ScreenShot
| Created | 2021.06.18 09:52 | Machine | s1_win7_x6402 |
| Filename | redbutton.png | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 32 detected (AIDetect, malware1, malicious, high confidence, GenericKD, Save, Attribute, HighConfidence, Trickpak, FileRepMalware, UMal, zdnxz@0, Artemis, Static AI, Malicious PE, ai score=89, kcloud, Trickbot, Core, OBKIMG, score, R002H01FH21, Generic@ML, RDMK, LNVvLtv7v9QnxE1Qiz83OA, Unsafe, Behavior, ZexaF, Hu2@ae1SP1dQ, confidence) | ||
| md5 | 1a5f3ca6597fcccd3295ead4d22ce70b | ||
| sha256 | 7501da197ff9bcd49198dce9cf668442b3a04122d1034effb29d74e0a09529d7 | ||
| ssdeep | 6144:Etq5lF4WVQ5521QdfB9qAwAysg8n65R4tiIfug1d7kjTnWPt:EU5lF3VQvbpIAA8nE+sI5kXn | ||
| imphash | ae9182174b5c4afd59b9b6502df5d8a1 | ||
| impfuzzy | 24:4zglqOovqDkpftj8Rnlyv95/J3IjT4RfLKjML7g45uSr1eKn:imW1tYK97McRf1k45uKn | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Terminates another process |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (10cnts) ?
Suricata ids
ET CNC Feodo Tracker Reported CnC Server group 12
ET CNC Feodo Tracker Reported CnC Server group 17
ET CNC Feodo Tracker Reported CnC Server group 11
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET CNC Feodo Tracker Reported CnC Server group 17
ET CNC Feodo Tracker Reported CnC Server group 11
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40c038 FlushFileBuffers
0x40c03c MulDiv
0x40c040 VirtualAlloc
0x40c044 MultiByteToWideChar
0x40c048 FindResourceW
0x40c04c LoadResource
0x40c050 SizeofResource
0x40c054 lstrlenA
0x40c058 GetLastError
0x40c05c HeapFree
0x40c060 HeapAlloc
0x40c064 GetCommandLineA
0x40c068 HeapSetInformation
0x40c06c GetStartupInfoW
0x40c070 HeapCreate
0x40c074 GetProcAddress
0x40c078 GetModuleHandleW
0x40c07c ExitProcess
0x40c080 DecodePointer
0x40c084 WriteFile
0x40c088 GetStdHandle
0x40c08c GetModuleFileNameW
0x40c090 EncodePointer
0x40c094 UnhandledExceptionFilter
0x40c098 SetUnhandledExceptionFilter
0x40c09c IsDebuggerPresent
0x40c0a0 TerminateProcess
0x40c0a4 GetCurrentProcess
0x40c0a8 IsProcessorFeaturePresent
0x40c0ac GetModuleFileNameA
0x40c0b0 FreeEnvironmentStringsW
0x40c0b4 WideCharToMultiByte
0x40c0b8 GetEnvironmentStringsW
0x40c0bc SetHandleCount
0x40c0c0 InitializeCriticalSectionAndSpinCount
0x40c0c4 GetFileType
0x40c0c8 DeleteCriticalSection
0x40c0cc TlsAlloc
0x40c0d0 TlsGetValue
0x40c0d4 TlsSetValue
0x40c0d8 TlsFree
0x40c0dc InterlockedIncrement
0x40c0e0 SetLastError
0x40c0e4 GetCurrentThreadId
0x40c0e8 InterlockedDecrement
0x40c0ec QueryPerformanceCounter
0x40c0f0 GetTickCount
0x40c0f4 GetCurrentProcessId
0x40c0f8 GetSystemTimeAsFileTime
0x40c0fc LeaveCriticalSection
0x40c100 EnterCriticalSection
0x40c104 LoadLibraryW
0x40c108 SetFilePointer
0x40c10c GetConsoleCP
0x40c110 GetConsoleMode
0x40c114 GetCPInfo
