ScreenShot
| Created | 2021.08.25 10:23 | Machine | s1_win7_x6401 |
| Filename | safman_setup.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 13 detected (Artemis, Snojan, ctov, Malicious, Zpevdo, Ahot) | ||
| md5 | 72bbac2c87dff558073e6306f1552a39 | ||
| sha256 | 2ecb4724f6f253e573bf038b47709f88c862fd19741a1c65da13d45b597a2097 | ||
| ssdeep | 196608:TNw5s8BKUnGIt4BPiVIr3vI8CDSuhJmqs31hCbR3nN:TC5z3GfI8tip+sbR3nN | ||
| imphash | 2fb819a19fe4dee5c03e8c6a79342f79 | ||
| impfuzzy | 48:8cfp1rcQX0gebPCZr9ZbldH9AOZGwt+Eu55T/lGB:8cfpdcqNebqZr3rHW2 | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Drops an executable to the user AppData folder |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x40e0b4 DeleteCriticalSection
0x40e0b8 LeaveCriticalSection
0x40e0bc EnterCriticalSection
0x40e0c0 InitializeCriticalSection
0x40e0c4 VirtualFree
0x40e0c8 VirtualAlloc
0x40e0cc LocalFree
0x40e0d0 LocalAlloc
0x40e0d4 WideCharToMultiByte
0x40e0d8 TlsSetValue
0x40e0dc TlsGetValue
0x40e0e0 MultiByteToWideChar
0x40e0e4 GetModuleHandleA
0x40e0e8 GetLastError
0x40e0ec GetCommandLineA
0x40e0f0 WriteFile
0x40e0f4 SetFilePointer
0x40e0f8 SetEndOfFile
0x40e0fc RtlUnwind
0x40e100 ReadFile
0x40e104 RaiseException
0x40e108 GetStdHandle
0x40e10c GetFileSize
0x40e110 GetSystemTime
0x40e114 GetFileType
0x40e118 ExitProcess
0x40e11c CreateFileA
0x40e120 CloseHandle
user32.dll
0x40e128 MessageBoxA
oleaut32.dll
0x40e130 VariantChangeTypeEx
0x40e134 VariantCopyInd
0x40e138 VariantClear
0x40e13c SysStringLen
0x40e140 SysAllocStringLen
advapi32.dll
0x40e148 RegQueryValueExA
0x40e14c RegOpenKeyExA
0x40e150 RegCloseKey
0x40e154 OpenProcessToken
0x40e158 LookupPrivilegeValueA
kernel32.dll
0x40e160 WriteFile
0x40e164 VirtualQuery
0x40e168 VirtualProtect
0x40e16c VirtualFree
0x40e170 VirtualAlloc
0x40e174 Sleep
0x40e178 SizeofResource
0x40e17c SetLastError
0x40e180 SetFilePointer
0x40e184 SetErrorMode
0x40e188 SetEndOfFile
0x40e18c RemoveDirectoryA
0x40e190 ReadFile
0x40e194 LockResource
0x40e198 LoadResource
0x40e19c LoadLibraryA
0x40e1a0 IsDBCSLeadByte
0x40e1a4 GetWindowsDirectoryA
0x40e1a8 GetVersionExA
0x40e1ac GetVersion
0x40e1b0 GetUserDefaultLangID
0x40e1b4 GetSystemInfo
0x40e1b8 GetSystemDirectoryA
0x40e1bc GetSystemDefaultLCID
0x40e1c0 GetProcAddress
0x40e1c4 GetModuleHandleA
0x40e1c8 GetModuleFileNameA
0x40e1cc GetLocaleInfoA
0x40e1d0 GetLastError
0x40e1d4 GetFullPathNameA
0x40e1d8 GetFileSize
0x40e1dc GetFileAttributesA
0x40e1e0 GetExitCodeProcess
0x40e1e4 GetEnvironmentVariableA
0x40e1e8 GetCurrentProcess
0x40e1ec GetCommandLineA
0x40e1f0 GetACP
0x40e1f4 InterlockedExchange
0x40e1f8 FormatMessageA
0x40e1fc FindResourceA
0x40e200 DeleteFileA
0x40e204 CreateProcessA
0x40e208 CreateFileA
0x40e20c CreateDirectoryA
0x40e210 CloseHandle
user32.dll
0x40e218 TranslateMessage
0x40e21c SetWindowLongA
0x40e220 PeekMessageA
