Field | Value |
---|---|
Created | 2021.04.09 17:04 |
Machine | s1_win7_x6401 |
Filename | setups.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 24 detected (AIDetect, malware2, malicious, high confidence, Artemis, Unsafe, Wacatac, confidence, Csdi, InnoSetup, StartPage1, flkmrj, AGEN, Eorezo, AdwareFileTour, Generic PUA HK, lpok, Bomitag, score, HyoDbh8A) |
md5 | 44ecbc585f2689d58b5ae9f04fe01b3e |
sha256 | 7719b68c0086f95dd9e816cfeada8215acd19747935b23999750d0d29f8272ce |
ssdeep | 49152:XyNq5scu5GS73HAADa3B2C4eOxjDSojtkba7EG5FE2HUXCzD:ibzrUqjxvSojtU6EaFLHhn |
imphash | 2fb819a19fe4dee5c03e8c6a79342f79 |
impfuzzy | 48:8cfp1rcQX0gebPCZr9ZbldH9AOZGwt+Eu55T/lGB:8cfpdcqNebqZr3rHW2 |
Network IP location
Signature (18cnts)
Level | Description |
---|---|
warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (58cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
notice | Str_Win32_Http_API | Match Windows Http API call | binaries (download) |
notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | borland_delphi | Borland Delphi 2.0 - 7.0 / 2005 - 2007 | binaries (download) |
info | borland_delphi | Borland Delphi 2.0 - 7.0 / 2005 - 2007 | binaries (upload) |
info | borland_delphi_dll | Borland Delphi DLL | binaries (download) |
info | escalate_priv | Escalate privileges | binaries (download) |
info | escalate_priv | Escalate privileges | binaries (upload) |
info | HasDebugData | DebugData Check | binaries (download) |
info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
info | HasOverlay | Overlay Check | binaries (download) |
info | HasOverlay | Overlay Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (download) |
info | IsConsole | (no description) | binaries (download) |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (download) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | keylogger | Run a keylogger | binaries (download) |
info | Microsoft_Office_Document_Zero | Microsoft Office Document Signature Zero | binaries (download) |
info | network_dns | Communications use DNS | binaries (download) |
info | network_ftp | Communications over FTP | binaries (download) |
info | network_http | Communications over HTTP | binaries (download) |
info | network_tcp_listen | Listen for incoming communication | binaries (download) |
info | network_tcp_socket | Communications over RAW socket | binaries (download) |
info | network_udp_sock | Communications over UDP network | binaries (download) |
info | screenshot | Take screenshot | binaries (download) |
info | spreading_file | Malware can spread east-west file | binaries (download) |
info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (download) |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (download) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
info | win_files_operation | Affect private profile | binaries (download) |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_files_operation | Affect private profile | memory |
info | win_mutex | Create or check mutex | binaries (download) |
info | win_private_profile | Affect private profile | binaries (download) |
info | win_registry | Affect system registries | binaries (download) |
info | win_registry | Affect system registries | binaries (upload) |
info | win_registry | Affect system registries | memory |
info | win_token | Affect system token | binaries (download) |
info | win_token | Affect system token | binaries (upload) |
info | win_token | Affect system token | memory |
PE API
IAT (Import Address Table) Library
kernel32.dll
0x40e0b4 DeleteCriticalSection
0x40e0b8 LeaveCriticalSection
0x40e0bc EnterCriticalSection
0x40e0c0 InitializeCriticalSection
0x40e0c4 VirtualFree
0x40e0c8 VirtualAlloc
0x40e0cc LocalFree
0x40e0d0 LocalAlloc
0x40e0d4 WideCharToMultiByte
0x40e0d8 TlsSetValue
0x40e0dc TlsGetValue
0x40e0e0 MultiByteToWideChar
0x40e0e4 GetModuleHandleA
0x40e0e8 GetLastError
0x40e0ec GetCommandLineA
0x40e0f0 WriteFile
0x40e0f4 SetFilePointer
0x40e0f8 SetEndOfFile
0x40e0fc RtlUnwind
0x40e100 ReadFile
0x40e104 RaiseException
0x40e108 GetStdHandle
0x40e10c GetFileSize
0x40e110 GetSystemTime
0x40e114 GetFileType
0x40e118 ExitProcess
0x40e11c CreateFileA
0x40e120 CloseHandle
user32.dll
0x40e128 MessageBoxA
oleaut32.dll
0x40e130 VariantChangeTypeEx
0x40e134 VariantCopyInd
0x40e138 VariantClear
0x40e13c SysStringLen
0x40e140 SysAllocStringLen
advapi32.dll
0x40e148 RegQueryValueExA
0x40e14c RegOpenKeyExA
0x40e150 RegCloseKey
0x40e154 OpenProcessToken
0x40e158 LookupPrivilegeValueA
kernel32.dll
0x40e160 WriteFile
0x40e164 VirtualQuery
0x40e168 VirtualProtect
0x40e16c VirtualFree
0x40e170 VirtualAlloc
0x40e174 Sleep
0x40e178 SizeofResource
0x40e17c SetLastError
0x40e180 SetFilePointer
0x40e184 SetErrorMode
0x40e188 SetEndOfFile
0x40e18c RemoveDirectoryA
0x40e190 ReadFile
0x40e194 LockResource
0x40e198 LoadResource
0x40e19c LoadLibraryA
0x40e1a0 IsDBCSLeadByte
0x40e1a4 GetWindowsDirectoryA
0x40e1a8 GetVersionExA
0x40e1ac GetVersion
0x40e1b0 GetUserDefaultLangID
0x40e1b4 GetSystemInfo
0x40e1b8 GetSystemDirectoryA
0x40e1bc GetSystemDefaultLCID
0x40e1c0 GetProcAddress
0x40e1c4 GetModuleHandleA
0x40e1c8 GetModuleFileNameA
0x40e1cc GetLocaleInfoA
0x40e1d0 GetLastError
0x40e1d4 GetFullPathNameA
0x40e1d8 GetFileSize
0x40e1dc GetFileAttributesA
0x40e1e0 GetExitCodeProcess
0x40e1e4 GetEnvironmentVariableA
0x40e1e8 GetCurrentProcess
0x40e1ec GetCommandLineA
0x40e1f0 GetACP
0x40e1f4 InterlockedExchange
0x40e1f8 FormatMessageA
0x40e1fc FindResourceA
0x40e200 DeleteFileA
0x40e204 CreateProcessA
0x40e208 CreateFileA
0x40e20c CreateDirectoryA
0x40e210 CloseHandle
user32.dll
0x40e218 TranslateMessage
0x40e21c SetWindowLongA
0x40e220 PeekMessageA
0x40e224 MsgWaitForMultipleObjects
0x40e228 MessageBoxA
0x40e22c LoadStringA
0x40e230 ExitWindowsEx
0x40e234 DispatchMessageA
0x40e238 DestroyWindow
0x40e23c CreateWindowExA
0x40e240 CallWindowProcA
0x40e244 CharPrevA
comctl32.dll
0x40e24c InitCommonControls
advapi32.dll
0x40e254 AdjustTokenPrivileges
EAT (Export Address Table): none