ScreenShot
| Created | 2021.04.03 10:52 | Machine | s1_win7_x6402 |
| Filename | Zeppelin.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 52 detected (AIDetect, malware2, malicious, high confidence, GenericRXKB, Unsafe, Save, ali2000010, Buhtrap, Eldorado, Attribute, HighConfidence, Filecoder, Buran, score, FileRepMalware, Ajbt, ZEPPELIN, SMTH, susgen, R + Mal, Behav, E39JD1, R338445, BScope, Crypmod, VegaLocker, ai score=89, CLOUD, Static AI, Malicious PE, GdSda, confidence, 100%, HwUBSaoA) | ||
| md5 | 75c1ff39aac846286257e7186dc0096e | ||
| sha256 | 63067c7050bab69e0903ed3887710e4fa50d30d5865c765941df579ddb9b4ab3 | ||
| ssdeep | 6144:/yJE1yd7WTJmcyfZmPWna4DQFu/U3buRKlemZ9DnGAevI4P9+:/U/d7WwvUPWa4DQFu/U3buRKlemZ9Dn4 | ||
| imphash | 8acb34bed3caa60cae3f08f75d53f727 | ||
| impfuzzy | 96:oO4fXYU3u0MQc9pQr3xUgV1q/6gwmKdbC1BQDwPOQD:ot3dpLxH1qSlxJ65POQD | ||
Network IP location
Signature (31cnts)
| Level | Description |
|---|---|
| danger | Drops 10881 unknown file mime types indicative of ransomware writing encrypted files back to disk |
| danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| warning | Generates some ICMP traffic |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Created a process named as a common system process |
| watch | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
| watch | Deletes executed files from disk |
| watch | Installs itself for autorun at Windows startup |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Modifies boot configuration settings |
| watch | Network communications indicative of possible code injection originated from the process explorer.exe |
| watch | Potential code injection by writing to the memory of another process |
| watch | Removes the Shadow Copy to avoid recovery of the system |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Executes one or more WMI queries |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
Rules (57cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| notice | network_smtp_raw | Communications smtp | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (upload) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (download) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (upload) |
| info | GIF_Format_Zero | GIF Format | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | JPEG_Format_Zero | JPEG Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
| info | borland_delphi | Borland Delphi 2.0 - 7.0 / 2005 - 2007 | binaries (upload) |
| info | create_service | Create a windows service | binaries (download) |
| info | escalate_priv | Escalade priviledges | binaries (download) |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
| info | HasModified_DOS_Message | DOS Message Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | ImportTableIsBad | ImportTable Check | binaries (download) |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | binaries (upload) |
| info | IsBeyondImageSize | Data Beyond ImageSize Check | binaries (download) |
| info | IsConsole | (no description) | binaries (download) |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | binaries (download) |
| info | keylogger | Run a keylogger | binaries (upload) |
| info | Microsoft_Office_Document_Zero | Microsoft Office Document Signature Zero | binaries (download) |
| info | network_dga | Communication using dga | binaries (download) |
| info | network_dropper | File downloader/dropper | binaries (download) |
