ScreenShot
| Created | 2021.08.04 09:54 | Machine | s1_win7_x6401 |
| Filename | app.dll | ||
| Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 9 detected (a variant of Generik, EUVXCEM, Artemis, Wacapew, Ursnif, YF9M4Q, Generic@ML, RDML, c+nl9E+GY7UzE5BlqVN+oA) | ||
| md5 | 2f3c83a9b7d37b99c603a28d09c74cc6 | ||
| sha256 | 68ab9c658f136782ec8e341d0ad8257989689882cfc03db4cdf719b3a68c8e85 | ||
| ssdeep | 12288:UQvWGTLtCQBI4/JCx4EVwUsqx8cx6QVMO207bJ9xjYxYW5xrwythebCG6Qdk49ki:RI4/e4Eu/+x6TmKfheO4w | ||
| imphash | 3e7e5401ff9718dfa420098d2c9e79a8 | ||
| impfuzzy | 48:9oOF9ilCdo+fcftFmzaEG1Lln0ZZEUTeGAEb1tv090o6xv5LHcncBBkPOURWAQuq:Weoleo+fcftFJEG1Ll0O+JcncBBUWT5 | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| watch | Looks for the Windows Idle Time to determine the uptime |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | File has been identified by 9 AntiVirus engines on VirusTotal as malicious |
| notice | Performs some HTTP requests |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | This executable has a PDB path |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (11cnts) ?
Suricata ids
ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x450014 GetCurrentThread
0x450018 GetExitCodeProcess
0x45001c GetFileAttributesW
0x450020 GetModuleFileNameW
0x450024 OpenMutexW
0x450028 VirtualProtectEx
0x45002c ResetEvent
0x450030 DuplicateHandle
0x450034 ReleaseMutex
0x450038 GetWindowsDirectoryW
0x45003c DeleteFileW
0x450040 CreateProcessW
0x450044 CreateFileA
0x450048 GetConsoleOutputCP
0x45004c WriteConsoleA
0x450050 SetStdHandle
0x450054 GetLocaleInfoW
0x450058 LoadLibraryA
0x45005c InitializeCriticalSectionAndSpinCount
0x450060 PeekNamedPipe
0x450064 FindFirstChangeNotificationW
0x450068 CreateMutexW
0x45006c GetEnvironmentVariableW
0x450070 CloseHandle
0x450074 SetFilePointer
0x450078 ReadFile
0x45007c VirtualAlloc
0x450080 HeapReAlloc
0x450084 HeapSize
0x450088 HeapAlloc
0x45008c GetConsoleMode
0x450090 GetConsoleCP
0x450094 FlushFileBuffers
0x450098 GetSystemTimeAsFileTime
0x45009c GetCurrentProcessId
0x4500a0 GetTickCount
0x4500a4 QueryPerformanceCounter
0x4500a8 VirtualFree
0x4500ac HeapFree
0x4500b0 HeapCreate
0x4500b4 HeapDestroy
0x4500b8 GetEnvironmentStringsW
0x4500bc FreeEnvironmentStringsW
0x4500c0 GetEnvironmentStrings
0x4500c4 FreeEnvironmentStringsA
0x4500c8 GetModuleFileNameA
0x4500cc GetStartupInfoA
0x4500d0 WideCharToMultiByte
0x4500d4 InterlockedIncrement
0x4500d8 InterlockedDecrement
0x4500dc MultiByteToWideChar
0x4500e0 InterlockedCompareExchange
0x4500e4 InterlockedExchange
0x4500e8 Sleep
0x4500ec InitializeCriticalSection
0x4500f0 DeleteCriticalSection
0x4500f4 EnterCriticalSection
0x4500f8 LeaveCriticalSection
0x4500fc TerminateProcess
0x450100 GetCurrentProcess
0x450104 UnhandledExceptionFilter
0x450108 SetUnhandledExceptionFilter
