ScreenShot
| Created | 2021.08.28 17:46 | Machine | s1_win7_x6401 |
| Filename | bd.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 39 detected (malicious, high confidence, GenericKD, Unsafe, confidence, Kryptik, Eldorado, Attribute, HighConfidence, HMFJ, score, MalwareX, Artemis, ai score=81, ASMalwS, kcloud, Woreflint, BScope, Convagent, WECl2SFp+p4, Krypt, GenKryptik, FJJT, ZexaF, jy2@ayQzsSci, GdSda) | ||
| md5 | e4c49f9d53f701a8e2edecc9dd8a5057 | ||
| sha256 | 90b9d553b4883ed20e3273a86351f103d10b012dab0c82179bb6b5bfcc188b88 | ||
| ssdeep | 3072:NgS1Vn/bFL4NM9fmbv1e2s05UOsDs5rdt0EVZXtK9LYHxdj/sJEFOTlZ:pN8M9fmxHsYjtFVvK1Kdj/WE4TlZ | ||
| imphash | 340cbb019799ff7ed95694815ec3e316 | ||
| impfuzzy | 48:l8Lfp55iLSe6NZ4Wvwt8tGAtjZzuLoECACAQvkt7ZWXbi8RMEr6Fp6tKEIyDvrQ7:l8LfpHi4tSnt/ax79FSHsIxn9Ke7 | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Deletes executed files from disk |
| watch | Harvests credentials from local email clients |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process bd.exe |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (3cnts) ?
Suricata ids
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40813c DeleteAtom
0x408140 GetModuleHandleA
0x408144 CreateTimerQueue
0x408148 GetVersion
0x40814c GetSystemInfo
0x408150 GetCurrentThreadId
0x408154 GetCurrentProcessId
0x408158 GetCurrentProcess
0x40815c WaitForMultipleObjects
0x408160 CreateEventW
0x408164 CreateMutexW
0x408168 LeaveCriticalSection
0x40816c EnterCriticalSection
0x408170 AddAtomW
0x408174 GetProcessHeap
0x408178 HeapCreate
0x40817c QueryPerformanceFrequency
0x408180 UnlockFileEx
0x408184 SetFilePointerEx
0x408188 GetCommandLineW
0x40818c SetFilePointer
0x408190 LockFileEx
0x408194 GetLogicalDrives
0x408198 GetFileSizeEx
0x40819c GetFileSize
0x4081a0 GetFileInformationByHandle
0x4081a4 CreateFileW
0x4081a8 InitializeCriticalSection
USER32.dll
0x4081b0 LoadIconA
0x4081b4 DestroyIcon
0x4081b8 IsDialogMessageA
0x4081bc DestroyCursor
0x4081c0 LoadCursorA
0x4081c4 CheckMenuRadioItem
0x4081c8 FindWindowA
0x4081cc SetWindowLongA
0x4081d0 GetWindowLongA
0x4081d4 GetSysColorBrush
0x4081d8 GetSysColor
0x4081dc ChildWindowFromPoint
0x4081e0 ClientToScreen
0x4081e4 SetCursor
0x4081e8 MessageBoxA
0x4081ec GetWindowRect
0x4081f0 GetClientRect
0x4081f4 GetWindowTextA
0x4081f8 SetWindowTextA
0x4081fc RedrawWindow
0x408200 InvalidateRect
0x408204 SetActiveWindow
0x408208 SetMenuItemInfoA
0x40820c InsertMenuItemA
0x408210 TrackPopupMenu
0x408214 RemoveMenu
0x408218 AppendMenuA
0x40821c GetSubMenu
0x408220 EnableMenuItem
0x408224 CheckMenuItem
0x408228 DestroyMenu
0x40822c CreatePopupMenu
0x408230 GetSystemMenu