| info | network_http | Communications over HTTP | binaries (download) |
| info | network_http | Communications over HTTP | binaries (upload) |
| info | network_tcp_listen | Listen for incoming communication | binaries (download) |
| info | network_tor | Communications over TOR network | binaries (download) |
| info | rat_rdp | Remote Administration toolkit enable RDP | binaries (download) |
| info | screenshot | Take screenshot | binaries (download) |
| info | spreading_share | Malware can spread east-west using share drive | binaries (download) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (download) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (download) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_private_profile | Affect private profile | binaries (download) |
| info | win_registry | Affect system registries | binaries (download) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_token | Affect system token | binaries (download) |
| info | win_token | Affect system token | binaries (upload) |
Network (9cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
oleaut32.dll
0x539458 SysFreeString
0x53945c SysReAllocStringLen
0x539460 SysAllocStringLen
advapi32.dll
0x539468 RegQueryValueExA
0x53946c RegOpenKeyExA
0x539470 RegCloseKey
user32.dll
0x539478 GetKeyboardType
0x53947c DestroyWindow
0x539480 LoadStringA
0x539484 MessageBoxA
0x539488 CharNextA
kernel32.dll
0x539490 GetACP
0x539494 Sleep
0x539498 VirtualFree
0x53949c VirtualAlloc
0x5394a0 GetTickCount
0x5394a4 QueryPerformanceCounter
0x5394a8 GetCurrentThreadId
0x5394ac InterlockedDecrement
0x5394b0 InterlockedIncrement
0x5394b4 VirtualQuery
0x5394b8 WideCharToMultiByte
0x5394bc MultiByteToWideChar
0x5394c0 lstrlenA
0x5394c4 lstrcpynA
0x5394c8 LoadLibraryExA
0x5394cc GetThreadLocale
0x5394d0 GetStartupInfoA
0x5394d4 GetProcAddress
0x5394d8 GetModuleHandleA
0x5394dc GetModuleFileNameA
0x5394e0 GetLocaleInfoA
0x5394e4 GetCommandLineA
0x5394e8 FreeLibrary
0x5394ec FindFirstFileA
0x5394f0 FindClose
0x5394f4 ExitProcess
0x5394f8 ExitThread
0x5394fc CreateThread
0x539500 WriteFile
0x539504 UnhandledExceptionFilter
0x539508 RtlUnwind
0x53950c RaiseException
0x539510 GetStdHandle
kernel32.dll
0x539518 TlsSetValue
0x53951c TlsGetValue
0x539520 LocalAlloc
0x539524 GetModuleHandleA
user32.dll
0x53952c TranslateMessage
0x539530 PeekMessageA
0x539534 MsgWaitForMultipleObjects
0x539538 MessageBoxA
0x53953c LoadStringA
0x539540 GetSystemMetrics
0x539544 DispatchMessageA
0x539548 CharNextW
0x53954c CharLowerBuffW
0x539550 CharNextA
0x539554 CharLowerBuffA
0x539558 CharLowerA
0x53955c CharUpperA
0x539560 CharToOemA
mpr.dll
0x539568 WNetOpenEnumW
0x53956c WNetEnumResourceW
0x539570 WNetCloseEnum
kernel32.dll
0x539578 WriteProcessMemory
0x53957c WriteFile
0x539580 WaitForSingleObject
0x539584 VirtualQuery
0x539588 VirtualAllocEx
0x53958c TerminateThread
0x539590 TerminateProcess
0x539594 SetLastError
0x539598 SetFileTime
0x53959c SetFilePointer
0x5395a0 SetFileAttributesW
0x5395a4 SetEvent
0x5395a8 SetEndOfFile
0x5395ac ResumeThread
0x5395b0 ResetEvent
0x5395b4 ReadFile
0x5395b8 OpenProcess
0x5395bc MoveFileW
0x5395c0 LoadLibraryA
0x5395c4 LeaveCriticalSection
0x5395c8 InitializeCriticalSection
0x5395cc GlobalUnlock
0x5395d0 GlobalReAlloc
0x5395d4 GlobalHandle
0x5395d8 GlobalLock
0x5395dc GlobalFree
0x5395e0 GlobalAlloc
0x5395e4 GetVersionExA
0x5395e8 GetUserDefaultLangID
0x5395ec GetTickCount
0x5395f0 GetThreadLocale
0x5395f4 GetStdHandle
0x5395f8 GetProcAddress
