Field | Value |
---|---|
Created | 2025.04.28 09:10 |
Machine | s1_win7_x6401 |
Filename | ckuh.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 26 detected (AIDetectMalware, AsyncRAT, Lazy, Ghanarava, Unsafe, malicious, confidence, moderate confidence, a variant of Generik, FJGYUQI, Static AI, Suspicious PE, Detected, Sonbokli, 7IWU5B, ABTrojan, ARJI, Artemis) |
md5 | a2980062855e3ff75037425dfe2fa1fc |
sha256 | 326f6f4666110d3946f684fa450fa2f5e207b6fcbc6a8170a5df22c0fcc19385 |
ssdeep | 24576:pcyATBJXnOFU2WW4FdAku07OKPe4x5TjKee1+oh/GH:f0/OKPeE5qee4l |
imphash | 4ab2b6097cb4d5c94a2a2679ebd73227 |
impfuzzy | 24:dMcpVPOK02tMSxoeDRGchyJe1lh7Qkv7rT/XuFZoSOovbOPZHu9pGMAqh:ecpVPO+tMSOoGc/rQuDuFZA30h |
Signature (17cnts)
Level | Description |
---|---|
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | One or more non-whitelisted processes were created |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | Uses Windows APIs to generate a cryptographic key |
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140138000 GetLastError
0x140138008 CreateFileW
0x140138010 CloseHandle
0x140138018 ReadConsoleW
0x140138020 EnterCriticalSection
0x140138028 LeaveCriticalSection
0x140138030 InitializeCriticalSectionEx
0x140138038 DeleteCriticalSection
0x140138040 GetCurrentThreadId
0x140138048 IsDebuggerPresent
0x140138050 RaiseException
0x140138058 MultiByteToWideChar
0x140138060 WideCharToMultiByte
0x140138068 RtlCaptureContext
0x140138070 RtlLookupFunctionEntry
0x140138078 RtlVirtualUnwind
0x140138080 UnhandledExceptionFilter
0x140138088 SetUnhandledExceptionFilter
0x140138090 GetCurrentProcess
0x140138098 TerminateProcess
0x1401380a0 IsProcessorFeaturePresent
0x1401380a8 QueryPerformanceCounter
0x1401380b0 GetCurrentProcessId
0x1401380b8 GetSystemTimeAsFileTime
0x1401380c0 InitializeSListHead
0x1401380c8 GetStartupInfoW
0x1401380d0 GetModuleHandleW
0x1401380d8 HeapAlloc
0x1401380e0 HeapFree
0x1401380e8 GetProcessHeap
0x1401380f0 VirtualQuery
0x1401380f8 FreeLibrary
0x140138100 GetProcAddress
0x140138108 RtlPcToFileHeader
0x140138110 RtlUnwindEx
0x140138118 InterlockedPushEntrySList
0x140138120 InterlockedFlushSList
0x140138128 GetModuleFileNameW
0x140138130 LoadLibraryExW
0x140138138 SetLastError
0x140138140 EncodePointer
0x140138148 InitializeCriticalSectionAndSpinCount
0x140138150 TlsAlloc
0x140138158 TlsGetValue
0x140138160 TlsSetValue
0x140138168 TlsFree
0x140138170 GetModuleHandleExW
0x140138178 GetStdHandle
0x140138180 WriteFile
0x140138188 ExitProcess
0x140138190 HeapSize
0x140138198 HeapValidate
0x1401381a0 GetSystemInfo
0x1401381a8 GetCurrentThread
0x1401381b0 GetFileType
0x1401381b8 OutputDebugStringW
0x1401381c0 WriteConsoleW
0x1401381c8 SetConsoleCtrlHandler
0x1401381d0 GetTempPathW
0x1401381d8 FlsAlloc
0x1401381e0 FlsGetValue
0x1401381e8 FlsSetValue
0x1401381f0 FlsFree
0x1401381f8 GetDateFormatW
0x140138200 GetTimeFormatW
0x140138208 CompareStringW
0x140138210 LCMapStringW
0x140138218 GetLocaleInfoW
0x140138220 IsValidLocale
0x140138228 GetUserDefaultLCID
0x140138230 EnumSystemLocalesW
0x140138238 FindClose
0x140138240 FindFirstFileExW
0x140138248 FindNextFileW
0x140138250 IsValidCodePage
0x140138258 GetACP
0x140138260 GetOEMCP
0x140138268 GetCPInfo
0x140138270 GetCommandLineA
0x140138278 GetCommandLineW
0x140138280 GetEnvironmentStringsW
0x140138288 FreeEnvironmentStringsW
0x140138290 SetEnvironmentVariableW
0x140138298 SetStdHandle
0x1401382a0 GetStringTypeW
0x1401382a8 HeapReAlloc
0x1401382b0 HeapQueryInformation
0x1401382b8 GetFileSizeEx
0x1401382c0 SetFilePointerEx
0x1401382c8 FlushFileBuffers
0x1401382d0 GetConsoleOutputCP
0x1401382d8 GetConsoleMode
0x1401382e0 ReadFile
0x1401382e8 RtlUnwind
SHELL32.dll
0x1401383d8 ShellExecuteExW
EAT (Export Address Table): none