Field | Value |
---|---|
Created | 2021.07.19 10:55 |
Machine | s1_win7_x6402 |
Filename | build.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 25 detected (malicious, high confidence, Unsafe, Save, Kryptik, Eldorado, Attribute, HighConfidence, FileRepMalware, StopCrypt, score, MachineLearning, Anomalous, Static AI, Malicious PE, GenKryptik, ERHN, susgen, confidence, 100%, QVM10) |
md5 | e6bf9a1d8f14d2e1f07976f93dfc554e |
sha256 | 20678f2e7e17e41244136f05f81ac066025b0575f4b34963ae4131cff9467602 |
ssdeep | 12288:/CtcEB57sSlLMnZhPjDeFNFVdKhevnbfgy4:VEDTNmVjDYVdKhevbfgy4 |
imphash | 52c37101f2973085af5ed972e3b0d2d3 |
impfuzzy | 48:k3u2trZ1TOFwLUYkvbdNp07Bk9t8JofvwTcfhI:k33trZpLjuB09k9tAofvccfhI |
Network IP location
Signature (45cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Installs itself for autorun at Windows startup |
watch | Network activity contains more than one unique useragent |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the processes build.exe |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries for potentially installed applications |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (31cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_Zero | RedLine stealer | binaries (download) |
danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | memory |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | infoStealer_browser_Zero | browser info stealer | memory |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Win_Trojan_agentTesla_Zero | Win.Trojan.agentTesla | memory |
Network (20cnts)
Suricata ids
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO TLS Handshake Failure
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET INFO HTTP Request to a *.top domain
ET MALWARE Vidar/Arkei Stealer Client Data Upload
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x401000 InterlockedPopEntrySList
0x401004 EnumDateFormatsW
0x401008 LeaveCriticalSection
0x40100c GetConsoleAliasesLengthA
0x401010 CreateTapePartition
0x401014 GetLongPathNameW
0x401018 GetUserDefaultLangID
0x40101c AddRefActCtx
0x401020 GetCPInfoExA
0x401024 WriteConsoleInputW
0x401028 ReadConsoleInputW
0x40102c GetTapeParameters
0x401030 WaitCommEvent
0x401034 GetNumaNodeProcessorMask
0x401038 GetConsoleCP
0x40103c VerifyVersionInfoA
0x401040 WaitNamedPipeW
0x401044 CreateMutexA
0x401048 WriteConsoleW
0x40104c GetLastError
0x401050 CreateFileA
0x401054 DeleteFileW
0x401058 WritePrivateProfileSectionA
0x40105c GetPrivateProfileSectionW
0x401060 EnumDateFormatsExW
0x401064 SetStdHandle
0x401068 LoadLibraryW
0x40106c IsDebuggerPresent
0x401070 FindFirstVolumeW
0x401074 WriteFile
0x401078 BuildCommDCBW
0x40107c FindActCtxSectionStringW
0x401080 VerLanguageNameW
0x401084 AreFileApisANSI
0x401088 WriteProcessMemory
0x40108c RequestWakeupLatency
0x401090 PeekConsoleInputA
0x401094 SetEvent
0x401098 IsBadReadPtr
0x40109c Sleep
0x4010a0 WaitForSingleObject
0x4010a4 LoadResource
0x4010a8 GetCPInfo
0x4010ac FreeConsole
0x4010b0 SetConsoleCtrlHandler
0x4010b4 SetConsoleTitleW
0x4010b8 GetCurrentConsoleFont
0x4010bc SetConsoleTextAttribute
0x4010c0 AttachConsole
0x4010c4 GetConsoleAliasesLengthW
0x4010c8 ReadConsoleA
0x4010cc ReadConsoleOutputW
0x4010d0 GetSystemWindowsDirectoryW
0x4010d4 GetStringTypeW
0x4010d8 BuildCommDCBAndTimeoutsW
0x4010dc HeapUnlock
0x4010e0 HeapLock
0x4010e4 GetAtomNameW
0x4010e8 HeapReAlloc
0x4010ec HeapCompact
0x4010f0 GetGeoInfoW
0x4010f4 GetCurrentProcess
0x4010f8 GetProcAddress
0x4010fc GetModuleHandleA
0x401100 CreateThread
0x401104 GetVersionExW
0x401108 GetOEMCP
0x40110c WaitForMultipleObjects
0x401110 VerifyVersionInfoW
0x401114 WriteConsoleOutputCharacterA
0x401118 LocalAlloc
0x40111c SetMailslotInfo
0x401120 GetCPInfoExW
0x401124 SetEnvironmentVariableW
0x401128 SetCalendarInfoA
0x40112c GetComputerNameW
0x401130 GetConsoleWindow
0x401134 PostQueuedCompletionStatus
0x401138 SetFileApisToOEM
0x40113c GetStringTypeA
0x401140 HeapSize
0x401144 GetDiskFreeSpaceA
0x401148 GetModuleHandleW
0x40114c ExitProcess
0x401150 UnhandledExceptionFilter
0x401154 SetUnhandledExceptionFilter
0x401158 GetCommandLineA
0x40115c GetStartupInfoA
0x401160 HeapAlloc
0x401164 TlsGetValue
0x401168 TlsAlloc
0x40116c TlsSetValue
0x401170 TlsFree
0x401174 InterlockedIncrement
0x401178 SetLastError
0x40117c GetCurrentThreadId
0x401180 InterlockedDecrement
0x401184 GetStdHandle
0x401188 GetModuleFileNameA
0x40118c DeleteCriticalSection
0x401190 EnterCriticalSection
0x401194 TerminateProcess
0x401198 LoadLibraryA
0x40119c InitializeCriticalSectionAndSpinCount
0x4011a0 SetFilePointer
0x4011a4 SetHandleCount
0x4011a8 GetFileType
0x4011ac FreeEnvironmentStringsA
0x4011b0 GetEnvironmentStrings
0x4011b4 FreeEnvironmentStringsW
0x4011b8 WideCharToMultiByte
0x4011bc GetEnvironmentStringsW
0x4011c0 HeapCreate
0x4011c4 VirtualFree
0x4011c8 HeapFree
0x4011cc QueryPerformanceCounter
0x4011d0 GetTickCount
0x4011d4 GetCurrentProcessId
0x4011d8 GetSystemTimeAsFileTime
0x4011dc VirtualAlloc
0x4011e0 GetACP
0x4011e4 IsValidCodePage
0x4011e8 RtlUnwind
0x4011ec GetLocaleInfoA
0x4011f0 GetConsoleMode
0x4011f4 FlushFileBuffers
0x4011f8 MultiByteToWideChar
0x4011fc LCMapStringA
0x401200 LCMapStringW
0x401204 WriteConsoleA
0x401208 GetConsoleOutputCP
0x40120c CloseHandle
EAT (Export Address Table) Library
0x493800 @GetSecondVice@0