ScreenShot
| Created | 2021.04.20 09:23 | Machine | s1_win7_x6402 |
| Filename | g1mrfi.rar | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 8 detected (malicious, high confidence, Artemis, a variant of Generik, JLTUTKE, FileRepMalware) | ||
| md5 | 340994098deb6bf6fa91f73350af7c15 | ||
| sha256 | da81aa0dd37baccdbdc7f7f9a3619d6e85155f8bd67fcd2fafdbe534443fdc0c | ||
| ssdeep | 24576:9uxbU2AOgFXP8+MAdInh86SYuvBwbRxa3i5wlTDqtOsGQlqcVIQ0P:sxbU2AO2P89UIh86SYuvBwbRxa3wm3qE | ||
| imphash | 2a948aa6ee56b061a497687927ef5597 | ||
| impfuzzy | 24:kfaLu9QHY9Uc+WcJBlibZDXKjNtvSxGha9K2GoFv4/MrPZIfTqWpOovbORnU2t:kfb9Uc+H40tvSxG80n4nPZ3l35UM | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
Network (5cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4c1000 VirtualProtect
0x4c1004 VirtualProtectEx
0x4c1008 GetCurrentThreadId
0x4c100c Sleep
0x4c1010 CreateSemaphoreA
0x4c1014 GetModuleFileNameA
0x4c1018 CreateProcessA
0x4c101c RemoveDirectoryA
0x4c1020 WriteConsoleW
0x4c1024 SetEndOfFile
0x4c1028 HeapSize
0x4c102c CreateFileW
0x4c1030 SetStdHandle
0x4c1034 SetEnvironmentVariableW
0x4c1038 FreeEnvironmentStringsW
0x4c103c GetEnvironmentStringsW
0x4c1040 WideCharToMultiByte
0x4c1044 MultiByteToWideChar
0x4c1048 GetStringTypeW
0x4c104c FormatMessageW
0x4c1050 EnterCriticalSection
0x4c1054 LeaveCriticalSection
0x4c1058 DeleteCriticalSection
0x4c105c EncodePointer
0x4c1060 DecodePointer
0x4c1064 SetLastError
0x4c1068 InitializeCriticalSectionAndSpinCount
0x4c106c CreateEventW
0x4c1070 TlsAlloc
0x4c1074 TlsGetValue
0x4c1078 TlsSetValue
0x4c107c TlsFree
0x4c1080 GetSystemTimeAsFileTime
0x4c1084 GetTickCount
0x4c1088 GetModuleHandleW
0x4c108c GetProcAddress
0x4c1090 CompareStringW
0x4c1094 LCMapStringW
0x4c1098 GetLocaleInfoW
0x4c109c GetCPInfo
0x4c10a0 CloseHandle
0x4c10a4 SetEvent
0x4c10a8 ResetEvent
0x4c10ac WaitForSingleObjectEx
0x4c10b0 IsProcessorFeaturePresent
0x4c10b4 IsDebuggerPresent
0x4c10b8 UnhandledExceptionFilter
0x4c10bc SetUnhandledExceptionFilter
0x4c10c0 GetStartupInfoW
0x4c10c4 GetCurrentProcess
0x4c10c8 TerminateProcess
0x4c10cc QueryPerformanceCounter
0x4c10d0 GetCurrentProcessId
0x4c10d4 InitializeSListHead
0x4c10d8 RaiseException
0x4c10dc RtlUnwind
0x4c10e0 GetLastError
0x4c10e4 FreeLibrary
0x4c10e8 LoadLibraryExW
0x4c10ec InterlockedPushEntrySList
0x4c10f0 InterlockedFlushSList
0x4c10f4 HeapAlloc
0x4c10f8 HeapFree
0x4c10fc HeapReAlloc
0x4c1100 ExitProcess
0x4c1104 GetModuleHandleExW
0x4c1108 GetModuleFileNameW
0x4c110c GetCurrentThread
0x4c1110 GetStdHandle
0x4c1114 GetFileType
0x4c1118 ReadFile
0x4c111c GetConsoleMode
0x4c1120 ReadConsoleW
0x4c1124 GetDateFormatW
0x4c1128 GetTimeFormatW
0x4c112c IsValidLocale
0x4c1130 GetUserDefaultLCID
0x4c1134 EnumSystemLocalesW
0x4c1138 GetProcessHeap
0x4c113c GetFileSizeEx
0x4c1140 SetFilePointerEx
0x4c1144 FlushFileBuffers
0x4c1148 WriteFile
0x4c114c GetConsoleCP
0x4c1150 SetConsoleCtrlHandler
0x4c1154 GetTimeZoneInformation
0x4c1158 FindClose
0x4c115c FindFirstFileExW
0x4c1160 FindNextFileW
0x4c1164 IsValidCodePage
0x4c1168 GetACP
0x4c116c GetOEMCP
0x4c1170 GetCommandLineA
