ScreenShot
| Created | 2021.06.24 20:16 | Machine | s1_win7_x6402 |
| Filename | ti.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 17 detected (Artemis, Unsafe, TrojanPSW, LaZagne, malicious, confidence, Python, PSWTool, Bitmin, trK7, Generic PUA FG, Presenoker, BroPass, R002H0DCO21, Hacktool, HgEASRcA) | ||
| md5 | f330bbd9ca047fddd9c946898ae087c8 | ||
| sha256 | 61d6938d0dc7b9d9a7b5c3a63f70e422fb122ba8709ab1dabdc4ab69cebb38ba | ||
| ssdeep | 393216:lSaqO93N2xhDDBGlh2pWNhhovef51htB7pRnS:lSaqO93NSPGQpcW81N7pg | ||
| imphash | bb2292057634957dfa559b6eef7b52d8 | ||
| impfuzzy | 48:CkR9NteS1hEc+ppaRNgT+ONfiQhPmbU1b:lR3teS1hEc+ppEa+C6e8yb | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | Deletes a large number of files from the system indicative of ransomware |
| watch | File has been identified by 17 AntiVirus engines on VirusTotal as malicious |
| notice | Creates executable files on the filesystem |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140022028 GetCommandLineW
0x140022030 GetEnvironmentVariableW
0x140022038 SetEnvironmentVariableW
0x140022040 ExpandEnvironmentStringsW
0x140022048 CreateDirectoryW
0x140022050 GetTempPathW
0x140022058 WaitForSingleObject
0x140022060 Sleep
0x140022068 GetExitCodeProcess
0x140022070 GetStartupInfoW
0x140022078 LoadLibraryExW
0x140022080 CloseHandle
0x140022088 GetCurrentProcess
0x140022090 LocalFree
0x140022098 FormatMessageW
0x1400220a0 LoadLibraryA
0x1400220a8 MultiByteToWideChar
0x1400220b0 WideCharToMultiByte
0x1400220b8 GetProcAddress
0x1400220c0 GetModuleFileNameW
0x1400220c8 SetDllDirectoryW
0x1400220d0 CreateProcessW
0x1400220d8 GetLastError
0x1400220e0 SetEndOfFile
0x1400220e8 HeapReAlloc
0x1400220f0 RtlCaptureContext
0x1400220f8 RtlLookupFunctionEntry
0x140022100 RtlVirtualUnwind
0x140022108 UnhandledExceptionFilter
0x140022110 SetUnhandledExceptionFilter
0x140022118 TerminateProcess
0x140022120 IsProcessorFeaturePresent
0x140022128 QueryPerformanceCounter
0x140022130 GetCurrentProcessId
0x140022138 GetCurrentThreadId
0x140022140 GetSystemTimeAsFileTime
0x140022148 InitializeSListHead
0x140022150 IsDebuggerPresent
0x140022158 GetModuleHandleW
0x140022160 RtlUnwindEx
0x140022168 SetLastError
0x140022170 EnterCriticalSection
0x140022178 LeaveCriticalSection
0x140022180 DeleteCriticalSection
0x140022188 InitializeCriticalSectionAndSpinCount
0x140022190 TlsAlloc
0x140022198 TlsGetValue
0x1400221a0 TlsSetValue
0x1400221a8 TlsFree
0x1400221b0 FreeLibrary
0x1400221b8 GetCommandLineA
0x1400221c0 ReadFile
0x1400221c8 CreateFileW
0x1400221d0 GetDriveTypeW
0x1400221d8 GetFileType
0x1400221e0 PeekNamedPipe
0x1400221e8 SystemTimeToTzSpecificLocalTime
0x1400221f0 FileTimeToSystemTime
0x1400221f8 GetFullPathNameW
0x140022200 RemoveDirectoryW
0x140022208 FindClose
0x140022210 FindFirstFileExW
0x140022218 FindNextFileW
0x140022220 SetStdHandle
0x140022228 SetConsoleCtrlHandler
0x140022230 DeleteFileW
0x140022238 GetStdHandle
0x140022240 WriteFile
0x140022248 ExitProcess
0x140022250 GetModuleHandleExW
0x140022258 GetACP
0x140022260 HeapFree
0x140022268 HeapAlloc
0x140022270 GetConsoleMode
0x140022278 ReadConsoleW
0x140022280 SetFilePointerEx
0x140022288 GetConsoleCP
0x140022290 CompareStringW
0x140022298 LCMapStringW
0x1400222a0 GetCurrentDirectoryW
0x1400222a8 FlushFileBuffers
0x1400222b0 SetEnvironmentVariableA
0x1400222b8 GetFileAttributesExW
0x1400222c0 IsValidCodePage
0x1400222c8 GetOEMCP
0x1400222d0 GetCPInfo
