ScreenShot
| Created | 2021.08.21 09:01 | Machine | s1_win7_x6402 |
| Filename | eli.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 58 detected (RultalinaTZ, Lmir, laiL, malicious, high confidence, score, GandcrabIH, S17569987, GenericKD, AzorUlt, Delf, Save, TrojanPSW, Coins, confidence, 100%, Eldorado, Rultazo, fitdqk, PWSX, Gencirc, COINSTEAL, SMPIS, Outbreak, XPACK, PSWTroj, kcloud, Stimilina, KBot, R260844, FSEP, ai score=100, Unsafe, CLASSIC, GenAsa, zpkWsvf3gpo, Static AI, Suspicious PE, Genetic, susgen) | ||
| md5 | 70ded05d874a95b1b3027c1e97b16287 | ||
| sha256 | aca7a7d812ac2192255aa3d47477f13b05963da0383e459d6b09d1630cd11aae | ||
| ssdeep | 3072:KExRaQ6raoCoCyz6/mqv1JR+yBtGOeaeWgibq:faO1tme++wi2 | ||
| imphash | 6d1f2b41411eacafcf447fc002d8cb00 | ||
| impfuzzy | 24:8cfpwYz5nv6OovsgO0MXg+4Qw3J1w2+u2Ag2mZDq2CflOOCntY5F4OwxA:8cfp95nlngO0Mw+4QuPhl2ulOOT5F4RA | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
PE API
IAT(Import Address Table) Library
kernel32.dll
0x41d0dc DeleteCriticalSection
0x41d0e0 LeaveCriticalSection
0x41d0e4 EnterCriticalSection
0x41d0e8 InitializeCriticalSection
0x41d0ec VirtualFree
0x41d0f0 VirtualAlloc
0x41d0f4 LocalFree
0x41d0f8 LocalAlloc
0x41d0fc GetTickCount
0x41d100 QueryPerformanceCounter
0x41d104 GetVersion
0x41d108 GetCurrentThreadId
0x41d10c WideCharToMultiByte
0x41d110 MultiByteToWideChar
0x41d114 GetThreadLocale
0x41d118 GetStartupInfoA
0x41d11c GetModuleFileNameA
0x41d120 GetLocaleInfoA
0x41d124 GetCommandLineA
0x41d128 FreeLibrary
0x41d12c ExitProcess
0x41d130 WriteFile
0x41d134 UnhandledExceptionFilter
0x41d138 RtlUnwind
0x41d13c RaiseException
0x41d140 GetStdHandle
user32.dll
0x41d148 GetKeyboardType
0x41d14c MessageBoxA
0x41d150 CharNextA
advapi32.dll
0x41d158 RegQueryValueExA
0x41d15c RegOpenKeyExA
0x41d160 RegCloseKey
oleaut32.dll
0x41d168 SysFreeString
0x41d16c SysReAllocStringLen
0x41d170 SysAllocStringLen
kernel32.dll
0x41d178 GetModuleHandleA
advapi32.dll
0x41d180 RegOpenKeyExA
0x41d184 RegEnumKeyA
0x41d188 FreeSid
kernel32.dll
0x41d190 WriteFile
0x41d194 Sleep
0x41d198 LocalFree
0x41d19c LoadLibraryExW
0x41d1a0 LoadLibraryA
0x41d1a4 GlobalUnlock
0x41d1a8 GlobalLock
0x41d1ac GetTickCount
0x41d1b0 GetSystemInfo
0x41d1b4 GetProcAddress
0x41d1b8 GetModuleHandleA
0x41d1bc GetModuleFileNameA
0x41d1c0 GetFileAttributesW
0x41d1c4 GetCurrentProcessId
0x41d1c8 GetCurrentProcess
0x41d1cc FreeLibrary
0x41d1d0 FindNextFileW
0x41d1d4 FindFirstFileW
0x41d1d8 FindClose
0x41d1dc ExitProcess
0x41d1e0 DeleteFileW
0x41d1e4 CreateDirectoryW
0x41d1e8 CopyFileW
gdi32.dll
0x41d1f0 SelectObject
0x41d1f4 DeleteObject
0x41d1f8 DeleteDC
0x41d1fc CreateCompatibleDC
0x41d200 CreateCompatibleBitmap
0x41d204 BitBlt
user32.dll
0x41d20c ReleaseDC
0x41d210 GetSystemMetrics
0x41d214 GetDC
0x41d218 CharToOemBuffA
ole32.dll
0x41d220 OleInitialize
0x41d224 CoCreateInstance
EAT(Export Address Table) is none
kernel32.dll
0x41d0dc DeleteCriticalSection
0x41d0e0 LeaveCriticalSection
0x41d0e4 EnterCriticalSection
0x41d0e8 InitializeCriticalSection
0x41d0ec VirtualFree
0x41d0f0 VirtualAlloc
0x41d0f4 LocalFree
0x41d0f8 LocalAlloc
0x41d0fc GetTickCount
0x41d100 QueryPerformanceCounter
0x41d104 GetVersion
0x41d108 GetCurrentThreadId
0x41d10c WideCharToMultiByte
0x41d110 MultiByteToWideChar
0x41d114 GetThreadLocale
0x41d118 GetStartupInfoA
0x41d11c GetModuleFileNameA
0x41d120 GetLocaleInfoA
0x41d124 GetCommandLineA
0x41d128 FreeLibrary
0x41d12c ExitProcess
0x41d130 WriteFile
0x41d134 UnhandledExceptionFilter
0x41d138 RtlUnwind
0x41d13c RaiseException
0x41d140 GetStdHandle
user32.dll
0x41d148 GetKeyboardType
0x41d14c MessageBoxA
0x41d150 CharNextA
advapi32.dll
0x41d158 RegQueryValueExA
0x41d15c RegOpenKeyExA
0x41d160 RegCloseKey
oleaut32.dll
0x41d168 SysFreeString
0x41d16c SysReAllocStringLen
0x41d170 SysAllocStringLen
kernel32.dll
0x41d178 GetModuleHandleA
advapi32.dll
0x41d180 RegOpenKeyExA
0x41d184 RegEnumKeyA
0x41d188 FreeSid
kernel32.dll
0x41d190 WriteFile
0x41d194 Sleep
0x41d198 LocalFree
0x41d19c LoadLibraryExW
0x41d1a0 LoadLibraryA
0x41d1a4 GlobalUnlock
0x41d1a8 GlobalLock
0x41d1ac GetTickCount
0x41d1b0 GetSystemInfo
0x41d1b4 GetProcAddress
0x41d1b8 GetModuleHandleA
0x41d1bc GetModuleFileNameA
0x41d1c0 GetFileAttributesW
0x41d1c4 GetCurrentProcessId
0x41d1c8 GetCurrentProcess
0x41d1cc FreeLibrary
0x41d1d0 FindNextFileW
0x41d1d4 FindFirstFileW
0x41d1d8 FindClose
0x41d1dc ExitProcess
0x41d1e0 DeleteFileW
0x41d1e4 CreateDirectoryW
0x41d1e8 CopyFileW
gdi32.dll
0x41d1f0 SelectObject
0x41d1f4 DeleteObject
0x41d1f8 DeleteDC
0x41d1fc CreateCompatibleDC
0x41d200 CreateCompatibleBitmap
0x41d204 BitBlt
user32.dll
0x41d20c ReleaseDC
0x41d210 GetSystemMetrics
0x41d214 GetDC
0x41d218 CharToOemBuffA
ole32.dll
0x41d220 OleInitialize
0x41d224 CoCreateInstance
EAT(Export Address Table) is none