ScreenShot
| Created | 2021.06.08 12:22 | Machine | s1_win7_x6402 |
| Filename | setup.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 41 detected (AIDetect, malware2, malicious, high confidence, Razy, GenericRI, S19154279, GenericRXNE, Unsafe, Save, ZexaF, SyW@auZHkTei, Attribute, HighConfidence, Fbkatz, iiwijl, PWSX, Generic ML PUA, Static AI, Suspicious PE, Score, AGEN, Glupteba, R414663, BScope, ai score=82, PasswordStealer, Generic@ML, RDML, vpzonNB64C7MwIVw0b, susgen, Genetic, confidence) | ||
| md5 | 3150a1bf870aa243738b71875a62c51b | ||
| sha256 | 9282835f29e080687ea77a9ffe8560955e2efebeb5cc68bd6e57d351c4b5e00c | ||
| ssdeep | 12288:fa/S3sCPfhmxjjpmt0OlIhaYbJAvSq8ZlUfMcZMSIP/LE5zfQnZuxTmP+fK0vS:UeSot0jvFAvS7ZufMcZMT/I1Qnse+p | ||
| imphash | 821bcaaa938f2cb9f56fbc1d4f9ddc4b | ||
| impfuzzy | 48:/dGtpv8U9fuOwO/e6BF9rsSuyYwOtEkMGZq3+Zkotn:/dGtpvZtu7oe6BF1sSuxwOt3MGNntn | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | Queries information on disks |
| notice | A process created a hidden window |
| notice | Creates a suspicious process |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Process_Snapshot_Kill_Zero | Process Kill Zero | binaries (download) |
| warning | Process_Snapshot_Kill_Zero | Process Kill Zero | binaries (upload) |
| info | Device_Check_Zero | Device Check Zero | binaries (download) |
| info | Device_Check_Zero | Device Check Zero | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (8cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x48f018 HeapFree
0x48f01c EnterCriticalSection
0x48f020 GetFullPathNameW
0x48f024 WriteFile
0x48f028 GetDiskFreeSpaceW
0x48f02c OutputDebugStringA
0x48f030 LockFile
0x48f034 LeaveCriticalSection
0x48f038 InitializeCriticalSection
0x48f03c SetFilePointer
0x48f040 GetFullPathNameA
0x48f044 SetEndOfFile
0x48f048 UnlockFileEx
0x48f04c GetTempPathW
0x48f050 CreateMutexW
0x48f054 WaitForSingleObject
0x48f058 CreateFileW
0x48f05c GetFileAttributesW
0x48f060 GetCurrentThreadId
0x48f064 UnmapViewOfFile
0x48f068 HeapValidate
0x48f06c HeapSize
0x48f070 MultiByteToWideChar
0x48f074 Sleep
0x48f078 GetTempPathA
0x48f07c FormatMessageW
0x48f080 GetDiskFreeSpaceA
0x48f084 GetLastError
0x48f088 GetFileAttributesA
0x48f08c GetFileAttributesExW
0x48f090 OutputDebugStringW
0x48f094 CreateFileA
0x48f098 LoadLibraryA
0x48f09c WaitForSingleObjectEx
0x48f0a0 DeleteFileA
0x48f0a4 DeleteFileW
0x48f0a8 HeapReAlloc
0x48f0ac CloseHandle
0x48f0b0 GetSystemInfo
0x48f0b4 LoadLibraryW
0x48f0b8 HeapCreate
0x48f0bc HeapCompact
0x48f0c0 HeapDestroy
0x48f0c4 UnlockFile
0x48f0c8 GetProcAddress
0x48f0cc CreateFileMappingA
0x48f0d0 LocalFree
0x48f0d4 LockFileEx
0x48f0d8 GetFileSize
0x48f0dc DeleteCriticalSection
0x48f0e0 GetCurrentProcessId
0x48f0e4 GetProcessHeap
0x48f0e8 SystemTimeToFileTime
0x48f0ec FreeLibrary