0x40c118 GetACP
0x40c11c GetOEMCP
0x40c120 IsValidCodePage
0x40c124 Sleep
0x40c128 RtlUnwind
0x40c12c HeapSize
0x40c130 SetStdHandle
0x40c134 WriteConsoleW
0x40c138 LCMapStringW
0x40c13c GetStringTypeW
0x40c140 HeapReAlloc
0x40c144 CreateFileW
0x40c148 CloseHandle
USER32.dll
0x40c150 GetDC
0x40c154 ReleaseDC
0x40c158 LoadImageW
GDI32.dll
0x40c000 DeleteDC
0x40c004 GetDeviceCaps
0x40c008 CreateFontW
0x40c00c SelectPalette
0x40c010 RealizePalette
0x40c014 BitBlt
0x40c018 DeleteObject
0x40c01c GetObjectW
0x40c020 CreateCompatibleDC
0x40c024 SelectObject
0x40c028 GetDIBColorTable
0x40c02c CreatePalette
0x40c030 CreateHalftonePalette
EAT(Export Address Table) is none
KERNEL32.dll
0x40c038 FlushFileBuffers
0x40c03c MulDiv
0x40c040 VirtualAlloc
0x40c044 MultiByteToWideChar
0x40c048 FindResourceW
0x40c04c LoadResource
0x40c050 SizeofResource
0x40c054 lstrlenA
0x40c058 GetLastError
0x40c05c HeapFree
0x40c060 HeapAlloc
0x40c064 GetCommandLineA
0x40c068 HeapSetInformation
0x40c06c GetStartupInfoW
0x40c070 HeapCreate
0x40c074 GetProcAddress
0x40c078 GetModuleHandleW
0x40c07c ExitProcess
0x40c080 DecodePointer
0x40c084 WriteFile
0x40c088 GetStdHandle
0x40c08c GetModuleFileNameW
0x40c090 EncodePointer
0x40c094 UnhandledExceptionFilter
0x40c098 SetUnhandledExceptionFilter
0x40c09c IsDebuggerPresent
0x40c0a0 TerminateProcess
0x40c0a4 GetCurrentProcess
0x40c0a8 IsProcessorFeaturePresent
0x40c0ac GetModuleFileNameA
0x40c0b0 FreeEnvironmentStringsW
0x40c0b4 WideCharToMultiByte
0x40c0b8 GetEnvironmentStringsW
0x40c0bc SetHandleCount
0x40c0c0 InitializeCriticalSectionAndSpinCount
0x40c0c4 GetFileType
0x40c0c8 DeleteCriticalSection
0x40c0cc TlsAlloc
0x40c0d0 TlsGetValue
0x40c0d4 TlsSetValue
0x40c0d8 TlsFree
0x40c0dc InterlockedIncrement
0x40c0e0 SetLastError
0x40c0e4 GetCurrentThreadId
0x40c0e8 InterlockedDecrement
0x40c0ec QueryPerformanceCounter
0x40c0f0 GetTickCount
0x40c0f4 GetCurrentProcessId
0x40c0f8 GetSystemTimeAsFileTime
0x40c0fc LeaveCriticalSection
0x40c100 EnterCriticalSection
0x40c104 LoadLibraryW
0x40c108 SetFilePointer
0x40c10c GetConsoleCP
0x40c110 GetConsoleMode
0x40c114 GetCPInfo
0x40c118 GetACP
0x40c11c GetOEMCP
0x40c120 IsValidCodePage
0x40c124 Sleep
0x40c128 RtlUnwind
0x40c12c HeapSize
0x40c130 SetStdHandle
0x40c134 WriteConsoleW
0x40c138 LCMapStringW
0x40c13c GetStringTypeW
0x40c140 HeapReAlloc
0x40c144 CreateFileW
0x40c148 CloseHandle
USER32.dll
0x40c150 GetDC
0x40c154 ReleaseDC
0x40c158 LoadImageW
GDI32.dll
0x40c000 DeleteDC
0x40c004 GetDeviceCaps
0x40c008 CreateFontW
0x40c00c SelectPalette
0x40c010 RealizePalette
0x40c014 BitBlt
0x40c018 DeleteObject
0x40c01c GetObjectW
0x40c020 CreateCompatibleDC
0x40c024 SelectObject
0x40c028 GetDIBColorTable
0x40c02c CreatePalette
0x40c030 CreateHalftonePalette
EAT(Export Address Table) is none