ScreenShot
| Created | 2021.04.13 09:19 | Machine | s1_win7_x6401 |
| Filename | p33.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 52 detected (AIDetect, malware1, malicious, high confidence, Siggen12, GenericKD, Artemis, Unsafe, SpikeAexR, PEVPSZL, Frank, YYBQ, Attribute, HighConfidence, Kryptik, HJTL, iphmkx, Gencirc, Malware@#2ppl5n9wbpuio, AGEN, Krypt, Vigorf, score, R372369, ai score=100, R002H0CCA21, CLOUD, HeFmQiT7svI, Static AI, Suspicious PE, GenKryptik, EZLB, confidence, 100%, HxMBzggA) | ||
| md5 | 29389832e538957dc769cf709f80144a | ||
| sha256 | d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035 | ||
| ssdeep | 98304:EoT9sIWSFT79YBDTzRHjEREGL1d2YuVNR:RCIW6790vlHjEREGLK3bR | ||
| imphash | 3a057d8e2436bad9e0ae8c20a8d4d334 | ||
| impfuzzy | 48:/NQLhH+fc9TWt3TGSe40QlKCFlyES5InB45/1uhbn6G6tKji/:/NUH+fc9TWaqMmqtKji/ | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to create or modify system certificates |
| watch | Communicates with host for which no DNS query was performed |
| watch | Disables proxy possibly for traffic interception |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (43cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (download) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
| info | escalate_priv | Escalade priviledges | binaries (download) |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | Microsoft_Office_Document_Zero | Microsoft Office Document Signature Zero | binaries (download) |
| info | network_dns | Communications use DNS | binaries (download) |
| info | network_http | Communications over HTTP | binaries (download) |
| info | network_tcp_listen | Listen for incoming communication | binaries (download) |
| info | network_tcp_socket | Communications over RAW socket | binaries (download) |
| info | network_udp_sock | Communications over UDP network | binaries (download) |
| info | screenshot | Take screenshot | binaries (download) |
| info | screenshot | Take screenshot | binaries (upload) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (download) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (download) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_private_profile | Affect private profile | binaries (download) |
| info | win_registry | Affect system registries | binaries (download) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_token | Affect system token | binaries (download) |
Network (14cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40b050 FlushFileBuffers
0x40b054 GetStringTypeW
0x40b058 GetStringTypeA
0x40b05c SetStdHandle
0x40b060 LoadLibraryA
0x40b064 GetOEMCP
0x40b068 GetACP
0x40b06c LCMapStringW
0x40b070 MultiByteToWideChar
0x40b074 GetCPInfo
0x40b078 SetFilePointer
0x40b07c WriteFile
0x40b080 TlsGetValue
0x40b084 SetLastError
0x40b088 DeviceIoControl
0x40b08c GetTickCount
0x40b090 CreateFileA
0x40b094 GetLastError
0x40b098 CreateMutexA
0x40b09c ReleaseMutex
0x40b0a0 WaitForSingleObject
0x40b0a4 CloseHandle
0x40b0a8 GetModuleHandleA
0x40b0ac GetProcAddress
0x40b0b0 GetCurrentProcess
0x40b0b4 LCMapStringA
0x40b0b8 GetVersionExA
0x40b0bc TlsAlloc
0x40b0c0 TlsSetValue
0x40b0c4 GetCurrentThreadId
0x40b0c8 GetFileType
0x40b0cc GetStdHandle
0x40b0d0 HeapFree
0x40b0d4 HeapAlloc
0x40b0d8 HeapReAlloc
0x40b0dc GetStartupInfoA
0x40b0e0 GetCommandLineA
0x40b0e4 GetVersion
0x40b0e8 ExitProcess
0x40b0ec InitializeCriticalSection
0x40b0f0 DeleteCriticalSection
0x40b0f4 EnterCriticalSection
0x40b0f8 LeaveCriticalSection
0x40b0fc InterlockedDecrement
0x40b100 InterlockedIncrement
0x40b104 GetModuleFileNameA
0x40b108 GetEnvironmentVariableA
0x40b10c HeapDestroy
0x40b110 HeapCreate
0x40b114 VirtualFree
0x40b118 VirtualAlloc
0x40b11c RtlUnwind
0x40b120 TerminateProcess
0x40b124 UnhandledExceptionFilter
0x40b128 FreeEnvironmentStringsA
0x40b12c FreeEnvironmentStringsW
0x40b130 WideCharToMultiByte
0x40b134 GetEnvironmentStrings
