ScreenShot
| Created | 2021.04.06 16:45 | Machine | s1_win7_x6401 |
| Filename | sogoufgnm.e | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 46 detected (malicious, high confidence, MauvaiseRI, S5244821, Unsafe, SogouCRTD, Sogou, Generic ML PUA, Eldorado, Attribute, HighConfidence, Chir, Gbot, fgypno, Chindo, C@6e9656, wqqyp, VSN03H18, Malicious PE, 28ICKY, score, R180775, ai score=100, confidence) | ||
| md5 | aa2bac3e53d4a670c8728f862f5e2650 | ||
| sha256 | 2cf4726e7806ccf6017b5aadfa4f0efd07a419b39b738bfa89aa02d53fbc9213 | ||
| ssdeep | 49152:nuuE7AnqIxGrGYyZa/tgrYJUGfZC3wA6EylfwEaFWd:ZE7AqrlyutLxC3sEwwMd | ||
| imphash | e1ca64229bf6b618126d05f47e655044 | ||
| impfuzzy | 48:kjoDd1UX+ZtHRHK9JcRfMiZSKdmXVOCQN3vi5jUXjE6:z1UuZtHRHQJcRfMKSGmXVcr | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to create or modify system certificates |
| watch | Network activity contains more than one unique useragent |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process sogousoftware.exe |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Foreign language identified in PE resource |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (66cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (upload) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (download) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | JPEG_Format_Zero | JPEG Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | escalate_priv | Escalade priviledges | binaries (download) |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsConsole | (no description) | binaries (download) |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | network_dns | Communications use DNS | binaries (download) |
| info | network_dropper | File downloader/dropper | binaries (download) |
| info | network_http | Communications over HTTP | binaries (download) |
| info | network_http | Communications over HTTP | binaries (upload) |
| info | network_tcp_listen | Listen for incoming communication | binaries (download) |
| info | network_tcp_socket | Communications over RAW socket | binaries (download) |
| info | network_udp_sock | Communications over UDP network | binaries (download) |
| info | screenshot | Take screenshot | binaries (download) |
| info | screenshot | Take screenshot | binaries (upload) |
| info | screenshot | Take screenshot | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (download) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (download) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_private_profile | Affect private profile | binaries (download) |
| info | win_private_profile | Affect private profile | binaries (upload) |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | binaries (download) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | binaries (download) |
| info | win_token | Affect system token | binaries (upload) |
