ScreenShot
Created | 2021.06.25 09:58 | Machine | s1_win7_x6401 |
Filename | CausticMucous.exe | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 44 detected (AIDetect, malware1, malicious, high confidence, Symmi, Artemis, Unsafe, VMProtBad, ZexaF, @F0@aipzYJmj, Attribute, HighConfidence, xxzrbu, R002C0RFJ21, ouwqb, TrojDownloader, kcloud, Tnega, score, TScope, ai score=89, Generic@ML, RDML, xjKuZvbxL4DOO0vXoZ3Q, Static AI, Malicious PE, susgen, confidence, 100%) | ||
md5 | d070d331925d901996e19fda9f21a44b | ||
sha256 | 2db34048692a68cbddb227ac062584706a30d093cdb15fabd5179a3d102a2318 | ||
ssdeep | 98304:zRq+mR3siVf7T7vg4nUlLWyThN50r4Gs5Z371/DpE2RWH39aCMgEU:2Jf7T7vOh7ThNKuZ37Q2R41 | ||
imphash | e710443220febbbe2485d1e6667af815 | ||
impfuzzy | 12:mDYMpH97TvQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:mDLTvQ58QtXJHc9NDI5Q8 |
Network IP location
Signature (17cnts)
Level | Description |
---|---|
danger | File has been identified by 44 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Attempts to modify Internet Explorer's start page |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a shortcut to an executable file |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xca3000 GetProcAddress
WS2_32.dll
0xca3008 gethostname
WLDAP32.dll
0xca3010 None
MSVCR100.dll
0xca3018 ??1exception@std@@UAE@XZ
ADVAPI32.dll
0xca3020 CryptDestroyKey
WTSAPI32.dll
0xca3028 WTSSendMessageW
KERNEL32.dll
0xca3030 VirtualQuery
USER32.dll
0xca3038 GetProcessWindowStation
KERNEL32.dll
0xca3040 LocalAlloc
0xca3044 LocalFree
0xca3048 GetModuleFileNameW
0xca304c GetProcessAffinityMask
0xca3050 SetProcessAffinityMask
0xca3054 SetThreadAffinityMask
0xca3058 Sleep
0xca305c ExitProcess
0xca3060 FreeLibrary
0xca3064 LoadLibraryA
0xca3068 GetModuleHandleA
0xca306c GetProcAddress
USER32.dll
0xca3074 GetProcessWindowStation
0xca3078 GetUserObjectInformationW
EAT(Export Address Table) is none
KERNEL32.dll
0xca3000 GetProcAddress
WS2_32.dll
0xca3008 gethostname
WLDAP32.dll
0xca3010 None
MSVCR100.dll
0xca3018 ??1exception@std@@UAE@XZ
ADVAPI32.dll
0xca3020 CryptDestroyKey
WTSAPI32.dll
0xca3028 WTSSendMessageW
KERNEL32.dll
0xca3030 VirtualQuery
USER32.dll
0xca3038 GetProcessWindowStation
KERNEL32.dll
0xca3040 LocalAlloc
0xca3044 LocalFree
0xca3048 GetModuleFileNameW
0xca304c GetProcessAffinityMask
0xca3050 SetProcessAffinityMask
0xca3054 SetThreadAffinityMask
0xca3058 Sleep
0xca305c ExitProcess
0xca3060 FreeLibrary
0xca3064 LoadLibraryA
0xca3068 GetModuleHandleA
0xca306c GetProcAddress
USER32.dll
0xca3074 GetProcessWindowStation
0xca3078 GetUserObjectInformationW
EAT(Export Address Table) is none