ScreenShot
| Created | 2021.06.12 18:24 | Machine | s1_win7_x6401 |
| Filename | 1.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 44 detected (AIDetect, malware2, malicious, high confidence, Siggen2, GenericRXOM, Unsafe, Save, ZexaF, VqW@auO7, Eldorado, Attribute, HighConfidence, PWSX, Zusy, Bobik, iunqoq, CLASSIC, Racoon, susgen, AGEN, ASMalwS, Glupteba, MG6FVH, score, R355109, ai score=83, PasswordStealer, Gencirc, KdSyOWNBWz8, Static AI, Malicious PE, GdSda) | ||
| md5 | 5a3eb1ba34e04f53b7bc135578a1610b | ||
| sha256 | cf333d7bb01d28a0a43127cd5c86c8fdfa390c03565bc30fca6ea49b1ef0b7b6 | ||
| ssdeep | 12288:Ncgz2j45iutNW/o8LudKs/90+cr5xq9FAfiMZp7qKblsIgFm8gdosZ5TguHaO+yz:Ncgz2j4/NytEp0+cr5xq0fiMZp776IZF | ||
| imphash | 51ff75d6d097884e3e24394f5a7d0c8f | ||
| impfuzzy | 48:BbuKL1LhYYs0OwOzS9o4agZmHBMTMdPa3tSH4F5r0UXuN:BbuKL1LuYs07sSq4xTMVStSw0UXuN | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 44 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Network activity contains more than one unique useragent |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Tries to locate where the browsers are installed |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x49a00c EnterCriticalSection
0x49a010 GetCurrentProcess
0x49a014 WriteFile
0x49a018 LeaveCriticalSection
0x49a01c SetFilePointer
0x49a020 InitializeCriticalSectionEx
0x49a024 UnmapViewOfFile
0x49a028 GetModuleHandleA
0x49a02c HeapSize
0x49a030 MultiByteToWideChar
0x49a034 GetFileInformationByHandle
0x49a038 CopyFileA
0x49a03c GetLastError
0x49a040 CreateFileA
0x49a044 FileTimeToSystemTime
0x49a048 LoadLibraryA
0x49a04c LockResource
0x49a050 HeapReAlloc
0x49a054 CloseHandle
0x49a058 RaiseException
0x49a05c FindResourceExW
0x49a060 LoadResource
0x49a064 FindResourceW
0x49a068 HeapAlloc
0x49a06c GetLocalTime
0x49a070 DecodePointer
0x49a074 HeapDestroy
0x49a078 GetProcAddress
0x49a07c CreateFileMappingA
0x49a080 GetFileSize
0x49a084 DeleteCriticalSection
0x49a088 GetProcessHeap
0x49a08c SystemTimeToFileTime
0x49a090 FreeLibrary
0x49a094 WideCharToMultiByte
0x49a098 HeapFree
0x49a09c MapViewOfFile
0x49a0a0 GetTickCount
0x49a0a4 IsWow64Process
0x49a0a8 AreFileApisANSI
0x49a0ac GetFullPathNameW
0x49a0b0 LockFile
0x49a0b4 InitializeCriticalSection
0x49a0b8 GetFullPathNameA
0x49a0bc SetEndOfFile
0x49a0c0 GetTempPathW
0x49a0c4 CreateFileW
0x49a0c8 GetFileAttributesW
0x49a0cc GetCurrentThreadId
0x49a0d0 Sleep
0x49a0d4 GetTempPathA
0x49a0d8 GetFileAttributesA
0x49a0dc GetVersionExA
0x49a0e0 DeleteFileA
0x49a0e4 DeleteFileW
0x49a0e8 LoadLibraryW
0x49a0ec UnlockFile
0x49a0f0 LockFileEx
0x49a0f4 GetCurrentProcessId
0x49a0f8 GetSystemTimeAsFileTime
0x49a0fc GetSystemTime
0x49a100 FormatMessageA
0x49a104 QueryPerformanceCounter
0x49a108 FlushFileBuffers
0x49a10c SetStdHandle
0x49a110 SetEnvironmentVariableW
0x49a114 FreeEnvironmentStringsW
0x49a118 GetEnvironmentStringsW
0x49a11c GetOEMCP
0x49a120 GetACP
0x49a124 IsValidCodePage
0x49a128 SizeofResource
0x49a12c GetModuleFileNameA
0x49a130 CreateProcessA
0x49a134 ReadFile
0x49a138 ReadConsoleW
0x49a13c GetTimeZoneInformation
0x49a140 GetFileSizeEx
