Field | Value |
---|---|
Created | 2021.08.18 11:37 |
Machine | s1_win7_x6401 |
Filename | wango666.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 37 detected (GenericKD, HgIASaMA, Deyma, Kryptik, Eldorado, Attribute, HighConfidence, ACYJ, Malicious, Ursu, Malware@#3ko08bgbszs5o, DownLoader41, AveMaria, R002C0WHG21, TrojDownloader, kcloud, Artemis, ai score=81, TrojanPSW, Convagent, confidence, 100%) |
md5 | a9d35b3546a908c804d177020daefcb0 |
sha256 | 45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827 |
ssdeep | 196608:XPGZKb8EmARpfMWw93Axfy46VqPFUXd8hSXJTkWOg0rmt+kK1:+o7pa9wVaqcd8hSZkWOgOmHq |
imphash | d619eda1a774da262071361b928bb2e4 |
impfuzzy | 48:hylnpVOIDk/6AecfYtTE0c1GT+KQ4zuFbv:hylpVNDk/FecfYtT9c4gv |
Network IP location
Signature (17cnts)
Level | Description |
---|---|
danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates (office) documents on the filesystem |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Sends data using the HTTP POST Method |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
Rules (35cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | PDF_Format_Z | PDF Format | binaries (download) |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET MALWARE Amadey CnC Check-In
ET MALWARE Amadey CnC Check-In
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40700c LoadLibraryA
0x407010 lstrcpyA
0x407014 lstrcatA
0x407018 lstrlenA
0x40701c GetSystemDirectoryA
0x407020 GetProcAddress
0x407024 GetModuleHandleA
0x407028 _lclose
0x40702c GetModuleFileNameA
0x407030 _lread
0x407034 _llseek
0x407038 _lopen
0x40703c _lwrite
0x407040 _lcreat
0x407044 CreateDirectoryA
0x407048 SetCurrentDirectoryA
0x40704c GetDiskFreeSpaceA
0x407050 GetFileAttributesA
0x407054 CompareStringA
0x407058 DeleteFileA
0x40705c GetTempPathA
0x407060 GetCurrentDirectoryA
0x407064 CloseHandle
0x407068 GetExitCodeProcess
0x40706c GetLastError
0x407070 LocalFree
0x407074 GetCurrentProcess
0x407078 MoveFileExA
0x40707c GetStringTypeW
0x407080 MultiByteToWideChar
0x407084 LCMapStringW
0x407088 HeapReAlloc
0x40708c RtlUnwind
0x407090 HeapSize
0x407094 Sleep
0x407098 RemoveDirectoryA
0x40709c FreeLibrary
0x4070a0 IsValidCodePage
0x4070a4 GetOEMCP
0x4070a8 GetModuleHandleW
0x4070ac ExitProcess
0x4070b0 DecodePointer
0x4070b4 HeapFree
0x4070b8 HeapAlloc
0x4070bc GetCommandLineA
0x4070c0 HeapSetInformation
0x4070c4 GetStartupInfoW
0x4070c8 InitializeCriticalSectionAndSpinCount
0x4070cc DeleteCriticalSection
0x4070d0 LeaveCriticalSection
0x4070d4 EnterCriticalSection
0x4070d8 EncodePointer
0x4070dc LoadLibraryW
0x4070e0 UnhandledExceptionFilter
0x4070e4 SetUnhandledExceptionFilter
0x4070e8 IsDebuggerPresent
0x4070ec TerminateProcess
0x4070f0 TlsAlloc
0x4070f4 TlsGetValue
0x4070f8 TlsSetValue
0x4070fc TlsFree
0x407100 InterlockedIncrement
0x407104 SetLastError
0x407108 GetCurrentThreadId
0x40710c InterlockedDecrement
0x407110 WriteFile
0x407114 GetStdHandle
0x407118 GetModuleFileNameW
0x40711c IsProcessorFeaturePresent
0x407120 HeapCreate
0x407124 FreeEnvironmentStringsW
0x407128 WideCharToMultiByte
0x40712c GetEnvironmentStringsW
0x407130 SetHandleCount
0x407134 GetFileType
0x407138 QueryPerformanceCounter
0x40713c GetTickCount
0x407140 GetCurrentProcessId
0x407144 GetSystemTimeAsFileTime
0x407148 GetCPInfo
0x40714c GetACP
USER32.dll
0x40715c TranslateMessage
0x407160 DispatchMessageA
0x407164 PeekMessageA
0x407168 wsprintfA
0x40716c LoadCursorA
0x407170 SetCursor
0x407174 MessageBoxA
0x407178 MsgWaitForMultipleObjects
ADVAPI32.dll
0x407000 GetTokenInformation
0x407004 OpenProcessToken
SHELL32.dll
0x407154 ShellExecuteExA
EAT(Export Address Table) is none