Field | Value |
---|---|
Created | 2021.08.10 09:37 |
Machine | s1_win7_x6402 |
Filename | wechat-35355.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 12 detected (7zip, CP suspicious, HiddenRun, CLASSIC, RedLineStealer, Alien, ASMalwS, Wacapew, ACXU) |
md5 | e988d1994581870c6aac979f87ab2a5c |
sha256 | 794833762b3a94a9b1e88ffb915352823b7192255aa7ac86bbe9f93a64395854 |
ssdeep | 786432:C6scxHyYirF8OUBLTEjuFrzRtIRIHc8F/ZY2axBrJ6Sy6xlvbS/d:C/cFor2NauFrzRmS88Y2KVgSXxQV |
imphash | 2b914b6fd04316572d777593dc737715 |
impfuzzy | 96:d0+mOVs3df+3sFzqiVbXpqffFSGJZZ+RGIXjqcI/gI:m+hVs3GZgw1ScZZ9IXuT/gI |
Signature (41cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | File has been identified by 12 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
watch | One or more of the buffers contains an embedded PE file |
watch | Operates on local firewall's policies and settings |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
watch | Uses windows command to add a user to the administrator group |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | One or more potentially interesting buffers were extracted |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (49cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (6cnts)
Suricata IDS
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO TLS Handshake Failure
PE API
IAT (Import Address Table) Library
COMCTL32.dll
0x417010 None
SHELL32.dll
0x417270 SHGetSpecialFolderPathW
0x417274 ShellExecuteW
0x417278 SHGetMalloc
0x41727c SHGetPathFromIDListW
0x417280 SHBrowseForFolderW
0x417284 SHGetFileInfoW
0x417288 ShellExecuteExW
GDI32.dll
0x417018 CreateCompatibleDC
0x41701c CreateFontIndirectW
0x417020 DeleteObject
0x417024 DeleteDC
0x417028 GetCurrentObject
0x41702c StretchBlt
0x417030 GetDeviceCaps
0x417034 CreateCompatibleBitmap
0x417038 SelectObject
0x41703c SetStretchBltMode
0x417040 GetObjectW
ADVAPI32.dll
0x417000 FreeSid
0x417004 AllocateAndInitializeSid
0x417008 CheckTokenMembership
USER32.dll
0x417290 CreateWindowExW
0x417294 GetDesktopWindow
0x417298 wsprintfA
0x41729c SetWindowPos
0x4172a0 SetTimer
0x4172a4 GetMessageW
0x4172a8 ScreenToClient
0x4172ac KillTimer
0x4172b0 CharUpperW
0x4172b4 SendMessageW
0x4172b8 EndDialog
0x4172bc wsprintfW
0x4172c0 MessageBoxW
0x4172c4 GetParent
0x4172c8 CopyImage
0x4172cc ReleaseDC
0x4172d0 GetWindowDC
0x4172d4 GetMenu
0x4172d8 GetWindowLongW
0x4172dc DispatchMessageW
0x4172e0 GetWindowTextW
0x4172e4 GetWindowTextLengthW
0x4172e8 SetWindowTextW
0x4172ec GetSysColor
0x4172f0 DestroyWindow
0x4172f4 MessageBoxA
0x4172f8 BringWindowToTop
0x4172fc ShowWindow
0x417300 GetKeyState
0x417304 GetDlgItem
0x417308 GetClientRect
0x41730c SetWindowLongW
0x417310 UnhookWindowsHookEx
0x417314 SetFocus
0x417318 GetSystemMetrics
0x41731c SystemParametersInfoW
0x417320 DrawTextW
0x417324 GetDC
0x417328 ClientToScreen
0x41732c GetWindow
0x417330 DialogBoxIndirectParamW
0x417334 DrawIconEx
0x417338 CallWindowProcW
0x41733c DefWindowProcW
0x417340 CallNextHookEx
0x417344 PtInRect
0x417348 SetWindowsHookExW
0x41734c LoadImageW
0x417350 LoadIconW
0x417354 MessageBeep
0x417358 EnableWindow
0x41735c IsWindow
0x417360 EnableMenuItem
0x417364 GetSystemMenu
0x417368 CreateWindowExA
0x41736c wvsprintfW
0x417370 GetClassNameA
0x417374 GetWindowRect
ole32.dll
0x41737c CreateStreamOnHGlobal
