ScreenShot
| Created | 2021.08.07 13:58 | Machine | s1_win7_x6402 |
| Filename | waads.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 54 detected (Sheljector, trJD, malicious, high confidence, Fugrafa, Cobaltstrike, Cobalt, EVTS, Unsafe, Rozena, Diple, Eldorado, Inject3, horsiq, Hacktool, A + ATK, Static AI, Malicious PE, ftawl, XPACK, Gen7, ASMalwS, score, R329694, TScope, ai score=100, CLASSIC, GenAsa, C5jzoNrl5s, confidence, 100%, HxQBBWYC) | ||
| md5 | c47ad106639801ac97d4d676dbc700ec | ||
| sha256 | 7f8f6685f7a93e134ea22dfc002505e12e68f37ca9dce13e0ecee894aab15bb2 | ||
| ssdeep | 384:AH+kGKqbOCdWIVBff+xzbIMPPPyfCXAn:AH+kqRVpfUPPafiA | ||
| imphash | dc25ee78e2ef4d36faa0badf1e7461c9 | ||
| impfuzzy | 24:Q2kfiK1JlDzncLLb9Lezd5XGDZEkqkoDquQZn:gfiK1jcTtezdJGVEkqkoqz | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Network activity contains more than one unique useragent |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Starts servers listening |
| notice | Yara rule detected in process memory |
| info | Queries for the computername |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (4cnts) ?
Suricata ids
ET POLICY HTTP traffic on port 443 (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x406138 CloseHandle
0x40613c ConnectNamedPipe
0x406140 CreateFileA
0x406144 CreateNamedPipeA
0x406148 CreateThread
0x40614c DeleteCriticalSection
0x406150 EnterCriticalSection
0x406154 FreeLibrary
0x406158 GetCurrentProcess
0x40615c GetCurrentProcessId
0x406160 GetCurrentThreadId
0x406164 GetLastError
0x406168 GetModuleHandleA
0x40616c GetProcAddress
0x406170 GetStartupInfoA
0x406174 GetSystemTimeAsFileTime
0x406178 GetTickCount
0x40617c InitializeCriticalSection
0x406180 LeaveCriticalSection
0x406184 LoadLibraryA
0x406188 LoadLibraryW
0x40618c QueryPerformanceCounter
0x406190 ReadFile
0x406194 SetUnhandledExceptionFilter
0x406198 Sleep
0x40619c TerminateProcess
0x4061a0 TlsGetValue
0x4061a4 UnhandledExceptionFilter
0x4061a8 VirtualAlloc
0x4061ac VirtualProtect
0x4061b0 VirtualQuery
0x4061b4 WriteFile
msvcrt.dll
0x4061bc __dllonexit
0x4061c0 __getmainargs
0x4061c4 __initenv
0x4061c8 __lconv_init
0x4061cc __set_app_type
0x4061d0 __setusermatherr
0x4061d4 _acmdln
0x4061d8 _amsg_exit
0x4061dc _cexit
0x4061e0 _fmode
0x4061e4 _initterm
0x4061e8 _iob
0x4061ec _lock
0x4061f0 _onexit
0x4061f4 _unlock
0x4061f8 _winmajor
0x4061fc abort
0x406200 calloc
0x406204 exit
0x406208 fprintf
0x40620c free
0x406210 fwrite
0x406214 malloc
0x406218 memcpy
0x40621c signal
0x406220 sprintf
0x406224 strlen
0x406228 strncmp
0x40622c vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x406138 CloseHandle
0x40613c ConnectNamedPipe
0x406140 CreateFileA
0x406144 CreateNamedPipeA
0x406148 CreateThread
0x40614c DeleteCriticalSection
0x406150 EnterCriticalSection
0x406154 FreeLibrary
0x406158 GetCurrentProcess
0x40615c GetCurrentProcessId
0x406160 GetCurrentThreadId
0x406164 GetLastError
0x406168 GetModuleHandleA
0x40616c GetProcAddress
0x406170 GetStartupInfoA
0x406174 GetSystemTimeAsFileTime
0x406178 GetTickCount
0x40617c InitializeCriticalSection
0x406180 LeaveCriticalSection
0x406184 LoadLibraryA
0x406188 LoadLibraryW
0x40618c QueryPerformanceCounter
0x406190 ReadFile
0x406194 SetUnhandledExceptionFilter
0x406198 Sleep
0x40619c TerminateProcess
0x4061a0 TlsGetValue
0x4061a4 UnhandledExceptionFilter
0x4061a8 VirtualAlloc
0x4061ac VirtualProtect
0x4061b0 VirtualQuery
0x4061b4 WriteFile
msvcrt.dll
0x4061bc __dllonexit
0x4061c0 __getmainargs
0x4061c4 __initenv
0x4061c8 __lconv_init
0x4061cc __set_app_type
0x4061d0 __setusermatherr
0x4061d4 _acmdln
0x4061d8 _amsg_exit
0x4061dc _cexit
0x4061e0 _fmode
0x4061e4 _initterm
0x4061e8 _iob
0x4061ec _lock
0x4061f0 _onexit
0x4061f4 _unlock
0x4061f8 _winmajor
0x4061fc abort
0x406200 calloc
0x406204 exit
0x406208 fprintf
0x40620c free
0x406210 fwrite
0x406214 malloc
0x406218 memcpy
0x40621c signal
0x406220 sprintf
0x406224 strlen
0x406228 strncmp
0x40622c vfprintf
EAT(Export Address Table) is none