ScreenShot
| Created | 2021.06.25 14:42 | Machine | s1_win7_x6402 |
| Filename | outlook.eml | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 46 detected (AIDetect, malware1, GenericKD, Apost, Unsafe, malicious, ZexaF, Au3@auy4Sqjc, KSDT, Kryptik, HLKH, R002C0PFJ21, Generic@ML, RDMK, hB6E, JZDv4Fe5gwxIXgPcw, MultiPlug, BHFV, kcloud, Malgent, score, AGEN, ai score=85, BScope, OJYzR4Yb4bw, PossibleThreat, susgen, confidence, 100%) | ||
| md5 | 8d15f4990f6b8cc9f996e0ab67fe0d7f | ||
| sha256 | 99f35c93872e9a0267400bc3641d08fffe5b5d3f6bdc06c95fc9ee3ebc76fbe1 | ||
| ssdeep | 6144:ayzQYD9/1TpeSfuLuMeqcC3qVF+gHpZzHTW/rWTY4ML+cp6e3cYbx+Xg/:aydD1RplGqBqxA+EvzH6DWTJOppSXA | ||
| imphash | 0483153b924655a48ec726c0122d224b | ||
| impfuzzy | 24:YTHDolZtdcplQnVv9Gla6/J3If9ljMKQwL:bZtdcpud9TguHQA | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| info | This executable has a PDB path |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x420000 GetFileSize
0x420004 SetFilePointer
0x420008 GetModuleHandleW
0x42000c GetTickCount
0x420010 TlsSetValue
0x420014 ReadFile
0x420018 GetModuleFileNameW
0x42001c CreateFileW
0x420020 GetProcAddress
0x420024 LoadLibraryA
0x420028 LocalAlloc
0x42002c GetModuleHandleA
0x420030 GetSystemTime
0x420034 RaiseException
0x420038 TerminateProcess
0x42003c GetCurrentProcess
0x420040 UnhandledExceptionFilter
0x420044 SetUnhandledExceptionFilter
0x420048 IsDebuggerPresent
0x42004c EnterCriticalSection
0x420050 LeaveCriticalSection
0x420054 InitializeCriticalSectionAndSpinCount
0x420058 EncodePointer
0x42005c DecodePointer
0x420060 RtlUnwind
0x420064 GetStdHandle
0x420068 GetFileType
0x42006c DeleteCriticalSection
0x420070 Sleep
0x420074 GetLastError
0x420078 HeapFree
0x42007c ExitProcess
0x420080 CloseHandle
0x420084 TlsGetValue
0x420088 InterlockedIncrement
0x42008c SetLastError
0x420090 GetCurrentThreadId
0x420094 InterlockedDecrement
0x420098 HeapAlloc
0x42009c FreeLibrary
0x4200a0 LoadLibraryW
0x4200a4 WriteFile
0x4200a8 WideCharToMultiByte
0x4200ac GetConsoleCP
0x4200b0 GetConsoleMode
0x4200b4 FlushFileBuffers
0x4200b8 SetStdHandle
0x4200bc SetEndOfFile
0x4200c0 GetProcessHeap
0x4200c4 MultiByteToWideChar
0x4200c8 GetCPInfo
0x4200cc GetACP
0x4200d0 GetOEMCP
0x4200d4 IsValidCodePage
0x4200d8 IsProcessorFeaturePresent
0x4200dc WriteConsoleW
0x4200e0 LCMapStringW
0x4200e4 GetStringTypeW
0x4200e8 VirtualQuery
USER32.dll
0x4200f0 MessageBoxA
EAT(Export Address Table) is none
KERNEL32.dll
0x420000 GetFileSize
0x420004 SetFilePointer
0x420008 GetModuleHandleW
0x42000c GetTickCount
0x420010 TlsSetValue
0x420014 ReadFile
0x420018 GetModuleFileNameW
0x42001c CreateFileW
0x420020 GetProcAddress
0x420024 LoadLibraryA
0x420028 LocalAlloc
0x42002c GetModuleHandleA
0x420030 GetSystemTime
0x420034 RaiseException
0x420038 TerminateProcess
0x42003c GetCurrentProcess
0x420040 UnhandledExceptionFilter
0x420044 SetUnhandledExceptionFilter
0x420048 IsDebuggerPresent
0x42004c EnterCriticalSection
0x420050 LeaveCriticalSection
0x420054 InitializeCriticalSectionAndSpinCount
0x420058 EncodePointer
0x42005c DecodePointer
0x420060 RtlUnwind
0x420064 GetStdHandle
0x420068 GetFileType
0x42006c DeleteCriticalSection
0x420070 Sleep
0x420074 GetLastError
0x420078 HeapFree
0x42007c ExitProcess
0x420080 CloseHandle
0x420084 TlsGetValue
0x420088 InterlockedIncrement
0x42008c SetLastError
0x420090 GetCurrentThreadId
0x420094 InterlockedDecrement
0x420098 HeapAlloc
0x42009c FreeLibrary
0x4200a0 LoadLibraryW
0x4200a4 WriteFile
0x4200a8 WideCharToMultiByte
0x4200ac GetConsoleCP
0x4200b0 GetConsoleMode
0x4200b4 FlushFileBuffers
0x4200b8 SetStdHandle
0x4200bc SetEndOfFile
0x4200c0 GetProcessHeap
0x4200c4 MultiByteToWideChar
0x4200c8 GetCPInfo
0x4200cc GetACP
0x4200d0 GetOEMCP
0x4200d4 IsValidCodePage
0x4200d8 IsProcessorFeaturePresent
0x4200dc WriteConsoleW
0x4200e0 LCMapStringW
0x4200e4 GetStringTypeW
0x4200e8 VirtualQuery
USER32.dll
0x4200f0 MessageBoxA
EAT(Export Address Table) is none