Field | Value |
---|---|
Created | 2025.05.02 09:14 |
Machine | s1_win7_x6401 |
Filename | knfl.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | |
VT API (file) | 19 detected (Unsafe, Tflower, malicious, confidence, high confidence, Kryptik@AI, RDML, vvmGpHFuNtdpoJVlNx7q6A, Static AI, Suspicious PE, Detected, Kepavll, Artemis, Oader, Fflw, susgen) |
md5 | 1ba63abea41132cba32f200b48172a8f |
sha256 | a300e62cdad3282467bd71fb7cd7931a734a84528f1b49a2874409a8301c048b |
ssdeep | 24576:hg+J6MdwgOs1QQbCn+DzeQVLMJk0HCzx2gaMNfg:zMJVizI |
imphash | 510a3588f1d3089e62364976381d5c62 |
impfuzzy | 24:Yj1dcpVPOK02tMSYEoeDRGchyJe1lh7Qkv7rT/XuFZoSOovbOPZHu9pGMJh:icpVPO+tMSGoGc/rQuDuFZA3kh |
Signature (17cnts)
Level | Description |
---|---|
watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) by library
KERNEL32.dll
0x1401aa000 CloseHandle
0x1401aa008 WaitForSingleObject
0x1401aa010 Sleep
0x1401aa018 GetExitCodeProcess
0x1401aa020 CreateFileW
0x1401aa028 ReadConsoleW
0x1401aa030 ReadFile
0x1401aa038 EnterCriticalSection
0x1401aa040 LeaveCriticalSection
0x1401aa048 InitializeCriticalSectionEx
0x1401aa050 DeleteCriticalSection
0x1401aa058 GetCurrentThreadId
0x1401aa060 IsDebuggerPresent
0x1401aa068 RaiseException
0x1401aa070 MultiByteToWideChar
0x1401aa078 WideCharToMultiByte
0x1401aa080 RtlCaptureContext
0x1401aa088 RtlLookupFunctionEntry
0x1401aa090 RtlVirtualUnwind
0x1401aa098 UnhandledExceptionFilter
0x1401aa0a0 SetUnhandledExceptionFilter
0x1401aa0a8 GetCurrentProcess
0x1401aa0b0 TerminateProcess
0x1401aa0b8 IsProcessorFeaturePresent
0x1401aa0c0 QueryPerformanceCounter
0x1401aa0c8 GetCurrentProcessId
0x1401aa0d0 GetSystemTimeAsFileTime
0x1401aa0d8 InitializeSListHead
0x1401aa0e0 GetStartupInfoW
0x1401aa0e8 GetModuleHandleW
0x1401aa0f0 GetLastError
0x1401aa0f8 HeapAlloc
0x1401aa100 HeapFree
0x1401aa108 GetProcessHeap
0x1401aa110 VirtualQuery
0x1401aa118 FreeLibrary
0x1401aa120 GetProcAddress
0x1401aa128 RtlPcToFileHeader
0x1401aa130 RtlUnwindEx
0x1401aa138 InterlockedPushEntrySList
0x1401aa140 InterlockedFlushSList
0x1401aa148 GetModuleFileNameW
0x1401aa150 LoadLibraryExW
0x1401aa158 SetLastError
0x1401aa160 EncodePointer
0x1401aa168 InitializeCriticalSectionAndSpinCount
0x1401aa170 TlsAlloc
0x1401aa178 TlsGetValue
0x1401aa180 TlsSetValue
0x1401aa188 TlsFree
0x1401aa190 GetModuleHandleExW
0x1401aa198 GetStdHandle
0x1401aa1a0 WriteFile
0x1401aa1a8 ExitProcess
0x1401aa1b0 HeapSize
0x1401aa1b8 HeapValidate
0x1401aa1c0 GetSystemInfo
0x1401aa1c8 GetCurrentThread
0x1401aa1d0 GetFileType
0x1401aa1d8 OutputDebugStringW
0x1401aa1e0 WriteConsoleW
0x1401aa1e8 SetConsoleCtrlHandler
0x1401aa1f0 GetTempPathW
0x1401aa1f8 FlsAlloc
0x1401aa200 FlsGetValue
0x1401aa208 FlsSetValue
0x1401aa210 FlsFree
0x1401aa218 GetDateFormatW
0x1401aa220 GetTimeFormatW
0x1401aa228 CompareStringW
0x1401aa230 LCMapStringW
0x1401aa238 GetLocaleInfoW
0x1401aa240 IsValidLocale
0x1401aa248 GetUserDefaultLCID
0x1401aa250 EnumSystemLocalesW
0x1401aa258 FindClose
0x1401aa260 FindFirstFileExW
0x1401aa268 FindNextFileW
0x1401aa270 IsValidCodePage
0x1401aa278 GetACP
0x1401aa280 GetOEMCP
0x1401aa288 GetCPInfo
0x1401aa290 GetCommandLineA
0x1401aa298 GetCommandLineW
0x1401aa2a0 GetEnvironmentStringsW
0x1401aa2a8 FreeEnvironmentStringsW
0x1401aa2b0 SetEnvironmentVariableW
0x1401aa2b8 SetStdHandle
0x1401aa2c0 GetStringTypeW
0x1401aa2c8 HeapReAlloc
0x1401aa2d0 HeapQueryInformation
0x1401aa2d8 GetFileSizeEx
0x1401aa2e0 SetFilePointerEx
0x1401aa2e8 FlushFileBuffers
0x1401aa2f0 GetConsoleOutputCP
0x1401aa2f8 GetConsoleMode
0x1401aa300 RtlUnwind
SHELL32.dll
0x1401aa3f8 ShellExecuteExW
EAT (Export Address Table): none