Field | Value |
---|---|
Created | 2021.08.15 13:11 |
Machine | s1_win7_x6401 |
Filename | 456.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 34 detected (Malicious, high confidence, MulDrop18, GenericKD, Artemis, Save, Starter, ali2000005, ZexaE, ruW@aGlBEvmi, Attribute, HighConfidence, Sysn, ai score=99, KVMH017, kcloud, Phonzy, score, ClipBanker, CLASSIC, Static AI, Malicious PE, Behavior, susgen, GdSda, confidence, HgIASaUA) |
md5 | 39d6ec1892af37c0fd5c5c2ea89ea782 |
sha256 | 439386a1dfa86c57251f8ee7eeafe15170f6999a97dfeb257ea139829af601c7 |
ssdeep | 1536:Pi/RkUpybMbsLs6Hfo0uC3ItNmWPsh4U16wnrg/xSMxWRL7C9ki2FZ9DPnak9P8N:ewznY8ItNHGNr2vW79XIa+5k4 |
imphash | e28242db9ee32a240d22ee7a94384b35 |
impfuzzy | 96:Olfp+EA41zaNGb+Izx3tjxB6jf0aYifuux7krk+ao492G:zxGbn6jf0TiftxFcG |
Signature (15cnts)
Level | Description |
---|---|
danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Operates on local firewall's policies and settings |
notice | A process created a hidden window |
notice | Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol |
notice | Connects to a SIP STUN server |
notice | Creates a suspicious process |
notice | Creates hidden or system file |
notice | One or more potentially interesting buffers were extracted |
notice | Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | This executable has a PDB path |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win_Worm_Phorpiex | A worm which spreads via removable drives and network drives. | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts)
Suricata IDS
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
PE API
IAT (Import Address Table) Library
urlmon.dll
0x4203a4 URLDownloadToFileW
KERNEL32.dll
0x420048 GetTickCount
0x42004c DeleteTimerQueueTimer
0x420050 LeaveCriticalSection
0x420054 EnterCriticalSection
0x420058 InitializeCriticalSection
0x42005c DeleteCriticalSection
0x420060 SwitchToThread
0x420064 CreateIoCompletionPort
0x420068 GetModuleFileNameW
0x42006c TerminateThread
0x420070 PostQueuedCompletionStatus
0x420074 DeleteFileW
0x420078 FlushViewOfFile
0x42007c GetCurrentProcessId
0x420080 GetCurrentThreadId
0x420084 GetQueuedCompletionStatus
0x420088 WaitForMultipleObjects
0x42008c Sleep
0x420090 HeapAlloc
0x420094 HeapReAlloc
0x420098 GetProcessHeap
0x42009c HeapFree
0x4200a0 OpenProcess
0x4200a4 FindClose
0x4200a8 FindNextFileW
0x4200ac FindFirstFileW
0x4200b0 LocalFree
0x4200b4 CreateProcessW
0x4200b8 lstrcmpiW
0x4200bc FlushFileBuffers
0x4200c0 WriteFile
0x4200c4 GetLastError
0x4200c8 SetFilePointer
0x4200cc GetFileSizeEx
0x4200d0 ReleaseMutex
0x4200d4 CreateMutexW
0x4200d8 GetNativeSystemInfo
0x4200dc MultiByteToWideChar
0x4200e0 WideCharToMultiByte
0x4200e4 GetModuleHandleW
0x4200e8 ExpandEnvironmentStringsW
0x4200ec CreateTimerQueueTimer
0x4200f0 ExitProcess
0x4200f4 CopyFileW
0x4200f8 SetFileAttributesW
0x4200fc CreateDirectoryW
0x420100 lstrcmpW
0x420104 GlobalFree
0x420108 GlobalUnlock
0x42010c GlobalLock
0x420110 GlobalAlloc
0x420114 MoveFileExW
0x420118 GetDriveTypeW
0x42011c DeviceIoControl
0x420120 GetVolumeNameForVolumeMountPointW
0x420124 GetSystemDirectoryW
0x420128 GetVolumeInformationW
0x42012c FindVolumeClose
0x420130 FindNextVolumeW
0x420134 FindFirstVolumeW
0x420138 CreateFileA
0x42013c GetLocaleInfoA
0x420140 GetStringTypeW
0x420144 GetStringTypeA
0x420148 LCMapStringW
0x42014c LCMapStringA
0x420150 WriteConsoleW
0x420154 GetConsoleOutputCP
0x420158 WriteConsoleA
0x42015c SetStdHandle
0x420160 HeapSize
0x420164 InitializeCriticalSectionAndSpinCount
0x420168 lstrcatW
0x42016c GetExitCodeThread
0x420170 lstrlenW
0x420174 UnmapViewOfFile
0x420178 CreateFileW
