Field | Value |
---|---|
Created | 2021.06.25 10:11 |
Machine | s1_win7_x6402 |
Filename | moonitor-setup.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 58 detected (AIDetect, malware2, malicious, high confidence, Small, GenericRXAC, Unsafe, Save, Poison, confidence, 100%, GenTroj, Eldorado, ggrf, cbeljp, Gencirc, Xorist, ET@4mg4hg, MulDrop8, Detect, VBINDER, A + Troj, Static AI, Suspicious PE, abtg, Score, AGEN, tnhw, R72119, ai score=100, Bladabindi, Njrat, CLASSIC, GenAsa, UkYT, susgen) |
md5 | 9f105a70f86071d39afad31c14c6c9c2 |
sha256 | 6aa436d8c7a5205a40ae1a806dec9d00c2161029fcd16aee21575e246e5c474c |
ssdeep | 49152:YeAKdvi9IP/UU54GEaCgKB2z0glD0zNZj:YM/UU54GZNrz0aDuPj |
imphash | d5d9d937853db8b666bd4b525813d7bd |
impfuzzy | 24:ESQItOovgu2DzIpMjtO4oEU/1T3+SQSLCw3nQnA0vxtKdAhS:EhI4Y4ol/1T34SeunB0vXKGE |
Signature (38cnts)
Level | Description |
---|---|
danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates executable memory in another process, indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | Installs itself for autorun at Windows startup |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process, potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process, indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries for potentially installed applications |
notice | Queries the disk size, which can be used to detect a virtual machine with a small fixed-size or dynamically allocated disk |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (42cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Network (6cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
SURICATA HTTP unable to match response to request
PE API
IAT (Import Address Table) Library
shlwapi.dll
0x40207c PathFindFileNameA
kernel32.dll
0x402000 LockResource
0x402004 lstrlenA
0x402008 CloseHandle
0x40200c CreateFileA
0x402010 ExitProcess
0x402014 FindResourceA
0x402018 FreeResource
0x40201c GetCommandLineA
0x402020 GetEnvironmentVariableA
0x402024 GetFileSize
0x402028 GetModuleFileNameA
0x40202c GetModuleHandleA
0x402030 GetProcAddress
0x402034 GetProcessHeap
0x402038 GetSystemDirectoryA
0x40203c GetTempPathA
0x402040 GetWindowsDirectoryA
0x402044 GlobalAlloc
0x402048 GlobalFree
0x40204c HeapAlloc
0x402050 HeapFree
0x402054 LoadLibraryA
0x402058 LoadResource
0x40205c lstrcpynA
0x402060 RtlMoveMemory
0x402064 SetFileAttributesA
0x402068 SizeofResource
0x40206c WriteFile
0x402070 lstrcatA
0x402074 lstrcpyA
user32.dll
0x402084 CreateWindowExA
0x402088 DefWindowProcA
0x40208c DispatchMessageA
0x402090 GetMessageA
0x402094 LoadCursorA
0x402098 LoadIconA
0x40209c MessageBoxA
0x4020a0 PostQuitMessage
0x4020a4 RegisterClassExA
0x4020a8 SendMessageA
0x4020ac ShowWindow
0x4020b0 TranslateMessage
0x4020b4 UpdateWindow
EAT (Export Address Table): none
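The import table is worth reading against the behaviour signatures above. Statically the sample imports only resource handling (FindResourceA, LoadResource, LockResource, SizeofResource), file writing (GetTempPathA, CreateFileA, WriteFile, SetFileAttributesA) and dynamic resolution (LoadLibraryA, GetProcAddress); the process-injection primitives the sandbox observed (NtSetContextThread, resuming a suspended remote thread) are absent from the IAT, which is consistent with a small dropper that unpacks an embedded PE from its resources, writes it under %TEMP%, and resolves the rest of its API at runtime. The Python script below is an added example, not part of this report or of the sample: it embeds the DLL and function names exactly as listed above (constructed from the listing, addresses dropped), recomputes an imphash over them with the recipe pefile uses (lower-cased dll.func pairs, DLL extension stripped, md5 of the comma-joined list in import-directory order), and flags the API combinations with capability sets of my own choosing. The set names, the verdict wording, and the injection-API list used as a negative check are assumptions, not sandbox output.

```python
"""Static triage of an import table: imphash recompute plus capability flags.

Added example; not part of the sandbox report or the analysed sample.
The import names below are constructed from the IAT listing in the report.
"""
import hashlib

# Import table as printed in the report, in listing order (shlwapi, kernel32,
# user32). IAT addresses are dropped; only DLL and function names are used.
REPORTED_IMPORTS = {
    "shlwapi.dll": ["PathFindFileNameA"],
    "kernel32.dll": [
        "LockResource", "lstrlenA", "CloseHandle", "CreateFileA", "ExitProcess",
        "FindResourceA", "FreeResource", "GetCommandLineA",
        "GetEnvironmentVariableA", "GetFileSize", "GetModuleFileNameA",
        "GetModuleHandleA", "GetProcAddress", "GetProcessHeap",
        "GetSystemDirectoryA", "GetTempPathA", "GetWindowsDirectoryA",
        "GlobalAlloc", "GlobalFree", "HeapAlloc", "HeapFree", "LoadLibraryA",
        "LoadResource", "lstrcpynA", "RtlMoveMemory", "SetFileAttributesA",
        "SizeofResource", "WriteFile", "lstrcatA", "lstrcpyA",
    ],
    "user32.dll": [
        "CreateWindowExA", "DefWindowProcA", "DispatchMessageA", "GetMessageA",
        "LoadCursorA", "LoadIconA", "MessageBoxA", "PostQuitMessage",
        "RegisterClassExA", "SendMessageA", "ShowWindow", "TranslateMessage",
        "UpdateWindow",
    ],
}

# Capability sets (assumption: chosen for this example, not sandbox rules).
# A set matches only when every listed API is present in the import table.
# The last set is the classic kernel32 hollowing trio; its absence while the
# sandbox still saw injection means those calls were resolved at runtime.
CAPABILITIES = {
    "reads an embedded payload from a PE resource":
        {"FindResourceA", "LoadResource", "LockResource", "SizeofResource"},
    "writes a file under %TEMP%":
        {"GetTempPathA", "CreateFileA", "WriteFile"},
    "changes attributes of a written file (e.g. hidden)":
        {"SetFileAttributesA"},
    "resolves further APIs at runtime":
        {"LoadLibraryA", "GetProcAddress"},
    "process injection visible in the IAT":
        {"WriteProcessMemory", "SetThreadContext", "ResumeThread"},
}


def imphash(imports):
    """Recompute the imphash as pefile does: for each DLL in import-directory
    order, lower-case it, strip a .dll/.ocx/.sys extension, emit 'dll.func'
    per import (ordinals as 'ordN'), then md5 the comma-joined list."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in funcs:
            # Ordinal-only imports: pefile maps a few well-known ordinals
            # (ws2_32, oleaut32) to names; this simplification always uses ordN.
            name = func if isinstance(func, str) else "ord%d" % func
            parts.append("%s.%s" % (lib, name.lower()))
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def capabilities(imports, rules=CAPABILITIES):
    """Return {capability: bool} for each rule, matching case-insensitively."""
    imported = {f.lower() for funcs in imports.values()
                for f in funcs if isinstance(f, str)}
    return {name: all(api.lower() in imported for api in apis)
            for name, apis in rules.items()}


def triage(imports):
    """Summarise imphash, capability flags and a coarse verdict: 'dropper-like'
    when resource extraction and a %TEMP% write co-occur in the same IAT."""
    caps = capabilities(imports)
    dropper = (caps["reads an embedded payload from a PE resource"]
               and caps["writes a file under %TEMP%"])
    return {"imphash": imphash(imports), "capabilities": caps,
            "verdict": "dropper-like" if dropper else "no dropper pattern"}


if __name__ == "__main__":
    result = triage(REPORTED_IMPORTS)
    print("imphash :", result["imphash"])
    for name, present in result["capabilities"].items():
        print("  [%s] %s" % ("x" if present else " ", name))
    print("verdict :", result["verdict"])
```

Run it as a script to print the imphash and the capability checklist. The recomputed hash equals the report's imphash field only if the listing above preserves the order of the binary's import directory and the binary has no ordinal-only imports from DLLs pefile knows by name; a mismatch is most likely one of those two differences rather than a different algorithm. The capability flags are a static first pass only: an IAT with none of the injection APIs says nothing about what GetProcAddress resolves later, which is exactly why the dynamic signatures above carry the "danger" verdict.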