0x45010c IsDebuggerPresent
0x450110 GetCurrentThreadId
0x450114 GetCommandLineA
0x450118 GetCPInfo
0x45011c HeapValidate
0x450120 IsBadReadPtr
0x450124 RaiseException
0x450128 RtlUnwind
0x45012c LCMapStringW
0x450130 LCMapStringA
0x450134 GetLastError
0x450138 GetStringTypeW
0x45013c GetProcAddress
0x450140 TlsGetValue
0x450144 GetModuleHandleW
0x450148 TlsAlloc
0x45014c TlsSetValue
0x450150 TlsFree
0x450154 SetLastError
0x450158 DebugBreak
0x45015c GetStdHandle
0x450160 WriteFile
0x450164 OutputDebugStringA
0x450168 WriteConsoleW
0x45016c GetFileType
0x450170 OutputDebugStringW
0x450174 ExitProcess
0x450178 LoadLibraryW
0x45017c GetACP
0x450180 GetOEMCP
0x450184 IsValidCodePage
0x450188 GetStringTypeA
0x45018c GetLocaleInfoA
0x450190 IsValidLocale
0x450194 EnumSystemLocalesA
0x450198 GetUserDefaultLCID
0x45019c SetHandleCount
0x4501a0 GetModuleHandleA
USER32.dll
0x4501c4 GetWindowTextLengthW
0x4501c8 DispatchMessageA
0x4501cc FrameRect
0x4501d0 GetSysColorBrush
0x4501d4 CreatePopupMenu
0x4501d8 SystemParametersInfoW
0x4501dc CreateDialogIndirectParamW
0x4501e0 RegisterClassExW
0x4501e4 GetForegroundWindow
0x4501e8 GetClientRect
0x4501ec DialogBoxIndirectParamW
0x4501f0 ScreenToClient
0x4501f4 GetWindowRect
0x4501f8 ClientToScreen
GDI32.dll
0x450000 ScaleViewportExtEx
0x450004 SetViewportExtEx
0x450008 OffsetViewportOrgEx
0x45000c SetWindowExtEx
WS2_32.dll
0x45020c gethostbyname
0x450210 socket
0x450214 WSACleanup
0x450218 setsockopt
0x45021c shutdown
0x450220 getsockname
0x450224 WSAStartup
0x450228 gethostname
0x45022c sendto
WTSAPI32.dll
0x450234 WTSCloseServer
0x450238 WTSQueryUserToken
0x45023c WTSOpenServerW
UxTheme.dll
0x450200 CloseThemeData
0x450204 GetThemeFont
Secur32.dll
0x4501a8 InitializeSecurityContextW
0x4501ac AcquireCredentialsHandleW
0x4501b0 FreeContextBuffer
0x4501b4 QueryContextAttributesW
0x4501b8 FreeCredentialsHandle
0x4501bc DeleteSecurityContext
EAT(Export Address Table) Library
0x44a280 Chartthird
0x44a640 Heavybaby
0x44a160 Right
KERNEL32.dll
0x450014 GetCurrentThread
0x450018 GetExitCodeProcess
0x45001c GetFileAttributesW
0x450020 GetModuleFileNameW
0x450024 OpenMutexW
0x450028 VirtualProtectEx
0x45002c ResetEvent
0x450030 DuplicateHandle
0x450034 ReleaseMutex
0x450038 GetWindowsDirectoryW
0x45003c DeleteFileW
0x450040 CreateProcessW
0x450044 CreateFileA
0x450048 GetConsoleOutputCP
0x45004c WriteConsoleA
0x450050 SetStdHandle
0x450054 GetLocaleInfoW
0x450058 LoadLibraryA
0x45005c InitializeCriticalSectionAndSpinCount
0x450060 PeekNamedPipe
0x450064 FindFirstChangeNotificationW
0x450068 CreateMutexW
0x45006c GetEnvironmentVariableW
0x450070 CloseHandle
0x450074 SetFilePointer
0x450078 ReadFile
0x45007c VirtualAlloc
0x450080 HeapReAlloc
0x450084 HeapSize
0x450088 HeapAlloc
0x45008c GetConsoleMode
0x450090 GetConsoleCP
0x450094 FlushFileBuffers