0x4c1174 GetCommandLineW
0x4c1178 OutputDebugStringW
VERSION.dll
0x4c1190 GetFileVersionInfoA
0x4c1194 GetFileVersionInfoSizeA
0x4c1198 VerQueryValueA
MPR.dll
0x4c1180 WNetGetUserA
0x4c1184 WNetGetUniversalNameW
0x4c1188 WNetGetConnectionA
EAT(Export Address Table) Library
0x459510 Babydream
0x459ab0 Finalplay
0x459b50 Milkwhole
0x459e60 SpeedBig
0x45a070 Thisfrom
KERNEL32.dll
0x4c1000 VirtualProtect
0x4c1004 VirtualProtectEx
0x4c1008 GetCurrentThreadId
0x4c100c Sleep
0x4c1010 CreateSemaphoreA
0x4c1014 GetModuleFileNameA
0x4c1018 CreateProcessA
0x4c101c RemoveDirectoryA
0x4c1020 WriteConsoleW
0x4c1024 SetEndOfFile
0x4c1028 HeapSize
0x4c102c CreateFileW
0x4c1030 SetStdHandle
0x4c1034 SetEnvironmentVariableW
0x4c1038 FreeEnvironmentStringsW
0x4c103c GetEnvironmentStringsW
0x4c1040 WideCharToMultiByte
0x4c1044 MultiByteToWideChar
0x4c1048 GetStringTypeW
0x4c104c FormatMessageW
0x4c1050 EnterCriticalSection
0x4c1054 LeaveCriticalSection
0x4c1058 DeleteCriticalSection
0x4c105c EncodePointer
0x4c1060 DecodePointer
0x4c1064 SetLastError
0x4c1068 InitializeCriticalSectionAndSpinCount
0x4c106c CreateEventW
0x4c1070 TlsAlloc
0x4c1074 TlsGetValue
0x4c1078 TlsSetValue
0x4c107c TlsFree
0x4c1080 GetSystemTimeAsFileTime
0x4c1084 GetTickCount
0x4c1088 GetModuleHandleW
0x4c108c GetProcAddress
0x4c1090 CompareStringW
0x4c1094 LCMapStringW
0x4c1098 GetLocaleInfoW
0x4c109c GetCPInfo
0x4c10a0 CloseHandle
0x4c10a4 SetEvent
0x4c10a8 ResetEvent
0x4c10ac WaitForSingleObjectEx
0x4c10b0 IsProcessorFeaturePresent
0x4c10b4 IsDebuggerPresent
0x4c10b8 UnhandledExceptionFilter
0x4c10bc SetUnhandledExceptionFilter
0x4c10c0 GetStartupInfoW
0x4c10c4 GetCurrentProcess
0x4c10c8 TerminateProcess
0x4c10cc QueryPerformanceCounter
0x4c10d0 GetCurrentProcessId
0x4c10d4 InitializeSListHead
0x4c10d8 RaiseException
0x4c10dc RtlUnwind
0x4c10e0 GetLastError
0x4c10e4 FreeLibrary
0x4c10e8 LoadLibraryExW
0x4c10ec InterlockedPushEntrySList
0x4c10f0 InterlockedFlushSList
0x4c10f4 HeapAlloc
0x4c10f8 HeapFree
0x4c10fc HeapReAlloc
0x4c1100 ExitProcess
0x4c1104 GetModuleHandleExW
0x4c1108 GetModuleFileNameW
0x4c110c GetCurrentThread
0x4c1110 GetStdHandle
0x4c1114 GetFileType
0x4c1118 ReadFile
0x4c111c GetConsoleMode
0x4c1120 ReadConsoleW
0x4c1124 GetDateFormatW
0x4c1128 GetTimeFormatW
0x4c112c IsValidLocale
0x4c1130 GetUserDefaultLCID
0x4c1134 EnumSystemLocalesW
0x4c1138 GetProcessHeap
0x4c113c GetFileSizeEx
0x4c1140 SetFilePointerEx
0x4c1144 FlushFileBuffers
0x4c1148 WriteFile
0x4c114c GetConsoleCP
0x4c1150 SetConsoleCtrlHandler
0x4c1154 GetTimeZoneInformation
0x4c1158 FindClose
0x4c115c FindFirstFileExW
0x4c1160 FindNextFileW
0x4c1164 IsValidCodePage
0x4c1168 GetACP
0x4c116c GetOEMCP
0x4c1170 GetCommandLineA
0x4c1174 GetCommandLineW
0x4c1178 OutputDebugStringW
VERSION.dll
0x4c1190 GetFileVersionInfoA
0x4c1194 GetFileVersionInfoSizeA
0x4c1198 VerQueryValueA
MPR.dll
0x4c1180 WNetGetUserA
0x4c1184 WNetGetUniversalNameW
0x4c1188 WNetGetConnectionA
EAT(Export Address Table) Library
0x459510 Babydream
0x459ab0 Finalplay
0x459b50 Milkwhole
0x459e60 SpeedBig
0x45a070 Thisfrom