Field | Value |
---|---|
Created | 2021.07.04 11:06 |
Machine | s1_win7_x6401 |
Filename | paypall.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 22 detected (Unsafe, malicious, confidence, ZexaF, ir3@aGOCoIfQ, Attribute, HighConfidence, FileRepMalware, Artemis, Crypzip, Hynamer, score, HiddenRun, CLASSIC, RedLineStealer, QVM41) |
md5 | 66b4e1480891e217a8d38d63db386ca4 |
sha256 | e328fa8198dd9dfb377612a5ab5d538c84968d4adcb69e4c94d13dd51109ae6e |
ssdeep | 24576:G/T4vv98w3Td4vFSWXIx88d67+z8/0Atl7c1Vg92P13MIUWJAMm2+eYG4pW4:GbkX32vIWYx8K6SYMS1AekdJUEM2wn44 |
imphash | e04eb610508ddb951732064297e50b65 |
impfuzzy | 96:dZeusdRf+3s4+ycMVTXpZI6sSD+4+RGIXUo/X1:HeusdSKwZYSD+49IXn/X1 |
Network IP location
Signature (29cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 22 AntiVirus engines on VirusTotal as malicious |
watch | A process attempted to delay the analysis task. |
watch | A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic or preparations for it. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable uses a known packer |
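The injection-related signatures in this table (suspended process creation, execute permission allocated in another process, a write into another process's memory, NtSetContextThread on a remote thread, a resumed remote thread) each fire on a single API call; the one "danger" verdict at the top comes from their co-occurrence against the same target process. The script below is an added example, not the sandbox's own logic, that correlates a constructed API-call trace into that chain. The trace line format and its field names (child_pid, target_pid, protect, flags) are assumptions about what a sandbox would log, and the verdict labels are mine.

```python
"""Correlate sandbox API-call events into the process-injection chain the
signatures above describe (suspended create -> RWX alloc -> remote write ->
NtSetContextThread -> resume). Added example, not the sandbox's code."""
from typing import Dict, List

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40   # memory protection constant

# Constructed sample trace, NOT taken from the report. One event per line:
#   <caller_pid>|<api>|<key>=<value>;<key>=<value>...
# The field names are assumptions about a trace schema, not the sandbox's real one.
SAMPLE_TRACE = """\
1234|CreateProcessW|path=C:\\Windows\\System32\\svchost.exe;flags=0x4;child_pid=2468;child_tid=2470
1234|NtAllocateVirtualMemory|target_pid=2468;base=0x400000;size=0x2a000;protect=0x40
1234|NtWriteVirtualMemory|target_pid=2468;base=0x400000;size=0x200
1234|NtSetContextThread|target_pid=2468;tid=2470
1234|NtResumeThread|target_pid=2468;tid=2470
5678|CreateProcessW|path=C:\\Windows\\System32\\notepad.exe;flags=0x4;child_pid=9012;child_tid=9014
5678|NtResumeThread|target_pid=9012;tid=9014
"""


def parse_event(line: str) -> dict:
    """Split '<pid>|<api>|k=v;k=v' into a dict; argument values stay strings."""
    pid, api, rest = line.split("|", 2)
    args = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return {"pid": int(pid), "api": api, "args": args}


def _num(value: str) -> int:
    return int(value, 0)            # base 0 accepts both decimal and 0x-hex


def classify(stages: List[str]) -> str:
    """Map the observed stages for one target to a verdict in the report's terms."""
    s = set(stages)
    if {"create_suspended", "remote_write", "set_context", "resume"} <= s:
        return "process_hollowing"      # the report's single 'danger' signature
    if {"remote_write", "resume"} <= s or {"rwx_alloc", "remote_write"} <= s:
        return "suspicious_injection"   # only some of the 'watch' signatures fired
    return "benign"


def analyze_trace(trace: str) -> Dict[int, dict]:
    """Return {target_pid: {'caller': pid, 'stages': [...], 'verdict': str}}."""
    targets: Dict[int, dict] = {}

    def record(caller: int, target: int, stage: str) -> None:
        entry = targets.setdefault(target, {"caller": caller, "stages": []})
        if stage not in entry["stages"]:
            entry["stages"].append(stage)

    for line in trace.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        caller, api, a = ev["pid"], ev["api"], ev["args"]
        if api == "CreateProcessW":
            child = _num(a["child_pid"])
            targets.setdefault(child, {"caller": caller, "stages": []})
            if _num(a["flags"]) & CREATE_SUSPENDED:
                record(caller, child, "create_suspended")
            continue
        # Every remaining API is only interesting when aimed at another process;
        # a VirtualAlloc in the caller's own address space is just unpacking.
        target = _num(a.get("target_pid", str(caller)))
        if target == caller:
            continue
        if api in ("NtAllocateVirtualMemory", "VirtualAllocEx"):
            if _num(a.get("protect", "0")) == PAGE_EXECUTE_READWRITE:
                record(caller, target, "rwx_alloc")
        elif api in ("NtWriteVirtualMemory", "WriteProcessMemory"):
            record(caller, target, "remote_write")
        elif api in ("NtSetContextThread", "SetThreadContext"):
            record(caller, target, "set_context")
        elif api in ("NtResumeThread", "ResumeThread"):
            record(caller, target, "resume")

    for entry in targets.values():
        entry["verdict"] = classify(entry["stages"])
    return targets


if __name__ == "__main__":
    for pid, info in analyze_trace(SAMPLE_TRACE).items():
        print(pid, info["verdict"], " -> ".join(info["stages"]))
```

The second process in the constructed trace is created suspended and resumed without any write or context change in between, which is what a debugger or a launcher that sets up a job object does; keying the verdict on the full chain rather than on any one call is what keeps that case out of the "danger" bucket while the first process, which hits every stage, lands in it.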
Rules (40cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT (Import Address Table) Library
COMCTL32.dll
0x416010 None (no import name; imported by ordinal)
SHELL32.dll
0x416254 SHGetSpecialFolderPathW
0x416258 ShellExecuteW
0x41625c SHGetMalloc
0x416260 SHGetPathFromIDListW
0x416264 SHBrowseForFolderW
0x416268 SHGetFileInfoW
0x41626c ShellExecuteExW
GDI32.dll
0x416018 CreateCompatibleDC
0x41601c CreateFontIndirectW
0x416020 DeleteObject
0x416024 DeleteDC
0x416028 GetCurrentObject
0x41602c StretchBlt
0x416030 GetDeviceCaps
0x416034 CreateCompatibleBitmap
0x416038 SelectObject
0x41603c SetStretchBltMode
0x416040 GetObjectW
ADVAPI32.dll
0x416000 FreeSid
0x416004 AllocateAndInitializeSid
0x416008 CheckTokenMembership
USER32.dll
0x416274 GetWindowLongW
0x416278 GetMenu
0x41627c SetWindowPos
0x416280 GetWindowDC
0x416284 ReleaseDC
0x416288 GetDlgItem
0x41628c GetParent
0x416290 GetWindowRect
0x416294 GetClassNameA
0x416298 CreateWindowExW
0x41629c SetTimer
0x4162a0 GetMessageW
0x4162a4 DispatchMessageW
0x4162a8 KillTimer
0x4162ac DestroyWindow
0x4162b0 SendMessageW
0x4162b4 EndDialog
0x4162b8 wsprintfW
0x4162bc GetWindowTextW
0x4162c0 GetWindowTextLengthW
0x4162c4 GetSysColor
0x4162c8 wsprintfA
0x4162cc SetWindowTextW
0x4162d0 MessageBoxA
0x4162d4 ScreenToClient
0x4162d8 GetClientRect
0x4162dc SetWindowLongW
0x4162e0 UnhookWindowsHookEx
0x4162e4 SetFocus
0x4162e8 GetSystemMetrics
0x4162ec SystemParametersInfoW
0x4162f0 ShowWindow
0x4162f4 DrawTextW
0x4162f8 GetDC
0x4162fc ClientToScreen
0x416300 GetWindow
0x416304 DialogBoxIndirectParamW
0x416308 DrawIconEx
0x41630c CallWindowProcW
0x416310 DefWindowProcW
0x416314 CallNextHookEx
0x416318 PtInRect
0x41631c SetWindowsHookExW
0x416320 LoadImageW
0x416324 LoadIconW
0x416328 MessageBeep
0x41632c EnableWindow
0x416330 IsWindow
0x416334 EnableMenuItem
0x416338 GetSystemMenu
0x41633c CreateWindowExA
0x416340 wvsprintfW
0x416344 CharUpperW
0x416348 GetKeyState
0x41634c CopyImage
ole32.dll
0x416354 CreateStreamOnHGlobal
0x416358 CoCreateInstance
0x41635c CoInitialize
OLEAUT32.dll
0x416240 VariantClear
0x416244 SysFreeString
0x416248 OleLoadPicture
0x41624c SysAllocString
KERNEL32.dll
0x416048 GetFileSize
0x41604c SetFilePointer
0x416050 ReadFile
0x416054 WaitForMultipleObjects
0x416058 GetModuleHandleA
0x41605c SetFileTime
0x416060 SetEndOfFile
0x416064 LeaveCriticalSection
0x416068 EnterCriticalSection
0x41606c DeleteCriticalSection
0x416070 FormatMessageW
0x416074 lstrcpyW
0x416078 LocalFree
0x41607c IsBadReadPtr
0x416080 GetSystemDirectoryW
0x416084 GetCurrentThreadId
0x416088 SuspendThread
0x41608c TerminateThread
0x416090 InitializeCriticalSection
0x416094 ResetEvent
0x416098 SetEvent
0x41609c CreateEventW
0x4160a0 GetVersionExW
0x4160a4 GetModuleFileNameW
0x4160a8 GetCurrentProcess
0x4160ac SetProcessWorkingSetSize
0x4160b0 SetCurrentDirectoryW
0x4160b4 GetDriveTypeW
0x4160b8 CreateFileW
0x4160bc GetCommandLineW
0x4160c0 GetStartupInfoW
0x4160c4 CreateProcessW
0x4160c8 CreateJobObjectW
0x4160cc ResumeThread
0x4160d0 AssignProcessToJobObject
0x4160d4 CreateIoCompletionPort
0x4160d8 SetInformationJobObject
0x4160dc GetQueuedCompletionStatus
0x4160e0 GetExitCodeProcess
0x4160e4 CloseHandle
0x4160e8 SetEnvironmentVariableW
0x4160ec GetTempPathW
0x4160f0 GetSystemTimeAsFileTime
0x4160f4 lstrlenW
0x4160f8 CompareFileTime
0x4160fc SetThreadLocale
0x416100 FindFirstFileW
0x416104 DeleteFileW
0x416108 FindNextFileW
0x41610c FindClose
0x416110 RemoveDirectoryW
0x416114 ExpandEnvironmentStringsW
0x416118 WideCharToMultiByte
0x41611c VirtualAlloc
0x416120 GlobalMemoryStatusEx
0x416124 lstrcmpW
0x416128 GetEnvironmentVariableW
0x41612c lstrcmpiW
0x416130 lstrlenA
0x416134 GetLocaleInfoW
0x416138 MultiByteToWideChar
0x41613c GetUserDefaultUILanguage
0x416140 GetSystemDefaultUILanguage
0x416144 GetSystemDefaultLCID
0x416148 lstrcmpiA
0x41614c GlobalAlloc
0x416150 GlobalFree
0x416154 MulDiv
0x416158 FindResourceExA
0x41615c SizeofResource
0x416160 LoadResource
0x416164 LockResource
0x416168 LoadLibraryA
0x41616c GetProcAddress
0x416170 GetModuleHandleW
0x416174 ExitProcess
0x416178 lstrcatW
0x41617c GetDiskFreeSpaceExW
0x416180 SetFileAttributesW
0x416184 SetLastError
0x416188 Sleep
0x41618c GetExitCodeThread
0x416190 WaitForSingleObject
0x416194 CreateThread
0x416198 GetLastError
0x41619c SystemTimeToFileTime
0x4161a0 GetLocalTime
0x4161a4 GetFileAttributesW
0x4161a8 CreateDirectoryW
0x4161ac WriteFile
0x4161b0 GetStdHandle
0x4161b4 VirtualFree
0x4161b8 GetStartupInfoA
MSVCRT.dll
0x4161c0 ??3@YAXPAX@Z
0x4161c4 ??2@YAPAXI@Z
0x4161c8 memcmp
0x4161cc memcpy
0x4161d0 _wtol
0x4161d4 _controlfp
0x4161d8 _except_handler3
0x4161dc __set_app_type
0x4161e0 __p__fmode
0x4161e4 __p__commode
0x4161e8 _adjust_fdiv
0x4161ec __setusermatherr
0x4161f0 _initterm
0x4161f4 __getmainargs
0x4161f8 _acmdln
0x4161fc exit
0x416200 _XcptFilter
0x416204 _exit
0x416208 ??1type_info@@UAE@XZ
0x41620c _onexit
0x416210 __dllonexit
0x416214 _CxxThrowException
0x416218 _beginthreadex
0x41621c _EH_prolog
0x416220 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z
0x416224 memset
0x416228 _wcsnicmp
0x41622c strncmp
0x416230 wcsncmp
0x416234 memmove
0x416238 _purecall
EAT (Export Address Table): none
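The listing above is only the static import table. As an added example (not the sandbox's code, and not from the sample's author), the following parses that exact listing layout and applies a handful of import-combination heuristics chosen to line up with the report's own findings: LoadLibraryA plus GetProcAddress (dynamic resolution, which is why NtSetContextThread and the remote-write APIs named in the Signature table never appear in the IAT), CreateProcessW with SuspendThread/ResumeThread, SetWindowsHookExW/CallNextHookEx/GetKeyState (the KeyLogger and win_hook rules), SHGetSpecialFolderPathW with CreateFileW/WriteFile (the drop into the user profile), GlobalMemoryStatusEx/GetDiskFreeSpaceExW (the memory and disk-size checks) and the GDI capture calls (the ScreenShot rule). IAT_EXCERPT is copied from the listing above and trimmed to the entries the rules consult; the rule names and the split into all-of/any-of sets are my labels.

```python
"""Static import-based capability triage over the IAT listing format used on
this page. Added example; not the sandbox's own logic."""
import re
from typing import Dict, List

# Excerpt copied from the report's IAT listing (same layout), trimmed to the
# entries the rules consult. "None" as a name marks an import by ordinal.
IAT_EXCERPT = """\
COMCTL32.dll
0x416010 None
SHELL32.dll
0x416254 SHGetSpecialFolderPathW
GDI32.dll
0x41602c StretchBlt
0x416034 CreateCompatibleBitmap
ADVAPI32.dll
0x416004 AllocateAndInitializeSid
0x416008 CheckTokenMembership
USER32.dll
0x416280 GetWindowDC
0x416314 CallNextHookEx
0x41631c SetWindowsHookExW
0x416348 GetKeyState
KERNEL32.dll
0x416088 SuspendThread
0x4160b8 CreateFileW
0x4160c4 CreateProcessW
0x4160c8 CreateJobObjectW
0x4160cc ResumeThread
0x4160d0 AssignProcessToJobObject
0x416120 GlobalMemoryStatusEx
0x416168 LoadLibraryA
0x41616c GetProcAddress
0x41617c GetDiskFreeSpaceExW
0x416180 SetFileAttributesW
0x4161ac WriteFile
EAT(Export Address Table) is none
"""

ENTRY = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)$")

# Rule = (APIs that must all be present, APIs of which at least one must be
# present; empty second set = no such requirement). Names are my labels.
CAPABILITY_RULES = {
    "dynamic_api_resolution": ({"LoadLibraryA", "GetProcAddress"}, set()),
    "process_thread_control": ({"CreateProcessW"}, {"ResumeThread", "SuspendThread"}),
    "keyboard_hook":          ({"SetWindowsHookExW", "CallNextHookEx"}, {"GetKeyState"}),
    "drop_file_user_profile": ({"SHGetSpecialFolderPathW", "CreateFileW", "WriteFile"}, {"SetFileAttributesW"}),
    "group_membership_check": ({"AllocateAndInitializeSid", "CheckTokenMembership"}, set()),
    "vm_resource_probe":      (set(), {"GlobalMemoryStatusEx", "GetDiskFreeSpaceExW"}),
    "screen_capture":         ({"CreateCompatibleBitmap", "StretchBlt"}, {"GetWindowDC", "GetDC"}),
    "job_object_control":     ({"CreateJobObjectW", "AssignProcessToJobObject"}, set()),
}

# APIs the behavioural signatures attribute to the sample that are absent from
# its IAT; with dynamic_api_resolution present, that is the expected picture.
BEHAVIOUR_APIS = ["NtSetContextThread", "WriteProcessMemory", "NtWriteVirtualMemory"]


def parse_iat(text: str) -> Dict[str, List[str]]:
    """Return {dll_lowercase: [api, ...]} from the page's listing layout."""
    imports: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            if current is None:
                raise ValueError(f"import entry before any DLL header: {line}")
            if m.group(2) != "None":          # nameless entry = import by ordinal
                imports[current].append(m.group(2))
        elif " " not in line:                  # a bare DLL name starts a new group
            current = line.lower()
            imports.setdefault(current, [])
        # anything else (section titles, the 'EAT ... is none' line) is ignored
    return imports


def present_apis(imports: Dict[str, List[str]]) -> set:
    return {api for apis in imports.values() for api in apis}


def capabilities(imports: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {capability: [matching APIs]} for every rule whose sets are satisfied."""
    present = present_apis(imports)
    found: Dict[str, List[str]] = {}
    for name, (need_all, need_any) in CAPABILITY_RULES.items():
        if need_all <= present and (not need_any or need_any & present):
            found[name] = sorted((need_all | need_any) & present)
    return found


def not_statically_imported(imports: Dict[str, List[str]], names: List[str]) -> List[str]:
    """APIs from `names` the IAT never references (resolved at run time instead)."""
    present = present_apis(imports)
    return [n for n in names if n not in present]


if __name__ == "__main__":
    imp = parse_iat(IAT_EXCERPT)
    for cap, apis in capabilities(imp).items():
        print(f"{cap:24s} {', '.join(apis)}")
    print("behaviour-only APIs:", not_statically_imported(imp, BEHAVIOUR_APIS))
```

Treat the output as a triage hint, not a verdict: the report flags a known packer and the UPX_Zero rule, so the IAT understates what actually runs, and the Collection column of the Rules table shows that most of the rule matches came from process memory rather than from the file on disk. Import-based hints are most useful for deciding which behavioural signatures to look at first and for explaining why an API seen in the trace is missing from the static view.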