ScreenShot
| Created | 2021.06.19 10:02 | Machine | s1_win7_x6401 |
| Filename | maaacccc..exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 44 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Unsafe, Save, Kryptik, ZexaF, vu0@aSHTY2ei, HSCI, Attribute, HighConfidence, HLJN, NetWiredRC, TRICKBOT, S + Mal, Score, jcaqx, Phonzy, Generic PWS, ai score=83, BScope, Wacatac, Static AI, Malicious PE, GdSda, confidence, 100%) | ||
| md5 | 0061d17ff54d214c5ea6867cb815caea | ||
| sha256 | fd413ec8d9d798c28fc99c0633e6477f6eabc218788ad37c93be4de758a02962 | ||
| ssdeep | 6144:gmoTVbtce+HAeeASCTqdAOaQxM3QLylFzk8x2dQ32/Y/XDzZKa:gnTVbtcmqTi7xM3+yHY84dQmgzzQa | ||
| imphash | 3f4e582201d9606d6a4423609978d670 | ||
| impfuzzy | 24:Bd1z4BrDSBetcpVWjsteS17MdlJBl39xEOovbOxv1jM+2j2FZxCEZHu9rM:fN6SBocpVwsteS17MDpz3R9FZIM | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 44 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | This executable has a PDB path |
Rules (21cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | infoStealer_browser_Zero | browser info stealer | memory |
| warning | infoStealer_emailClients_Zero | email clients info stealer | memory |
| watch | Chrome_User_Data_Check_Zero | Google Chrome User Data Check | memory |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Win_Trojan_agentTesla_Zero | Win.Trojan.agentTesla | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x420000 GetModuleFileNameA
0x420004 VirtualProtect
0x420008 GetCurrentProcess
0x42000c LoadLibraryExA
0x420010 VirtualAllocExNuma
0x420014 ResumeThread
0x420018 OpenProcess
0x42001c Sleep
0x420020 GetTickCount64
0x420024 GetSystemInfo
0x420028 LoadLibraryW
0x42002c GetThreadContext
0x420030 GetProcAddress
0x420034 VirtualAllocEx
0x420038 ExitProcess
0x42003c ReadProcessMemory
0x420040 GlobalMemoryStatusEx
0x420044 GetConsoleWindow
0x420048 WriteConsoleW
0x42004c HeapSize
0x420050 CreateFileW
0x420054 EnterCriticalSection
0x420058 LeaveCriticalSection
0x42005c InitializeCriticalSectionEx
0x420060 DeleteCriticalSection
0x420064 EncodePointer
0x420068 DecodePointer
0x42006c MultiByteToWideChar
0x420070 WideCharToMultiByte
0x420074 LCMapStringEx
0x420078 GetStringTypeW
0x42007c GetCPInfo
0x420080 UnhandledExceptionFilter
0x420084 SetUnhandledExceptionFilter
0x420088 TerminateProcess
0x42008c IsProcessorFeaturePresent
0x420090 QueryPerformanceCounter
0x420094 GetCurrentProcessId
0x420098 GetCurrentThreadId
0x42009c GetSystemTimeAsFileTime
0x4200a0 InitializeSListHead
0x4200a4 IsDebuggerPresent
0x4200a8 GetStartupInfoW
0x4200ac GetModuleHandleW
0x4200b0 RtlUnwind
0x4200b4 RaiseException
0x4200b8 GetLastError
0x4200bc SetLastError
0x4200c0 InitializeCriticalSectionAndSpinCount
0x4200c4 TlsAlloc
0x4200c8 TlsGetValue
0x4200cc TlsSetValue
0x4200d0 TlsFree
0x4200d4 FreeLibrary
0x4200d8 LoadLibraryExW
0x4200dc GetStdHandle
0x4200e0 WriteFile
0x4200e4 GetModuleFileNameW
0x4200e8 GetModuleHandleExW
0x4200ec GetCommandLineA
0x4200f0 GetCommandLineW
0x4200f4 GetFileSizeEx
0x4200f8 SetFilePointerEx
0x4200fc GetFileType
0x420100 FlushFileBuffers
0x420104 GetConsoleCP
0x420108 GetConsoleMode
0x42010c HeapFree
0x420110 CloseHandle