0x42017c GetFileSize
0x420180 CreateFileMappingW
0x420184 MapViewOfFile
0x420188 LoadLibraryA
0x42018c GetProcAddress
0x420190 FileTimeToSystemTime
0x420194 lstrcpynW
0x420198 WaitForSingleObject
0x42019c TerminateProcess
0x4201a0 CloseHandle
0x4201a4 lstrlenA
0x4201a8 GetThreadId
0x4201ac ExitThread
0x4201b0 CreateThread
0x4201b4 GetSystemTimeAsFileTime
0x4201b8 RtlUnwind
0x4201bc GetCurrentProcess
0x4201c0 UnhandledExceptionFilter
0x4201c4 SetUnhandledExceptionFilter
0x4201c8 IsDebuggerPresent
0x4201cc IsValidCodePage
0x4201d0 GetOEMCP
0x4201d4 GetACP
0x4201d8 GetCPInfo
0x4201dc RaiseException
0x4201e0 GetCommandLineA
0x4201e4 GetStartupInfoA
0x4201e8 GetConsoleMode
0x4201ec GetConsoleCP
0x4201f0 QueryPerformanceCounter
0x4201f4 GetFileType
0x4201f8 SetHandleCount
0x4201fc GetEnvironmentStringsW
0x420200 FreeEnvironmentStringsW
0x420204 GetEnvironmentStrings
0x420208 FreeEnvironmentStringsA
0x42020c GetModuleFileNameA
0x420210 GetStdHandle
0x420214 InterlockedDecrement
0x420218 SetLastError
0x42021c InterlockedIncrement
0x420220 TlsFree
0x420224 TlsSetValue
0x420228 TlsAlloc
0x42022c TlsGetValue
0x420230 VirtualAlloc
0x420234 VirtualFree
0x420238 HeapCreate
USER32.dll
0x4202b0 EmptyClipboard
0x4202b4 DefWindowProcW
0x4202b8 GetClipboardData
0x4202bc GetPriorityClipboardFormat
0x4202c0 DefWindowProcA
0x4202c4 DispatchMessageW
0x4202c8 GetShellWindow
0x4202cc GetWindowThreadProcessId
0x4202d0 SetClipboardData
0x4202d4 TranslateMessage
0x4202d8 GetMessageW
0x4202dc RegisterClassExW
0x4202e0 wsprintfW
0x4202e4 UnregisterClassW
0x4202e8 DestroyWindow
0x4202ec RemoveClipboardFormatListener
0x4202f0 AddClipboardFormatListener
0x4202f4 CreateWindowExW
0x4202f8 PostThreadMessageW
0x4202fc OpenClipboard
0x420300 CloseClipboard
0x420304 CharLowerW
ADVAPI32.dll
0x420000 RegCloseKey
0x420004 RegOpenKeyExW
0x420008 RegCreateKeyExW
0x42000c RevertToSelf
0x420010 ImpersonateLoggedOnUser
0x420014 ConvertStringSecurityDescriptorToSecurityDescriptorW
0x420018 CryptAcquireContextA
0x42001c CryptReleaseContext
0x420020 CryptCreateHash
0x420024 CryptHashData
0x420028 CryptVerifySignatureA
0x42002c CryptDestroyHash
0x420030 CryptImportKey
0x420034 CryptGetKeyParam
0x420038 CryptDestroyKey
0x42003c OpenProcessToken
0x420040 RegSetValueExW
SHELL32.dll
0x420264 ShellExecuteExW
0x420268 None
0x42026c SHChangeNotify
0x420270 SHGetFolderPathW
0x420274 ShellExecuteW
ole32.dll
0x420394 CoCreateInstance
0x420398 CoInitializeEx
0x42039c CoUninitialize
OLEAUT32.dll
0x420250 SysFreeString
0x420254 SysAllocString
WS2_32.dll
0x420338 htonl
0x42033c ntohl
0x420340 ntohs
0x420344 htons
0x420348 recvfrom
0x42034c setsockopt
0x420350 sendto
0x420354 inet_ntoa
0x420358 freeaddrinfo
0x42035c closesocket
0x420360 getsockname
0x420364 connect
0x420368 socket
0x42036c WSAGetLastError
0x420370 WSARecvFrom
0x420374 WSASendTo
0x420378 bind
0x42037c WSAStartup
0x420380 WSACleanup
0x420384 inet_addr
0x420388 WSASocketW
0x42038c getaddrinfo
SHLWAPI.dll
0x42027c PathCombineW
0x420280 StrToIntA
0x420284 StrDupW
0x420288 PathFindExtensionW
0x42028c PathFileExistsW
0x420290 StrStrNIW
0x420294 StrCmpNIW
0x420298 StrStrIW
0x42029c PathAddExtensionW
0x4202a0 PathStripToRootW
0x4202a4 PathAppendW
0x4202a8 PathRemoveFileSpecW
MPR.dll
0x420240 WNetCloseEnum
0x420244 WNetEnumResourceW
0x420248 WNetOpenEnumW
WININET.dll
0x42030c InternetOpenUrlW
0x420310 InternetCrackUrlW
0x420314 InternetOpenW
0x420318 InternetConnectW
0x42031c HttpOpenRequestW
0x420320 HttpAddRequestHeadersW
0x420324 HttpSendRequestW
0x420328 HttpQueryInfoW
0x42032c InternetReadFile
0x420330 InternetCloseHandle
RPCRT4.dll
0x42025c UuidCreate
EAT (Export Address Table): none