0x48f0f0 WideCharToMultiByte
0x48f0f4 GetSystemTimeAsFileTime
0x48f0f8 GetSystemTime
0x48f0fc FormatMessageA
0x48f100 CreateFileMappingW
0x48f104 MapViewOfFile
0x48f108 QueryPerformanceCounter
0x48f10c GetTickCount
0x48f110 FlushFileBuffers
0x48f114 lstrlenA
0x48f118 lstrcatA
0x48f11c CopyFileA
0x48f120 CreateThread
0x48f124 FindFirstFileW
0x48f128 FindNextFileW
0x48f12c GetModuleFileNameW
0x48f130 FindClose
0x48f134 SetStdHandle
0x48f138 VerSetConditionMask
0x48f13c VerifyVersionInfoW
0x48f140 ExitProcess
0x48f144 GetModuleHandleW
0x48f148 DeviceIoControl
0x48f14c FreeEnvironmentStringsW
0x48f150 TryEnterCriticalSection
0x48f154 ReadFile
0x48f158 AreFileApisANSI
0x48f15c SetEnvironmentVariableW
0x48f160 HeapAlloc
0x48f164 GetEnvironmentStringsW
0x48f168 GetOEMCP
0x48f16c InitializeCriticalSectionAndSpinCount
0x48f170 SetEvent
0x48f174 ResetEvent
0x48f178 CreateEventW
0x48f17c IsProcessorFeaturePresent
0x48f180 IsDebuggerPresent
0x48f184 UnhandledExceptionFilter
0x48f188 SetUnhandledExceptionFilter
0x48f18c GetStartupInfoW
0x48f190 InitializeSListHead
0x48f194 GetCurrentProcess
0x48f198 TerminateProcess
0x48f19c EncodePointer
0x48f1a0 DecodePointer
0x48f1a4 GetCPInfo
0x48f1a8 SetLastError
0x48f1ac SwitchToThread
0x48f1b0 TlsAlloc
0x48f1b4 TlsGetValue
0x48f1b8 TlsSetValue
0x48f1bc TlsFree
0x48f1c0 CompareStringW
0x48f1c4 LCMapStringW
0x48f1c8 GetLocaleInfoW
0x48f1cc GetStringTypeW
0x48f1d0 RtlUnwind
0x48f1d4 RaiseException
0x48f1d8 LoadLibraryExW
0x48f1dc ExitThread
0x48f1e0 FreeLibraryAndExitThread
0x48f1e4 GetModuleHandleExW
0x48f1e8 QueryPerformanceFrequency
0x48f1ec GetStdHandle
0x48f1f0 GetFileType
0x48f1f4 WriteConsoleW
0x48f1f8 GetCommandLineA
0x48f1fc GetCommandLineW
0x48f200 IsValidLocale
0x48f204 GetUserDefaultLCID
0x48f208 EnumSystemLocalesW
0x48f20c GetTimeZoneInformation
0x48f210 GetFileSizeEx
0x48f214 SetFilePointerEx
0x48f218 GetConsoleCP
0x48f21c GetConsoleMode
0x48f220 FindFirstFileExW
0x48f224 IsValidCodePage
0x48f228 GetACP
ADVAPI32.dll
0x48f000 RegCloseKey
0x48f004 RegSetValueExA
0x48f008 RegOpenKeyExA
0x48f00c GetUserNameA
0x48f010 RegCreateKeyA
EAT(Export Address Table) is none
KERNEL32.dll
0x48f018 HeapFree
0x48f01c EnterCriticalSection
0x48f020 GetFullPathNameW
0x48f024 WriteFile
0x48f028 GetDiskFreeSpaceW
0x48f02c OutputDebugStringA
0x48f030 LockFile
0x48f034 LeaveCriticalSection
0x48f038 InitializeCriticalSection
0x48f03c SetFilePointer
0x48f040 GetFullPathNameA
0x48f044 SetEndOfFile
0x48f048 UnlockFileEx
0x48f04c GetTempPathW
0x48f050 CreateMutexW
0x48f054 WaitForSingleObject
0x48f058 CreateFileW
0x48f05c GetFileAttributesW
0x48f060 GetCurrentThreadId
0x48f064 UnmapViewOfFile
0x48f068 HeapValidate
0x48f06c HeapSize
0x48f070 MultiByteToWideChar
0x48f074 Sleep
0x48f078 GetTempPathA
0x48f07c FormatMessageW
