ScreenShot
| Created | 2021.08.23 12:15 | Machine | s1_win7_x6402 |
| Filename | fbtc-client.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 30 detected (GenericKD, TheRat, NSIS, R03FH0CHL21, TeamViewer, Artemis, Malicious, wccts, ai score=88, Tnega, score, Ajvu, Slntscn24, bVVB1s, InvalidSig) | ||
| md5 | 7a9a32c45303b7bef1651551799bb68f | ||
| sha256 | e806a4db88bb042b54e3fa43e03a2e59bf5d40ff6cd1dad371a1721148da843f | ||
| ssdeep | 49152:dsB+54Euz74/EGCWDudi1afr3+j6Qa8rHsDi6HxxJVhkRQyo5ggyFHMkaX5wTIZ1:ds6qRG7Du9frujRnwu2b6to5T4MkLIZ1 | ||
| imphash | ea4e67a31ace1a72683a99b80cf37830 | ||
| impfuzzy | 48:fjxZDh+W80DldG+T74VpFEX7wa4Oetz8t+tlALr80Q5Svyxl56U09y/1xoACnB5i:bxZDbBlYkXMCOCNwJsC | ||
Network IP location
Signature (44cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Checks the version of Bios |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates known TeamViewer mutexes and/or registry changes. |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Detects VMWare through the in instruction feature |
| watch | Expresses interest in specific running processes |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process msci.exe |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Starts servers listening |
| notice | Steals private information from local Internet browsers |
| notice | Terminates another process |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (50cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Lazarus_Zero | Lazarus Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| warning | themida_packer | themida packer | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | RAT_WebCam | Remote Administration toolkit using webcam | memory |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Hijack_Network | Hijack network configuration | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Virtual_currency_Zero | Virtual currency | memory |
| info | win_hook | Affect hook table | memory |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Network (19cnts) ?
Suricata ids
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY TeamViewer Keep-alive inbound
ET MALWARE Win32.Spy/TVRat Checkin
SURICATA HTTP unable to match response to request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY TeamViewer Keep-alive inbound
ET MALWARE Win32.Spy/TVRat Checkin
SURICATA HTTP unable to match response to request
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x408000 RegCreateKeyExA
0x408004 RegEnumKeyA
0x408008 RegQueryValueExA
0x40800c RegSetValueExA
0x408010 RegCloseKey
0x408014 RegDeleteValueA
0x408018 RegDeleteKeyA
0x40801c AdjustTokenPrivileges
0x408020 LookupPrivilegeValueA
0x408024 OpenProcessToken
0x408028 SetFileSecurityA
0x40802c RegOpenKeyExA
0x408030 RegEnumValueA
SHELL32.dll
0x40816c SHGetFileInfoA
0x408170 SHFileOperationA
0x408174 SHGetPathFromIDListA
0x408178 ShellExecuteExA
0x40817c SHGetSpecialFolderLocation
0x408180 SHBrowseForFolderA
ole32.dll
0x408284 IIDFromString
0x408288 OleInitialize
0x40828c OleUninitialize
0x408290 CoCreateInstance
0x408294 CoTaskMemFree
COMCTL32.dll
0x408038 None
0x40803c ImageList_Create
0x408040 ImageList_Destroy
0x408044 ImageList_AddMasked
USER32.dll
0x408188 SetClipboardData
0x40818c CharPrevA
0x408190 CallWindowProcA
0x408194 PeekMessageA
0x408198 DispatchMessageA
0x40819c MessageBoxIndirectA
0x4081a0 GetDlgItemTextA
0x4081a4 SetDlgItemTextA
