MSVBVM60.DLL
0x401038 __vbaVarTstGt
0x40103c __vbaVarSub
0x401040 __vbaStrI2
0x401044 _CIcos
0x401048 _adj_fptan
0x40104c __vbaStrI4
0x401050 __vbaVarMove
0x401054 __vbaVarVargNofree
0x401058 __vbaFreeVar
0x40105c __vbaAryMove
0x401060 __vbaLenBstr
0x401064 __vbaStrVarMove
0x401068 __vbaEnd
0x40106c __vbaFreeVarList
0x401070 _adj_fdiv_m64
0x401074 None
0x401078 __vbaFreeObjList
0x40107c _adj_fprem1
0x401080 None
0x401084 __vbaRecAnsiToUni
0x401088 None
0x40108c __vbaResume
0x401090 __vbaStrCat
0x401094 __vbaLsetFixstr
0x401098 None
0x40109c None
0x4010a0 __vbaSetSystemError
0x4010a4 __vbaRecDestruct
0x4010a8 __vbaNameFile
0x4010ac __vbaHresultCheckObj
0x4010b0 None
0x4010b4 __vbaLenVar
0x4010b8 _adj_fdiv_m32
0x4010bc None
0x4010c0 __vbaVarCmpGe
0x4010c4 __vbaAryDestruct
0x4010c8 __vbaVarIndexLoadRefLock
0x4010cc __vbaExitProc
0x4010d0 None
0x4010d4 __vbaVarForInit
0x4010d8 None
0x4010dc None
0x4010e0 __vbaObjSet
0x4010e4 __vbaOnError
0x4010e8 _adj_fdiv_m16i
0x4010ec __vbaObjSetAddref
0x4010f0 _adj_fdivr_m16i
0x4010f4 __vbaVarIndexLoad
0x4010f8 __vbaBoolVar
0x4010fc None
0x401100 None
0x401104 __vbaBoolVarNull
0x401108 __vbaRefVarAry
0x40110c __vbaVarTstLt
0x401110 _CIsin
0x401114 None
0x401118 None
0x40111c None
0x401120 __vbaChkstk
0x401124 None
0x401128 __vbaFileClose
0x40112c EVENT_SINK_AddRef
0x401130 None
0x401134 __vbaCyI2
0x401138 __vbaAryConstruct2
0x40113c __vbaDateR8
0x401140 __vbaObjVar
0x401144 None
0x401148 DllFunctionCall
0x40114c __vbaVarLateMemSt
0x401150 __vbaVarOr
0x401154 __vbaLbound
0x401158 __vbaRedimPreserve
0x40115c _adj_fpatan
0x401160 __vbaRedim
0x401164 __vbaRecUniToAnsi
0x401168 EVENT_SINK_Release
0x40116c None
0x401170 _CIsqrt
0x401174 __vbaVarAnd
0x401178 EVENT_SINK_QueryInterface
0x40117c __vbaVarMul
0x401180 __vbaFpCmpCy
0x401184 __vbaExceptHandler
0x401188 __vbaStrToUnicode
0x40118c __vbaPrintFile
0x401190 None
0x401194 __vbaDateStr
0x401198 _adj_fprem
0x40119c _adj_fdivr_m64
0x4011a0 __vbaVarDiv
0x4011a4 None
0x4011a8 __vbaFPException
0x4011ac __vbaStrVarVal
0x4011b0 __vbaUbound
0x4011b4 __vbaVarCat
0x4011b8 None
0x4011bc __vbaI2Var
0x4011c0 __vbaLsetFixstrFree
0x4011c4 None
0x4011c8 None
0x4011cc None
0x4011d0 None
0x4011d4 _CIlog
0x4011d8 __vbaFileOpen
0x4011dc __vbaVarLateMemCallLdRf
0x4011e0 None
0x4011e4 __vbaNew2
0x4011e8 __vbaVar2Vec
0x4011ec _adj_fdiv_m32i
0x4011f0 _adj_fdivr_m32i
0x4011f4 __vbaStrCopy
0x4011f8 __vbaI4Str
0x4011fc __vbaFreeStrList
0x401200 _adj_fdivr_m32
0x401204 __vbaPowerR8
0x401208 __vbaR8Var
0x40120c _adj_fdiv_r
0x401210 None
0x401214 None
0x401218 __vbaVarTstNe
0x40121c __vbaI4Var
0x401220 __vbaLateMemCall
0x401224 __vbaAryLock
0x401228 __vbaVarAdd
0x40122c __vbaStrToAnsi
0x401230 __vbaVarDup
0x401234 __vbaVarLateMemCallLd
0x401238 __vbaFpI4
0x40123c __vbaVarCopy
0x401240 __vbaRecDestructAnsi
0x401244 _CIatan
0x401248 __vbaStrMove
0x40124c None
0x401250 _allmul
0x401254 __vbaVarLateMemCallSt
0x401258 None
0x40125c _CItan
0x401260 __vbaFPInt
0x401264 __vbaAryUnlock
0x401268 __vbaUI1Var
0x40126c __vbaVarForNext
0x401270 _CIexp
0x401274 __vbaI4ErrVar
0x401278 __vbaFreeObj
0x40127c __vbaFreeStr
EAT(Export Address Table) is none