0x5395fc GetModuleHandleA
0x539600 GetModuleFileNameW
0x539604 GetModuleFileNameA
0x539608 GetLocaleInfoA
0x53960c GetLocalTime
0x539610 GetLastError
0x539614 GetFullPathNameA
0x539618 GetFileAttributesW
0x53961c GetFileAttributesA
0x539620 GetExitCodeThread
0x539624 GetEnvironmentVariableW
0x539628 GetEnvironmentVariableA
0x53962c GetDriveTypeA
0x539630 GetDiskFreeSpaceA
0x539634 GetDateFormatA
0x539638 GetCurrentThreadId
0x53963c GetCurrentProcess
0x539640 GetCommandLineW
0x539644 GetCPInfo
0x539648 InterlockedIncrement
0x53964c InterlockedExchange
0x539650 InterlockedDecrement
0x539654 FreeLibrary
0x539658 FormatMessageA
0x53965c FindNextFileW
0x539660 FindFirstFileW
0x539664 FindClose
0x539668 FileTimeToLocalFileTime
0x53966c FileTimeToDosDateTime
0x539670 ExitThread
0x539674 ExitProcess
0x539678 EnumCalendarInfoA
0x53967c EnterCriticalSection
0x539680 DuplicateHandle
0x539684 DeleteFileW
0x539688 DeleteCriticalSection
0x53968c CreateThread
0x539690 CreateRemoteThread
0x539694 CreateProcessW
0x539698 CreateProcessA
0x53969c CreatePipe
0x5396a0 CreateFileW
0x5396a4 CreateFileA
0x5396a8 CreateEventA
0x5396ac CreateDirectoryW
0x5396b0 CopyFileW
0x5396b4 CompareStringW
0x5396b8 CompareStringA
0x5396bc CloseHandle
advapi32.dll
0x5396c4 RegSetValueExW
0x5396c8 RegSetValueExA
0x5396cc RegQueryValueExW
0x5396d0 RegQueryValueExA
0x5396d4 RegOpenKeyExW
0x5396d8 RegOpenKeyExA
0x5396dc RegEnumKeyExA
0x5396e0 RegDeleteValueA
0x5396e4 RegDeleteKeyA
0x5396e8 RegCreateKeyExW
0x5396ec RegCreateKeyExA
0x5396f0 RegCloseKey
0x5396f4 OpenProcessToken
0x5396f8 LookupPrivilegeValueA
0x5396fc AdjustTokenPrivileges
kernel32.dll
0x539704 Sleep
wininet.dll
0x53970c InternetReadFile
0x539710 InternetOpenUrlA
0x539714 InternetOpenA
0x539718 InternetConnectA
0x53971c InternetCloseHandle
0x539720 HttpSendRequestA
0x539724 HttpOpenRequestA
0x539728 HttpAddRequestHeadersA
shell32.dll
0x539730 ShellExecuteW
shell32.dll
0x539738 SHGetSpecialFolderLocation
shell32.dll
0x539740 SHGetPathFromIDListW
0x539744 SHGetMalloc
oleaut32.dll
0x53974c SafeArrayPtrOfIndex
0x539750 SafeArrayGetUBound
0x539754 SafeArrayGetLBound
0x539758 SafeArrayCreate
0x53975c VariantChangeType
0x539760 VariantCopy
0x539764 VariantClear
0x539768 VariantInit
EAT(Export Address Table) is none
oleaut32.dll
0x539458 SysFreeString
0x53945c SysReAllocStringLen
0x539460 SysAllocStringLen
advapi32.dll
0x539468 RegQueryValueExA
0x53946c RegOpenKeyExA
0x539470 RegCloseKey
user32.dll
0x539478 GetKeyboardType
0x53947c DestroyWindow
0x539480 LoadStringA
0x539484 MessageBoxA
0x539488 CharNextA
kernel32.dll
0x539490 GetACP
0x539494 Sleep
0x539498 VirtualFree
0x53949c VirtualAlloc
0x5394a0 GetTickCount
0x5394a4 QueryPerformanceCounter
0x5394a8 GetCurrentThreadId
0x5394ac InterlockedDecrement
0x5394b0 InterlockedIncrement
0x5394b4 VirtualQuery
0x5394b8 WideCharToMultiByte
0x5394bc MultiByteToWideChar
0x5394c0 lstrlenA
0x5394c4 lstrcpynA
0x5394c8 LoadLibraryExA
0x5394cc GetThreadLocale
0x5394d0 GetStartupInfoA
0x5394d4 GetProcAddress
0x5394d8 GetModuleHandleA
0x5394dc GetModuleFileNameA
0x5394e0 GetLocaleInfoA
0x5394e4 GetCommandLineA
0x5394e8 FreeLibrary
0x5394ec FindFirstFileA
0x5394f0 FindClose
0x5394f4 ExitProcess
0x5394f8 ExitThread
0x5394fc CreateThread
0x539500 WriteFile
0x539504 UnhandledExceptionFilter
0x539508 RtlUnwind
0x53950c RaiseException
0x539510 GetStdHandle
kernel32.dll
0x539518 TlsSetValue
0x53951c TlsGetValue
0x539520 LocalAlloc
0x539524 GetModuleHandleA