0x4081a8 GetSystemMetrics
0x4081ac CreatePopupMenu
0x4081b0 AppendMenuA
0x4081b4 TrackPopupMenu
0x4081b8 FillRect
0x4081bc EmptyClipboard
0x4081c0 LoadCursorA
0x4081c4 GetMessagePos
0x4081c8 CheckDlgButton
0x4081cc GetSysColor
0x4081d0 SetCursor
0x4081d4 GetWindowLongA
0x4081d8 SetClassLongA
0x4081dc SetWindowPos
0x4081e0 IsWindowEnabled
0x4081e4 GetWindowRect
0x4081e8 GetSystemMenu
0x4081ec EnableMenuItem
0x4081f0 RegisterClassA
0x4081f4 ScreenToClient
0x4081f8 EndDialog
0x4081fc GetClassInfoA
0x408200 SystemParametersInfoA
0x408204 CreateWindowExA
0x408208 ExitWindowsEx
0x40820c DialogBoxParamA
0x408210 CharNextA
0x408214 SetTimer
0x408218 DestroyWindow
0x40821c CreateDialogParamA
0x408220 SetForegroundWindow
0x408224 SetWindowTextA
0x408228 PostQuitMessage
0x40822c SendMessageTimeoutA
0x408230 ShowWindow
0x408234 wsprintfA
0x408238 GetDlgItem
0x40823c FindWindowExA
0x408240 IsWindow
0x408244 GetDC
0x408248 SetWindowLongA
0x40824c LoadImageA
0x408250 InvalidateRect
0x408254 ReleaseDC
0x408258 EnableWindow
0x40825c BeginPaint
0x408260 SendMessageA
0x408264 DefWindowProcA
0x408268 DrawTextA
0x40826c GetClientRect
0x408270 EndPaint
0x408274 IsWindowVisible
0x408278 CloseClipboard
0x40827c OpenClipboard
GDI32.dll
0x40804c SetBkMode
0x408050 SetBkColor
0x408054 GetDeviceCaps
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 SetTextColor
0x408068 SelectObject
KERNEL32.dll
0x408070 GetExitCodeProcess
0x408074 WaitForSingleObject
0x408078 GetProcAddress
0x40807c GetSystemDirectoryA
0x408080 WideCharToMultiByte
0x408084 MoveFileExA
0x408088 GetTempFileNameA
0x40808c RemoveDirectoryA
0x408090 WriteFile
0x408094 CreateDirectoryA
0x408098 GetLastError
0x40809c CreateProcessA
0x4080a0 GlobalLock
0x4080a4 GlobalUnlock
0x4080a8 CreateThread
0x4080ac lstrcpynA
0x4080b0 SetErrorMode
0x4080b4 GetDiskFreeSpaceA
0x4080b8 lstrlenA
0x4080bc GetCommandLineA
0x4080c0 GetVersion
0x4080c4 GetWindowsDirectoryA
0x4080c8 SetEnvironmentVariableA
0x4080cc GetTempPathA
0x4080d0 CopyFileA
0x4080d4 GetCurrentProcess
0x4080d8 ExitProcess
0x4080dc GetModuleFileNameA
0x4080e0 GetFileSize
0x4080e4 ReadFile
0x4080e8 GetTickCount
0x4080ec Sleep
0x4080f0 CreateFileA
0x4080f4 GetFileAttributesA
0x4080f8 SetCurrentDirectoryA
0x4080fc SetFileAttributesA
0x408100 GetFullPathNameA
0x408104 GetShortPathNameA
0x408108 MoveFileA
0x40810c CompareFileTime
0x408110 SetFileTime
0x408114 SearchPathA
0x408118 lstrcmpiA
0x40811c lstrcmpA
0x408120 CloseHandle
0x408124 GlobalFree
0x408128 GlobalAlloc
0x40812c ExpandEnvironmentStringsA
0x408130 LoadLibraryExA
0x408134 FreeLibrary
0x408138 lstrcpyA
0x40813c lstrcatA
0x408140 FindClose
0x408144 MultiByteToWideChar
0x408148 WritePrivateProfileStringA
0x40814c GetPrivateProfileStringA
0x408150 SetFilePointer
0x408154 GetModuleHandleA
0x408158 FindNextFileA
0x40815c FindFirstFileA
0x408160 DeleteFileA
0x408164 MulDiv
EAT(Export Address Table) is none
ADVAPI32.dll
0x408000 RegCreateKeyExA
0x408004 RegEnumKeyA
0x408008 RegQueryValueExA
0x40800c RegSetValueExA
0x408010 RegCloseKey
0x408014 RegDeleteValueA
0x408018 RegDeleteKeyA
0x40801c AdjustTokenPrivileges
0x408020 LookupPrivilegeValueA
0x408024 OpenProcessToken
0x408028 SetFileSecurityA
0x40802c RegOpenKeyExA
0x408030 RegEnumValueA
SHELL32.dll
0x40816c SHGetFileInfoA
0x408170 SHFileOperationA
0x408174 SHGetPathFromIDListA
0x408178 ShellExecuteExA
0x40817c SHGetSpecialFolderLocation
