ScreenShot
| Created | 2021.07.03 18:29 | Machine | s1_win7_x6401 |
| Filename | preloader.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 34 detected (AIDetect, malware2, malicious, high confidence, guW@aKTiSUoi, Unsafe, Save, Attribute, HighConfidence, AGEN, Artemis, Wacatac, score, ai score=89, R002H09G221, PossibleThreat, confidence) | ||
| md5 | 9ef7986267bda788fec22557df41e6f1 | ||
| sha256 | 5edf36f66a907a94f784312aba40f5090418e4a1b404d53d88965ad11fdeec20 | ||
| ssdeep | 3072:z2kNdv6G5BHlLjBRQHiabSttu1wY/q8qhcLskyh7ppkCvPx3:KkN/jF+HbfwY/k7kq53 | ||
| imphash | 379eeb3dff6fa63dd79e7b6f6a70f460 | ||
| impfuzzy | 24:dPOYdMUZtMS17bJnc+pl3eDoTZoEOovbOIhvRRZHu9Fhyj52hb:5OYbtMS17lc+pp/Zc3Wowtub | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process preloader.exe |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| info | Collects information to fingerprint the system (MachineGuid |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x413008 GetLastError
0x41300c DeleteFileW
0x413010 CreateFileW
0x413014 CreateProcessW
0x413018 OpenMutexW
0x41301c DecodePointer
0x413020 CloseHandle
0x413024 Sleep
0x413028 WriteFile
0x41302c GetConsoleMode
0x413030 GetConsoleOutputCP
0x413034 FlushFileBuffers
0x413038 HeapReAlloc
0x41303c HeapSize
0x413040 SetFilePointerEx
0x413044 GetProcessHeap
0x413048 UnhandledExceptionFilter
0x41304c SetUnhandledExceptionFilter
0x413050 GetCurrentProcess
0x413054 TerminateProcess
0x413058 IsProcessorFeaturePresent
0x41305c QueryPerformanceCounter
0x413060 GetCurrentProcessId
0x413064 GetCurrentThreadId
0x413068 GetSystemTimeAsFileTime
0x41306c InitializeSListHead
0x413070 IsDebuggerPresent
0x413074 GetStartupInfoW
0x413078 GetModuleHandleW
0x41307c RtlUnwind
0x413080 SetLastError
0x413084 EnterCriticalSection
0x413088 LeaveCriticalSection
0x41308c DeleteCriticalSection
0x413090 InitializeCriticalSectionAndSpinCount
0x413094 TlsAlloc
0x413098 TlsGetValue
0x41309c TlsSetValue
0x4130a0 TlsFree
0x4130a4 FreeLibrary
0x4130a8 GetProcAddress
0x4130ac LoadLibraryExW
0x4130b0 RaiseException
0x4130b4 GetStdHandle
0x4130b8 GetModuleFileNameW
0x4130bc ExitProcess
0x4130c0 GetModuleHandleExW
0x4130c4 GetCommandLineA
0x4130c8 GetCommandLineW
0x4130cc HeapFree
0x4130d0 HeapAlloc
0x4130d4 GetFileType
0x4130d8 FindClose
0x4130dc FindFirstFileExW
0x4130e0 FindNextFileW
0x4130e4 IsValidCodePage
0x4130e8 GetACP
0x4130ec GetOEMCP
0x4130f0 GetCPInfo
0x4130f4 MultiByteToWideChar
0x4130f8 WideCharToMultiByte
0x4130fc GetEnvironmentStringsW
0x413100 FreeEnvironmentStringsW
0x413104 SetEnvironmentVariableW
0x413108 SetStdHandle
0x41310c GetStringTypeW
0x413110 CompareStringW
0x413114 LCMapStringW
0x413118 WriteConsoleW
ADVAPI32.dll
0x413000 RegGetValueA
WININET.dll
0x413120 InternetSetOptionW
0x413124 InternetConnectW
0x413128 InternetCloseHandle
0x41312c HttpSendRequestW
0x413130 InternetReadFile
0x413134 HttpQueryInfoW
0x413138 InternetOpenW
0x41313c InternetOpenUrlW
0x413140 HttpOpenRequestW
0x413144 InternetCrackUrlW
EAT(Export Address Table) is none
KERNEL32.dll
0x413008 GetLastError
0x41300c DeleteFileW
0x413010 CreateFileW
0x413014 CreateProcessW
0x413018 OpenMutexW
0x41301c DecodePointer
0x413020 CloseHandle
0x413024 Sleep
0x413028 WriteFile
0x41302c GetConsoleMode
0x413030 GetConsoleOutputCP
0x413034 FlushFileBuffers
0x413038 HeapReAlloc
0x41303c HeapSize
0x413040 SetFilePointerEx
0x413044 GetProcessHeap
0x413048 UnhandledExceptionFilter
0x41304c SetUnhandledExceptionFilter
0x413050 GetCurrentProcess
0x413054 TerminateProcess
0x413058 IsProcessorFeaturePresent
0x41305c QueryPerformanceCounter
0x413060 GetCurrentProcessId
0x413064 GetCurrentThreadId
0x413068 GetSystemTimeAsFileTime
0x41306c InitializeSListHead
0x413070 IsDebuggerPresent
0x413074 GetStartupInfoW
0x413078 GetModuleHandleW
0x41307c RtlUnwind
0x413080 SetLastError
0x413084 EnterCriticalSection
0x413088 LeaveCriticalSection
0x41308c DeleteCriticalSection
0x413090 InitializeCriticalSectionAndSpinCount
0x413094 TlsAlloc
0x413098 TlsGetValue
0x41309c TlsSetValue
0x4130a0 TlsFree
0x4130a4 FreeLibrary
0x4130a8 GetProcAddress
0x4130ac LoadLibraryExW
0x4130b0 RaiseException
0x4130b4 GetStdHandle
0x4130b8 GetModuleFileNameW
0x4130bc ExitProcess
0x4130c0 GetModuleHandleExW
0x4130c4 GetCommandLineA
0x4130c8 GetCommandLineW
0x4130cc HeapFree
0x4130d0 HeapAlloc
0x4130d4 GetFileType
0x4130d8 FindClose
0x4130dc FindFirstFileExW
0x4130e0 FindNextFileW
0x4130e4 IsValidCodePage
0x4130e8 GetACP
0x4130ec GetOEMCP
0x4130f0 GetCPInfo
0x4130f4 MultiByteToWideChar
0x4130f8 WideCharToMultiByte
0x4130fc GetEnvironmentStringsW
0x413100 FreeEnvironmentStringsW
0x413104 SetEnvironmentVariableW
0x413108 SetStdHandle
0x41310c GetStringTypeW
0x413110 CompareStringW
0x413114 LCMapStringW
0x413118 WriteConsoleW
ADVAPI32.dll
0x413000 RegGetValueA
WININET.dll
0x413120 InternetSetOptionW
0x413124 InternetConnectW
0x413128 InternetCloseHandle
0x41312c HttpSendRequestW
0x413130 InternetReadFile
0x413134 HttpQueryInfoW
0x413138 InternetOpenW
0x41313c InternetOpenUrlW
0x413140 HttpOpenRequestW
0x413144 InternetCrackUrlW
EAT(Export Address Table) is none