ScreenShot
| Created | 2021.08.03 16:53 | Machine | s1_win7_x6401 |
| Filename | BTC PAYMENTSCOPY_____________________________.jpg.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 27 detected (AIDetect, malware2, Bladabindi, malicious, high confidence, Unsafe, Save, GenKryptik, FIIH, PWSX, Kryptik, CLASSIC, Outbreak, kcloud, Wacatac, Artemis, BScope, Vittalia, MachineLearning, Anomalous, 100%, F0D1C00H321, Static AI, Malicious PE, susgen, ZexaF, UyZ@aqcVkSbi, HwoCAzYA) | ||
| md5 | d5d26738ed73d191556fc5640b43ed39 | ||
| sha256 | d254826085eaada20b9ab3803fdf88d2326ffcb2e90b36d3fbb129fce1cfed5a | ||
| ssdeep | 12288:I1Wl8T5+M63xjmevfUu+2EYhsJZ2uEYpplNw:IA24dx0Yrmps | ||
| imphash | 49be0836dac021f86af2cb207b4613c8 | ||
| impfuzzy | 48:19ZBQQgc+HNtoS1xG8hAQ4GJ4/KAnB1W09XKtuN+okijyF:1SBc+HNtoS1xG8qHbfxe | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local email clients |
| watch | Makes SMTP requests |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x436000 OutputDebugStringW
0x436004 FormatMessageW
0x436008 VirtualProtect
0x43600c HeapSize
0x436010 GetConsoleMode
0x436014 GetConsoleOutputCP
0x436018 FlushFileBuffers
0x43601c SetFilePointerEx
0x436020 GetFileSizeEx
0x436024 SetStdHandle
0x436028 FreeEnvironmentStringsW
0x43602c GetEnvironmentStringsW
0x436030 GetCommandLineW
0x436034 GetCommandLineA
0x436038 GetOEMCP
0x43603c GetACP
0x436040 IsValidCodePage
0x436044 FindNextFileW
0x436048 FindFirstFileExW
0x43604c FindClose
0x436050 GetProcessHeap
0x436054 WriteFile
0x436058 ExitProcess
0x43605c HeapReAlloc
0x436060 HeapFree
0x436064 HeapAlloc
0x436068 WriteConsoleW
0x43606c GetModuleHandleExW
0x436070 GetModuleFileNameW
0x436074 GetFileType
0x436078 GetStdHandle
0x43607c LoadLibraryExW
0x436080 WideCharToMultiByte
0x436084 MultiByteToWideChar
0x436088 GetStringTypeW
0x43608c EnterCriticalSection
0x436090 LeaveCriticalSection
0x436094 DeleteCriticalSection
0x436098 EncodePointer
0x43609c DecodePointer
0x4360a0 SetLastError
0x4360a4 InitializeCriticalSectionAndSpinCount
0x4360a8 CreateEventW
0x4360ac TlsAlloc
0x4360b0 TlsGetValue
0x4360b4 TlsSetValue
0x4360b8 TlsFree
0x4360bc GetSystemTimeAsFileTime
0x4360c0 GetModuleHandleW
0x4360c4 GetProcAddress
0x4360c8 LCMapStringW
0x4360cc GetCPInfo
0x4360d0 CloseHandle
0x4360d4 UnhandledExceptionFilter
0x4360d8 SetUnhandledExceptionFilter
0x4360dc GetCurrentProcess
0x4360e0 TerminateProcess
0x4360e4 IsProcessorFeaturePresent
0x4360e8 IsDebuggerPresent
0x4360ec GetStartupInfoW
0x4360f0 QueryPerformanceCounter
0x4360f4 GetCurrentProcessId
0x4360f8 GetCurrentThreadId
0x4360fc InitializeSListHead
0x436100 RaiseException
0x436104 RtlUnwind
0x436108 GetLastError
0x43610c FreeLibrary
0x436110 CreateFileW
USER32.dll
0x436118 GrayStringA
0x43611c GetDC
0x436120 TranslateMessage
0x436124 DispatchMessageW