0x40e224 MsgWaitForMultipleObjects
0x40e228 MessageBoxA
0x40e22c LoadStringA
0x40e230 ExitWindowsEx
0x40e234 DispatchMessageA
0x40e238 DestroyWindow
0x40e23c CreateWindowExA
0x40e240 CallWindowProcA
0x40e244 CharPrevA
comctl32.dll
0x40e24c InitCommonControls
advapi32.dll
0x40e254 AdjustTokenPrivileges
EAT(Export Address Table) is none
kernel32.dll
0x40e0b4 DeleteCriticalSection
0x40e0b8 LeaveCriticalSection
0x40e0bc EnterCriticalSection
0x40e0c0 InitializeCriticalSection
0x40e0c4 VirtualFree
0x40e0c8 VirtualAlloc
0x40e0cc LocalFree
0x40e0d0 LocalAlloc
0x40e0d4 WideCharToMultiByte
0x40e0d8 TlsSetValue
0x40e0dc TlsGetValue
0x40e0e0 MultiByteToWideChar
0x40e0e4 GetModuleHandleA
0x40e0e8 GetLastError
0x40e0ec GetCommandLineA
0x40e0f0 WriteFile
0x40e0f4 SetFilePointer
0x40e0f8 SetEndOfFile
0x40e0fc RtlUnwind
0x40e100 ReadFile
0x40e104 RaiseException
0x40e108 GetStdHandle
0x40e10c GetFileSize
0x40e110 GetSystemTime
0x40e114 GetFileType
0x40e118 ExitProcess
0x40e11c CreateFileA
0x40e120 CloseHandle
user32.dll
0x40e128 MessageBoxA
oleaut32.dll
0x40e130 VariantChangeTypeEx
0x40e134 VariantCopyInd
0x40e138 VariantClear
0x40e13c SysStringLen
0x40e140 SysAllocStringLen
advapi32.dll
0x40e148 RegQueryValueExA
0x40e14c RegOpenKeyExA
0x40e150 RegCloseKey
0x40e154 OpenProcessToken
0x40e158 LookupPrivilegeValueA
kernel32.dll
0x40e160 WriteFile
0x40e164 VirtualQuery
0x40e168 VirtualProtect
0x40e16c VirtualFree
0x40e170 VirtualAlloc
0x40e174 Sleep
0x40e178 SizeofResource
0x40e17c SetLastError
0x40e180 SetFilePointer
0x40e184 SetErrorMode
0x40e188 SetEndOfFile
0x40e18c RemoveDirectoryA
0x40e190 ReadFile
0x40e194 LockResource
0x40e198 LoadResource
0x40e19c LoadLibraryA
0x40e1a0 IsDBCSLeadByte
0x40e1a4 GetWindowsDirectoryA
0x40e1a8 GetVersionExA
0x40e1ac GetVersion
0x40e1b0 GetUserDefaultLangID
0x40e1b4 GetSystemInfo
0x40e1b8 GetSystemDirectoryA
0x40e1bc GetSystemDefaultLCID
0x40e1c0 GetProcAddress
0x40e1c4 GetModuleHandleA
0x40e1c8 GetModuleFileNameA
0x40e1cc GetLocaleInfoA
0x40e1d0 GetLastError
0x40e1d4 GetFullPathNameA
0x40e1d8 GetFileSize
0x40e1dc GetFileAttributesA
0x40e1e0 GetExitCodeProcess
0x40e1e4 GetEnvironmentVariableA
0x40e1e8 GetCurrentProcess
0x40e1ec GetCommandLineA
0x40e1f0 GetACP
0x40e1f4 InterlockedExchange
0x40e1f8 FormatMessageA
0x40e1fc FindResourceA
0x40e200 DeleteFileA
0x40e204 CreateProcessA
0x40e208 CreateFileA
0x40e20c CreateDirectoryA
0x40e210 CloseHandle
user32.dll
0x40e218 TranslateMessage
0x40e21c SetWindowLongA
0x40e220 PeekMessageA
0x40e224 MsgWaitForMultipleObjects
0x40e228 MessageBoxA
0x40e22c LoadStringA
0x40e230 ExitWindowsEx
0x40e234 DispatchMessageA
0x40e238 DestroyWindow
0x40e23c CreateWindowExA
0x40e240 CallWindowProcA
0x40e244 CharPrevA
comctl32.dll
0x40e24c InitCommonControls
advapi32.dll
0x40e254 AdjustTokenPrivileges
EAT(Export Address Table) is none