| info | win_token | Affect system token | memory |
Network (17cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x42d020 CloseHandle
0x42d024 DebugBreak
0x42d028 GetCommandLineW
0x42d02c GetTempPathW
0x42d030 CompareStringW
0x42d034 GetProcessHeap
0x42d038 SetEndOfFile
0x42d03c WriteConsoleW
0x42d040 SetStdHandle
0x42d044 SetFilePointer
0x42d048 lstrlenW
0x42d04c PeekNamedPipe
0x42d050 GetFileInformationByHandle
0x42d054 GetFullPathNameW
0x42d058 GetTimeZoneInformation
0x42d05c FlushFileBuffers
0x42d060 GetConsoleMode
0x42d064 GetConsoleCP
0x42d068 FindFirstFileExW
0x42d06c GetDriveTypeW
0x42d070 FileTimeToLocalFileTime
0x42d074 FileTimeToSystemTime
0x42d078 CreateThread
0x42d07c ExitThread
0x42d080 MultiByteToWideChar
0x42d084 CreateFileW
0x42d088 WriteFile
0x42d08c OutputDebugStringW
0x42d090 InterlockedDecrement
0x42d094 InterlockedIncrement
0x42d098 lstrlenA
0x42d09c LockResource
0x42d0a0 SizeofResource
0x42d0a4 GetModuleHandleW
0x42d0a8 LoadResource
0x42d0ac FindResourceW
0x42d0b0 GetCurrentDirectoryW
0x42d0b4 FreeResource
0x42d0b8 CreateFileA
0x42d0bc CreateMutexW
0x42d0c0 lstrcmpW
0x42d0c4 GetSystemDirectoryW
0x42d0c8 DeviceIoControl
0x42d0cc ReadFile
0x42d0d0 CopyFileW
0x42d0d4 GetLastError
0x42d0d8 HeapFree
0x42d0dc HeapSetInformation
0x42d0e0 GetStartupInfoW
0x42d0e4 RaiseException
0x42d0e8 TerminateProcess
0x42d0ec GetCurrentProcess
0x42d0f0 UnhandledExceptionFilter
0x42d0f4 SetUnhandledExceptionFilter
0x42d0f8 IsDebuggerPresent
0x42d0fc HeapAlloc
0x42d100 IsProcessorFeaturePresent
0x42d104 EncodePointer
0x42d108 DecodePointer
0x42d10c HeapCreate
0x42d110 GetCPInfo
0x42d114 GetACP
0x42d118 GetOEMCP
0x42d11c IsValidCodePage
0x42d120 TlsAlloc
0x42d124 TlsGetValue
0x42d128 TlsSetValue
0x42d12c TlsFree
0x42d130 SetLastError
0x42d134 GetCurrentThreadId
0x42d138 GetProcAddress
0x42d13c LCMapStringW
0x42d140 GetStringTypeW
0x42d144 ExitProcess
0x42d148 GetStdHandle
0x42d14c GetModuleFileNameW
0x42d150 FreeEnvironmentStringsW
0x42d154 GetEnvironmentStringsW
0x42d158 SetHandleCount
0x42d15c InitializeCriticalSectionAndSpinCount
0x42d160 GetFileType
0x42d164 DeleteCriticalSection
0x42d168 QueryPerformanceCounter
0x42d16c GetTickCount
0x42d170 GetCurrentProcessId
0x42d174 GetSystemTimeAsFileTime
0x42d178 LeaveCriticalSection
0x42d17c EnterCriticalSection
0x42d180 RtlUnwind
0x42d184 Sleep
0x42d188 HeapSize
0x42d18c WideCharToMultiByte
0x42d190 GetUserDefaultLCID
0x42d194 GetLocaleInfoW
0x42d198 GetLocaleInfoA
0x42d19c EnumSystemLocalesA
0x42d1a0 IsValidLocale
0x42d1a4 FreeLibrary
0x42d1a8 InterlockedExchange
0x42d1ac LoadLibraryW
0x42d1b0 HeapReAlloc
0x42d1b4 GetEnvironmentVariableW
0x42d1b8 CreateDirectoryW
0x42d1bc GetPrivateProfileStringW
0x42d1c0 WaitForSingleObject
0x42d1c4 OutputDebugStringA
0x42d1c8 InitializeCriticalSection
0x42d1cc FindFirstFileW
0x42d1d0 FindNextFileW
0x42d1d4 FindClose