0x436128 PeekMessageW
0x43612c DefWindowProcW
0x436130 PostQuitMessage
0x436134 UnregisterClassW
0x436138 RegisterClassExW
0x43613c CreateWindowExW
0x436140 ShowWindow
0x436144 SetCapture
0x436148 ReleaseCapture
0x43614c LoadImageW
0x436150 LoadCursorW
0x436154 SetWindowLongW
0x436158 GetWindowLongW
0x43615c AdjustWindowRect
0x436160 UpdateWindow
d3d11.dll
0x436168 D3D11CreateDeviceAndSwapChain
gdiplus.dll
0x436170 GdiplusStartup
0x436174 GdiplusShutdown
EAT(Export Address Table) is none
KERNEL32.dll
0x436000 OutputDebugStringW
0x436004 FormatMessageW
0x436008 VirtualProtect
0x43600c HeapSize
0x436010 GetConsoleMode
0x436014 GetConsoleOutputCP
0x436018 FlushFileBuffers
0x43601c SetFilePointerEx
0x436020 GetFileSizeEx
0x436024 SetStdHandle
0x436028 FreeEnvironmentStringsW
0x43602c GetEnvironmentStringsW
0x436030 GetCommandLineW
0x436034 GetCommandLineA
0x436038 GetOEMCP
0x43603c GetACP
0x436040 IsValidCodePage
0x436044 FindNextFileW
0x436048 FindFirstFileExW
0x43604c FindClose
0x436050 GetProcessHeap
0x436054 WriteFile
0x436058 ExitProcess
0x43605c HeapReAlloc
0x436060 HeapFree
0x436064 HeapAlloc
0x436068 WriteConsoleW
0x43606c GetModuleHandleExW
0x436070 GetModuleFileNameW
0x436074 GetFileType
0x436078 GetStdHandle
0x43607c LoadLibraryExW
0x436080 WideCharToMultiByte
0x436084 MultiByteToWideChar
0x436088 GetStringTypeW
0x43608c EnterCriticalSection
0x436090 LeaveCriticalSection
0x436094 DeleteCriticalSection
0x436098 EncodePointer
0x43609c DecodePointer
0x4360a0 SetLastError
0x4360a4 InitializeCriticalSectionAndSpinCount
0x4360a8 CreateEventW
0x4360ac TlsAlloc
0x4360b0 TlsGetValue
0x4360b4 TlsSetValue
0x4360b8 TlsFree
0x4360bc GetSystemTimeAsFileTime
0x4360c0 GetModuleHandleW
0x4360c4 GetProcAddress
0x4360c8 LCMapStringW
0x4360cc GetCPInfo
0x4360d0 CloseHandle
0x4360d4 UnhandledExceptionFilter
0x4360d8 SetUnhandledExceptionFilter
0x4360dc GetCurrentProcess
0x4360e0 TerminateProcess
0x4360e4 IsProcessorFeaturePresent
0x4360e8 IsDebuggerPresent
0x4360ec GetStartupInfoW
0x4360f0 QueryPerformanceCounter
0x4360f4 GetCurrentProcessId
0x4360f8 GetCurrentThreadId
0x4360fc InitializeSListHead
0x436100 RaiseException
0x436104 RtlUnwind
0x436108 GetLastError
0x43610c FreeLibrary
0x436110 CreateFileW
USER32.dll
0x436118 GrayStringA
0x43611c GetDC
0x436120 TranslateMessage
0x436124 DispatchMessageW
0x436128 PeekMessageW
0x43612c DefWindowProcW
0x436130 PostQuitMessage
0x436134 UnregisterClassW
0x436138 RegisterClassExW
0x43613c CreateWindowExW
0x436140 ShowWindow
0x436144 SetCapture
0x436148 ReleaseCapture
0x43614c LoadImageW
0x436150 LoadCursorW
0x436154 SetWindowLongW
0x436158 GetWindowLongW
0x43615c AdjustWindowRect
0x436160 UpdateWindow
d3d11.dll
0x436168 D3D11CreateDeviceAndSwapChain
gdiplus.dll
0x436170 GdiplusStartup
0x436174 GdiplusShutdown
EAT(Export Address Table) is none