0x48f080 GetDiskFreeSpaceA
0x48f084 GetLastError
0x48f088 GetFileAttributesA
0x48f08c GetFileAttributesExW
0x48f090 OutputDebugStringW
0x48f094 CreateFileA
0x48f098 LoadLibraryA
0x48f09c WaitForSingleObjectEx
0x48f0a0 DeleteFileA
0x48f0a4 DeleteFileW
0x48f0a8 HeapReAlloc
0x48f0ac CloseHandle
0x48f0b0 GetSystemInfo
0x48f0b4 LoadLibraryW
0x48f0b8 HeapCreate
0x48f0bc HeapCompact
0x48f0c0 HeapDestroy
0x48f0c4 UnlockFile
0x48f0c8 GetProcAddress
0x48f0cc CreateFileMappingA
0x48f0d0 LocalFree
0x48f0d4 LockFileEx
0x48f0d8 GetFileSize
0x48f0dc DeleteCriticalSection
0x48f0e0 GetCurrentProcessId
0x48f0e4 GetProcessHeap
0x48f0e8 SystemTimeToFileTime
0x48f0ec FreeLibrary
0x48f0f0 WideCharToMultiByte
0x48f0f4 GetSystemTimeAsFileTime
0x48f0f8 GetSystemTime
0x48f0fc FormatMessageA
0x48f100 CreateFileMappingW
0x48f104 MapViewOfFile
0x48f108 QueryPerformanceCounter
0x48f10c GetTickCount
0x48f110 FlushFileBuffers
0x48f114 lstrlenA
0x48f118 lstrcatA
0x48f11c CopyFileA
0x48f120 CreateThread
0x48f124 FindFirstFileW
0x48f128 FindNextFileW
0x48f12c GetModuleFileNameW
0x48f130 FindClose
0x48f134 SetStdHandle
0x48f138 VerSetConditionMask
0x48f13c VerifyVersionInfoW
0x48f140 ExitProcess
0x48f144 GetModuleHandleW
0x48f148 DeviceIoControl
0x48f14c FreeEnvironmentStringsW
0x48f150 TryEnterCriticalSection
0x48f154 ReadFile
0x48f158 AreFileApisANSI
0x48f15c SetEnvironmentVariableW
0x48f160 HeapAlloc
0x48f164 GetEnvironmentStringsW
0x48f168 GetOEMCP
0x48f16c InitializeCriticalSectionAndSpinCount
0x48f170 SetEvent
0x48f174 ResetEvent
0x48f178 CreateEventW
0x48f17c IsProcessorFeaturePresent
0x48f180 IsDebuggerPresent
0x48f184 UnhandledExceptionFilter
0x48f188 SetUnhandledExceptionFilter
0x48f18c GetStartupInfoW
0x48f190 InitializeSListHead
0x48f194 GetCurrentProcess
0x48f198 TerminateProcess
0x48f19c EncodePointer
0x48f1a0 DecodePointer
0x48f1a4 GetCPInfo
0x48f1a8 SetLastError
0x48f1ac SwitchToThread
0x48f1b0 TlsAlloc
0x48f1b4 TlsGetValue
0x48f1b8 TlsSetValue
0x48f1bc TlsFree
0x48f1c0 CompareStringW
0x48f1c4 LCMapStringW
0x48f1c8 GetLocaleInfoW
0x48f1cc GetStringTypeW
0x48f1d0 RtlUnwind
0x48f1d4 RaiseException
0x48f1d8 LoadLibraryExW
0x48f1dc ExitThread
0x48f1e0 FreeLibraryAndExitThread
0x48f1e4 GetModuleHandleExW
0x48f1e8 QueryPerformanceFrequency
0x48f1ec GetStdHandle
0x48f1f0 GetFileType
0x48f1f4 WriteConsoleW
0x48f1f8 GetCommandLineA
0x48f1fc GetCommandLineW
0x48f200 IsValidLocale
0x48f204 GetUserDefaultLCID
0x48f208 EnumSystemLocalesW
0x48f20c GetTimeZoneInformation
0x48f210 GetFileSizeEx
0x48f214 SetFilePointerEx
0x48f218 GetConsoleCP
0x48f21c GetConsoleMode
0x48f220 FindFirstFileExW
0x48f224 IsValidCodePage
0x48f228 GetACP
ADVAPI32.dll
0x48f000 RegCloseKey
0x48f004 RegSetValueExA
0x48f008 RegOpenKeyExA
0x48f00c GetUserNameA
0x48f010 RegCreateKeyA
EAT(Export Address Table) is none