Field | Value |
---|---|
Created | 2021.06.08 10:50 |
Machine | s1_win7_x6402 |
Filename | jooyu.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 57 detected (AIDetect, malware2, malicious, high confidence, GenericKD, IgenericRI, S15903427, GenericRXAA, Unsafe, CookiesStealer, Save, confidence, CookieStealer, Eldorado, Attribute, HighConfidence, ACLN, Spyagent, PSWTool, hqsnsl, Gencirc, Malware@#dtfpxx1rbcg5, JazoStealer, znvpf, R002C0PE721, Score, ai score=100, ASMalwS, KVM003, kcloud, PassView, R356907, ZexaF, 8uW@a82JMxcj, BScope, Infospy, Facebook, CLASSIC, Convagent, WP9TbZjCMq4, Static AI, Suspicious PE, susgen, Genetic) |
md5 | aed57d50123897b0012c35ef5dec4184 |
sha256 | 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e |
ssdeep | 24576:6dWdWjFMYKO1ZcqlHrorVCkTNkdBAnlXG6+Z1mbXEC:FSMYKO1ZcmHsrVCokUlXF+Z1IUC |
imphash | 2d61767a66f97802f04479dc222ea0b1 |
impfuzzy | 48:J9PBQnc+F9YtoS1rMUZFuPZ7OjKEj6Nh6p2:Jcc+vYtoS1rMUZ07cKEeNYp2 |
Network IP location
Signature (17cnts)
Level | Description |
---|---|
danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (16cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com
ET POLICY External IP Lookup ip-api.com
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x463014 LocalFree
0x463018 SizeofResource
0x46301c GetLastError
0x463020 LockResource
0x463024 LoadResource
0x463028 FindResourceW
0x46302c WinExec
0x463030 WriteConsoleW
0x463034 FormatMessageW
0x463038 Sleep
0x46303c GetTempPathA
0x463040 lstrlenW
0x463044 HeapSize
0x463048 CreateFileW
0x46304c SetStdHandle
0x463050 GetProcessHeap
0x463054 SetEnvironmentVariableW
0x463058 FreeEnvironmentStringsW
0x46305c GetEnvironmentStringsW
0x463060 GetCommandLineW
0x463064 GetCommandLineA
0x463068 GetOEMCP
0x46306c GetACP
0x463070 IsValidCodePage
0x463074 FindNextFileW
0x463078 FindFirstFileExW
0x46307c FindClose
0x463080 GetTimeZoneInformation
0x463084 MultiByteToWideChar
0x463088 GetStringTypeW
0x46308c WideCharToMultiByte
0x463090 EnterCriticalSection
0x463094 LeaveCriticalSection
0x463098 DeleteCriticalSection
0x46309c EncodePointer
0x4630a0 DecodePointer
0x4630a4 GetCPInfo
0x4630a8 CompareStringW
0x4630ac LCMapStringW
0x4630b0 GetLocaleInfoW
0x4630b4 SetLastError
0x4630b8 InitializeCriticalSectionAndSpinCount
0x4630bc CreateEventW
0x4630c0 TlsAlloc
0x4630c4 TlsGetValue
0x4630c8 TlsSetValue
0x4630cc TlsFree
0x4630d0 GetSystemTimeAsFileTime
0x4630d4 GetModuleHandleW
0x4630d8 GetProcAddress
0x4630dc CloseHandle
0x4630e0 SetEvent
0x4630e4 ResetEvent
0x4630e8 WaitForSingleObjectEx
0x4630ec UnhandledExceptionFilter
0x4630f0 SetUnhandledExceptionFilter
0x4630f4 GetCurrentProcess
0x4630f8 TerminateProcess
0x4630fc IsProcessorFeaturePresent
0x463100 IsDebuggerPresent
0x463104 GetStartupInfoW
0x463108 QueryPerformanceCounter
0x46310c GetCurrentProcessId
0x463110 GetCurrentThreadId
0x463114 InitializeSListHead
0x463118 RtlUnwind
0x46311c RaiseException
0x463120 FreeLibrary
0x463124 LoadLibraryExW
0x463128 ExitProcess
0x46312c GetModuleHandleExW
0x463130 GetModuleFileNameW
0x463134 GetStdHandle
0x463138 WriteFile
0x46313c HeapReAlloc
0x463140 HeapFree
0x463144 HeapAlloc
0x463148 GetFileType
0x46314c GetFileSizeEx
0x463150 SetFilePointerEx
0x463154 FlushFileBuffers
0x463158 GetConsoleCP
0x46315c GetConsoleMode
0x463160 GetDateFormatW
0x463164 GetTimeFormatW
0x463168 IsValidLocale
0x46316c GetUserDefaultLCID
0x463170 EnumSystemLocalesW
0x463174 DeleteFileW
0x463178 ReadFile
0x46317c ReadConsoleW
0x463180 SetEndOfFile
ADVAPI32.dll
0x463000 RegSetValueExW
0x463004 RegOpenKeyExW
0x463008 RegCreateKeyW
0x46300c RegCloseKey
WINHTTP.dll
0x463188 WinHttpQueryHeaders
0x46318c WinHttpReadData
0x463190 WinHttpOpenRequest
0x463194 WinHttpSetOption
0x463198 WinHttpCloseHandle
0x46319c WinHttpAddRequestHeaders
0x4631a0 WinHttpQueryAuthSchemes
0x4631a4 WinHttpGetProxyForUrl
0x4631a8 WinHttpSendRequest
0x4631ac WinHttpSetCredentials
0x4631b0 WinHttpConnect
0x4631b4 WinHttpQueryDataAvailable
0x4631b8 WinHttpReceiveResponse
0x4631bc WinHttpOpen
0x4631c0 WinHttpGetIEProxyConfigForCurrentUser
EAT(Export Address Table) is none