user32.dll
0x53952c TranslateMessage
0x539530 PeekMessageA
0x539534 MsgWaitForMultipleObjects
0x539538 MessageBoxA
0x53953c LoadStringA
0x539540 GetSystemMetrics
0x539544 DispatchMessageA
0x539548 CharNextW
0x53954c CharLowerBuffW
0x539550 CharNextA
0x539554 CharLowerBuffA
0x539558 CharLowerA
0x53955c CharUpperA
0x539560 CharToOemA
mpr.dll
0x539568 WNetOpenEnumW
0x53956c WNetEnumResourceW
0x539570 WNetCloseEnum
kernel32.dll
0x539578 WriteProcessMemory
0x53957c WriteFile
0x539580 WaitForSingleObject
0x539584 VirtualQuery
0x539588 VirtualAllocEx
0x53958c TerminateThread
0x539590 TerminateProcess
0x539594 SetLastError
0x539598 SetFileTime
0x53959c SetFilePointer
0x5395a0 SetFileAttributesW
0x5395a4 SetEvent
0x5395a8 SetEndOfFile
0x5395ac ResumeThread
0x5395b0 ResetEvent
0x5395b4 ReadFile
0x5395b8 OpenProcess
0x5395bc MoveFileW
0x5395c0 LoadLibraryA
0x5395c4 LeaveCriticalSection
0x5395c8 InitializeCriticalSection
0x5395cc GlobalUnlock
0x5395d0 GlobalReAlloc
0x5395d4 GlobalHandle
0x5395d8 GlobalLock
0x5395dc GlobalFree
0x5395e0 GlobalAlloc
0x5395e4 GetVersionExA
0x5395e8 GetUserDefaultLangID
0x5395ec GetTickCount
0x5395f0 GetThreadLocale
0x5395f4 GetStdHandle
0x5395f8 GetProcAddress
0x5395fc GetModuleHandleA
0x539600 GetModuleFileNameW
0x539604 GetModuleFileNameA
0x539608 GetLocaleInfoA
0x53960c GetLocalTime
0x539610 GetLastError
0x539614 GetFullPathNameA
0x539618 GetFileAttributesW
0x53961c GetFileAttributesA
0x539620 GetExitCodeThread
0x539624 GetEnvironmentVariableW
0x539628 GetEnvironmentVariableA
0x53962c GetDriveTypeA
0x539630 GetDiskFreeSpaceA
0x539634 GetDateFormatA
0x539638 GetCurrentThreadId
0x53963c GetCurrentProcess
0x539640 GetCommandLineW
0x539644 GetCPInfo
0x539648 InterlockedIncrement
0x53964c InterlockedExchange
0x539650 InterlockedDecrement
0x539654 FreeLibrary
0x539658 FormatMessageA
0x53965c FindNextFileW
0x539660 FindFirstFileW
0x539664 FindClose
0x539668 FileTimeToLocalFileTime
0x53966c FileTimeToDosDateTime
0x539670 ExitThread
0x539674 ExitProcess
0x539678 EnumCalendarInfoA
0x53967c EnterCriticalSection
0x539680 DuplicateHandle
0x539684 DeleteFileW
0x539688 DeleteCriticalSection
0x53968c CreateThread
0x539690 CreateRemoteThread
0x539694 CreateProcessW
0x539698 CreateProcessA
0x53969c CreatePipe
0x5396a0 CreateFileW
0x5396a4 CreateFileA
0x5396a8 CreateEventA
0x5396ac CreateDirectoryW
0x5396b0 CopyFileW
0x5396b4 CompareStringW
0x5396b8 CompareStringA
0x5396bc CloseHandle
advapi32.dll
0x5396c4 RegSetValueExW
0x5396c8 RegSetValueExA
0x5396cc RegQueryValueExW
0x5396d0 RegQueryValueExA
0x5396d4 RegOpenKeyExW
0x5396d8 RegOpenKeyExA
0x5396dc RegEnumKeyExA
0x5396e0 RegDeleteValueA
0x5396e4 RegDeleteKeyA
0x5396e8 RegCreateKeyExW
0x5396ec RegCreateKeyExA
0x5396f0 RegCloseKey
0x5396f4 OpenProcessToken
0x5396f8 LookupPrivilegeValueA
0x5396fc AdjustTokenPrivileges
kernel32.dll
0x539704 Sleep
wininet.dll
0x53970c InternetReadFile
0x539710 InternetOpenUrlA
0x539714 InternetOpenA
0x539718 InternetConnectA
0x53971c InternetCloseHandle
0x539720 HttpSendRequestA
0x539724 HttpOpenRequestA
0x539728 HttpAddRequestHeadersA
shell32.dll
0x539730 ShellExecuteW
shell32.dll
0x539738 SHGetSpecialFolderLocation
shell32.dll
0x539740 SHGetPathFromIDListW
0x539744 SHGetMalloc
oleaut32.dll
0x53974c SafeArrayPtrOfIndex
0x539750 SafeArrayGetUBound
0x539754 SafeArrayGetLBound
0x539758 SafeArrayCreate
0x53975c VariantChangeType
0x539760 VariantCopy
0x539764 VariantClear
0x539768 VariantInit
EAT(Export Address Table) is none