0x408234 GetMenu
0x408238 GetSystemMetrics
0x40823c TranslateAcceleratorA
0x408240 DestroyAcceleratorTable
0x408244 LoadAcceleratorsA
0x408248 EnableWindow
0x40824c KillTimer
0x408250 SetTimer
0x408254 GetActiveWindow
0x408258 SetFocus
0x40825c CharLowerBuffA
0x408260 CharUpperA
0x408264 EmptyClipboard
0x408268 EnumClipboardFormats
0x40826c GetClipboardData
0x408270 SetClipboardData
0x408274 CloseClipboard
0x408278 OpenClipboard
0x40827c DefDlgProcA
0x408280 SendDlgItemMessageA
0x408284 IsDlgButtonChecked
0x408288 CheckRadioButton
0x40828c CheckDlgButton
0x408290 GetDlgItemTextA
0x408294 SetDlgItemTextA
0x408298 SetDlgItemInt
0x40829c GetDlgItem
0x4082a0 EndDialog
0x4082a4 DialogBoxParamA
0x4082a8 CreateDialogParamA
0x4082ac SetWindowPlacement
0x4082b0 GetWindowPlacement
0x4082b4 SetWindowPos
0x4082b8 MoveWindow
0x4082bc DestroyWindow
0x4082c0 IsMenu
0x4082c4 wvsprintfA
0x4082c8 wsprintfA
0x4082cc GetMessageA
0x4082d0 TranslateMessage
0x4082d4 DispatchMessageA
0x4082d8 IsWindow
0x4082dc GetClassInfoA
0x4082e0 UnregisterClassA
0x4082e4 RegisterClassA
0x4082e8 CallWindowProcA
0x4082ec PostQuitMessage
0x4082f0 PostMessageA
0x4082f4 SendMessageA
0x4082f8 GetCursorPos
GDI32.dll
0x40803c GetTextCharacterExtra
0x408040 GetTextExtentPoint32W
0x408044 GetFontUnicodeRanges
0x408048 GetCharWidthI
0x40804c RemoveFontResourceExW
0x408050 RemoveFontMemResourceEx
0x408054 GetRandomRgn
0x408058 PatBlt
0x40805c RestoreDC
0x408060 ResetDCW
0x408064 RemoveFontResourceW
0x408068 RoundRect
0x40806c SelectClipRgn
0x408070 GetObjectType
0x408074 GetDIBits
0x408078 GetCurrentObject
0x40807c GetCharABCWidthsW
0x408080 GetCharWidthFloatW
0x408084 GetCharWidth32W
0x408088 GetROP2
0x40808c ExtFloodFill
0x408090 EqualRgn
0x408094 EnumFontFamiliesW
0x408098 DeleteObject
0x40809c GetStockObject
0x4080a0 CreateFontIndirectA
0x4080a4 OffsetRgn
0x4080a8 SelectObject
0x4080ac GdiSetBatchLimit
0x4080b0 UnrealizeObject
0x4080b4 SetViewportOrgEx
0x4080b8 PolylineTo
0x4080bc PolyBezierTo
0x4080c0 LPtoDP
0x4080c4 GetObjectW
0x4080c8 GetObjectA
0x4080cc GetArcDirection
0x4080d0 StrokePath
0x4080d4 GetPath
0x4080d8 FillPath
0x4080dc AbortPath
0x4080e0 SetDIBColorTable
0x4080e4 ModifyWorldTransform
0x4080e8 SetWinMetaFileBits
0x4080ec GetEnhMetaFilePaletteEntries
0x4080f0 GetEnhMetaFileHeader
0x4080f4 EnumEnhMetaFile
0x4080f8 GdiTransparentBlt
0x4080fc GdiAlphaBlend
0x408100 SetTextJustification
0x408104 SetTextAlign
0x408108 SetTextColor
0x40810c SetSystemPaletteUse
0x408110 SetRectRgn
0x408114 StretchBlt
0x408118 SetLayout
0x40811c SetGraphicsMode
0x408120 SetDIBitsToDevice
0x408124 SetBitmapBits
0x408128 SetBkMode
0x40812c SetDCPenColor