0x49a144 GetConsoleMode
0x49a148 GetConsoleCP
0x49a14c GetFileType
0x49a150 EnumSystemLocalesW
0x49a154 GetUserDefaultLCID
0x49a158 IsValidLocale
0x49a15c GetTimeFormatW
0x49a160 WriteConsoleW
0x49a164 GetDateFormatW
0x49a168 GetCommandLineW
0x49a16c GetCommandLineA
0x49a170 GetStdHandle
0x49a174 GetModuleFileNameW
0x49a178 GetModuleHandleExW
0x49a17c ExitProcess
0x49a180 QueryPerformanceFrequency
0x49a184 VirtualQuery
0x49a188 VirtualProtect
0x49a18c VirtualAlloc
0x49a190 GetCurrentDirectoryW
0x49a194 CreateDirectoryW
0x49a198 FindClose
0x49a19c FindFirstFileExW
0x49a1a0 FindNextFileW
0x49a1a4 GetFileAttributesExW
0x49a1a8 RemoveDirectoryW
0x49a1ac SetFilePointerEx
0x49a1b0 SetLastError
0x49a1b4 GetModuleHandleW
0x49a1b8 CopyFileW
0x49a1bc LocalFree
0x49a1c0 GetStringTypeW
0x49a1c4 EncodePointer
0x49a1c8 InitializeCriticalSectionAndSpinCount
0x49a1cc CreateEventW
0x49a1d0 TlsAlloc
0x49a1d4 TlsGetValue
0x49a1d8 TlsSetValue
0x49a1dc TlsFree
0x49a1e0 CompareStringW
0x49a1e4 LCMapStringW
0x49a1e8 GetLocaleInfoW
0x49a1ec GetCPInfo
0x49a1f0 IsDebuggerPresent
0x49a1f4 OutputDebugStringW
0x49a1f8 SetEvent
0x49a1fc ResetEvent
0x49a200 WaitForSingleObjectEx
0x49a204 UnhandledExceptionFilter
0x49a208 SetUnhandledExceptionFilter
0x49a20c GetStartupInfoW
0x49a210 IsProcessorFeaturePresent
0x49a214 InitializeSListHead
0x49a218 TerminateProcess
0x49a21c RtlUnwind
0x49a220 LoadLibraryExW
0x49a224 GetSystemInfo
USER32.dll
0x49a238 GetDC
0x49a23c GetSystemMetrics
0x49a240 ReleaseDC
0x49a244 GetDesktopWindow
GDI32.dll
0x49a000 DeleteObject
0x49a004 GetObjectA
SHLWAPI.dll
0x49a22c PathFindExtensionW
0x49a230 PathFindExtensionA
gdiplus.dll
0x49a270 GdipSaveImageToFile
0x49a274 GdipCreateBitmapFromScan0
0x49a278 GdipGetImageEncodersSize
0x49a27c GdipDisposeImage
0x49a280 GdipGetImageEncoders
0x49a284 GdiplusStartup
0x49a288 GdipCreateBitmapFromHBITMAP
0x49a28c GdiplusShutdown
WININET.dll
0x49a24c HttpEndRequestA
0x49a250 HttpSendRequestExA
0x49a254 InternetOpenA
0x49a258 InternetCloseHandle
0x49a25c HttpOpenRequestA
0x49a260 HttpSendRequestA
0x49a264 InternetConnectA
0x49a268 InternetReadFile
EAT(Export Address Table) is none
KERNEL32.dll
0x49a00c EnterCriticalSection
0x49a010 GetCurrentProcess
0x49a014 WriteFile
0x49a018 LeaveCriticalSection
0x49a01c SetFilePointer
0x49a020 InitializeCriticalSectionEx
0x49a024 UnmapViewOfFile
0x49a028 GetModuleHandleA
0x49a02c HeapSize
0x49a030 MultiByteToWideChar
0x49a034 GetFileInformationByHandle
0x49a038 CopyFileA
0x49a03c GetLastError
0x49a040 CreateFileA
0x49a044 FileTimeToSystemTime
0x49a048 LoadLibraryA
0x49a04c LockResource
0x49a050 HeapReAlloc
0x49a054 CloseHandle
0x49a058 RaiseException
0x49a05c FindResourceExW
0x49a060 LoadResource
0x49a064 FindResourceW
0x49a068 HeapAlloc
0x49a06c GetLocalTime
0x49a070 DecodePointer
0x49a074 HeapDestroy
0x49a078 GetProcAddress
0x49a07c CreateFileMappingA
0x49a080 GetFileSize
0x49a084 DeleteCriticalSection
0x49a088 GetProcessHeap
0x49a08c SystemTimeToFileTime
0x49a090 FreeLibrary
0x49a094 WideCharToMultiByte
0x49a098 HeapFree
0x49a09c MapViewOfFile
0x49a0a0 GetTickCount
0x49a0a4 IsWow64Process
