ScreenShot
| Created | 2021.04.23 10:10 | Machine | s1_win7_x6402 |
| Filename | askinstall36.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 39 detected (AIDetect, malware1, malicious, high confidence, Siggen12, Zusy, DisbukRI, S19305183, GenericRXLT, Save, ZexaF, v10@aCmAWxlj, Socelars, Eldorado, Attribute, HighConfidence, PWSX, Razy, BGVO, Static AI, Suspicious PE, Disbuk, AGEN, Emotet, score, R372531, BScope, Agentb, ai score=82, Glupteba, Bruteforce, ET#86%, RDMK, cmRtazoobj1HOeqKadbiAuTplqG0, confidence) | ||
| md5 | 9f2a48592d3ce0632f1ecca2c34567b9 | ||
| sha256 | 49458df54e5da628fe86d2173c15e5f95222e3d583075a8bc47a89d13521df53 | ||
| ssdeep | 24576:dJDMp/w7XTLV6ERPFmOR2EwCtEizv9dleCRcdGuRoNrRxP6dxZctge56xY:fDMpwTp6SFVRTwW5LebMuelxP6dxZct/ | ||
| imphash | 4f0608b5638c60342069764638589dcf | ||
| impfuzzy | 48:/XV+FLa0DZuBGRMUS0LES9wYQJcGtp48+9faOwOe6mxvmYBOvyzy:/XAFuEjRMr0LESBQJcGtp43ta736mxOP | ||
Network IP location
Signature (32cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Drops 100 unknown file mime types indicative of ransomware writing encrypted files back to disk |
| watch | One or more non-whitelisted processes were created |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | Foreign language identified in PE resource |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
Rules (75cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Trojan_PWS_Stealer_1_Zero | Trojan.PWS.Stealer Zero | binaries (upload) |
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Emotet_RL_1_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Emotet_RL_2_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Credential_User_Data_Check_Zero | Credential User Data Check | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | SQLite_cookies_Check_Zero | SQLite Cookie Check... select | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (upload) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (download) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (upload) |
| info | GIF_Format_Zero | GIF Format | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
| info | create_com_service | Create a COM server | binaries (download) |
| info | create_service | Create a windows service | binaries (download) |
| info | cred_ie7 | Steal IE 7 credential | binaries (download) |
| info | cred_local | Steal credential | binaries (download) |
| info | escalate_priv | Escalade priviledges | binaries (download) |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
| info | HasModified_DOS_Message | DOS Message Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | ImportTableIsBad | ImportTable Check | binaries (download) |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | binaries (download) |
| info | IsConsole | (no description) | binaries (download) |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsSuspicious | Might be PE Virus | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | binaries (download) |
| info | Microsoft_Office_Document_Zero | Microsoft Office Document Signature Zero | binaries (download) |
| info | migrate_apc | APC queue tasks migration | binaries (download) |
| info | network_dga | Communication using dga | binaries (download) |
| info | network_dns | Communications use DNS | binaries (download) |
| info | network_dropper | File downloader/dropper | binaries (download) |
| info | network_ftp | Communications over FTP | binaries (download) |
| info | network_http | Communications over HTTP | binaries (download) |
| info | network_http | Communications over HTTP | binaries (upload) |
| info | network_tcp_listen | Listen for incoming communication | binaries (download) |
| info | network_tcp_socket | Communications over RAW socket | binaries (download) |
| info | network_tor | Communications over TOR network | binaries (download) |
| info | network_udp_sock | Communications over UDP network | binaries (download) |
| info | rat_webcam | Remote Administration toolkit using webcam | binaries (download) |
| info | screenshot | Take screenshot | binaries (download) |
| info | sniff_audio | Record Audio | binaries (download) |
| info | spreading_share | Malware can spread east-west using share drive | binaries (download) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (download) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (download) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_private_profile | Affect private profile | binaries (download) |
| info | win_registry | Affect system registries | binaries (download) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_token | Affect system token | binaries (download) |
| info | win_token | Affect system token | binaries (upload) |
Network (12cnts) ?
