Field | Value |
---|---|
Created | 2021.08.15 12:33 |
Machine | s1_win7_x6401 |
Filename | jushenkotak.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 32 detected (malicious, high confidence, score, Unsafe, myucsq, multiple detections, R011C0PHB21, Alien, Sabsik, Gencirc, UOJWaa2B1WA, ai score=99, HyoDNjcA) |
md5 | 4ff6c915da988f6746263dc2eb000261 |
sha256 | 3cb7b7b5baa118be862271eb8c793bf67f6918f6eca53b097cde230059c13e80 |
ssdeep | 24576:1SLXIkuIoE7kxCRdkHonBZVQ5hSBwEPLWzq:24jCLBZVQ5ABwEDWzq |
imphash | 667e6d0f434d248524103ade13b913e4 |
impfuzzy | 96:dBVsPfcoSsTDcJXpZI6sSBu+RGIXUo/dXI:nVsP4nJZgSBu9IXn/dXI |
Network IP location
Signature (24cnts)
Level | Description |
---|---|
danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable uses a known packer |
Rules (44cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Network (6cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
COMCTL32.dll
0x412000 None
SHELL32.dll
0x412210 SHGetSpecialFolderPathW
0x412214 ShellExecuteExW
0x412218 SHGetMalloc
0x41221c SHGetPathFromIDListW
0x412220 SHBrowseForFolderW
0x412224 SHGetFileInfoW
0x412228 ShellExecuteW
GDI32.dll
0x412008 CreateFontIndirectW
0x41200c DeleteObject
0x412010 GetDeviceCaps
0x412014 GetObjectW
0x412018 CreateCompatibleDC
0x41201c SelectObject
0x412020 CreateCompatibleBitmap
0x412024 SetStretchBltMode
0x412028 DeleteDC
0x41202c GetCurrentObject
0x412030 StretchBlt
USER32.dll
0x412230 GetWindowRect
0x412234 ScreenToClient
0x412238 CreateWindowExW
0x41223c GetWindowTextW
0x412240 GetMessageW
0x412244 GetParent
0x412248 KillTimer
0x41224c DestroyWindow
0x412250 CharUpperW
0x412254 EndDialog
0x412258 SendMessageW
0x41225c wsprintfW
0x412260 CopyImage
0x412264 ReleaseDC
0x412268 GetWindowDC
0x41226c SetWindowPos
0x412270 GetMenu
0x412274 GetWindowLongW
0x412278 DispatchMessageW
0x41227c GetWindowTextLengthW
0x412280 GetSysColor
0x412284 SetWindowTextW
0x412288 MessageBoxA
0x41228c wsprintfA
0x412290 GetKeyState
0x412294 GetDlgItem
0x412298 GetClientRect
0x41229c GetSystemMetrics
0x4122a0 SetWindowLongW
0x4122a4 SetFocus
0x4122a8 SystemParametersInfoW
0x4122ac ShowWindow
0x4122b0 DrawTextW
0x4122b4 GetDC
0x4122b8 ClientToScreen
0x4122bc GetWindow
0x4122c0 DialogBoxIndirectParamW
0x4122c4 DrawIconEx
0x4122c8 CallWindowProcW
0x4122cc DefWindowProcW
0x4122d0 IsWindow
0x4122d4 wvsprintfW
0x4122d8 LoadImageW
0x4122dc LoadIconW
0x4122e0 MessageBeep
0x4122e4 EnableWindow
0x4122e8 EnableMenuItem
0x4122ec GetSystemMenu
0x4122f0 GetClassNameA
0x4122f4 SetTimer
ole32.dll
0x4122fc CreateStreamOnHGlobal
0x412300 CoCreateInstance
0x412304 CoInitialize
OLEAUT32.dll
0x412200 SysAllocString
0x412204 VariantClear
0x412208 OleLoadPicture
KERNEL32.dll