0x49a0a8 AreFileApisANSI
0x49a0ac GetFullPathNameW
0x49a0b0 LockFile
0x49a0b4 InitializeCriticalSection
0x49a0b8 GetFullPathNameA
0x49a0bc SetEndOfFile
0x49a0c0 GetTempPathW
0x49a0c4 CreateFileW
0x49a0c8 GetFileAttributesW
0x49a0cc GetCurrentThreadId
0x49a0d0 Sleep
0x49a0d4 GetTempPathA
0x49a0d8 GetFileAttributesA
0x49a0dc GetVersionExA
0x49a0e0 DeleteFileA
0x49a0e4 DeleteFileW
0x49a0e8 LoadLibraryW
0x49a0ec UnlockFile
0x49a0f0 LockFileEx
0x49a0f4 GetCurrentProcessId
0x49a0f8 GetSystemTimeAsFileTime
0x49a0fc GetSystemTime
0x49a100 FormatMessageA
0x49a104 QueryPerformanceCounter
0x49a108 FlushFileBuffers
0x49a10c SetStdHandle
0x49a110 SetEnvironmentVariableW
0x49a114 FreeEnvironmentStringsW
0x49a118 GetEnvironmentStringsW
0x49a11c GetOEMCP
0x49a120 GetACP
0x49a124 IsValidCodePage
0x49a128 SizeofResource
0x49a12c GetModuleFileNameA
0x49a130 CreateProcessA
0x49a134 ReadFile
0x49a138 ReadConsoleW
0x49a13c GetTimeZoneInformation
0x49a140 GetFileSizeEx
0x49a144 GetConsoleMode
0x49a148 GetConsoleCP
0x49a14c GetFileType
0x49a150 EnumSystemLocalesW
0x49a154 GetUserDefaultLCID
0x49a158 IsValidLocale
0x49a15c GetTimeFormatW
0x49a160 WriteConsoleW
0x49a164 GetDateFormatW
0x49a168 GetCommandLineW
0x49a16c GetCommandLineA
0x49a170 GetStdHandle
0x49a174 GetModuleFileNameW
0x49a178 GetModuleHandleExW
0x49a17c ExitProcess
0x49a180 QueryPerformanceFrequency
0x49a184 VirtualQuery
0x49a188 VirtualProtect
0x49a18c VirtualAlloc
0x49a190 GetCurrentDirectoryW
0x49a194 CreateDirectoryW
0x49a198 FindClose
0x49a19c FindFirstFileExW
0x49a1a0 FindNextFileW
0x49a1a4 GetFileAttributesExW
0x49a1a8 RemoveDirectoryW
0x49a1ac SetFilePointerEx
0x49a1b0 SetLastError
0x49a1b4 GetModuleHandleW
0x49a1b8 CopyFileW
0x49a1bc LocalFree
0x49a1c0 GetStringTypeW
0x49a1c4 EncodePointer
0x49a1c8 InitializeCriticalSectionAndSpinCount
0x49a1cc CreateEventW
0x49a1d0 TlsAlloc
0x49a1d4 TlsGetValue
0x49a1d8 TlsSetValue
0x49a1dc TlsFree
0x49a1e0 CompareStringW
0x49a1e4 LCMapStringW
0x49a1e8 GetLocaleInfoW
0x49a1ec GetCPInfo
0x49a1f0 IsDebuggerPresent
0x49a1f4 OutputDebugStringW
0x49a1f8 SetEvent
0x49a1fc ResetEvent
0x49a200 WaitForSingleObjectEx
0x49a204 UnhandledExceptionFilter
0x49a208 SetUnhandledExceptionFilter
0x49a20c GetStartupInfoW
0x49a210 IsProcessorFeaturePresent
0x49a214 InitializeSListHead
0x49a218 TerminateProcess
0x49a21c RtlUnwind
0x49a220 LoadLibraryExW
0x49a224 GetSystemInfo
USER32.dll
0x49a238 GetDC
0x49a23c GetSystemMetrics
0x49a240 ReleaseDC
0x49a244 GetDesktopWindow
GDI32.dll
0x49a000 DeleteObject
0x49a004 GetObjectA
SHLWAPI.dll
0x49a22c PathFindExtensionW
0x49a230 PathFindExtensionA
gdiplus.dll
0x49a270 GdipSaveImageToFile
0x49a274 GdipCreateBitmapFromScan0
0x49a278 GdipGetImageEncodersSize
0x49a27c GdipDisposeImage
0x49a280 GdipGetImageEncoders
0x49a284 GdiplusStartup
0x49a288 GdipCreateBitmapFromHBITMAP
0x49a28c GdiplusShutdown
WININET.dll
0x49a24c HttpEndRequestA
0x49a250 HttpSendRequestExA
0x49a254 InternetOpenA
0x49a258 InternetCloseHandle
0x49a25c HttpOpenRequestA
0x49a260 HttpSendRequestA
0x49a264 InternetConnectA
0x49a268 InternetReadFile
EAT(Export Address Table) is none