ScreenShot
| Created | 2021.08.28 17:53 | Machine | s1_win7_x6401 |
| Filename | good.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 30 detected (Racealer, Razy, Unsafe, Kryptik, Eldorado, Attribute, HighConfidence, HMFJ, DropperX, Falsesign, IMT@5j9hh2, Artemis, ai score=82, kcloud, Sabsik, Malicious, score, PasswordStealer, ZexaF, jy2@aS7Ct1ji, GdSda, confidence) | ||
| md5 | 072769a3e8b70e0f24b31278c5f4c897 | ||
| sha256 | 120a50bdd5effe67ea0270aa7f938039e7a5e6a589a13e9371e381f4d1518dcd | ||
| ssdeep | 3072:rL4wuR3N7eK96CPeaxIPYla4K0np7lxxLh1OxZ73aTj/sJEFOTlZ:H8R9sba2YFxLqxZzgj/WE4TlZ | ||
| imphash | 7e4a49baed74fc5fdf2cc2a93738ac6b | ||
| impfuzzy | 48:l8bLLItLNSeZ4Wvwt8tGAtjZDzuLoECACAQvkt7ZWXbi8RMEr6Fp6tKEIyDvrQU4:l8HLItrdSnE/qx79EOFctOmafjTn9Ke7 | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process good.exe |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (3cnts) ?
Suricata ids
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40a18c DeleteAtom
0x40a190 GetModuleHandleA
0x40a194 CreateTimerQueue
0x40a198 GetVersion
0x40a19c GetSystemInfo
0x40a1a0 GetCurrentThreadId
0x40a1a4 GetCurrentProcessId
0x40a1a8 GetCurrentProcess
0x40a1ac CreateEventW
0x40a1b0 CreateMutexW
0x40a1b4 GetCommandLineW
0x40a1b8 WaitForSingleObject
0x40a1bc AddAtomW
0x40a1c0 GetProcessHeap
0x40a1c4 HeapCreate
0x40a1c8 QueryPerformanceFrequency
0x40a1cc QueryPerformanceCounter
0x40a1d0 UnlockFileEx
0x40a1d4 SetFilePointerEx
0x40a1d8 SetFilePointer
0x40a1dc LockFileEx
0x40a1e0 LockFile
0x40a1e4 GetLogicalDrives
0x40a1e8 GetFileSizeEx
0x40a1ec GetFileInformationByHandle
0x40a1f0 CreateFileW
0x40a1f4 InitializeCriticalSection
USER32.dll
0x40a1fc IsDialogMessageA
0x40a200 LoadIconA
0x40a204 DestroyCursor
0x40a208 LoadCursorA
0x40a20c CheckMenuRadioItem
0x40a210 FindWindowA
0x40a214 SetWindowLongA
0x40a218 GetWindowLongA
0x40a21c GetSysColorBrush
0x40a220 GetSysColor
0x40a224 ChildWindowFromPoint
0x40a228 ClientToScreen
0x40a22c GetCursorPos
0x40a230 SetCursor
0x40a234 MessageBoxA
0x40a238 GetWindowRect
0x40a23c GetClientRect
0x40a240 GetWindowTextA
0x40a244 SetWindowTextA
0x40a248 RedrawWindow
0x40a24c InvalidateRect
0x40a250 SetActiveWindow
0x40a254 SetMenuItemInfoA
0x40a258 InsertMenuItemA
0x40a25c TrackPopupMenu
0x40a260 RemoveMenu
0x40a264 AppendMenuA
0x40a268 GetSubMenu
0x40a26c EnableMenuItem
0x40a270 CheckMenuItem
0x40a274 DestroyMenu
0x40a278 CreatePopupMenu
0x40a27c GetSystemMenu
0x40a280 GetMenu
0x40a284 GetSystemMetrics
0x40a288 TranslateAcceleratorA
0x40a28c DestroyAcceleratorTable
0x40a290 LoadAcceleratorsA
0x40a294 EnableWindow
0x40a298 KillTimer
0x40a29c SetTimer
0x40a2a0 GetActiveWindow
0x40a2a4 SetFocus
0x40a2a8 CharLowerBuffA
0x40a2ac CharUpperA
0x40a2b0 DestroyIcon
0x40a2b4 EnumClipboardFormats
0x40a2b8 GetClipboardData
0x40a2bc SetClipboardData
0x40a2c0 CloseClipboard
0x40a2c4 OpenClipboard
0x40a2c8 DefDlgProcA
0x40a2cc SendDlgItemMessageA
0x40a2d0 IsDlgButtonChecked
0x40a2d4 CheckRadioButton
0x40a2d8 CheckDlgButton
0x40a2dc GetDlgItemTextA
0x40a2e0 SetDlgItemTextA
0x40a2e4 SetDlgItemInt
0x40a2e8 GetDlgItem
0x40a2ec EndDialog
0x40a2f0 DialogBoxParamA
0x40a2f4 CreateDialogParamA
0x40a2f8 SetWindowPlacement
0x40a2fc GetWindowPlacement
0x40a300 SetWindowPos
0x40a304 MoveWindow
0x40a308 DestroyWindow
0x40a30c IsMenu
0x40a310 EmptyClipboard
0x40a314 wvsprintfA
0x40a318 wsprintfA
0x40a31c GetMessageA
