ScreenShot
| Created | 2021.03.30 10:57 | Machine | s1_win7_x6401 |
| Filename | win.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 32 detected (AIDetect, malware1, malicious, high confidence, Artemis, Save, Attribute, HighConfidence, Kryptik, HKDW, BotX, ET#89%, RDMK, cmRtazrjB19VPue0WughyVo7uMwx, Emotet, R + Mal, GandCrypt, UrSnif, Unsafe, Score, Glupteba, R374654, Auto, Static AI, Malicious PE, susgen, GenKryptik, FDLV, confidence, 100%) | ||
| md5 | 32a337e8ac0912ec32e54553a0db095f | ||
| sha256 | f86b0f3ec06d574080bd86e2980c7d04c29d4093d025fe592a567b5767031d2b | ||
| ssdeep | 6144:/FRQC4ttnLO7nWXckWyZ9Q3eYhRyGNadC6D1Z:nQC4txQn/kWC63VtaF | ||
| imphash | c76e846ddcafac1d54c770f3946391e3 | ||
| impfuzzy | 48:63pa1uO2HHDE0OTVdx+cXtTT1KFV02cBZgE:gcB2nDE043x+cXtTT1UVFcrp | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
| watch | Tries to unhook Windows functions monitored by Cuckoo |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Trojan_Win32_Glupteba_1_Zero | Trojan Win32 Glupteba | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x437008 CommConfigDialogA
0x43700c BuildCommDCBAndTimeoutsA
0x437010 CallNamedPipeA
0x437014 SetDefaultCommConfigW
0x437018 GetComputerNameW
0x43701c GetModuleHandleW
0x437020 SetCommState
0x437024 TlsSetValue
0x437028 ActivateActCtx
0x43702c GlobalAlloc
0x437030 _hread
0x437034 GetPrivateProfileStructW
0x437038 GetVersionExW
0x43703c ReadFile
0x437040 lstrcatA
0x437044 GetBinaryTypeW
0x437048 FindNextVolumeMountPointW
0x43704c RaiseException
0x437050 GetNamedPipeHandleStateW
0x437054 GetLargestConsoleWindowSize
0x437058 GetConsoleOutputCP
0x43705c GetLastError
0x437060 lstrlenA
0x437064 GetProcAddress
0x437068 VirtualAlloc
0x43706c CopyFileA
0x437070 SetStdHandle
0x437074 EnterCriticalSection
0x437078 LoadLibraryA
0x43707c IsSystemResumeAutomatic
0x437080 BeginUpdateResourceA
0x437084 SetCommMask
0x437088 SetEnvironmentVariableA
0x43708c GetOEMCP
0x437090 DebugSetProcessKillOnExit
0x437094 LoadLibraryExA
0x437098 CreateMutexA
0x43709c EnumDateFormatsW
0x4370a0 WriteConsoleOutputAttribute
0x4370a4 DuplicateHandle
0x4370a8 LocalSize
0x4370ac DeleteFileW
0x4370b0 AddConsoleAliasA
0x4370b4 CloseHandle
0x4370b8 GetCurrentDirectoryW
0x4370bc HeapCompact
0x4370c0 WideCharToMultiByte
0x4370c4 InterlockedIncrement
0x4370c8 InterlockedDecrement
0x4370cc InterlockedCompareExchange
0x4370d0 InterlockedExchange
0x4370d4 MultiByteToWideChar
0x4370d8 Sleep
0x4370dc InitializeCriticalSection
0x4370e0 DeleteCriticalSection
0x4370e4 LeaveCriticalSection
0x4370e8 MoveFileA
0x4370ec HeapFree
0x4370f0 TerminateProcess
0x4370f4 GetCurrentProcess
0x4370f8 UnhandledExceptionFilter
0x4370fc SetUnhandledExceptionFilter
0x437100 IsDebuggerPresent
0x437104 HeapReAlloc
0x437108 HeapAlloc
0x43710c ExitProcess
0x437110 GetStartupInfoW
0x437114 GetCPInfo
0x437118 RtlUnwind
0x43711c LCMapStringW
0x437120 LCMapStringA
0x437124 GetStringTypeW
0x437128 SetHandleCount
0x43712c GetStdHandle
0x437130 GetFileType
0x437134 GetStartupInfoA
0x437138 WriteFile
0x43713c GetConsoleCP
0x437140 GetConsoleMode
0x437144 HeapCreate
0x437148 VirtualFree
0x43714c TlsGetValue
0x437150 TlsAlloc
0x437154 TlsFree
0x437158 SetLastError
0x43715c GetCurrentThreadId
0x437160 GetModuleFileNameA
0x437164 InitializeCriticalSectionAndSpinCount
0x437168 GetModuleFileNameW
0x43716c FreeEnvironmentStringsW
0x437170 GetEnvironmentStringsW
0x437174 GetCommandLineW
0x437178 QueryPerformanceCounter
