ScreenShot
| Created | 2021.07.23 07:39 | Machine | s1_win7_x6401 |
| Filename | suntogether.png | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | b64287a77fb567247cb8ec3465974eab | ||
| sha256 | dd577b807a2bfde9981f688db80b4e73cc5b76a3af99361e9e4d27a84350904c | ||
| ssdeep | 6144:ybRfnjXFr2KPL3bbHHjYXWOZcy8QGd37ci/fW6/gNXtlTF5yVNU5JhJDCyFE:UZr2SHHmjMd1W6/gNXtrkVQhJDrG | ||
| imphash | 13012c7764c22db0eea00ae6b1458d85 | ||
| impfuzzy | 24:sjEdlqOf18/8w2/MkgH+fcMMdlpOov+ttJ3qDewHRnlyv0T4UjMZmZrhAG:jjqOf1K+fcMMYbtfnUK0c4ZNAG | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Terminates another process |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 22
ET CNC Feodo Tracker Reported CnC Server group 22
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x414000 SetEvent
0x414004 WaitForSingleObject
0x414008 CreateEventA
0x41400c lstrlenA
0x414010 CloseHandle
0x414014 CancelWaitableTimer
0x414018 SetWaitableTimer
0x41401c CreateWaitableTimerA
0x414020 VirtualAlloc
0x414024 GetLocaleInfoA
0x414028 DeleteTimerQueueEx
0x41402c CreateTimerQueueTimer
0x414030 CreateTimerQueue
0x414034 SizeofResource
0x414038 LoadResource
0x41403c FindResourceA
0x414040 SetStdHandle
0x414044 WriteConsoleW
0x414048 LoadLibraryW
0x41404c HeapReAlloc
0x414050 GetStringTypeW
0x414054 InterlockedIncrement
0x414058 InterlockedDecrement
0x41405c EncodePointer
0x414060 DecodePointer
0x414064 Sleep
0x414068 InitializeCriticalSection
0x41406c DeleteCriticalSection
0x414070 EnterCriticalSection
0x414074 LeaveCriticalSection
0x414078 RtlUnwind
0x41407c RaiseException
0x414080 GetLastError
0x414084 HeapFree
0x414088 GetCommandLineA
0x41408c HeapSetInformation
0x414090 GetStartupInfoW
0x414094 HeapAlloc
0x414098 WideCharToMultiByte
0x41409c LCMapStringW
0x4140a0 MultiByteToWideChar
0x4140a4 GetCPInfo
0x4140a8 TerminateProcess
0x4140ac GetCurrentProcess
0x4140b0 UnhandledExceptionFilter
0x4140b4 SetUnhandledExceptionFilter
0x4140b8 IsDebuggerPresent
0x4140bc TlsAlloc
0x4140c0 TlsGetValue
0x4140c4 TlsSetValue
0x4140c8 TlsFree
0x4140cc GetModuleHandleW
0x4140d0 SetLastError
0x4140d4 GetCurrentThreadId
0x4140d8 GetProcAddress
0x4140dc IsProcessorFeaturePresent
0x4140e0 HeapCreate
0x4140e4 ExitProcess
0x4140e8 WriteFile
0x4140ec GetStdHandle
0x4140f0 GetModuleFileNameW
0x4140f4 GetModuleFileNameA
0x4140f8 FreeEnvironmentStringsW
0x4140fc GetEnvironmentStringsW
0x414100 SetHandleCount
0x414104 InitializeCriticalSectionAndSpinCount
0x414108 GetFileType
0x41410c QueryPerformanceCounter
0x414110 GetTickCount
0x414114 GetCurrentProcessId
0x414118 GetSystemTimeAsFileTime
0x41411c GetConsoleCP
0x414120 GetConsoleMode
0x414124 FlushFileBuffers
0x414128 ReadFile
0x41412c SetFilePointer
0x414130 HeapSize
0x414134 GetLocaleInfoW
0x414138 GetACP
0x41413c GetOEMCP
0x414140 IsValidCodePage
0x414144 GetUserDefaultLCID
0x414148 EnumSystemLocalesA
0x41414c IsValidLocale
0x414150 CreateFileW
USER32.dll
0x414158 GetDC
EAT(Export Address Table) is none
KERNEL32.dll
0x414000 SetEvent
0x414004 WaitForSingleObject
0x414008 CreateEventA
0x41400c lstrlenA
0x414010 CloseHandle
0x414014 CancelWaitableTimer
0x414018 SetWaitableTimer
0x41401c CreateWaitableTimerA
0x414020 VirtualAlloc
0x414024 GetLocaleInfoA
0x414028 DeleteTimerQueueEx
0x41402c CreateTimerQueueTimer
0x414030 CreateTimerQueue
0x414034 SizeofResource
0x414038 LoadResource
0x41403c FindResourceA
0x414040 SetStdHandle
0x414044 WriteConsoleW
0x414048 LoadLibraryW
0x41404c HeapReAlloc
0x414050 GetStringTypeW
0x414054 InterlockedIncrement
0x414058 InterlockedDecrement
0x41405c EncodePointer
0x414060 DecodePointer
0x414064 Sleep
0x414068 InitializeCriticalSection
0x41406c DeleteCriticalSection
0x414070 EnterCriticalSection
0x414074 LeaveCriticalSection
0x414078 RtlUnwind
0x41407c RaiseException
0x414080 GetLastError
0x414084 HeapFree
0x414088 GetCommandLineA
0x41408c HeapSetInformation
0x414090 GetStartupInfoW
0x414094 HeapAlloc
0x414098 WideCharToMultiByte
0x41409c LCMapStringW
0x4140a0 MultiByteToWideChar
0x4140a4 GetCPInfo
0x4140a8 TerminateProcess
0x4140ac GetCurrentProcess
0x4140b0 UnhandledExceptionFilter
0x4140b4 SetUnhandledExceptionFilter
0x4140b8 IsDebuggerPresent
0x4140bc TlsAlloc
0x4140c0 TlsGetValue
0x4140c4 TlsSetValue
0x4140c8 TlsFree
0x4140cc GetModuleHandleW
0x4140d0 SetLastError
0x4140d4 GetCurrentThreadId
0x4140d8 GetProcAddress
0x4140dc IsProcessorFeaturePresent
0x4140e0 HeapCreate
0x4140e4 ExitProcess
0x4140e8 WriteFile
0x4140ec GetStdHandle
0x4140f0 GetModuleFileNameW
0x4140f4 GetModuleFileNameA
0x4140f8 FreeEnvironmentStringsW
0x4140fc GetEnvironmentStringsW
0x414100 SetHandleCount
0x414104 InitializeCriticalSectionAndSpinCount
0x414108 GetFileType
0x41410c QueryPerformanceCounter
0x414110 GetTickCount
0x414114 GetCurrentProcessId
0x414118 GetSystemTimeAsFileTime
0x41411c GetConsoleCP
0x414120 GetConsoleMode
0x414124 FlushFileBuffers
0x414128 ReadFile
0x41412c SetFilePointer
0x414130 HeapSize
0x414134 GetLocaleInfoW
0x414138 GetACP
0x41413c GetOEMCP
0x414140 IsValidCodePage
0x414144 GetUserDefaultLCID
0x414148 EnumSystemLocalesA
0x41414c IsValidLocale
0x414150 CreateFileW
USER32.dll
0x414158 GetDC
EAT(Export Address Table) is none