ScreenShot
| Created | 2021.07.19 11:07 | Machine | s1_win7_x6402 |
| Filename | zxcv.EXE | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 45 detected (AIDetect, malware1, Chapak, malicious, high confidence, GenericKD, Unsafe, Save, ZevbaF, mn0@amUBMcA, EPQK, Trojanx, ezur, CLASSIC, Generic ML PUA, Siggen14, R002C0PGF21, Static AI, Suspicious PE, ai score=87, kcloud, Racealer, score, GenericRXPE, BScope, TrojanPSW, Stelega, RaccoonStealer, GdSda, confidence, 100%, HgIASYkA) | ||
| md5 | e0ee46172e94ab9aaed4f27dc2aab72a | ||
| sha256 | 37ab9185008d63309815a1bc846dcc7067374a8833b49f2bfa6f96fd784f35e9 | ||
| ssdeep | 24576:RZJWUupjq4JmaRO+I/2v+nQ1npPBmksd0e486EyO:RkpjfgChI/pahBoeeP | ||
| imphash | d98bce45dab9a77041968f41ed47c4c3 | ||
| impfuzzy | 48:jnj/48mEl/1wzQwgbgRxl3Yl39pCq9f4Tz2FNjWcQhHw+pHxmkS1wDDlxDTSwpw8:jnjoEl/1GQfbgRxluNpCq9fAz2FNjWck | ||
Network IP location
Signature (63cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| danger | Disables Windows Security features |
| danger | Executed a process and injected code into it |
| warning | Generates some ICMP traffic |
| watch | A process attempted to delay the analysis task. |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
| watch | Checks the CPU name from registry |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| watch | Deletes a large number of files from the system indicative of ransomware |
| watch | Detects VirtualBox using WNetGetProviderName trick |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Installs an hook procedure to monitor for mouse events |
| watch | Installs itself for autorun at Windows startup |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Network activity contains more than one unique useragent |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | The process powershell.exe wrote an executable file to disk |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the processes gdsfbnvfghsrf.exe |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (47cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | memory |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | JPEG_Format_Zero | JPEG Format | binaries (download) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (38cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE AZORult v3.3 Server Response M2
ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE AZORult v3.3 Server Response M2
ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
PE API
IAT(Import Address Table) Library
ADVAPI32.DLL
0x401000 RegOpenKeyExW
0x401004 CryptCreateHash
0x401008 CryptDecrypt
0x40100c RegCloseKey
0x401010 CryptAcquireContextW
0x401014 CryptDeriveKey
KERNEL32.DLL
0x40101c VirtualAlloc
0x401020 RtlMoveMemory
0x401024 CloseHandle
0x401028 GetTickCount
0x40102c WriteFile
0x401030 RtlFillMemory
MSVBVM60.DLL
0x401038 __vbaVarSub
0x40103c _CIcos
0x401040 _adj_fptan
0x401044 __vbaStrI4
0x401048 __vbaVarMove
0x40104c __vbaVarVargNofree
0x401050 __vbaFreeVar
0x401054 __vbaStrVarMove
0x401058 __vbaFreeVarList
0x40105c _adj_fdiv_m64
0x401060 None
0x401064 _adj_fprem1
0x401068 __vbaStrCat
0x40106c __vbaHresultCheckObj
0x401070 _adj_fdiv_m32
