ScreenShot
| Created | 2021.06.16 08:54 | Machine | s1_win7_x6401 |
| Filename | 3306.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 61 detected (malicious, high confidence, Magania, Trojanpws, Bjlog, Unsafe, Save, Dialer, FRJV, Baijin, Redosdru, dxwn, TrojanPSW, fjzikd, ~Z@k24gw, MulDrop1, Zegost, A + Troj, chek, ASBOL, KVM005, kcloud, PcClient, dxtx, score, Pbbot, BScope, ai score=82, GenAsa, d0AUU2BCWeI, Static AI, Malicious PE, susgen, confidence, 100%) | ||
| md5 | 369af7277751019de4e0a12b294d24de | ||
| sha256 | 3c536c1558eba42c1967d9732bf9afd25c9c3c28bfbdc0028b945e88f1141d90 | ||
| ssdeep | 3072:mtABk6W//OzY3qKz05HOScaZLCbnUvH6+gxF13+ea2rXYShBdj7ExxwXDGLOqPfC:GABk6W/M1KKRCXvlYShPYxxwHqPf1mI | ||
| imphash | 07cd32fe06d43febfbbba5706c9ac01e | ||
| impfuzzy | 48:r9Gx02GIXAh8+CbGR7TsOosY8C/rJlvzzm/Em/:ZGRGIXAh8+GuTsnsYHfvvm/Em/ | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 61 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| notice | Creates a service |
| notice | Expresses interest in specific running processes |
| notice | Foreign language identified in PE resource |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| info | The executable uses a known packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Gh0st_RAT_Zero | binaries (upload) | |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
MSVCRT.dll
0x40412c _controlfp
0x404130 _strlwr
0x404134 _strnicmp
0x404138 _itoa
0x40413c __set_app_type
0x404140 __p__fmode
0x404144 __p__commode
0x404148 _adjust_fdiv
0x40414c __setusermatherr
0x404150 _initterm
0x404154 __getmainargs
0x404158 _acmdln
0x40415c exit
0x404160 _XcptFilter
0x404164 _exit
0x404168 ??1type_info@@UAE@XZ
0x40416c strstr
0x404170 strncpy
0x404174 _CxxThrowException
0x404178 __CxxFrameHandler
0x40417c strcmp
0x404180 ??3@YAXPAX@Z
0x404184 memcpy
0x404188 ??2@YAPAXI@Z
0x40418c memset
0x404190 strchr
0x404194 strncat
0x404198 strcat
0x40419c tolower
0x4041a0 toupper
0x4041a4 _ftol
0x4041a8 srand
0x4041ac rand
0x4041b0 strcpy
0x4041b4 _except_handler3
0x4041b8 strlen
0x4041bc _stricmp
KERNEL32.dll
0x404080 GetStartupInfoA
0x404084 MultiByteToWideChar
0x404088 GetLastError
0x40408c CreateDirectoryA
0x404090 GetFileAttributesA
0x404094 lstrcpyA
0x404098 lstrlenA
0x40409c DeleteFileA
0x4040a0 SetFileAttributesA
0x4040a4 CloseHandle
0x4040a8 Process32Next
0x4040ac GetCurrentProcessId
0x4040b0 Process32First
0x4040b4 CreateToolhelp32Snapshot
0x4040b8 GetTickCount
0x4040bc lstrcatA
0x4040c0 GetSystemDirectoryA
0x4040c4 HeapFree
0x4040c8 GetProcAddress
0x4040cc GetModuleHandleA
0x4040d0 HeapAlloc
0x4040d4 GetProcessHeap
0x4040d8 ExitProcess
0x4040dc SetEnvironmentVariableA
0x4040e0 GetWindowsDirectoryA
0x4040e4 GetTempPathA
0x4040e8 MoveFileA
0x4040ec SetFileTime
0x4040f0 WideCharToMultiByte
0x4040f4 SystemTimeToFileTime
0x4040f8 SetFilePointer
0x4040fc WriteFile
0x404100 CreateFileA
0x404104 lstrcmpiA
0x404108 GetModuleFileNameA
0x40410c Sleep
0x404110 WaitForSingleObject
0x404114 CreateEventA
0x404118 OpenEventA
0x40411c SetUnhandledExceptionFilter
0x404120 GetCommandLineA
0x404124 LocalFileTimeToFileTime
USER32.dll
0x4041d8 wsprintfA
ADVAPI32.dll
0x404000 GetUserNameA
0x404004 GetServiceKeyNameA
0x404008 StartServiceA
0x40400c ControlService
0x404010 OpenSCManagerA
0x404014 CreateServiceA
0x404018 DeleteService
0x40401c CloseServiceHandle
0x404020 RegCreateKeyExA
0x404024 RegSetValueExA
