ScreenShot
Field | Value |
---|---|
Created | 2021.08.02 09:16 |
Machine | s1_win7_x6401 |
Filename | z.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 48 detected (malicious, high confidence, Steam, GenericRXMZ, Bobik, ZexaF, QqY@aW0S6vo, Trojan2, QDAM, Attribute, HighConfidence, Zusy, innsnn, PWSX, Kryptik, CLASSIC, PANDASTEALER, Static AI, Suspicious PE, AGEN, ai score=80, ASMalwS, StellarStealer, 3YNIAA, score, R355109, Gencirc, tUE6mpSx5ko, Racoon, GenKryptik, EZNX, GdSda) |
md5 | fd047a74224274e29409c2b841c2b306 |
sha256 | 71e5de30f627eacb124f9f11d7ba70de43997847e88a61e440593ef9fd776bab |
ssdeep | 12288:VoJqNIPtNmO6IOOEp0TMlja7NRl2PSVikIyoyueh+AkHcnLwuukoCOD6zlTjOz+2:VoJEKZ6IEGTMxapRl2PSwHTehy6B8+p4 |
imphash | 2a908babc5cc3af850e078751d7de0e9 |
impfuzzy | 48:BbuKL1LAYYs0OwOzS9oD8EZmnBxSDdPa3tSE4F5r0UXua:BbuKL1LTYs07sSq3sSDVStSJ0UXua |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Communicates with host for which no DNS query was performed |
watch | Disables proxy possibly for traffic interception |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Tries to locate where the browsers are installed |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET HUNTING Observed POST to xsph .ru Domain
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x48700c EnterCriticalSection
0x487010 GetCurrentProcess
0x487014 WriteFile
0x487018 LeaveCriticalSection
0x48701c SetFilePointer
0x487020 InitializeCriticalSectionEx
0x487024 UnmapViewOfFile
0x487028 GetModuleHandleA
0x48702c HeapSize
0x487030 MultiByteToWideChar
0x487034 GetFileInformationByHandle
0x487038 CopyFileA
0x48703c GetLastError
0x487040 CreateFileA
0x487044 FileTimeToSystemTime
0x487048 LoadLibraryA
0x48704c LockResource
0x487050 HeapReAlloc
0x487054 CloseHandle
0x487058 RaiseException
0x48705c FindResourceExW
0x487060 LoadResource
0x487064 FindResourceW
0x487068 HeapAlloc
0x48706c GetLocalTime
0x487070 DecodePointer
0x487074 HeapDestroy
0x487078 GetProcAddress
0x48707c CreateFileMappingA
0x487080 GetFileSize
0x487084 DeleteCriticalSection
0x487088 GetProcessHeap
0x48708c SystemTimeToFileTime
0x487090 FreeLibrary
0x487094 HeapFree
0x487098 MapViewOfFile
0x48709c GetTickCount
0x4870a0 IsWow64Process
0x4870a4 AreFileApisANSI
0x4870a8 GetFullPathNameW
0x4870ac LockFile
0x4870b0 InitializeCriticalSection
0x4870b4 GetFullPathNameA
0x4870b8 SetEndOfFile
0x4870bc GetTempPathW
0x4870c0 CreateFileW
0x4870c4 GetFileAttributesW
0x4870c8 GetCurrentThreadId
0x4870cc Sleep
0x4870d0 GetTempPathA
0x4870d4 GetFileAttributesA
0x4870d8 GetVersionExA
0x4870dc DeleteFileA
0x4870e0 DeleteFileW
0x4870e4 LoadLibraryW
0x4870e8 UnlockFile
0x4870ec LockFileEx
0x4870f0 GetCurrentProcessId
0x4870f4 GetSystemTimeAsFileTime
0x4870f8 GetSystemTime
0x4870fc FormatMessageA
0x487100 QueryPerformanceCounter
0x487104 FlushFileBuffers
0x487108 SetStdHandle
0x48710c SetEnvironmentVariableW
0x487110 FreeEnvironmentStringsW
0x487114 GetEnvironmentStringsW
0x487118 GetOEMCP
0x48711c GetACP
0x487120 IsValidCodePage
0x487124 SizeofResource
0x487128 GetModuleFileNameA
0x48712c WideCharToMultiByte
0x487130 ReadFile
0x487134 ReadConsoleW
0x487138 GetTimeZoneInformation
0x48713c GetFileType
0x487140 GetFileSizeEx
0x487144 GetConsoleMode
0x487148 GetConsoleCP
0x48714c EnumSystemLocalesW
0x487150 GetUserDefaultLCID
0x487154 IsValidLocale
0x487158 GetTimeFormatW
0x48715c GetDateFormatW
0x487160 WriteConsoleW
0x487164 GetCommandLineW
0x487168 GetCommandLineA
0x48716c GetStdHandle
0x487170 GetModuleFileNameW
0x487174 QueryPerformanceFrequency
0x487178 GetModuleHandleExW
0x48717c ExitProcess
0x487180 VirtualQuery
0x487184 VirtualProtect
0x487188 VirtualAlloc
0x48718c GetSystemInfo
0x487190 GetCurrentDirectoryW
0x487194 CreateDirectoryW
0x487198 FindClose
0x48719c FindFirstFileExW
0x4871a0 FindNextFileW
0x4871a4 GetFileAttributesExW
0x4871a8 RemoveDirectoryW
0x4871ac SetFilePointerEx
0x4871b0 SetLastError
0x4871b4 GetModuleHandleW
0x4871b8 CopyFileW
0x4871bc LocalFree
0x4871c0 GetStringTypeW
0x4871c4 EncodePointer
0x4871c8 InitializeCriticalSectionAndSpinCount
0x4871cc CreateEventW
0x4871d0 TlsAlloc
0x4871d4 TlsGetValue
0x4871d8 TlsSetValue
0x4871dc TlsFree
0x4871e0 CompareStringW
0x4871e4 LCMapStringW
0x4871e8 GetLocaleInfoW
0x4871ec GetCPInfo
0x4871f0 IsDebuggerPresent
0x4871f4 OutputDebugStringW
0x4871f8 SetEvent
0x4871fc ResetEvent
0x487200 WaitForSingleObjectEx
0x487204 UnhandledExceptionFilter
0x487208 SetUnhandledExceptionFilter
0x48720c GetStartupInfoW
0x487210 IsProcessorFeaturePresent
0x487214 InitializeSListHead
0x487218 TerminateProcess
0x48721c RtlUnwind
0x487220 LoadLibraryExW
USER32.dll
0x487234 GetDC
0x487238 GetSystemMetrics
0x48723c ReleaseDC
0x487240 GetDesktopWindow
GDI32.dll
0x487000 DeleteObject
0x487004 GetObjectA
SHLWAPI.dll
0x487228 PathFindExtensionW
0x48722c PathFindExtensionA
gdiplus.dll
0x487268 GdipSaveImageToFile
0x48726c GdipCreateBitmapFromScan0
0x487270 GdipGetImageEncodersSize
0x487274 GdipDisposeImage
0x487278 GdipGetImageEncoders
0x48727c GdiplusShutdown
0x487280 GdipCreateBitmapFromHBITMAP
0x487284 GdiplusStartup
WININET.dll
0x487248 InternetWriteFile
0x48724c HttpEndRequestA
0x487250 HttpSendRequestExA
0x487254 InternetOpenA
0x487258 HttpOpenRequestA
0x48725c InternetConnectA
0x487260 InternetCloseHandle
EAT(Export Address Table) is none