Field | Value |
---|---|
Created | 2021.08.18 11:28 |
Machine | s1_win7_x6401 |
Filename | hot.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 32 detected (Zusy, malicious, high confidence, ZexaF, NuW@aO6OU7mO, Faker, Eldorado, Attribute, HighConfidence, Formbook, FileRepMalware, Kryptik, CLASSIC, ai score=87, score, R002H0CHH21, Static AI, Malicious PE, RnkBend, confidence, 100%, susgen) |
md5 | 5fcbfeae2b818e9eab95723a87460401 |
sha256 | 22a3ccdeb9ae4b196461cdb81c895ae891e2149af03e44b6ce86c2a1bf062947 |
ssdeep | 12288:/U/Rmv+TmAXNzNxECRygNVl/GYlqPPMbQ4Z6hg0t9VoQigW:/Yme9P58gl/GhPPU5cgyX2 |
imphash | ff42c22be7db6fd997a1f31962592e30 |
impfuzzy | 24:0kgwcpV/qlpOovXG2lTJ3coXD8vZ7XZRjMAdtNJhFGXv2DgFnQu:bcpVLOG2/cFZ7BtPhFGZFnp |
Network IP location
Signature (8cnts)
Level | Description |
---|---|
danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | This executable has a PDB path |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (10cnts)
Suricata ids
ET MALWARE FormBook CnC Checkin (GET)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x424000 FreeConsole
0x424004 VirtualProtect
0x424008 CreateFileW
0x42400c ReadConsoleW
0x424010 WriteConsoleW
0x424014 WideCharToMultiByte
0x424018 InterlockedIncrement
0x42401c InterlockedDecrement
0x424020 EncodePointer
0x424024 DecodePointer
0x424028 EnterCriticalSection
0x42402c LeaveCriticalSection
0x424030 InitializeCriticalSectionEx
0x424034 DeleteCriticalSection
0x424038 Sleep
0x42403c GetLocaleInfoEx
0x424040 MultiByteToWideChar
0x424044 GetStringTypeW
0x424048 GetLastError
0x42404c HeapFree
0x424050 GetCommandLineA
0x424054 GetCPInfo
0x424058 RaiseException
0x42405c RtlUnwind
0x424060 HeapAlloc
0x424064 InitializeCriticalSectionAndSpinCount
0x424068 IsProcessorFeaturePresent
0x42406c IsDebuggerPresent
0x424070 GetProcessHeap
0x424074 SetLastError
0x424078 GetCurrentThreadId
0x42407c ExitProcess
0x424080 GetModuleHandleExW
0x424084 GetProcAddress
0x424088 HeapSize
0x42408c GetStdHandle
0x424090 WriteFile
0x424094 GetModuleFileNameW
0x424098 GetFileType
0x42409c InitOnceExecuteOnce
0x4240a0 GetStartupInfoW
0x4240a4 GetModuleFileNameA
0x4240a8 QueryPerformanceCounter
0x4240ac GetSystemTimeAsFileTime
0x4240b0 GetTickCount64
0x4240b4 GetEnvironmentStringsW
0x4240b8 FreeEnvironmentStringsW
0x4240bc IsValidCodePage
0x4240c0 GetACP
0x4240c4 GetOEMCP
0x4240c8 CloseHandle
0x4240cc FlushFileBuffers
0x4240d0 GetConsoleCP
0x4240d4 GetConsoleMode
0x4240d8 ReadFile
0x4240dc SetFilePointerEx
0x4240e0 UnhandledExceptionFilter
0x4240e4 SetUnhandledExceptionFilter
0x4240e8 FlsAlloc
0x4240ec FlsGetValue
0x4240f0 FlsSetValue
0x4240f4 FlsFree
0x4240f8 GetCurrentProcess
0x4240fc TerminateProcess
0x424100 GetModuleHandleW
0x424104 GetUserDefaultLocaleName
0x424108 LCMapStringEx
0x42410c IsValidLocaleName
0x424110 EnumSystemLocalesEx
0x424114 HeapReAlloc
0x424118 LoadLibraryExW
0x42411c OutputDebugStringW
0x424120 LoadLibraryW
0x424124 SetStdHandle
USER32.dll
0x42412c GetSystemMetrics
0x424130 PostQuitMessage
EAT(Export Address Table) is none