0x40b138 GetEnvironmentStringsW
0x40b13c SetHandleCount
USER32.dll
0x40b160 GetMessageA
0x40b164 DispatchMessageA
0x40b168 TranslateMessage
0x40b16c LoadIconA
0x40b170 LoadCursorA
0x40b174 RegisterClassA
0x40b178 CreateWindowExA
0x40b17c ShowWindow
0x40b180 UpdateWindow
0x40b184 GetSystemMetrics
0x40b188 SetWindowPos
0x40b18c SetTimer
0x40b190 BeginPaint
0x40b194 EndPaint
0x40b198 KillTimer
0x40b19c PostQuitMessage
0x40b1a0 GetDC
0x40b1a4 ReleaseDC
0x40b1a8 DefWindowProcA
0x40b1ac MessageBoxA
0x40b1b0 DrawTextA
0x40b1b4 LoadBitmapA
0x40b1b8 PostMessageA
0x40b1bc SystemParametersInfoA
GDI32.dll
0x40b01c SetBkMode
0x40b020 SetTextColor
0x40b024 Rectangle
0x40b028 CreateCompatibleDC
0x40b02c SelectObject
0x40b030 GetObjectA
0x40b034 BitBlt
0x40b038 DeleteDC
0x40b03c DeleteObject
0x40b040 CreateFontIndirectA
0x40b044 CreateBrushIndirect
0x40b048 GetStockObject
ADVAPI32.dll
0x40b000 RegOpenKeyExA
0x40b004 RegCreateKeyExA
0x40b008 RegOpenKeyA
0x40b00c RegCreateKeyA
0x40b010 RegSetValueExA
0x40b014 RegCloseKey
SHELL32.dll
0x40b158 ShellExecuteA
SETUPAPI.dll
0x40b144 SetupDiGetClassDevsA
0x40b148 SetupDiEnumDeviceInterfaces
0x40b14c SetupDiGetDeviceInterfaceDetailA
0x40b150 SetupDiDestroyDeviceInfoList
EAT(Export Address Table) is none
KERNEL32.dll
0x40b050 FlushFileBuffers
0x40b054 GetStringTypeW
0x40b058 GetStringTypeA
0x40b05c SetStdHandle
0x40b060 LoadLibraryA
0x40b064 GetOEMCP
0x40b068 GetACP
0x40b06c LCMapStringW
0x40b070 MultiByteToWideChar
0x40b074 GetCPInfo
0x40b078 SetFilePointer
0x40b07c WriteFile
0x40b080 TlsGetValue
0x40b084 SetLastError
0x40b088 DeviceIoControl
0x40b08c GetTickCount
0x40b090 CreateFileA
0x40b094 GetLastError
0x40b098 CreateMutexA
0x40b09c ReleaseMutex
0x40b0a0 WaitForSingleObject
0x40b0a4 CloseHandle
0x40b0a8 GetModuleHandleA
0x40b0ac GetProcAddress
0x40b0b0 GetCurrentProcess
0x40b0b4 LCMapStringA
0x40b0b8 GetVersionExA
0x40b0bc TlsAlloc
0x40b0c0 TlsSetValue
0x40b0c4 GetCurrentThreadId
0x40b0c8 GetFileType
0x40b0cc GetStdHandle
0x40b0d0 HeapFree
0x40b0d4 HeapAlloc
0x40b0d8 HeapReAlloc
0x40b0dc GetStartupInfoA
0x40b0e0 GetCommandLineA
0x40b0e4 GetVersion
0x40b0e8 ExitProcess
0x40b0ec InitializeCriticalSection
0x40b0f0 DeleteCriticalSection
0x40b0f4 EnterCriticalSection
0x40b0f8 LeaveCriticalSection
0x40b0fc InterlockedDecrement
0x40b100 InterlockedIncrement
0x40b104 GetModuleFileNameA
0x40b108 GetEnvironmentVariableA
0x40b10c HeapDestroy
0x40b110 HeapCreate
0x40b114 VirtualFree
0x40b118 VirtualAlloc
0x40b11c RtlUnwind
0x40b120 TerminateProcess
0x40b124 UnhandledExceptionFilter
0x40b128 FreeEnvironmentStringsA
0x40b12c FreeEnvironmentStringsW
0x40b130 WideCharToMultiByte
0x40b134 GetEnvironmentStrings
0x40b138 GetEnvironmentStringsW
0x40b13c SetHandleCount
USER32.dll
0x40b160 GetMessageA
0x40b164 DispatchMessageA
0x40b168 TranslateMessage
0x40b16c LoadIconA
0x40b170 LoadCursorA
0x40b174 RegisterClassA
0x40b178 CreateWindowExA
0x40b17c ShowWindow
0x40b180 UpdateWindow
0x40b184 GetSystemMetrics
0x40b188 SetWindowPos
0x40b18c SetTimer
0x40b190 BeginPaint
0x40b194 EndPaint
0x40b198 KillTimer
0x40b19c PostQuitMessage
0x40b1a0 GetDC
0x40b1a4 ReleaseDC
0x40b1a8 DefWindowProcA
0x40b1ac MessageBoxA
0x40b1b0 DrawTextA
0x40b1b4 LoadBitmapA
0x40b1b8 PostMessageA
0x40b1bc SystemParametersInfoA
GDI32.dll
0x40b01c SetBkMode
0x40b020 SetTextColor
0x40b024 Rectangle
0x40b028 CreateCompatibleDC
0x40b02c SelectObject
0x40b030 GetObjectA
0x40b034 BitBlt
0x40b038 DeleteDC
0x40b03c DeleteObject
0x40b040 CreateFontIndirectA
0x40b044 CreateBrushIndirect
0x40b048 GetStockObject
ADVAPI32.dll
0x40b000 RegOpenKeyExA
0x40b004 RegCreateKeyExA
0x40b008 RegOpenKeyA
0x40b00c RegCreateKeyA
0x40b010 RegSetValueExA
0x40b014 RegCloseKey
SHELL32.dll
0x40b158 ShellExecuteA
SETUPAPI.dll
0x40b144 SetupDiGetClassDevsA
0x40b148 SetupDiEnumDeviceInterfaces
0x40b14c SetupDiGetDeviceInterfaceDetailA
0x40b150 SetupDiDestroyDeviceInfoList
EAT(Export Address Table) is none