Field | Value |
---|---|
Created | 2021.05.14 09:50 |
Machine | s1_win7_x6402 |
Filename | OctodadSetup.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
AI Score | (not captured in the text export) |
Behavior Score | (not captured in the text export) |
ZERO API | file : malware |
VT API (file) | 52 detected (GenericKD, Artemis, Unsafe, malicious, Score, StartPage, esqoia, ApplicUnwnt@#avud7zvby13y, AGEN, DownloadShield, R002C0OA321, InstallAd, ai score=97, AGeneric, Vittalia, R182412, OpenDownloadManager, Genetic, Eawu, FileRepMalware, confidence) |
md5 | 8860fecf9a64e193bfde8808889f7e48 |
sha256 | 972a19b0dc047f482972e513446d3735ea7d41aadaa57e0201a5f0f9a93fedbb |
ssdeep | 6144:Y0hNLAQF57b5LAWUkV62/sFiv6BtgZHbGYXwE08A:ZMKHzUb2/ssG2ZyYXs |
imphash | f4fd5e474d548b6e56174e1335f360a9 |
impfuzzy | 48:YBfrOK5YZJqOkOGLblla/7LXEFSv8r+tAl5ylx0QpV74dT+5/1xyACnBoKQ50e4l:YBaK5YZJq1K41UvnvS |

Reading the identifiers together: the file type is an NSIS (Nullsoft) self-extracting installer, and the VirusTotal detection names are dominated by adware and download-bundler family labels (InstallAd, Vittalia, OpenDownloadManager, DownloadShield, StartPage, ApplicUnwnt), with generic and heuristic names (GenericKD, Artemis, Unsafe, FileRepMalware) making up the rest. That profile is consistent with a potentially unwanted bundler delivered as a setup executable rather than a bare trojan. The md5, sha256, ssdeep and imphash values identify the whole NSIS package; the payload it extracts at run time has its own hashes and is what the behavioural signatures below describe.
Signature (23cnts)
Level | Description |
---|---|
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Network activity contains more than one unique useragent |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size, which can be used to detect a virtual machine with a small fixed-size or dynamically allocated disk |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
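Several of these signatures are sequence or threshold rules over the API trace rather than matches on a single call. The script below is an added illustration (not the sandbox's own engine or its rule syntax) of how two of them can be expressed over a constructed trace: the remote-thread-resume injection pattern (a process created suspended, written to with WriteProcessMemory, then resumed from outside) and the VM probe (WMI queries against hardware classes, or a disk-size query that returns a small disk). The trace format, the rule names, the 60 GiB disk threshold and the pid values are all assumptions made for the example.

```python
import re

CREATE_SUSPENDED = 0x00000004
SMALL_DISK_BYTES = 60 * 1024 ** 3        # assumed threshold; tune against a fleet baseline
VM_PROBE_CLASSES = {"Win32_ComputerSystem", "Win32_DiskDrive", "Win32_BIOS",
                    "Win32_VideoController", "Win32_Processor"}

# Constructed API trace (not sandbox output): one event per line, pid|api|key=value...
TRACE = """\
1234|CreateProcessA|image=C:\\Users\\u\\AppData\\Local\\Temp\\child.exe|flags=0x4|child_pid=2048
1234|VirtualAllocEx|target_pid=2048|protect=0x40|size=0x5000
1234|WriteProcessMemory|target_pid=2048|size=0x4000
1234|NtResumeThread|target_pid=2048|tid=77
2048|ExecQuery|query=SELECT * FROM Win32_ComputerSystem
2048|GetDiskFreeSpaceExA|path=C:\\|total_bytes=21474836480
1234|CreateThread|tid=78
1234|ResumeThread|target_pid=1234|tid=78
"""


def parse_trace(text):
    """Turn trace lines into event dicts; numeric-looking values become ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, *args = line.split("|")
        ev = {"pid": int(pid), "api": api}
        for arg in args:
            key, _, val = arg.partition("=")
            ev[key] = int(val, 0) if re.fullmatch(r"0x[0-9a-fA-F]+|[0-9]+", val) else val
        events.append(ev)
    return events


def rule_remote_thread_resume(events):
    """Flag ResumeThread/NtResumeThread aimed at another process that the caller
    already wrote into; record whether that process was created suspended."""
    hits, written, suspended = [], set(), set()
    for ev in events:
        api = ev["api"]
        if api.startswith("CreateProcess") and ev.get("flags", 0) & CREATE_SUSPENDED:
            suspended.add((ev["pid"], ev["child_pid"]))
        elif api == "WriteProcessMemory":
            written.add((ev["pid"], ev["target_pid"]))
        elif api in ("ResumeThread", "NtResumeThread"):
            key = (ev["pid"], ev.get("target_pid", ev["pid"]))
            if key[0] != key[1] and key in written:
                hits.append({"rule": "remote_thread_resume", "pid": key[0],
                             "target_pid": key[1], "created_suspended": key in suspended})
    return hits


def rule_vm_probe(events):
    """Flag WMI queries against hardware classes and disk-size checks that return a
    disk smaller than SMALL_DISK_BYTES (both typical sandbox/VM fingerprinting)."""
    hits = []
    for ev in events:
        if ev["api"] == "ExecQuery":
            classes = set(re.findall(r"\bWin32_\w+", ev.get("query", ""))) & VM_PROBE_CLASSES
            if classes:
                hits.append({"rule": "vm_probe", "pid": ev["pid"],
                             "detail": "wmi:" + ",".join(sorted(classes))})
        elif ev["api"].startswith("GetDiskFreeSpaceEx"):
            total = ev.get("total_bytes")
            if isinstance(total, int) and total < SMALL_DISK_BYTES:
                hits.append({"rule": "vm_probe", "pid": ev["pid"],
                             "detail": "disk:%d GiB" % (total // 1024 ** 3)})
    return hits


def scan(trace_text):
    """Run every rule over the trace and return the hits, rule by rule, in trace order."""
    events = parse_trace(trace_text)
    return rule_remote_thread_resume(events) + rule_vm_probe(events)


if __name__ == "__main__":
    for hit in scan(TRACE):
        print(hit)
```

The injection rule keys on the cross-process pair rather than on ResumeThread alone, which is why the last two trace lines (a thread resumed in the caller's own process) are not flagged. In a real engine the disk threshold and the WMI class list are the first things to tune against a baseline of benign setup programs, since legitimate installers also query system hardware classes.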
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (16cnts)
Suricata IDS alerts
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP invalid response field folding
SURICATA HTTP response header invalid
ET INFO TLS Handshake Failure
SURICATA HTTP invalid response field folding
SURICATA HTTP response header invalid
ET INFO TLS Handshake Failure
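The SSLBL alert is a JA3 match: the Suricata rule hashed the shape of the sample's TLS ClientHello and found it on abuse.ch's SSL blocklist under the Tofsee label. JA3 fingerprints the TLS client implementation, not the program driving it, so many unrelated binaries that use the same TLS stack share a hash; treat the family label as a lead to corroborate with the HTTP traffic and dropped files, not as attribution. To make the fingerprint concrete, the following is an added example (not part of the report, and not Suricata's or abuse.ch's code) that builds a constructed ClientHello, parses out the five JA3 fields and computes the JA3 string and MD5. The hello's contents (TLS 1.2, four real cipher suites, GREASE values, the hostname evil.tld) are invented for the demonstration.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 drops them so that a
# client rotating its GREASE values does not change its fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16s(values):
    return b"".join(struct.pack(">H", v) for v in values)


def build_client_hello(version, ciphers, extensions):
    """Wrap a ClientHello in a TLS record. extensions: list of (type, body bytes)."""
    ext_bytes = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in extensions)
    body = (struct.pack(">H", version) + bytes(32)        # client_version, random
            + b"\x00"                                      # empty session_id
            + struct.pack(">H", 2 * len(ciphers)) + _u16s(ciphers)
            + b"\x01\x00"                                  # compression: null only
            + struct.pack(">H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Pull the five JA3 inputs out of a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    p = 4                                                  # skip handshake header
    version = struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    p += 32                                                # random
    p += 1 + hs[p]                                         # session_id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + hs[p]                                         # compression_methods
    ext_len = struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    exts, groups, formats = [], [], []
    while p < end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4]); p += 4
        body = hs[p:p + elen]; p += elen
        exts.append(etype)
        if etype == 10:                                    # supported_groups: u16 len + u16 list
            n = struct.unpack(">H", body[:2])[0]
            groups = [struct.unpack(">H", body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 11:                                  # ec_point_formats: u8 len + u8 list
            formats = list(body[1:1 + body[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "formats": formats}


def ja3(fields):
    """JA3 string and MD5: version,ciphers,extensions,groups,formats with GREASE removed."""
    def keep(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(fields["version"]), keep(fields["ciphers"]), keep(fields["extensions"]),
                  keep(fields["groups"]), "-".join(str(v) for v in fields["formats"])])
    return s, hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed sample (not captured from the sandbox): TLS 1.2 ClientHello with GREASE
# in the cipher list, the extension list and the group list, plus an SNI of evil.tld.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x2A2A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    [(0x3A3A, b""),                                        # GREASE extension
     (0, b"\x00\x0b\x00\x00\x08evil.tld"),                # server_name (not part of JA3)
     (10, b"\x00\x06" + _u16s([0x4A4A, 0x001D, 0x0017])), # supported_groups: GREASE, x25519, P-256
     (11, b"\x01\x00"),                                    # ec_point_formats: uncompressed
     (23, b"")])                                           # extended_master_secret

if __name__ == "__main__":
    s, h = ja3(parse_client_hello(SAMPLE_HELLO))
    print(s)
    print(h)
```

Running it prints the JA3 string 771,4865-4866-49195-49199,0-10-11-23,29-23,0 followed by its MD5. The GREASE filtering is the detail that matters operationally: a client may place a different GREASE value in every connection, and the fingerprint only stays stable because those values are dropped before hashing, so the same hello with its GREASE entries removed hashes to the identical value.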
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x407064 SearchPathA
0x407068 GetShortPathNameA
0x40706c GetFullPathNameA
0x407070 MoveFileA
0x407074 SetCurrentDirectoryA
0x407078 GetFileAttributesA
0x40707c GetLastError
0x407080 CreateDirectoryA
0x407084 SetFileAttributesA
0x407088 Sleep
0x40708c GetTickCount
0x407090 GetFileSize
0x407094 GetModuleFileNameA
0x407098 GetCurrentProcess
0x40709c CopyFileA
0x4070a0 ExitProcess
0x4070a4 GetWindowsDirectoryA
0x4070a8 CompareFileTime
0x4070ac GetCommandLineA
0x4070b0 GetVersion
0x4070b4 SetErrorMode
0x4070b8 lstrcpynA
0x4070bc GetDiskFreeSpaceA
0x4070c0 GlobalUnlock
0x4070c4 GlobalLock
0x4070c8 CreateThread
0x4070cc CreateProcessA
0x4070d0 CreateFileA
0x4070d4 GetTempFileNameA
0x4070d8 lstrlenA
0x4070dc lstrcatA
0x4070e0 LoadLibraryA
0x4070e4 GetSystemDirectoryA
0x4070e8 RemoveDirectoryA
0x4070ec SetFileTime
0x4070f0 CloseHandle
0x4070f4 lstrcmpiA
0x4070f8 lstrcmpA
0x4070fc ExpandEnvironmentStringsA
0x407100 GlobalAlloc
0x407104 WaitForSingleObject
0x407108 GetExitCodeProcess
0x40710c GlobalFree
0x407110 GetModuleHandleA
0x407114 LoadLibraryExA
0x407118 GetProcAddress
0x40711c FreeLibrary
0x407120 MultiByteToWideChar
0x407124 WritePrivateProfileStringA
0x407128 GetPrivateProfileStringA
0x40712c WriteFile
0x407130 MulDiv
0x407134 ReadFile
0x407138 SetFilePointer
0x40713c FindClose
0x407140 FindNextFileA
0x407144 FindFirstFileA
0x407148 DeleteFileA
0x40714c GetTempPathA
USER32.dll
0x407170 GetMessagePos
0x407174 CallWindowProcA
0x407178 IsWindowVisible
0x40717c LoadBitmapA
0x407180 CloseClipboard
0x407184 SetClipboardData
0x407188 EmptyClipboard
0x40718c OpenClipboard
0x407190 TrackPopupMenu
0x407194 GetWindowRect
0x407198 AppendMenuA
0x40719c CreatePopupMenu
0x4071a0 GetSystemMetrics
0x4071a4 EndDialog
0x4071a8 EnableMenuItem
0x4071ac GetSystemMenu
0x4071b0 SetClassLongA
0x4071b4 IsWindowEnabled
0x4071b8 SetWindowPos
0x4071bc ScreenToClient
0x4071c0 GetClassInfoA
0x4071c4 CreateWindowExA
0x4071c8 SystemParametersInfoA
0x4071cc RegisterClassA
0x4071d0 SetDlgItemTextA
0x4071d4 GetDlgItemTextA
0x4071d8 MessageBoxIndirectA
0x4071dc CharPrevA
0x4071e0 DispatchMessageA
0x4071e4 PeekMessageA
0x4071e8 ExitWindowsEx
0x4071ec DestroyWindow
0x4071f0 CreateDialogParamA
0x4071f4 SetTimer
0x4071f8 SetWindowTextA
0x4071fc PostQuitMessage
0x407200 SetForegroundWindow
0x407204 wsprintfA
0x407208 SendMessageTimeoutA
0x40720c CheckDlgButton
0x407210 LoadCursorA
0x407214 SetCursor
0x407218 GetWindowLongA
0x40721c GetSysColor
0x407220 DialogBoxParamA
0x407224 CharNextA
0x407228 FindWindowExA
0x40722c IsWindow
0x407230 GetDlgItem
0x407234 SetWindowLongA
0x407238 LoadImageA
0x40723c GetDC
0x407240 EnableWindow
0x407244 InvalidateRect
0x407248 SendMessageA
0x40724c DefWindowProcA
0x407250 BeginPaint
0x407254 GetClientRect
0x407258 FillRect
0x40725c DrawTextA
0x407260 EndPaint
0x407264 ShowWindow
GDI32.dll
0x407040 SetBkColor
0x407044 GetDeviceCaps
0x407048 DeleteObject
0x40704c CreateBrushIndirect
0x407050 CreateFontIndirectA
0x407054 SetBkMode
0x407058 SetTextColor
0x40705c SelectObject
SHELL32.dll
0x407154 SHBrowseForFolderA
0x407158 SHGetPathFromIDListA
0x40715c SHGetFileInfoA
0x407160 ShellExecuteA
0x407164 SHFileOperationA
0x407168 SHGetSpecialFolderLocation
ADVAPI32.dll
0x407000 RegOpenKeyExA
0x407004 RegEnumValueA
0x407008 RegEnumKeyA
0x40700c RegCloseKey
0x407010 SetFileSecurityA
0x407014 RegDeleteValueA
0x407018 RegCreateKeyExA
0x40701c RegSetValueExA
0x407020 RegDeleteKeyA
0x407024 RegQueryValueExA
COMCTL32.dll
0x40702c ImageList_AddMasked
0x407030 ImageList_Destroy
0x407034 (no name: imported by ordinal)
0x407038 ImageList_Create
ole32.dll
0x40726c OleUninitialize
0x407270 OleInitialize
0x407274 CoTaskMemFree
0x407278 CoCreateInstance
EAT(Export Address Table) is none
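The imphash in the header table is derived from exactly this import list: each entry becomes "<library>.<function>" in table order and the comma-joined string is MD5-hashed (pefile's convention, which also lowercases names, strips .dll/.ocx/.sys from the library, writes nameless imports as ordN, and resolves ordinals to names for a few libraries such as ws2_32 and oleaut32 from built-in tables). Because every function above belongs to the NSIS stub rather than to whatever the installer extracts, this imphash is shared by every installer built with the same NSIS version; pivoting on it will return benign installers alongside this sample, and the payload's own imports only become visible after extracting the embedded archive. The script below is an added example (not the sandbox's code and not pefile itself) that reimplements the token construction, parses the listing format printed above, and shows why the hash cannot be recomputed from the printed list alone: the COMCTL32 slot at 0x407034 has no name, meaning an ordinal-only import whose ordinal the report does not print. The value 17 supplied for it is an assumed placeholder, and the ordinal-to-name tables pefile applies for ws2_32/oleaut32 are omitted.

```python
import hashlib

STRIP_EXT = (".dll", ".ocx", ".sys")


def import_token(dll, name=None, ordinal=None):
    """One imphash token: '<lib>.<func>' with the library lowercased and its
    .dll/.ocx/.sys suffix removed, the function lowercased, or 'ordN' for a
    nameless (ordinal-only) import."""
    lib = dll.lower()
    for ext in STRIP_EXT:
        if lib.endswith(ext):
            lib = lib[:-len(ext)]
            break
    if name is not None:
        return "%s.%s" % (lib, name.lower())
    if ordinal is None:
        raise ValueError("%s import has neither name nor ordinal" % dll)
    return "%s.ord%d" % (lib, ordinal)


def unresolved(imports):
    """Imports that cannot be tokenised: ordinal-only with the ordinal unknown."""
    return [imp for imp in imports if imp[1] is None and imp[2] is None]


def imphash(imports):
    """imports: (dll, name_or_None, ordinal_or_None) tuples in import-table order.
    Returns (md5 hex, token list). Order matters: the same imports in a
    different order hash differently."""
    tokens = [import_token(dll, name, ordinal) for dll, name, ordinal in imports]
    return hashlib.md5(",".join(tokens).encode("ascii")).hexdigest(), tokens


def parse_iat_listing(text, ordinals=None):
    """Parse the report's IAT listing: a DLL name on its own line, then
    '0xADDR Name' lines. A name of 'None' marks an ordinal-only import; its
    ordinal is taken from ordinals={(dll, addr): N} (read from the binary) and
    left as None when absent. Other lines (headings, the EAT note) are ignored."""
    ordinals = ordinals or {}
    imports, dll = [], None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 1 and parts[0].lower().endswith(STRIP_EXT):
            dll = parts[0]
        elif len(parts) == 2 and parts[0].startswith("0x") and dll:
            addr, name = parts
            if name == "None":
                imports.append((dll, None, ordinals.get((dll, addr))))
            else:
                imports.append((dll, name, None))
    return imports


# Constructed subset of the IAT printed in the report (the full listing can be
# pasted in unchanged). The ordinal 17 for the nameless COMCTL32 slot is an
# assumption for illustration; read the real value from the binary's import
# directory before trusting the resulting hash.
LISTING = """\
KERNEL32.dll
0x407064 SearchPathA
0x4070e0 LoadLibraryA
0x407118 GetProcAddress
COMCTL32.dll
0x407034 None
ole32.dll
0x407278 CoCreateInstance
EAT(Export Address Table) is none
"""
ASSUMED_ORDINALS = {("COMCTL32.dll", "0x407034"): 17}

if __name__ == "__main__":
    imports = parse_iat_listing(LISTING)
    print("unresolved:", unresolved(imports))
    digest, tokens = imphash(parse_iat_listing(LISTING, ASSUMED_ORDINALS))
    print(",".join(tokens))
    print(digest)
```

Run against the listing without the ordinal map, unresolved() reports the COMCTL32 slot and imphash() refuses to hash; with the map it produces the token string kernel32.searchpatha,kernel32.loadlibrarya,kernel32.getprocaddress,comctl32.ord17,ole32.cocreateinstance and its MD5. Reversing the import order changes the digest, which is why imphash survives recompilation of the same source but not a relinked or repacked binary.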