0x408130 SetDCBrushColor
0x408134 Chord
WINSPOOL.DRV
0x408300 ScheduleJob
0x408304 ReadPrinter
0x408308 FindFirstPrinterChangeNotification
0x40830c FindClosePrinterChangeNotification
COMDLG32.dll
0x408030 GetSaveFileNameA
0x408034 GetOpenFileNameA
ADVAPI32.dll
0x408000 GetUserNameA
0x408004 RegQueryValueExA
0x408008 OpenProcessToken
0x40800c AdjustTokenPrivileges
0x408010 DecryptFileW
0x408014 LookupPrivilegeValueA
0x408018 RegSetValueA
0x40801c RegCloseKey
0x408020 RegCreateKeyA
0x408024 RegDeleteKeyA
0x408028 RegOpenKeyExA
EAT(Export Address Table) is none
KERNEL32.dll
0x40813c DeleteAtom
0x408140 GetModuleHandleA
0x408144 CreateTimerQueue
0x408148 GetVersion
0x40814c GetSystemInfo
0x408150 GetCurrentThreadId
0x408154 GetCurrentProcessId
0x408158 GetCurrentProcess
0x40815c WaitForMultipleObjects
0x408160 CreateEventW
0x408164 CreateMutexW
0x408168 LeaveCriticalSection
0x40816c EnterCriticalSection
0x408170 AddAtomW
0x408174 GetProcessHeap
0x408178 HeapCreate
0x40817c QueryPerformanceFrequency
0x408180 UnlockFileEx
0x408184 SetFilePointerEx
0x408188 GetCommandLineW
0x40818c SetFilePointer
0x408190 LockFileEx
0x408194 GetLogicalDrives
0x408198 GetFileSizeEx
0x40819c GetFileSize
0x4081a0 GetFileInformationByHandle
0x4081a4 CreateFileW
0x4081a8 InitializeCriticalSection
USER32.dll
0x4081b0 LoadIconA
0x4081b4 DestroyIcon
0x4081b8 IsDialogMessageA
0x4081bc DestroyCursor
0x4081c0 LoadCursorA
0x4081c4 CheckMenuRadioItem
0x4081c8 FindWindowA
0x4081cc SetWindowLongA
0x4081d0 GetWindowLongA
0x4081d4 GetSysColorBrush
0x4081d8 GetSysColor
0x4081dc ChildWindowFromPoint
0x4081e0 ClientToScreen
0x4081e4 SetCursor
0x4081e8 MessageBoxA
0x4081ec GetWindowRect
0x4081f0 GetClientRect
0x4081f4 GetWindowTextA
0x4081f8 SetWindowTextA
0x4081fc RedrawWindow
0x408200 InvalidateRect
0x408204 SetActiveWindow
0x408208 SetMenuItemInfoA
0x40820c InsertMenuItemA
0x408210 TrackPopupMenu
0x408214 RemoveMenu
0x408218 AppendMenuA
0x40821c GetSubMenu
0x408220 EnableMenuItem
0x408224 CheckMenuItem
0x408228 DestroyMenu
0x40822c CreatePopupMenu
0x408230 GetSystemMenu
0x408234 GetMenu
0x408238 GetSystemMetrics
0x40823c TranslateAcceleratorA
0x408240 DestroyAcceleratorTable
0x408244 LoadAcceleratorsA
0x408248 EnableWindow
0x40824c KillTimer
0x408250 SetTimer
0x408254 GetActiveWindow
0x408258 SetFocus
0x40825c CharLowerBuffA
0x408260 CharUpperA
0x408264 EmptyClipboard
0x408268 EnumClipboardFormats
0x40826c GetClipboardData
0x408270 SetClipboardData
0x408274 CloseClipboard
0x408278 OpenClipboard
0x40827c DefDlgProcA
0x408280 SendDlgItemMessageA
0x408284 IsDlgButtonChecked
0x408288 CheckRadioButton
0x40828c CheckDlgButton