Suricata ids
ET DNS Query to a *.pw domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO HTTP Request to a *.pw domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO HTTP Request to a *.pw domain
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x50c050 LocalAlloc
0x50c054 LocalFree
0x50c058 WinExec
0x50c05c GetComputerNameW
0x50c060 GetModuleFileNameA
0x50c064 GetCurrentProcessId
0x50c068 OpenProcess
0x50c06c GetModuleFileNameW
0x50c070 SetLastError
0x50c074 GetCurrentThread
0x50c078 FindResourceW
0x50c07c GetPrivateProfileStringW
0x50c080 CopyFileW
0x50c084 SetStdHandle
0x50c088 SetEnvironmentVariableW
0x50c08c FreeEnvironmentStringsW
0x50c090 GetEnvironmentStringsW
0x50c094 GetOEMCP
0x50c098 SizeofResource
0x50c09c CreateProcessA
0x50c0a0 LockResource
0x50c0a4 LoadResource
0x50c0a8 FreeLibrary
0x50c0ac GetTickCount
0x50c0b0 TerminateProcess
0x50c0b4 Sleep
0x50c0b8 WaitForSingleObject
0x50c0bc GetProcessHeap
0x50c0c0 HeapAlloc
0x50c0c4 GetLastError
0x50c0c8 GetTempPathA
0x50c0cc CreateDirectoryA
0x50c0d0 SetCurrentDirectoryW
0x50c0d4 GetShortPathNameA
0x50c0d8 LoadLibraryW
0x50c0dc GetProcAddress
0x50c0e0 WideCharToMultiByte
0x50c0e4 MultiByteToWideChar
0x50c0e8 SystemTimeToFileTime
0x50c0ec DosDateTimeToFileTime
0x50c0f0 GetCurrentProcess
0x50c0f4 DuplicateHandle
0x50c0f8 CloseHandle
0x50c0fc WriteFile
0x50c100 SetFileTime
0x50c104 SetFilePointer
0x50c108 ReadFile
0x50c10c GetFileType
0x50c110 CreateFileW
0x50c114 CreateDirectoryW
0x50c118 CreateEventW
0x50c11c GetCurrentDirectoryW
0x50c120 GetACP
0x50c124 IsValidCodePage
0x50c128 FindNextFileW
0x50c12c FindFirstFileExW
0x50c130 FindClose
0x50c134 GetTimeZoneInformation
0x50c138 GetFileSizeEx
0x50c13c GetConsoleCP
0x50c140 SetFilePointerEx
0x50c144 ReadConsoleW
0x50c148 GetConsoleMode
0x50c14c EnumSystemLocalesW
0x50c150 GetUserDefaultLCID
0x50c154 IsValidLocale
0x50c158 GetCommandLineW
0x50c15c GetCommandLineA
0x50c160 GetStdHandle
0x50c164 ExitProcess
0x50c168 GetModuleHandleExW
0x50c16c FreeLibraryAndExitThread
0x50c170 ExitThread
0x50c174 CreateThread
0x50c178 LoadLibraryExW
0x50c17c RtlUnwind
0x50c180 RaiseException
0x50c184 GetStringTypeW
0x50c188 GetLocaleInfoW
0x50c18c LCMapStringW
0x50c190 CompareStringW
0x50c194 GetCPInfo
0x50c198 TlsFree
0x50c19c WriteConsoleW
0x50c1a0 TlsSetValue
0x50c1a4 TlsGetValue
0x50c1a8 TlsAlloc
0x50c1ac SwitchToThread
0x50c1b0 DecodePointer
0x50c1b4 EncodePointer
0x50c1b8 InitializeSListHead
0x50c1bc GetStartupInfoW
0x50c1c0 IsDebuggerPresent