0x1400222d8 GetEnvironmentStringsW
0x1400222e0 FreeEnvironmentStringsW
0x1400222e8 GetStringTypeW
0x1400222f0 GetProcessHeap
0x1400222f8 WriteConsoleW
0x140022300 GetTimeZoneInformation
0x140022308 HeapSize
0x140022310 RaiseException
ADVAPI32.dll
0x140022000 ConvertSidToStringSidW
0x140022008 GetTokenInformation
0x140022010 OpenProcessToken
0x140022018 ConvertStringSecurityDescriptorToSecurityDescriptorW
WS2_32.dll
0x140022320 ntohl
EAT(Export Address Table) is none
KERNEL32.dll
0x140022028 GetCommandLineW
0x140022030 GetEnvironmentVariableW
0x140022038 SetEnvironmentVariableW
0x140022040 ExpandEnvironmentStringsW
0x140022048 CreateDirectoryW
0x140022050 GetTempPathW
0x140022058 WaitForSingleObject
0x140022060 Sleep
0x140022068 GetExitCodeProcess
0x140022070 GetStartupInfoW
0x140022078 LoadLibraryExW
0x140022080 CloseHandle
0x140022088 GetCurrentProcess
0x140022090 LocalFree
0x140022098 FormatMessageW
0x1400220a0 LoadLibraryA
0x1400220a8 MultiByteToWideChar
0x1400220b0 WideCharToMultiByte
0x1400220b8 GetProcAddress
0x1400220c0 GetModuleFileNameW
0x1400220c8 SetDllDirectoryW
0x1400220d0 CreateProcessW
0x1400220d8 GetLastError
0x1400220e0 SetEndOfFile
0x1400220e8 HeapReAlloc
0x1400220f0 RtlCaptureContext
0x1400220f8 RtlLookupFunctionEntry
0x140022100 RtlVirtualUnwind
0x140022108 UnhandledExceptionFilter
0x140022110 SetUnhandledExceptionFilter
0x140022118 TerminateProcess
0x140022120 IsProcessorFeaturePresent
0x140022128 QueryPerformanceCounter
0x140022130 GetCurrentProcessId
0x140022138 GetCurrentThreadId
0x140022140 GetSystemTimeAsFileTime
0x140022148 InitializeSListHead
0x140022150 IsDebuggerPresent
0x140022158 GetModuleHandleW
0x140022160 RtlUnwindEx
0x140022168 SetLastError
0x140022170 EnterCriticalSection
0x140022178 LeaveCriticalSection
0x140022180 DeleteCriticalSection
0x140022188 InitializeCriticalSectionAndSpinCount
0x140022190 TlsAlloc
0x140022198 TlsGetValue
0x1400221a0 TlsSetValue
0x1400221a8 TlsFree
0x1400221b0 FreeLibrary
0x1400221b8 GetCommandLineA
0x1400221c0 ReadFile
0x1400221c8 CreateFileW
0x1400221d0 GetDriveTypeW
0x1400221d8 GetFileType
0x1400221e0 PeekNamedPipe
0x1400221e8 SystemTimeToTzSpecificLocalTime
0x1400221f0 FileTimeToSystemTime
0x1400221f8 GetFullPathNameW
0x140022200 RemoveDirectoryW
0x140022208 FindClose
0x140022210 FindFirstFileExW
0x140022218 FindNextFileW
0x140022220 SetStdHandle
0x140022228 SetConsoleCtrlHandler
0x140022230 DeleteFileW
0x140022238 GetStdHandle
0x140022240 WriteFile
0x140022248 ExitProcess
0x140022250 GetModuleHandleExW
0x140022258 GetACP
0x140022260 HeapFree
0x140022268 HeapAlloc
0x140022270 GetConsoleMode
0x140022278 ReadConsoleW
0x140022280 SetFilePointerEx
0x140022288 GetConsoleCP
0x140022290 CompareStringW
0x140022298 LCMapStringW
0x1400222a0 GetCurrentDirectoryW
0x1400222a8 FlushFileBuffers
0x1400222b0 SetEnvironmentVariableA
0x1400222b8 GetFileAttributesExW
0x1400222c0 IsValidCodePage
0x1400222c8 GetOEMCP
0x1400222d0 GetCPInfo
0x1400222d8 GetEnvironmentStringsW
0x1400222e0 FreeEnvironmentStringsW
0x1400222e8 GetStringTypeW
0x1400222f0 GetProcessHeap
0x1400222f8 WriteConsoleW
0x140022300 GetTimeZoneInformation
0x140022308 HeapSize
0x140022310 RaiseException
ADVAPI32.dll
0x140022000 ConvertSidToStringSidW
0x140022008 GetTokenInformation
0x140022010 OpenProcessToken
0x140022018 ConvertStringSecurityDescriptorToSecurityDescriptorW
WS2_32.dll
0x140022320 ntohl
EAT(Export Address Table) is none