0x408180 SHBrowseForFolderA
ole32.dll
0x408284 IIDFromString
0x408288 OleInitialize
0x40828c OleUninitialize
0x408290 CoCreateInstance
0x408294 CoTaskMemFree
COMCTL32.dll
0x408038 None
0x40803c ImageList_Create
0x408040 ImageList_Destroy
0x408044 ImageList_AddMasked
USER32.dll
0x408188 SetClipboardData
0x40818c CharPrevA
0x408190 CallWindowProcA
0x408194 PeekMessageA
0x408198 DispatchMessageA
0x40819c MessageBoxIndirectA
0x4081a0 GetDlgItemTextA
0x4081a4 SetDlgItemTextA
0x4081a8 GetSystemMetrics
0x4081ac CreatePopupMenu
0x4081b0 AppendMenuA
0x4081b4 TrackPopupMenu
0x4081b8 FillRect
0x4081bc EmptyClipboard
0x4081c0 LoadCursorA
0x4081c4 GetMessagePos
0x4081c8 CheckDlgButton
0x4081cc GetSysColor
0x4081d0 SetCursor
0x4081d4 GetWindowLongA
0x4081d8 SetClassLongA
0x4081dc SetWindowPos
0x4081e0 IsWindowEnabled
0x4081e4 GetWindowRect
0x4081e8 GetSystemMenu
0x4081ec EnableMenuItem
0x4081f0 RegisterClassA
0x4081f4 ScreenToClient
0x4081f8 EndDialog
0x4081fc GetClassInfoA
0x408200 SystemParametersInfoA
0x408204 CreateWindowExA
0x408208 ExitWindowsEx
0x40820c DialogBoxParamA
0x408210 CharNextA
0x408214 SetTimer
0x408218 DestroyWindow
0x40821c CreateDialogParamA
0x408220 SetForegroundWindow
0x408224 SetWindowTextA
0x408228 PostQuitMessage
0x40822c SendMessageTimeoutA
0x408230 ShowWindow
0x408234 wsprintfA
0x408238 GetDlgItem
0x40823c FindWindowExA
0x408240 IsWindow
0x408244 GetDC
0x408248 SetWindowLongA
0x40824c LoadImageA
0x408250 InvalidateRect
0x408254 ReleaseDC
0x408258 EnableWindow
0x40825c BeginPaint
0x408260 SendMessageA
0x408264 DefWindowProcA
0x408268 DrawTextA
0x40826c GetClientRect
0x408270 EndPaint
0x408274 IsWindowVisible
0x408278 CloseClipboard
0x40827c OpenClipboard
GDI32.dll
0x40804c SetBkMode
0x408050 SetBkColor
0x408054 GetDeviceCaps
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 SetTextColor
0x408068 SelectObject
KERNEL32.dll
0x408070 GetExitCodeProcess
0x408074 WaitForSingleObject
0x408078 GetProcAddress
0x40807c GetSystemDirectoryA
0x408080 WideCharToMultiByte
0x408084 MoveFileExA
0x408088 GetTempFileNameA
0x40808c RemoveDirectoryA
0x408090 WriteFile
0x408094 CreateDirectoryA
0x408098 GetLastError
0x40809c CreateProcessA
0x4080a0 GlobalLock
0x4080a4 GlobalUnlock
0x4080a8 CreateThread
0x4080ac lstrcpynA
0x4080b0 SetErrorMode
0x4080b4 GetDiskFreeSpaceA
0x4080b8 lstrlenA
0x4080bc GetCommandLineA
0x4080c0 GetVersion
0x4080c4 GetWindowsDirectoryA
0x4080c8 SetEnvironmentVariableA
0x4080cc GetTempPathA
0x4080d0 CopyFileA
0x4080d4 GetCurrentProcess
0x4080d8 ExitProcess
0x4080dc GetModuleFileNameA
0x4080e0 GetFileSize
0x4080e4 ReadFile
0x4080e8 GetTickCount
0x4080ec Sleep
0x4080f0 CreateFileA
0x4080f4 GetFileAttributesA
0x4080f8 SetCurrentDirectoryA
0x4080fc SetFileAttributesA
0x408100 GetFullPathNameA
0x408104 GetShortPathNameA
0x408108 MoveFileA
0x40810c CompareFileTime
0x408110 SetFileTime
0x408114 SearchPathA
0x408118 lstrcmpiA
0x40811c lstrcmpA
0x408120 CloseHandle
0x408124 GlobalFree
0x408128 GlobalAlloc
0x40812c ExpandEnvironmentStringsA
0x408130 LoadLibraryExA
0x408134 FreeLibrary
0x408138 lstrcpyA
0x40813c lstrcatA
0x408140 FindClose
0x408144 MultiByteToWideChar
0x408148 WritePrivateProfileStringA
0x40814c GetPrivateProfileStringA
0x408150 SetFilePointer
0x408154 GetModuleHandleA
0x408158 FindNextFileA
0x40815c FindFirstFileA
0x408160 DeleteFileA
0x408164 MulDiv
EAT(Export Address Table) is none