0x43717c GetTickCount
0x437180 GetCurrentProcessId
0x437184 GetSystemTimeAsFileTime
0x437188 GetStringTypeA
0x43718c HeapSize
0x437190 GetACP
0x437194 IsValidCodePage
0x437198 GetUserDefaultLCID
0x43719c GetLocaleInfoA
0x4371a0 EnumSystemLocalesA
0x4371a4 IsValidLocale
0x4371a8 WriteConsoleA
0x4371ac WriteConsoleW
0x4371b0 SetFilePointer
0x4371b4 GetLocaleInfoW
0x4371b8 FlushFileBuffers
0x4371bc CreateFileA
USER32.dll
0x4371c4 GetAncestor
ADVAPI32.dll
0x437000 IsTextUnicode
EAT(Export Address Table) is none
KERNEL32.dll
0x437008 CommConfigDialogA
0x43700c BuildCommDCBAndTimeoutsA
0x437010 CallNamedPipeA
0x437014 SetDefaultCommConfigW
0x437018 GetComputerNameW
0x43701c GetModuleHandleW
0x437020 SetCommState
0x437024 TlsSetValue
0x437028 ActivateActCtx
0x43702c GlobalAlloc
0x437030 _hread
0x437034 GetPrivateProfileStructW
0x437038 GetVersionExW
0x43703c ReadFile
0x437040 lstrcatA
0x437044 GetBinaryTypeW
0x437048 FindNextVolumeMountPointW
0x43704c RaiseException
0x437050 GetNamedPipeHandleStateW
0x437054 GetLargestConsoleWindowSize
0x437058 GetConsoleOutputCP
0x43705c GetLastError
0x437060 lstrlenA
0x437064 GetProcAddress
0x437068 VirtualAlloc
0x43706c CopyFileA
0x437070 SetStdHandle
0x437074 EnterCriticalSection
0x437078 LoadLibraryA
0x43707c IsSystemResumeAutomatic
0x437080 BeginUpdateResourceA
0x437084 SetCommMask
0x437088 SetEnvironmentVariableA
0x43708c GetOEMCP
0x437090 DebugSetProcessKillOnExit
0x437094 LoadLibraryExA
0x437098 CreateMutexA
0x43709c EnumDateFormatsW
0x4370a0 WriteConsoleOutputAttribute
0x4370a4 DuplicateHandle
0x4370a8 LocalSize
0x4370ac DeleteFileW
0x4370b0 AddConsoleAliasA
0x4370b4 CloseHandle
0x4370b8 GetCurrentDirectoryW
0x4370bc HeapCompact
0x4370c0 WideCharToMultiByte
0x4370c4 InterlockedIncrement
0x4370c8 InterlockedDecrement
0x4370cc InterlockedCompareExchange
0x4370d0 InterlockedExchange
0x4370d4 MultiByteToWideChar
0x4370d8 Sleep
0x4370dc InitializeCriticalSection
0x4370e0 DeleteCriticalSection
0x4370e4 LeaveCriticalSection
0x4370e8 MoveFileA
0x4370ec HeapFree
0x4370f0 TerminateProcess
0x4370f4 GetCurrentProcess
0x4370f8 UnhandledExceptionFilter
0x4370fc SetUnhandledExceptionFilter
0x437100 IsDebuggerPresent
0x437104 HeapReAlloc
0x437108 HeapAlloc
0x43710c ExitProcess
0x437110 GetStartupInfoW
0x437114 GetCPInfo
0x437118 RtlUnwind
0x43711c LCMapStringW
0x437120 LCMapStringA
0x437124 GetStringTypeW
0x437128 SetHandleCount
0x43712c GetStdHandle
0x437130 GetFileType
0x437134 GetStartupInfoA
0x437138 WriteFile
0x43713c GetConsoleCP
0x437140 GetConsoleMode
0x437144 HeapCreate
0x437148 VirtualFree
0x43714c TlsGetValue
0x437150 TlsAlloc
0x437154 TlsFree
0x437158 SetLastError
0x43715c GetCurrentThreadId
0x437160 GetModuleFileNameA
0x437164 InitializeCriticalSectionAndSpinCount
0x437168 GetModuleFileNameW
0x43716c FreeEnvironmentStringsW
0x437170 GetEnvironmentStringsW
0x437174 GetCommandLineW
0x437178 QueryPerformanceCounter
0x43717c GetTickCount
0x437180 GetCurrentProcessId
0x437184 GetSystemTimeAsFileTime
0x437188 GetStringTypeA
0x43718c HeapSize
0x437190 GetACP
0x437194 IsValidCodePage
0x437198 GetUserDefaultLCID
0x43719c GetLocaleInfoA
0x4371a0 EnumSystemLocalesA
0x4371a4 IsValidLocale
0x4371a8 WriteConsoleA
0x4371ac WriteConsoleW
0x4371b0 SetFilePointer
0x4371b4 GetLocaleInfoW
0x4371b8 FlushFileBuffers
0x4371bc CreateFileA
USER32.dll
0x4371c4 GetAncestor
ADVAPI32.dll
0x437000 IsTextUnicode
EAT(Export Address Table) is none