0x50c1c4 GetModuleHandleW
0x50c1c8 ResetEvent
0x50c1cc SetEvent
0x50c1d0 InitializeCriticalSectionAndSpinCount
0x50c1d4 IsProcessorFeaturePresent
0x50c1d8 SetUnhandledExceptionFilter
0x50c1dc UnhandledExceptionFilter
0x50c1e0 FlushFileBuffers
0x50c1e4 QueryPerformanceCounter
0x50c1e8 MapViewOfFile
0x50c1ec CreateFileMappingW
0x50c1f0 FormatMessageA
0x50c1f4 GetSystemTime
0x50c1f8 GetSystemTimeAsFileTime
0x50c1fc AreFileApisANSI
0x50c200 TryEnterCriticalSection
0x50c204 HeapCreate
0x50c208 HeapFree
0x50c20c EnterCriticalSection
0x50c210 GetFullPathNameW
0x50c214 GetDiskFreeSpaceW
0x50c218 OutputDebugStringA
0x50c21c LockFile
0x50c220 LeaveCriticalSection
0x50c224 InitializeCriticalSection
0x50c228 GetFullPathNameA
0x50c22c SetEndOfFile
0x50c230 UnlockFileEx
0x50c234 GetTempPathW
0x50c238 CreateMutexW
0x50c23c GetFileAttributesW
0x50c240 GetCurrentThreadId
0x50c244 UnmapViewOfFile
0x50c248 HeapValidate
0x50c24c HeapSize
0x50c250 FormatMessageW
0x50c254 GetDiskFreeSpaceA
0x50c258 GetFileAttributesA
0x50c25c GetFileAttributesExW
0x50c260 OutputDebugStringW
0x50c264 FlushViewOfFile
0x50c268 CreateFileA
0x50c26c LoadLibraryA
0x50c270 WaitForSingleObjectEx
0x50c274 DeleteFileA
0x50c278 DeleteFileW
0x50c27c HeapReAlloc
0x50c280 GetSystemInfo
0x50c284 HeapCompact
0x50c288 HeapDestroy
0x50c28c UnlockFile
0x50c290 LockFileEx
0x50c294 GetFileSize
0x50c298 DeleteCriticalSection
ADVAPI32.dll
0x50c000 LookupPrivilegeValueW
0x50c004 AdjustTokenPrivileges
0x50c008 LookupAccountNameW
0x50c00c SetSecurityDescriptorOwner
0x50c010 SetSecurityDescriptorGroup
0x50c014 SetSecurityDescriptorDacl
0x50c018 IsValidSecurityDescriptor
0x50c01c InitializeSecurityDescriptor
0x50c020 InitializeAcl
0x50c024 GetTokenInformation
0x50c028 GetLengthSid
0x50c02c FreeSid
0x50c030 EqualSid
0x50c034 DuplicateToken
0x50c038 AllocateAndInitializeSid
0x50c03c AddAccessAllowedAce
0x50c040 AccessCheck
0x50c044 OpenThreadToken
0x50c048 OpenProcessToken
SHELL32.dll
0x50c2a8 ShellExecuteExA
ole32.dll
0x50c2fc CoInitializeEx
0x50c300 CoGetObject
0x50c304 CoUninitialize
WININET.dll
0x50c2b0 InternetGetCookieExA
NETAPI32.dll
0x50c2a0 Netbios
ntdll.dll
0x50c2b8 RtlInitUnicodeString
0x50c2bc NtFreeVirtualMemory
0x50c2c0 LdrEnumerateLoadedModules
0x50c2c4 RtlEqualUnicodeString
0x50c2c8 RtlAcquirePebLock
0x50c2cc NtAllocateVirtualMemory
0x50c2d0 RtlReleasePebLock
0x50c2d4 RtlNtStatusToDosError
0x50c2d8 RtlCreateHeap
0x50c2dc RtlDestroyHeap
0x50c2e0 RtlAllocateHeap
0x50c2e4 RtlFreeHeap