0x420114 WaitForSingleObject
0x420118 GetExitCodeProcess
0x42011c CreateProcessW
0x420120 GetFileAttributesExW
0x420124 HeapAlloc
0x420128 CompareStringW
0x42012c LCMapStringW
0x420130 GetLocaleInfoW
0x420134 IsValidLocale
0x420138 GetUserDefaultLCID
0x42013c EnumSystemLocalesW
0x420140 ReadFile
0x420144 ReadConsoleW
0x420148 HeapReAlloc
0x42014c FindClose
0x420150 FindFirstFileExW
0x420154 FindNextFileW
0x420158 IsValidCodePage
0x42015c GetACP
0x420160 GetOEMCP
0x420164 GetEnvironmentStringsW
0x420168 FreeEnvironmentStringsW
0x42016c SetEnvironmentVariableW
0x420170 SetStdHandle
0x420174 GetProcessHeap
0x420178 SetEndOfFile
USER32.dll
0x420180 ShowWindow
EAT(Export Address Table) is none
KERNEL32.dll
0x420000 GetModuleFileNameA
0x420004 VirtualProtect
0x420008 GetCurrentProcess
0x42000c LoadLibraryExA
0x420010 VirtualAllocExNuma
0x420014 ResumeThread
0x420018 OpenProcess
0x42001c Sleep
0x420020 GetTickCount64
0x420024 GetSystemInfo
0x420028 LoadLibraryW
0x42002c GetThreadContext
0x420030 GetProcAddress
0x420034 VirtualAllocEx
0x420038 ExitProcess
0x42003c ReadProcessMemory
0x420040 GlobalMemoryStatusEx
0x420044 GetConsoleWindow
0x420048 WriteConsoleW
0x42004c HeapSize
0x420050 CreateFileW
0x420054 EnterCriticalSection
0x420058 LeaveCriticalSection
0x42005c InitializeCriticalSectionEx
0x420060 DeleteCriticalSection
0x420064 EncodePointer
0x420068 DecodePointer
0x42006c MultiByteToWideChar
0x420070 WideCharToMultiByte
0x420074 LCMapStringEx
0x420078 GetStringTypeW
0x42007c GetCPInfo
0x420080 UnhandledExceptionFilter
0x420084 SetUnhandledExceptionFilter
0x420088 TerminateProcess
0x42008c IsProcessorFeaturePresent
0x420090 QueryPerformanceCounter
0x420094 GetCurrentProcessId
0x420098 GetCurrentThreadId
0x42009c GetSystemTimeAsFileTime
0x4200a0 InitializeSListHead
0x4200a4 IsDebuggerPresent
0x4200a8 GetStartupInfoW
0x4200ac GetModuleHandleW
0x4200b0 RtlUnwind
0x4200b4 RaiseException
0x4200b8 GetLastError
0x4200bc SetLastError
0x4200c0 InitializeCriticalSectionAndSpinCount
0x4200c4 TlsAlloc
0x4200c8 TlsGetValue
0x4200cc TlsSetValue
0x4200d0 TlsFree
0x4200d4 FreeLibrary
0x4200d8 LoadLibraryExW
0x4200dc GetStdHandle
0x4200e0 WriteFile
0x4200e4 GetModuleFileNameW
0x4200e8 GetModuleHandleExW
0x4200ec GetCommandLineA
0x4200f0 GetCommandLineW
0x4200f4 GetFileSizeEx
0x4200f8 SetFilePointerEx
0x4200fc GetFileType
0x420100 FlushFileBuffers
0x420104 GetConsoleCP
0x420108 GetConsoleMode
0x42010c HeapFree
0x420110 CloseHandle
0x420114 WaitForSingleObject
0x420118 GetExitCodeProcess
0x42011c CreateProcessW
0x420120 GetFileAttributesExW
0x420124 HeapAlloc
0x420128 CompareStringW
0x42012c LCMapStringW
0x420130 GetLocaleInfoW
0x420134 IsValidLocale
0x420138 GetUserDefaultLCID
0x42013c EnumSystemLocalesW
0x420140 ReadFile
0x420144 ReadConsoleW
0x420148 HeapReAlloc
0x42014c FindClose
0x420150 FindFirstFileExW
0x420154 FindNextFileW
0x420158 IsValidCodePage
0x42015c GetACP
0x420160 GetOEMCP
0x420164 GetEnvironmentStringsW
0x420168 FreeEnvironmentStringsW
0x42016c SetEnvironmentVariableW
0x420170 SetStdHandle
0x420174 GetProcessHeap
0x420178 SetEndOfFile
USER32.dll
0x420180 ShowWindow
EAT(Export Address Table) is none