0x408290 GetDlgItemTextA
0x408294 SetDlgItemTextA
0x408298 SetDlgItemInt
0x40829c GetDlgItem
0x4082a0 EndDialog
0x4082a4 DialogBoxParamA
0x4082a8 CreateDialogParamA
0x4082ac SetWindowPlacement
0x4082b0 GetWindowPlacement
0x4082b4 SetWindowPos
0x4082b8 MoveWindow
0x4082bc DestroyWindow
0x4082c0 IsMenu
0x4082c4 wvsprintfA
0x4082c8 wsprintfA
0x4082cc GetMessageA
0x4082d0 TranslateMessage
0x4082d4 DispatchMessageA
0x4082d8 IsWindow
0x4082dc GetClassInfoA
0x4082e0 UnregisterClassA
0x4082e4 RegisterClassA
0x4082e8 CallWindowProcA
0x4082ec PostQuitMessage
0x4082f0 PostMessageA
0x4082f4 SendMessageA
0x4082f8 GetCursorPos
GDI32.dll
0x40803c GetTextCharacterExtra
0x408040 GetTextExtentPoint32W
0x408044 GetFontUnicodeRanges
0x408048 GetCharWidthI
0x40804c RemoveFontResourceExW
0x408050 RemoveFontMemResourceEx
0x408054 GetRandomRgn
0x408058 PatBlt
0x40805c RestoreDC
0x408060 ResetDCW
0x408064 RemoveFontResourceW
0x408068 RoundRect
0x40806c SelectClipRgn
0x408070 GetObjectType
0x408074 GetDIBits
0x408078 GetCurrentObject
0x40807c GetCharABCWidthsW
0x408080 GetCharWidthFloatW
0x408084 GetCharWidth32W
0x408088 GetROP2
0x40808c ExtFloodFill
0x408090 EqualRgn
0x408094 EnumFontFamiliesW
0x408098 DeleteObject
0x40809c GetStockObject
0x4080a0 CreateFontIndirectA
0x4080a4 OffsetRgn
0x4080a8 SelectObject
0x4080ac GdiSetBatchLimit
0x4080b0 UnrealizeObject
0x4080b4 SetViewportOrgEx
0x4080b8 PolylineTo
0x4080bc PolyBezierTo
0x4080c0 LPtoDP
0x4080c4 GetObjectW
0x4080c8 GetObjectA
0x4080cc GetArcDirection
0x4080d0 StrokePath
0x4080d4 GetPath
0x4080d8 FillPath
0x4080dc AbortPath
0x4080e0 SetDIBColorTable
0x4080e4 ModifyWorldTransform
0x4080e8 SetWinMetaFileBits
0x4080ec GetEnhMetaFilePaletteEntries
0x4080f0 GetEnhMetaFileHeader
0x4080f4 EnumEnhMetaFile
0x4080f8 GdiTransparentBlt
0x4080fc GdiAlphaBlend
0x408100 SetTextJustification
0x408104 SetTextAlign
0x408108 SetTextColor
0x40810c SetSystemPaletteUse
0x408110 SetRectRgn
0x408114 StretchBlt
0x408118 SetLayout
0x40811c SetGraphicsMode
0x408120 SetDIBitsToDevice
0x408124 SetBitmapBits
0x408128 SetBkMode
0x40812c SetDCPenColor
0x408130 SetDCBrushColor
0x408134 Chord
WINSPOOL.DRV
0x408300 ScheduleJob
0x408304 ReadPrinter
0x408308 FindFirstPrinterChangeNotification
0x40830c FindClosePrinterChangeNotification
COMDLG32.dll
0x408030 GetSaveFileNameA
0x408034 GetOpenFileNameA
ADVAPI32.dll
0x408000 GetUserNameA
0x408004 RegQueryValueExA
0x408008 OpenProcessToken
0x40800c AdjustTokenPrivileges
0x408010 DecryptFileW
0x408014 LookupPrivilegeValueA
0x408018 RegSetValueA
0x40801c RegCloseKey
0x408020 RegCreateKeyA
0x408024 RegDeleteKeyA
0x408028 RegOpenKeyExA
EAT(Export Address Table) is none