0x417380 CoCreateInstance
0x417384 CoInitialize
OLEAUT32.dll
0x417258 SysAllocStringLen
0x41725c VariantClear
0x417260 SysFreeString
0x417264 OleLoadPicture
0x417268 SysAllocString
KERNEL32.dll
0x417048 SetFileTime
0x41704c SetEndOfFile
0x417050 GetFileInformationByHandle
0x417054 VirtualFree
0x417058 GetModuleHandleA
0x41705c WaitForMultipleObjects
0x417060 VirtualAlloc
0x417064 ReadFile
0x417068 SetFilePointer
0x41706c GetFileSize
0x417070 LeaveCriticalSection
0x417074 EnterCriticalSection
0x417078 DeleteCriticalSection
0x41707c FormatMessageW
0x417080 lstrcpyW
0x417084 LocalFree
0x417088 IsBadReadPtr
0x41708c SuspendThread
0x417090 TerminateThread
0x417094 GetSystemDirectoryW
0x417098 GetCurrentThreadId
0x41709c InitializeCriticalSection
0x4170a0 ResetEvent
0x4170a4 SetEvent
0x4170a8 CreateEventW
0x4170ac GetVersionExW
0x4170b0 GetModuleFileNameW
0x4170b4 GetCurrentProcess
0x4170b8 SetProcessWorkingSetSize
0x4170bc GetDriveTypeW
0x4170c0 CreateFileW
0x4170c4 SetEnvironmentVariableW
0x4170c8 GetTempPathW
0x4170cc GetCommandLineW
0x4170d0 GetStartupInfoW
0x4170d4 CreateProcessW
0x4170d8 CreateJobObjectW
0x4170dc ResumeThread
0x4170e0 AssignProcessToJobObject
0x4170e4 CreateIoCompletionPort
0x4170e8 SetInformationJobObject
0x4170ec GetQueuedCompletionStatus
0x4170f0 GetExitCodeProcess
0x4170f4 CloseHandle
0x4170f8 LoadLibraryA
0x4170fc SetThreadLocale
0x417100 lstrlenW
0x417104 GetSystemTimeAsFileTime
0x417108 ExpandEnvironmentStringsW
0x41710c CompareFileTime
0x417110 WideCharToMultiByte
0x417114 FindFirstFileW
0x417118 lstrcmpW
0x41711c DeleteFileW
0x417120 FindNextFileW
0x417124 FindClose
0x417128 SetCurrentDirectoryW
0x41712c RemoveDirectoryW
0x417130 GetEnvironmentVariableW
0x417134 lstrcmpiW
0x417138 GetLocaleInfoW
0x41713c MultiByteToWideChar
0x417140 GetUserDefaultUILanguage
0x417144 GetSystemDefaultUILanguage
0x417148 GetSystemDefaultLCID
0x41714c lstrcmpiA
0x417150 GlobalAlloc
0x417154 GlobalFree
0x417158 MulDiv
0x41715c FindResourceExA
0x417160 SizeofResource
0x417164 LoadResource
0x417168 LockResource
0x41716c GetProcAddress
0x417170 GetModuleHandleW
0x417174 GetStdHandle
0x417178 ExitProcess
0x41717c lstrcatW
0x417180 GetDiskFreeSpaceExW
0x417184 SetLastError
0x417188 SetFileAttributesW
0x41718c Sleep
0x417190 GetExitCodeThread
0x417194 WaitForSingleObject
0x417198 CreateThread
0x41719c GetLastError
0x4171a0 SystemTimeToFileTime
0x4171a4 GetLocalTime
0x4171a8 GetFileAttributesW
0x4171ac CreateDirectoryW
0x4171b0 lstrlenA
0x4171b4 WriteFile
0x4171b8 GetStartupInfoA
MSVCRT.dll
0x4171c0 _purecall
0x4171c4 memcmp
0x4171c8 ??2@YAPAXI@Z
0x4171cc memmove
0x4171d0 memcpy
0x4171d4 _wtol
0x4171d8 strncpy
0x4171dc _controlfp
0x4171e0 _except_handler3
0x4171e4 __set_app_type
0x4171e8 __p__fmode
0x4171ec __p__commode
0x4171f0 _adjust_fdiv
0x4171f4 __setusermatherr
0x4171f8 _initterm
0x4171fc __getmainargs
0x417200 _acmdln
0x417204 exit
0x417208 _XcptFilter
0x41720c _exit
0x417210 ??1type_info@@UAE@XZ
0x417214 _onexit
0x417218 __dllonexit
0x41721c malloc
0x417220 free
0x417224 wcsstr
0x417228 _CxxThrowException
0x41722c wcscmp
0x417230 _beginthreadex
0x417234 _EH_prolog
0x417238 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z
0x41723c memset
0x417240 _wcsnicmp
0x417244 strncmp
0x417248 wcsncmp
0x41724c wcsncpy
0x417250 ??3@YAXPAX@Z
EAT (Export Address Table) is none