ScreenShot
| Created | 2021.07.22 13:57 | Machine | s1_win7_x6402 |
| Filename | 12.bin | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | f07a2b61edd48c6d6c310cf9b7e4882e | ||
| sha256 | 74fc2d5f6140f595c2002e50a82b9d2e5dc5050c25cd6963f87e9b61ac98e93b | ||
| ssdeep | 196608:DxbeGOzHs8RTmMlr7xuDVPYvw0l9uyQaWNAs0D27:J3OnRTrB9KWNLTfWNAHD27 | ||
| imphash | 898d2213a85b483d34c574804fb124bd | ||
| impfuzzy | 12:oHQZpQ5kBZGoQtXJxZGb9AJcDfA5kLfP9m:YmpQ58QtXJHc9NDI5Q8 | ||
Network IP location
Signature (29cnts)
| Level | Description |
|---|---|
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Deletes executed files from disk |
| watch | Harvests credentials from local FTP client softwares |
| watch | Network activity contains more than one unique useragent |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process 12.bin |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Reads the systems User Agent and subsequently performs requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (12cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (download) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (6cnts) ?
Suricata ids
ET MALWARE Generic .bin download from Dotted Quad
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Generic gate[.].php GET with minimal headers
ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
ET HUNTING Suspicious GET To gate.php with no Referer
SURICATA HTTP unable to match response to request
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Generic gate[.].php GET with minimal headers
ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
ET HUNTING Suspicious GET To gate.php with no Referer
SURICATA HTTP unable to match response to request
PE API
IAT(Import Address Table) Library
ADVAPI32.DLL
0x10cf000 GetUserNameW
KERNEL32.dll
0x10cf008 CreateThread
msvcrt.dll
0x10cf010 _strdup
msvcrt.dll
0x10cf018 __getmainargs
USER32.dll
0x10cf020 BeginPaint
WTSAPI32.dll
0x10cf028 WTSSendMessageW
KERNEL32.dll
0x10cf030 VirtualQuery
USER32.dll
0x10cf038 GetProcessWindowStation
KERNEL32.dll
0x10cf040 LocalAlloc
0x10cf044 LocalFree
0x10cf048 GetModuleFileNameW
0x10cf04c GetProcessAffinityMask
0x10cf050 SetProcessAffinityMask
0x10cf054 SetThreadAffinityMask
0x10cf058 Sleep
0x10cf05c ExitProcess
0x10cf060 FreeLibrary
0x10cf064 LoadLibraryA
0x10cf068 GetModuleHandleA
0x10cf06c GetProcAddress
USER32.dll
0x10cf074 GetProcessWindowStation
0x10cf078 GetUserObjectInformationW
EAT(Export Address Table) is none
ADVAPI32.DLL
0x10cf000 GetUserNameW
KERNEL32.dll
0x10cf008 CreateThread
msvcrt.dll
0x10cf010 _strdup
msvcrt.dll
0x10cf018 __getmainargs
USER32.dll
0x10cf020 BeginPaint
WTSAPI32.dll
0x10cf028 WTSSendMessageW
KERNEL32.dll
0x10cf030 VirtualQuery
USER32.dll
0x10cf038 GetProcessWindowStation
KERNEL32.dll
0x10cf040 LocalAlloc
0x10cf044 LocalFree
0x10cf048 GetModuleFileNameW
0x10cf04c GetProcessAffinityMask
0x10cf050 SetProcessAffinityMask
0x10cf054 SetThreadAffinityMask
0x10cf058 Sleep
0x10cf05c ExitProcess
0x10cf060 FreeLibrary
0x10cf064 LoadLibraryA
0x10cf068 GetModuleHandleA
0x10cf06c GetProcAddress
USER32.dll
0x10cf074 GetProcessWindowStation
0x10cf078 GetUserObjectInformationW
EAT(Export Address Table) is none