ScreenShot
| Created | 2021.04.23 10:10 | Machine | s1_win7_x6402 |
| Filename | soft.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 42 detected (AIDetect, malware1, malicious, high confidence, Razy, Artemis, Unsafe, Save, TrojanPSW, GenKryptik, Attribute, HighConfidence, FDVB, TrojanX, Kpot, Krypt, Score, Kryptik, fynue, ai score=80, Wacatac, ZexaF, ruW@a0JF5ebi, KpotStealer, R002C0WDK21, CLOUD, Static AI, Suspicious PE, GdSda, confidence, HwoCtZ4A) | ||
| md5 | 7c41e064f77799275788d55d09d1ff3e | ||
| sha256 | 4d4f335669d4e7a200c2b9f31430a6090ab922ba476e0d3aafe0a2462b0978fa | ||
| ssdeep | 6144:SqbQBrkT5xbZosSEEzZ0FTs2s5EM5udsJNsoX0Wq:SqbQBQxbIHUvbMNbE3 | ||
| imphash | e1baf4ab6685a606620fe187c276b405 | ||
| impfuzzy | 24:+scDgMUntwS17M3JeDc+pl39LouXSOovbO9Ziv9:ztwS17M2c+ppJr3A9 | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Expresses interest in specific running processes |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
Network (12cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Unk Downloader CnC Activity
ET MALWARE Win32/Unk Downloader CnC Activity
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40f008 VirtualProtect
0x40f00c VirtualFree
0x40f010 GetCurrentProcess
0x40f014 VirtualAlloc
0x40f018 TerminateProcess
0x40f01c GetModuleHandleA
0x40f020 GetLastError
0x40f024 GetProcAddress
0x40f028 WriteConsoleW
0x40f02c CloseHandle
0x40f030 CreateFileW
0x40f034 SetFilePointerEx
0x40f038 GetConsoleMode
0x40f03c GetConsoleCP
0x40f040 FlushFileBuffers
0x40f044 HeapReAlloc
0x40f048 HeapSize
0x40f04c UnhandledExceptionFilter
0x40f050 SetUnhandledExceptionFilter
0x40f054 IsProcessorFeaturePresent
0x40f058 QueryPerformanceCounter
0x40f05c GetCurrentProcessId
0x40f060 GetCurrentThreadId
0x40f064 GetSystemTimeAsFileTime
0x40f068 InitializeSListHead
0x40f06c IsDebuggerPresent
0x40f070 GetStartupInfoW
0x40f074 GetModuleHandleW
0x40f078 RtlUnwind
0x40f07c RaiseException
0x40f080 SetLastError
0x40f084 EncodePointer
0x40f088 EnterCriticalSection
0x40f08c LeaveCriticalSection
0x40f090 DeleteCriticalSection
0x40f094 InitializeCriticalSectionAndSpinCount
0x40f098 TlsAlloc
0x40f09c TlsGetValue
0x40f0a0 TlsSetValue
0x40f0a4 TlsFree
0x40f0a8 FreeLibrary
0x40f0ac LoadLibraryExW
0x40f0b0 GetStdHandle
0x40f0b4 WriteFile
0x40f0b8 GetModuleFileNameW
0x40f0bc ExitProcess
0x40f0c0 GetModuleHandleExW
0x40f0c4 HeapFree
0x40f0c8 HeapAlloc
0x40f0cc FindClose
0x40f0d0 FindFirstFileExW
0x40f0d4 FindNextFileW
0x40f0d8 IsValidCodePage
0x40f0dc GetACP
0x40f0e0 GetOEMCP
0x40f0e4 GetCPInfo
0x40f0e8 GetCommandLineA
0x40f0ec GetCommandLineW
0x40f0f0 MultiByteToWideChar
0x40f0f4 WideCharToMultiByte
0x40f0f8 GetEnvironmentStringsW
0x40f0fc FreeEnvironmentStringsW
0x40f100 SetStdHandle
0x40f104 GetFileType
0x40f108 GetStringTypeW
0x40f10c LCMapStringW
0x40f110 GetProcessHeap
0x40f114 DecodePointer
GDI32.dll
0x40f000 DPtoLP
EAT(Export Address Table) is none
KERNEL32.dll
0x40f008 VirtualProtect
0x40f00c VirtualFree
0x40f010 GetCurrentProcess
0x40f014 VirtualAlloc
0x40f018 TerminateProcess
0x40f01c GetModuleHandleA
0x40f020 GetLastError
0x40f024 GetProcAddress
0x40f028 WriteConsoleW
0x40f02c CloseHandle
0x40f030 CreateFileW
0x40f034 SetFilePointerEx
0x40f038 GetConsoleMode
0x40f03c GetConsoleCP
0x40f040 FlushFileBuffers
0x40f044 HeapReAlloc
0x40f048 HeapSize
0x40f04c UnhandledExceptionFilter
0x40f050 SetUnhandledExceptionFilter
0x40f054 IsProcessorFeaturePresent
0x40f058 QueryPerformanceCounter
0x40f05c GetCurrentProcessId
0x40f060 GetCurrentThreadId
0x40f064 GetSystemTimeAsFileTime
0x40f068 InitializeSListHead
0x40f06c IsDebuggerPresent
0x40f070 GetStartupInfoW
0x40f074 GetModuleHandleW
0x40f078 RtlUnwind
0x40f07c RaiseException
0x40f080 SetLastError
0x40f084 EncodePointer
0x40f088 EnterCriticalSection
0x40f08c LeaveCriticalSection
0x40f090 DeleteCriticalSection
0x40f094 InitializeCriticalSectionAndSpinCount
0x40f098 TlsAlloc
0x40f09c TlsGetValue
0x40f0a0 TlsSetValue
0x40f0a4 TlsFree
0x40f0a8 FreeLibrary
0x40f0ac LoadLibraryExW
0x40f0b0 GetStdHandle
0x40f0b4 WriteFile
0x40f0b8 GetModuleFileNameW
0x40f0bc ExitProcess
0x40f0c0 GetModuleHandleExW
0x40f0c4 HeapFree
0x40f0c8 HeapAlloc
0x40f0cc FindClose
0x40f0d0 FindFirstFileExW
0x40f0d4 FindNextFileW
0x40f0d8 IsValidCodePage
0x40f0dc GetACP
0x40f0e0 GetOEMCP
0x40f0e4 GetCPInfo
0x40f0e8 GetCommandLineA
0x40f0ec GetCommandLineW
0x40f0f0 MultiByteToWideChar
0x40f0f4 WideCharToMultiByte
0x40f0f8 GetEnvironmentStringsW
0x40f0fc FreeEnvironmentStringsW
0x40f100 SetStdHandle
0x40f104 GetFileType
0x40f108 GetStringTypeW
0x40f10c LCMapStringW
0x40f110 GetProcessHeap
0x40f114 DecodePointer
GDI32.dll
0x40f000 DPtoLP
EAT(Export Address Table) is none