0x50c2e8 NtClose
0x50c2ec NtOpenKey
0x50c2f0 NtEnumerateValueKey
0x50c2f4 NtQueryValueKey
EAT(Export Address Table) is none
KERNEL32.dll
0x50c050 LocalAlloc
0x50c054 LocalFree
0x50c058 WinExec
0x50c05c GetComputerNameW
0x50c060 GetModuleFileNameA
0x50c064 GetCurrentProcessId
0x50c068 OpenProcess
0x50c06c GetModuleFileNameW
0x50c070 SetLastError
0x50c074 GetCurrentThread
0x50c078 FindResourceW
0x50c07c GetPrivateProfileStringW
0x50c080 CopyFileW
0x50c084 SetStdHandle
0x50c088 SetEnvironmentVariableW
0x50c08c FreeEnvironmentStringsW
0x50c090 GetEnvironmentStringsW
0x50c094 GetOEMCP
0x50c098 SizeofResource
0x50c09c CreateProcessA
0x50c0a0 LockResource
0x50c0a4 LoadResource
0x50c0a8 FreeLibrary
0x50c0ac GetTickCount
0x50c0b0 TerminateProcess
0x50c0b4 Sleep
0x50c0b8 WaitForSingleObject
0x50c0bc GetProcessHeap
0x50c0c0 HeapAlloc
0x50c0c4 GetLastError
0x50c0c8 GetTempPathA
0x50c0cc CreateDirectoryA
0x50c0d0 SetCurrentDirectoryW
0x50c0d4 GetShortPathNameA
0x50c0d8 LoadLibraryW
0x50c0dc GetProcAddress
0x50c0e0 WideCharToMultiByte
0x50c0e4 MultiByteToWideChar
0x50c0e8 SystemTimeToFileTime
0x50c0ec DosDateTimeToFileTime
0x50c0f0 GetCurrentProcess
0x50c0f4 DuplicateHandle
0x50c0f8 CloseHandle
0x50c0fc WriteFile
0x50c100 SetFileTime
0x50c104 SetFilePointer
0x50c108 ReadFile
0x50c10c GetFileType
0x50c110 CreateFileW
0x50c114 CreateDirectoryW
0x50c118 CreateEventW
0x50c11c GetCurrentDirectoryW
0x50c120 GetACP
0x50c124 IsValidCodePage
0x50c128 FindNextFileW
0x50c12c FindFirstFileExW
0x50c130 FindClose
0x50c134 GetTimeZoneInformation
0x50c138 GetFileSizeEx
0x50c13c GetConsoleCP
0x50c140 SetFilePointerEx
0x50c144 ReadConsoleW
0x50c148 GetConsoleMode
0x50c14c EnumSystemLocalesW
0x50c150 GetUserDefaultLCID
0x50c154 IsValidLocale
0x50c158 GetCommandLineW
0x50c15c GetCommandLineA
0x50c160 GetStdHandle
0x50c164 ExitProcess
0x50c168 GetModuleHandleExW
0x50c16c FreeLibraryAndExitThread
0x50c170 ExitThread
0x50c174 CreateThread
0x50c178 LoadLibraryExW
0x50c17c RtlUnwind
0x50c180 RaiseException
0x50c184 GetStringTypeW
0x50c188 GetLocaleInfoW
0x50c18c LCMapStringW
0x50c190 CompareStringW
0x50c194 GetCPInfo
0x50c198 TlsFree
0x50c19c WriteConsoleW
0x50c1a0 TlsSetValue
0x50c1a4 TlsGetValue
0x50c1a8 TlsAlloc
0x50c1ac SwitchToThread
0x50c1b0 DecodePointer
0x50c1b4 EncodePointer
0x50c1b8 InitializeSListHead
0x50c1bc GetStartupInfoW
0x50c1c0 IsDebuggerPresent
0x50c1c4 GetModuleHandleW
0x50c1c8 ResetEvent
0x50c1cc SetEvent
0x50c1d0 InitializeCriticalSectionAndSpinCount