0x404028 RegDeleteKeyA
0x40402c RegDeleteValueA
0x404030 RegQueryValueExA
0x404034 RegEnumKeyExA
0x404038 RegEnumValueA
0x40403c RegOpenKeyExA
0x404040 RegCloseKey
0x404044 LookupAccountNameA
0x404048 GetFileSecurityA
0x40404c InitializeSecurityDescriptor
0x404050 GetSecurityDescriptorDacl
0x404054 GetAclInformation
0x404058 GetLengthSid
0x40405c InitializeAcl
0x404060 GetAce
0x404064 EqualSid
0x404068 AddAce
0x40406c AddAccessAllowedAce
0x404070 SetSecurityDescriptorDacl
0x404074 GetSecurityDescriptorControl
0x404078 SetFileSecurityA
SHLWAPI.dll
0x4041d0 SHDeleteKeyA
NETAPI32.dll
0x4041c4 NetApiBufferFree
0x4041c8 NetUserGetLocalGroups
EAT(Export Address Table) is none
MSVCRT.dll
0x40412c _controlfp
0x404130 _strlwr
0x404134 _strnicmp
0x404138 _itoa
0x40413c __set_app_type
0x404140 __p__fmode
0x404144 __p__commode
0x404148 _adjust_fdiv
0x40414c __setusermatherr
0x404150 _initterm
0x404154 __getmainargs
0x404158 _acmdln
0x40415c exit
0x404160 _XcptFilter
0x404164 _exit
0x404168 ??1type_info@@UAE@XZ
0x40416c strstr
0x404170 strncpy
0x404174 _CxxThrowException
0x404178 __CxxFrameHandler
0x40417c strcmp
0x404180 ??3@YAXPAX@Z
0x404184 memcpy
0x404188 ??2@YAPAXI@Z
0x40418c memset
0x404190 strchr
0x404194 strncat
0x404198 strcat
0x40419c tolower
0x4041a0 toupper
0x4041a4 _ftol
0x4041a8 srand
0x4041ac rand
0x4041b0 strcpy
0x4041b4 _except_handler3
0x4041b8 strlen
0x4041bc _stricmp
KERNEL32.dll
0x404080 GetStartupInfoA
0x404084 MultiByteToWideChar
0x404088 GetLastError
0x40408c CreateDirectoryA
0x404090 GetFileAttributesA
0x404094 lstrcpyA
0x404098 lstrlenA
0x40409c DeleteFileA
0x4040a0 SetFileAttributesA
0x4040a4 CloseHandle
0x4040a8 Process32Next
0x4040ac GetCurrentProcessId
0x4040b0 Process32First
0x4040b4 CreateToolhelp32Snapshot
0x4040b8 GetTickCount
0x4040bc lstrcatA
0x4040c0 GetSystemDirectoryA
0x4040c4 HeapFree
0x4040c8 GetProcAddress
0x4040cc GetModuleHandleA
0x4040d0 HeapAlloc
0x4040d4 GetProcessHeap
0x4040d8 ExitProcess
0x4040dc SetEnvironmentVariableA
0x4040e0 GetWindowsDirectoryA
0x4040e4 GetTempPathA
0x4040e8 MoveFileA
0x4040ec SetFileTime
0x4040f0 WideCharToMultiByte
0x4040f4 SystemTimeToFileTime
0x4040f8 SetFilePointer
0x4040fc WriteFile
0x404100 CreateFileA
0x404104 lstrcmpiA
0x404108 GetModuleFileNameA
0x40410c Sleep
0x404110 WaitForSingleObject
0x404114 CreateEventA
0x404118 OpenEventA
0x40411c SetUnhandledExceptionFilter
0x404120 GetCommandLineA
0x404124 LocalFileTimeToFileTime
USER32.dll
0x4041d8 wsprintfA
ADVAPI32.dll
0x404000 GetUserNameA
0x404004 GetServiceKeyNameA
0x404008 StartServiceA
0x40400c ControlService
0x404010 OpenSCManagerA
0x404014 CreateServiceA
0x404018 DeleteService
0x40401c CloseServiceHandle
0x404020 RegCreateKeyExA
0x404024 RegSetValueExA
0x404028 RegDeleteKeyA
0x40402c RegDeleteValueA
0x404030 RegQueryValueExA
0x404034 RegEnumKeyExA
0x404038 RegEnumValueA
0x40403c RegOpenKeyExA
0x404040 RegCloseKey
0x404044 LookupAccountNameA
0x404048 GetFileSecurityA
0x40404c InitializeSecurityDescriptor
0x404050 GetSecurityDescriptorDacl
0x404054 GetAclInformation
0x404058 GetLengthSid
0x40405c InitializeAcl
0x404060 GetAce
0x404064 EqualSid
0x404068 AddAce
0x40406c AddAccessAllowedAce
0x404070 SetSecurityDescriptorDacl
0x404074 GetSecurityDescriptorControl
0x404078 SetFileSecurityA
SHLWAPI.dll
0x4041d0 SHDeleteKeyA
NETAPI32.dll
0x4041c4 NetApiBufferFree
0x4041c8 NetUserGetLocalGroups
EAT(Export Address Table) is none