0x450098 GetSystemTimeAsFileTime
0x45009c GetCurrentProcessId
0x4500a0 GetTickCount
0x4500a4 QueryPerformanceCounter
0x4500a8 VirtualFree
0x4500ac HeapFree
0x4500b0 HeapCreate
0x4500b4 HeapDestroy
0x4500b8 GetEnvironmentStringsW
0x4500bc FreeEnvironmentStringsW
0x4500c0 GetEnvironmentStrings
0x4500c4 FreeEnvironmentStringsA
0x4500c8 GetModuleFileNameA
0x4500cc GetStartupInfoA
0x4500d0 WideCharToMultiByte
0x4500d4 InterlockedIncrement
0x4500d8 InterlockedDecrement
0x4500dc MultiByteToWideChar
0x4500e0 InterlockedCompareExchange
0x4500e4 InterlockedExchange
0x4500e8 Sleep
0x4500ec InitializeCriticalSection
0x4500f0 DeleteCriticalSection
0x4500f4 EnterCriticalSection
0x4500f8 LeaveCriticalSection
0x4500fc TerminateProcess
0x450100 GetCurrentProcess
0x450104 UnhandledExceptionFilter
0x450108 SetUnhandledExceptionFilter
0x45010c IsDebuggerPresent
0x450110 GetCurrentThreadId
0x450114 GetCommandLineA
0x450118 GetCPInfo
0x45011c HeapValidate
0x450120 IsBadReadPtr
0x450124 RaiseException
0x450128 RtlUnwind
0x45012c LCMapStringW
0x450130 LCMapStringA
0x450134 GetLastError
0x450138 GetStringTypeW
0x45013c GetProcAddress
0x450140 TlsGetValue
0x450144 GetModuleHandleW
0x450148 TlsAlloc
0x45014c TlsSetValue
0x450150 TlsFree
0x450154 SetLastError
0x450158 DebugBreak
0x45015c GetStdHandle
0x450160 WriteFile
0x450164 OutputDebugStringA
0x450168 WriteConsoleW
0x45016c GetFileType
0x450170 OutputDebugStringW
0x450174 ExitProcess
0x450178 LoadLibraryW
0x45017c GetACP
0x450180 GetOEMCP
0x450184 IsValidCodePage
0x450188 GetStringTypeA
0x45018c GetLocaleInfoA
0x450190 IsValidLocale
0x450194 EnumSystemLocalesA
0x450198 GetUserDefaultLCID
0x45019c SetHandleCount
0x4501a0 GetModuleHandleA
USER32.dll
0x4501c4 GetWindowTextLengthW
0x4501c8 DispatchMessageA
0x4501cc FrameRect
0x4501d0 GetSysColorBrush
0x4501d4 CreatePopupMenu
0x4501d8 SystemParametersInfoW
0x4501dc CreateDialogIndirectParamW
0x4501e0 RegisterClassExW
0x4501e4 GetForegroundWindow
0x4501e8 GetClientRect
0x4501ec DialogBoxIndirectParamW
0x4501f0 ScreenToClient
0x4501f4 GetWindowRect
0x4501f8 ClientToScreen
GDI32.dll
0x450000 ScaleViewportExtEx
0x450004 SetViewportExtEx
0x450008 OffsetViewportOrgEx
0x45000c SetWindowExtEx
WS2_32.dll
0x45020c gethostbyname
0x450210 socket
0x450214 WSACleanup
0x450218 setsockopt
0x45021c shutdown
0x450220 getsockname
0x450224 WSAStartup
0x450228 gethostname
0x45022c sendto
WTSAPI32.dll
0x450234 WTSCloseServer
0x450238 WTSQueryUserToken
0x45023c WTSOpenServerW
UxTheme.dll
0x450200 CloseThemeData
0x450204 GetThemeFont
Secur32.dll
0x4501a8 InitializeSecurityContextW
0x4501ac AcquireCredentialsHandleW
0x4501b0 FreeContextBuffer
0x4501b4 QueryContextAttributesW
0x4501b8 FreeCredentialsHandle
0x4501bc DeleteSecurityContext
EAT(Export Address Table) Library
0x44a280 Chartthird
0x44a640 Heavybaby
0x44a160 Right