0x50c1d4 IsProcessorFeaturePresent
0x50c1d8 SetUnhandledExceptionFilter
0x50c1dc UnhandledExceptionFilter
0x50c1e0 FlushFileBuffers
0x50c1e4 QueryPerformanceCounter
0x50c1e8 MapViewOfFile
0x50c1ec CreateFileMappingW
0x50c1f0 FormatMessageA
0x50c1f4 GetSystemTime
0x50c1f8 GetSystemTimeAsFileTime
0x50c1fc AreFileApisANSI
0x50c200 TryEnterCriticalSection
0x50c204 HeapCreate
0x50c208 HeapFree
0x50c20c EnterCriticalSection
0x50c210 GetFullPathNameW
0x50c214 GetDiskFreeSpaceW
0x50c218 OutputDebugStringA
0x50c21c LockFile
0x50c220 LeaveCriticalSection
0x50c224 InitializeCriticalSection
0x50c228 GetFullPathNameA
0x50c22c SetEndOfFile
0x50c230 UnlockFileEx
0x50c234 GetTempPathW
0x50c238 CreateMutexW
0x50c23c GetFileAttributesW
0x50c240 GetCurrentThreadId
0x50c244 UnmapViewOfFile
0x50c248 HeapValidate
0x50c24c HeapSize
0x50c250 FormatMessageW
0x50c254 GetDiskFreeSpaceA
0x50c258 GetFileAttributesA
0x50c25c GetFileAttributesExW
0x50c260 OutputDebugStringW
0x50c264 FlushViewOfFile
0x50c268 CreateFileA
0x50c26c LoadLibraryA
0x50c270 WaitForSingleObjectEx
0x50c274 DeleteFileA
0x50c278 DeleteFileW
0x50c27c HeapReAlloc
0x50c280 GetSystemInfo
0x50c284 HeapCompact
0x50c288 HeapDestroy
0x50c28c UnlockFile
0x50c290 LockFileEx
0x50c294 GetFileSize
0x50c298 DeleteCriticalSection
ADVAPI32.dll
0x50c000 LookupPrivilegeValueW
0x50c004 AdjustTokenPrivileges
0x50c008 LookupAccountNameW
0x50c00c SetSecurityDescriptorOwner
0x50c010 SetSecurityDescriptorGroup
0x50c014 SetSecurityDescriptorDacl
0x50c018 IsValidSecurityDescriptor
0x50c01c InitializeSecurityDescriptor
0x50c020 InitializeAcl
0x50c024 GetTokenInformation
0x50c028 GetLengthSid
0x50c02c FreeSid
0x50c030 EqualSid
0x50c034 DuplicateToken
0x50c038 AllocateAndInitializeSid
0x50c03c AddAccessAllowedAce
0x50c040 AccessCheck
0x50c044 OpenThreadToken
0x50c048 OpenProcessToken
SHELL32.dll
0x50c2a8 ShellExecuteExA
ole32.dll
0x50c2fc CoInitializeEx
0x50c300 CoGetObject
0x50c304 CoUninitialize
WININET.dll
0x50c2b0 InternetGetCookieExA
NETAPI32.dll
0x50c2a0 Netbios
ntdll.dll
0x50c2b8 RtlInitUnicodeString
0x50c2bc NtFreeVirtualMemory
0x50c2c0 LdrEnumerateLoadedModules
0x50c2c4 RtlEqualUnicodeString
0x50c2c8 RtlAcquirePebLock
0x50c2cc NtAllocateVirtualMemory
0x50c2d0 RtlReleasePebLock
0x50c2d4 RtlNtStatusToDosError
0x50c2d8 RtlCreateHeap
0x50c2dc RtlDestroyHeap
0x50c2e0 RtlAllocateHeap
0x50c2e4 RtlFreeHeap
0x50c2e8 NtClose
0x50c2ec NtOpenKey
0x50c2f0 NtEnumerateValueKey
0x50c2f4 NtQueryValueKey
EAT(Export Address Table) is none