0x42d1d8 GetVersionExW
0x42d1dc GetLocalTime
0x42d1e0 CreateEventW
0x42d1e4 CreateSemaphoreW
0x42d1e8 ResetEvent
0x42d1ec ReleaseSemaphore
0x42d1f0 SetEvent
0x42d1f4 WaitForMultipleObjects
0x42d1f8 DeleteFileW
0x42d1fc lstrcpynW
0x42d200 lstrcpyW
0x42d204 GetFileSize
0x42d208 SetEnvironmentVariableA
USER32.dll
0x42d258 wvsprintfW
0x42d25c wsprintfW
0x42d260 CharNextW
0x42d264 LoadStringW
SHELL32.dll
0x42d228 ShellExecuteExW
0x42d22c ShellExecuteW
0x42d230 SHGetSpecialFolderPathW
0x42d234 SHFileOperationW
ole32.dll
0x42d2a8 CoInitialize
0x42d2ac CoGetClassObject
0x42d2b0 CoCreateGuid
0x42d2b4 CoUninitialize
SHLWAPI.dll
0x42d23c StrCpyW
0x42d240 PathIsDirectoryW
0x42d244 PathFileExistsW
0x42d248 SHSetValueW
0x42d24c SHGetValueW
0x42d250 PathAppendW
PSAPI.DLL
0x42d220 GetModuleBaseNameW
WININET.dll
0x42d27c InternetConnectW
0x42d280 InternetCloseHandle
0x42d284 InternetOpenW
0x42d288 InternetSetOptionW
0x42d28c InternetQueryDataAvailable
0x42d290 HttpQueryInfoW
0x42d294 InternetCrackUrlW
0x42d298 HttpSendRequestW
0x42d29c HttpOpenRequestW
0x42d2a0 InternetReadFile
VERSION.dll
0x42d26c VerQueryValueW
0x42d270 GetFileVersionInfoSizeW
0x42d274 GetFileVersionInfoW
NETAPI32.dll
0x42d210 NetApiBufferFree
0x42d214 NetWkstaTransportEnum
0x42d218 Netbios
ADVAPI32.dll
0x42d000 RegOpenKeyExA
0x42d004 RegCloseKey
0x42d008 OpenSCManagerW
0x42d00c OpenServiceW
0x42d010 QueryServiceStatus
0x42d014 CloseServiceHandle
0x42d018 RegQueryValueExA
EAT(Export Address Table) is none
KERNEL32.dll
0x42d020 CloseHandle
0x42d024 DebugBreak
0x42d028 GetCommandLineW
0x42d02c GetTempPathW
0x42d030 CompareStringW
0x42d034 GetProcessHeap
0x42d038 SetEndOfFile
0x42d03c WriteConsoleW
0x42d040 SetStdHandle
0x42d044 SetFilePointer
0x42d048 lstrlenW
0x42d04c PeekNamedPipe
0x42d050 GetFileInformationByHandle
0x42d054 GetFullPathNameW
0x42d058 GetTimeZoneInformation
0x42d05c FlushFileBuffers
0x42d060 GetConsoleMode
0x42d064 GetConsoleCP
0x42d068 FindFirstFileExW
0x42d06c GetDriveTypeW
0x42d070 FileTimeToLocalFileTime
0x42d074 FileTimeToSystemTime
0x42d078 CreateThread
0x42d07c ExitThread
0x42d080 MultiByteToWideChar
0x42d084 CreateFileW
0x42d088 WriteFile
0x42d08c OutputDebugStringW
0x42d090 InterlockedDecrement
0x42d094 InterlockedIncrement
0x42d098 lstrlenA
0x42d09c LockResource
0x42d0a0 SizeofResource
0x42d0a4 GetModuleHandleW
0x42d0a8 LoadResource
0x42d0ac FindResourceW
0x42d0b0 GetCurrentDirectoryW
0x42d0b4 FreeResource
0x42d0b8 CreateFileA
0x42d0bc CreateMutexW
0x42d0c0 lstrcmpW
0x42d0c4 GetSystemDirectoryW
0x42d0c8 DeviceIoControl
0x42d0cc ReadFile
0x42d0d0 CopyFileW
0x42d0d4 GetLastError
0x42d0d8 HeapFree
0x42d0dc HeapSetInformation
0x42d0e0 GetStartupInfoW
0x42d0e4 RaiseException
0x42d0e8 TerminateProcess
0x42d0ec GetCurrentProcess
0x42d0f0 UnhandledExceptionFilter
0x42d0f4 SetUnhandledExceptionFilter
0x42d0f8 IsDebuggerPresent
