Field | Value |
---|---|
Created | 2021.04.26 09:24 |
Machine | s1_win7_x6402 |
Filename | apps.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 14 detected (Unsafe, Attribute, HighConfidence, Malicious, Generic ML PUA, Static AI, Suspicious PE, Score, Zpevdo, confidence, QVM11) |
md5 | cd155fbcc108d054d747ab4514f3cfd6 |
sha256 | d52768831871c36f7e5a53dcfe3bd299f1a043b9bb09b8aa8073f6e60cec75e5 |
ssdeep | 24576:zv7zplhCeHeesjmw/oOfCSvpj2GlYIAUVdtJQuVWKuTJL/6RejQ5dYGV4:vzJjSjmwgoCSblYYVdQoW1T16pdYGV |
imphash | f17e72f0fc16396d7f07b856795dc64e |
impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EwgtTJuVM4PIKHGgZdj3EQbBnaMBaMyyTc5hEWSXmJJcn:VA/DzqYOZ9gt34gfgZJ3E8yITQhrSX+O |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | File has been identified by 14 AntiVirus engines on VirusTotal as malicious |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates executable files on the filesystem |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (20cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | GIF_Format_Zero | GIF Format | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | Microsoft_Office_Document_Zero | Microsoft Office Document Signature Zero | binaries (download) |
info | screenshot | Take screenshot | binaries (upload) |
info | win_files_operation | Affect private profile | memory |
info | win_registry | Affect system registries | memory |
info | win_token | Affect system token | memory |
Network (62cnts)
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) by library
KERNEL32.DLL
0x8db89c LoadLibraryA
0x8db8a0 GetProcAddress
0x8db8a4 VirtualProtect
0x8db8a8 VirtualAlloc
0x8db8ac VirtualFree
0x8db8b0 ExitProcess
advapi32.dll
0x8db8b8 RegLoadKeyW
comctl32.dll
0x8db8c0 ImageList_Add
gdi32.dll
0x8db8c8 Pie
msvcrt.dll
0x8db8d0 memcpy
netapi32.dll
0x8db8d8 NetWkstaGetInfo
ole32.dll
0x8db8e0 DoDragDrop
oleaut32.dll
0x8db8e8 VariantInit
shell32.dll
0x8db8f0 DragFinish
shlwapi.dll
0x8db8f8 PathIsUNCW
user32.dll
0x8db900 GetDC
version.dll
0x8db908 VerQueryValueW
winhttp.dll
0x8db910 WinHttpOpen
winspool.drv
0x8db918 ClosePrinter
EAT (Export Address Table): none