0x401074 __vbaAryDestruct
0x401078 None
0x40107c __vbaObjSet
0x401080 None
0x401084 _adj_fdiv_m16i
0x401088 __vbaObjSetAddref
0x40108c _adj_fdivr_m16i
0x401090 __vbaRefVarAry
0x401094 _CIsin
0x401098 __vbaErase
0x40109c None
0x4010a0 __vbaVarZero
0x4010a4 __vbaChkstk
0x4010a8 None
0x4010ac EVENT_SINK_AddRef
0x4010b0 None
0x4010b4 __vbaVarTstEq
0x4010b8 _adj_fpatan
0x4010bc __vbaRedim
0x4010c0 EVENT_SINK_Release
0x4010c4 _CIsqrt
0x4010c8 EVENT_SINK_QueryInterface
0x4010cc __vbaExceptHandler
0x4010d0 _adj_fprem
0x4010d4 _adj_fdivr_m64
0x4010d8 None
0x4010dc None
0x4010e0 __vbaFPException
0x4010e4 None
0x4010e8 __vbaStrVarVal
0x4010ec __vbaUbound
0x4010f0 __vbaVarCat
0x4010f4 None
0x4010f8 _CIlog
0x4010fc _adj_fdiv_m32i
0x401100 _adj_fdivr_m32i
0x401104 __vbaStrCopy
0x401108 __vbaI4Str
0x40110c __vbaFreeStrList
0x401110 _adj_fdivr_m32
0x401114 _adj_fdiv_r
0x401118 None
0x40111c __vbaI4Var
0x401120 __vbaVarAdd
0x401124 __vbaAryLock
0x401128 __vbaVarDup
0x40112c __vbaVarCopy
0x401130 None
0x401134 None
0x401138 _CIatan
0x40113c __vbaCastObj
0x401140 __vbaStrMove
0x401144 _allmul
0x401148 _CItan
0x40114c None
0x401150 __vbaAryUnlock
0x401154 _CIexp
0x401158 __vbaFreeStr
0x40115c __vbaFreeObj
EAT(Export Address Table) is none
ADVAPI32.DLL
0x401000 RegOpenKeyExW
0x401004 CryptCreateHash
0x401008 CryptDecrypt
0x40100c RegCloseKey
0x401010 CryptAcquireContextW
0x401014 CryptDeriveKey
KERNEL32.DLL
0x40101c VirtualAlloc
0x401020 RtlMoveMemory
0x401024 CloseHandle
0x401028 GetTickCount
0x40102c WriteFile
0x401030 RtlFillMemory
MSVBVM60.DLL
0x401038 __vbaVarSub
0x40103c _CIcos
0x401040 _adj_fptan
0x401044 __vbaStrI4
0x401048 __vbaVarMove
0x40104c __vbaVarVargNofree
0x401050 __vbaFreeVar
0x401054 __vbaStrVarMove
0x401058 __vbaFreeVarList
0x40105c _adj_fdiv_m64
0x401060 None
0x401064 _adj_fprem1
0x401068 __vbaStrCat
0x40106c __vbaHresultCheckObj
0x401070 _adj_fdiv_m32
0x401074 __vbaAryDestruct
0x401078 None
0x40107c __vbaObjSet
0x401080 None
0x401084 _adj_fdiv_m16i
0x401088 __vbaObjSetAddref
0x40108c _adj_fdivr_m16i
0x401090 __vbaRefVarAry
0x401094 _CIsin
0x401098 __vbaErase
0x40109c None
0x4010a0 __vbaVarZero
0x4010a4 __vbaChkstk
0x4010a8 None
0x4010ac EVENT_SINK_AddRef
0x4010b0 None
0x4010b4 __vbaVarTstEq
0x4010b8 _adj_fpatan
0x4010bc __vbaRedim
0x4010c0 EVENT_SINK_Release
0x4010c4 _CIsqrt
0x4010c8 EVENT_SINK_QueryInterface
0x4010cc __vbaExceptHandler
0x4010d0 _adj_fprem
0x4010d4 _adj_fdivr_m64
0x4010d8 None
0x4010dc None
0x4010e0 __vbaFPException
0x4010e4 None
0x4010e8 __vbaStrVarVal
0x4010ec __vbaUbound
0x4010f0 __vbaVarCat
0x4010f4 None
0x4010f8 _CIlog
0x4010fc _adj_fdiv_m32i
0x401100 _adj_fdivr_m32i
0x401104 __vbaStrCopy
0x401108 __vbaI4Str
0x40110c __vbaFreeStrList
0x401110 _adj_fdivr_m32
0x401114 _adj_fdiv_r
0x401118 None
0x40111c __vbaI4Var
0x401120 __vbaVarAdd
0x401124 __vbaAryLock
0x401128 __vbaVarDup
0x40112c __vbaVarCopy
0x401130 None
0x401134 None
0x401138 _CIatan
0x40113c __vbaCastObj
0x401140 __vbaStrMove
0x401144 _allmul
0x401148 _CItan
0x40114c None
0x401150 __vbaAryUnlock
0x401154 _CIexp
0x401158 __vbaFreeStr
0x40115c __vbaFreeObj
EAT(Export Address Table) is none