0x412038 SetEndOfFile
0x41203c EnterCriticalSection
0x412040 LeaveCriticalSection
0x412044 WaitForMultipleObjects
0x412048 DeleteCriticalSection
0x41204c GetModuleHandleA
0x412050 SetFileTime
0x412054 ReadFile
0x412058 SetFilePointer
0x41205c GetFileSize
0x412060 GetSystemDirectoryW
0x412064 FormatMessageW
0x412068 lstrcpyW
0x41206c LocalFree
0x412070 IsBadReadPtr
0x412074 SuspendThread
0x412078 ResumeThread
0x41207c TerminateThread
0x412080 InitializeCriticalSection
0x412084 ResetEvent
0x412088 SetEvent
0x41208c CreateEventW
0x412090 GetVersionExW
0x412094 GetCommandLineW
0x412098 GetModuleFileNameW
0x41209c SetCurrentDirectoryW
0x4120a0 GetDriveTypeW
0x4120a4 CreateFileW
0x4120a8 CloseHandle
0x4120ac SetEnvironmentVariableW
0x4120b0 GetTempPathW
0x4120b4 lstrlenW
0x4120b8 GetSystemTimeAsFileTime
0x4120bc CompareFileTime
0x4120c0 SetThreadLocale
0x4120c4 FindFirstFileW
0x4120c8 DeleteFileW
0x4120cc FindNextFileW
0x4120d0 FindClose
0x4120d4 RemoveDirectoryW
0x4120d8 ExpandEnvironmentStringsW
0x4120dc WideCharToMultiByte
0x4120e0 VirtualAlloc
0x4120e4 GlobalMemoryStatusEx
0x4120e8 lstrcmpW
0x4120ec GetEnvironmentVariableW
0x4120f0 lstrcmpiW
0x4120f4 lstrlenA
0x4120f8 GetLocaleInfoW
0x4120fc MultiByteToWideChar
0x412100 GetUserDefaultUILanguage
0x412104 GetSystemDefaultUILanguage
0x412108 GetSystemDefaultLCID
0x41210c lstrcmpiA
0x412110 GlobalAlloc
0x412114 GlobalFree
0x412118 MulDiv
0x41211c FindResourceExA
0x412120 SizeofResource
0x412124 LoadResource
0x412128 LockResource
0x41212c LoadLibraryA
0x412130 GetProcAddress
0x412134 GetModuleHandleW
0x412138 VirtualFree
0x41213c GetStdHandle
0x412140 ExitProcess
0x412144 lstrcatW
0x412148 GetDiskFreeSpaceExW
0x41214c SetFileAttributesW
0x412150 SetLastError
0x412154 Sleep
0x412158 GetExitCodeThread
0x41215c WaitForSingleObject
0x412160 CreateThread
0x412164 GetLastError
0x412168 SystemTimeToFileTime
0x41216c GetLocalTime
0x412170 GetFileAttributesW
0x412174 CreateDirectoryW
0x412178 WriteFile
0x41217c GetStartupInfoA
MSVCRT.dll
0x412184 ??2@YAPAXI@Z
0x412188 _purecall
0x41218c memcmp
0x412190 memcpy
0x412194 _controlfp
0x412198 _except_handler3
0x41219c __set_app_type
0x4121a0 __p__fmode
0x4121a4 __p__commode
0x4121a8 _adjust_fdiv
0x4121ac __setusermatherr
0x4121b0 _initterm
0x4121b4 __getmainargs
0x4121b8 _acmdln
0x4121bc exit
0x4121c0 _XcptFilter
0x4121c4 _exit
0x4121c8 ??1type_info@@UAE@XZ
0x4121cc _onexit
0x4121d0 __dllonexit
0x4121d4 _CxxThrowException
0x4121d8 _beginthreadex
0x4121dc _EH_prolog
0x4121e0 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z
0x4121e4 memset
0x4121e8 _wcsnicmp
0x4121ec strncmp
0x4121f0 memmove
0x4121f4 _wtol
0x4121f8 ??3@YAXPAX@Z
EAT (Export Address Table) is none