0x42d0fc HeapAlloc
0x42d100 IsProcessorFeaturePresent
0x42d104 EncodePointer
0x42d108 DecodePointer
0x42d10c HeapCreate
0x42d110 GetCPInfo
0x42d114 GetACP
0x42d118 GetOEMCP
0x42d11c IsValidCodePage
0x42d120 TlsAlloc
0x42d124 TlsGetValue
0x42d128 TlsSetValue
0x42d12c TlsFree
0x42d130 SetLastError
0x42d134 GetCurrentThreadId
0x42d138 GetProcAddress
0x42d13c LCMapStringW
0x42d140 GetStringTypeW
0x42d144 ExitProcess
0x42d148 GetStdHandle
0x42d14c GetModuleFileNameW
0x42d150 FreeEnvironmentStringsW
0x42d154 GetEnvironmentStringsW
0x42d158 SetHandleCount
0x42d15c InitializeCriticalSectionAndSpinCount
0x42d160 GetFileType
0x42d164 DeleteCriticalSection
0x42d168 QueryPerformanceCounter
0x42d16c GetTickCount
0x42d170 GetCurrentProcessId
0x42d174 GetSystemTimeAsFileTime
0x42d178 LeaveCriticalSection
0x42d17c EnterCriticalSection
0x42d180 RtlUnwind
0x42d184 Sleep
0x42d188 HeapSize
0x42d18c WideCharToMultiByte
0x42d190 GetUserDefaultLCID
0x42d194 GetLocaleInfoW
0x42d198 GetLocaleInfoA
0x42d19c EnumSystemLocalesA
0x42d1a0 IsValidLocale
0x42d1a4 FreeLibrary
0x42d1a8 InterlockedExchange
0x42d1ac LoadLibraryW
0x42d1b0 HeapReAlloc
0x42d1b4 GetEnvironmentVariableW
0x42d1b8 CreateDirectoryW
0x42d1bc GetPrivateProfileStringW
0x42d1c0 WaitForSingleObject
0x42d1c4 OutputDebugStringA
0x42d1c8 InitializeCriticalSection
0x42d1cc FindFirstFileW
0x42d1d0 FindNextFileW
0x42d1d4 FindClose
0x42d1d8 GetVersionExW
0x42d1dc GetLocalTime
0x42d1e0 CreateEventW
0x42d1e4 CreateSemaphoreW
0x42d1e8 ResetEvent
0x42d1ec ReleaseSemaphore
0x42d1f0 SetEvent
0x42d1f4 WaitForMultipleObjects
0x42d1f8 DeleteFileW
0x42d1fc lstrcpynW
0x42d200 lstrcpyW
0x42d204 GetFileSize
0x42d208 SetEnvironmentVariableA
USER32.dll
0x42d258 wvsprintfW
0x42d25c wsprintfW
0x42d260 CharNextW
0x42d264 LoadStringW
SHELL32.dll
0x42d228 ShellExecuteExW
0x42d22c ShellExecuteW
0x42d230 SHGetSpecialFolderPathW
0x42d234 SHFileOperationW
ole32.dll
0x42d2a8 CoInitialize
0x42d2ac CoGetClassObject
0x42d2b0 CoCreateGuid
0x42d2b4 CoUninitialize
SHLWAPI.dll
0x42d23c StrCpyW
0x42d240 PathIsDirectoryW
0x42d244 PathFileExistsW
0x42d248 SHSetValueW
0x42d24c SHGetValueW
0x42d250 PathAppendW
PSAPI.DLL
0x42d220 GetModuleBaseNameW
WININET.dll
0x42d27c InternetConnectW
0x42d280 InternetCloseHandle
0x42d284 InternetOpenW
0x42d288 InternetSetOptionW
0x42d28c InternetQueryDataAvailable
0x42d290 HttpQueryInfoW
0x42d294 InternetCrackUrlW
0x42d298 HttpSendRequestW
0x42d29c HttpOpenRequestW
0x42d2a0 InternetReadFile
VERSION.dll
0x42d26c VerQueryValueW
0x42d270 GetFileVersionInfoSizeW
0x42d274 GetFileVersionInfoW
NETAPI32.dll
0x42d210 NetApiBufferFree
0x42d214 NetWkstaTransportEnum
0x42d218 Netbios
ADVAPI32.dll
0x42d000 RegOpenKeyExA
0x42d004 RegCloseKey
0x42d008 OpenSCManagerW
0x42d00c OpenServiceW
0x42d010 QueryServiceStatus
0x42d014 CloseServiceHandle
0x42d018 RegQueryValueExA
EAT(Export Address Table) is none