0x40a320 TranslateMessage
0x40a324 DispatchMessageA
0x40a328 SendMessageA
0x40a32c IsWindow
0x40a330 GetClassInfoA
0x40a334 UnregisterClassA
0x40a338 RegisterClassA
0x40a33c CallWindowProcA
0x40a340 PostQuitMessage
0x40a344 PostMessageA
GDI32.dll
0x40a03c GetBrushOrgEx
0x40a040 GetCharWidthFloatW
0x40a044 GetCharABCWidthsW
0x40a048 GetCharABCWidthsFloatW
0x40a04c GetMetaRgn
0x40a050 CombineRgn
0x40a054 GetGraphicsMode
0x40a058 GetNearestPaletteIndex
0x40a05c GetObjectType
0x40a060 GetOutlineTextMetricsW
0x40a064 GetPixel
0x40a068 GetRgnBox
0x40a06c CopyMetaFileW
0x40a070 CreateFontIndirectA
0x40a074 DeleteObject
0x40a078 Ellipse
0x40a07c EnumFontFamiliesW
0x40a080 EqualRgn
0x40a084 ExtFloodFill
0x40a088 FrameRgn
0x40a08c GetROP2
0x40a090 GetDCBrushColor
0x40a094 GetDCPenColor
0x40a098 GetBoundsRect
0x40a09c GetBkMode
0x40a0a0 GetDIBits
0x40a0a4 GetStockObject
0x40a0a8 GdiFlush
0x40a0ac UnrealizeObject
0x40a0b0 SetBitmapDimensionEx
0x40a0b4 ScaleWindowExtEx
0x40a0b8 OffsetWindowOrgEx
0x40a0bc SetWindowExtEx
0x40a0c0 SetViewportExtEx
0x40a0c4 PolyBezier
0x40a0c8 Polyline
0x40a0cc LPtoDP
0x40a0d0 ExtTextOutW
0x40a0d4 GetObjectA
0x40a0d8 GetArcDirection
0x40a0dc GetMiterLimit
0x40a0e0 StrokePath
0x40a0e4 SelectClipPath
0x40a0e8 AbortPath
0x40a0ec ModifyWorldTransform
0x40a0f0 GdiComment
0x40a0f4 PlayEnhMetaFileRecord
0x40a0f8 GetWinMetaFileBits
0x40a0fc CopyEnhMetaFileW
0x40a100 EnumMetaFile
0x40a104 PlayMetaFileRecord
0x40a108 GdiTransparentBlt
0x40a10c GdiAlphaBlend
0x40a110 UpdateColors
0x40a114 SetTextColor
0x40a118 SetTextCharacterExtra
0x40a11c SetROP2
0x40a120 StretchBlt
0x40a124 SetPaletteEntries
0x40a128 SetDIBitsToDevice
0x40a12c SetBitmapBits
0x40a130 SetBkMode
0x40a134 SetDCPenColor
0x40a138 SelectObject
0x40a13c ExtSelectClipRgn
0x40a140 SelectClipRgn
0x40a144 ResizePalette
0x40a148 RoundRect
0x40a14c RealizePalette
0x40a150 RestoreDC
0x40a154 RectVisible
0x40a158 PtInRegion
0x40a15c PolyPolygon
0x40a160 PaintRgn
0x40a164 OffsetRgn
0x40a168 PlgBlt
0x40a16c MaskBlt
0x40a170 LineTo
0x40a174 InvertRgn
0x40a178 GetWindowOrgEx
0x40a17c GetCharWidthI
0x40a180 GetTextAlign
0x40a184 GetBitmapDimensionEx
WINSPOOL.DRV
0x40a34c FindNextPrinterChangeNotification
0x40a350 FindFirstPrinterChangeNotification
0x40a354 ScheduleJob
0x40a358 AbortPrinter
0x40a35c WritePrinter
0x40a360 FindClosePrinterChangeNotification
COMDLG32.dll
0x40a030 GetSaveFileNameA
0x40a034 GetOpenFileNameA
ADVAPI32.dll
0x40a000 GetUserNameA
0x40a004 RegQueryValueExA
0x40a008 OpenProcessToken
0x40a00c AdjustTokenPrivileges
0x40a010 DecryptFileW
0x40a014 LookupPrivilegeValueA
0x40a018 RegSetValueA
0x40a01c RegCloseKey
0x40a020 RegCreateKeyA
0x40a024 RegDeleteKeyA
0x40a028 RegOpenKeyExA
EAT(Export Address Table) is none
KERNEL32.dll
0x40a18c DeleteAtom
0x40a190 GetModuleHandleA
0x40a194 CreateTimerQueue
0x40a198 GetVersion
0x40a19c GetSystemInfo
0x40a1a0 GetCurrentThreadId
0x40a1a4 GetCurrentProcessId
0x40a1a8 GetCurrentProcess
0x40a1ac CreateEventW
0x40a1b0 CreateMutexW
0x40a1b4 GetCommandLineW
0x40a1b8 WaitForSingleObject
0x40a1bc AddAtomW
0x40a1c0 GetProcessHeap
0x40a1c4 HeapCreate
0x40a1c8 QueryPerformanceFrequency
0x40a1cc QueryPerformanceCounter
0x40a1d0 UnlockFileEx
0x40a1d4 SetFilePointerEx
0x40a1d8 SetFilePointer
0x40a1dc LockFileEx
0x40a1e0 LockFile
0x40a1e4 GetLogicalDrives
0x40a1e8 GetFileSizeEx
0x40a1ec GetFileInformationByHandle
0x40a1f0 CreateFileW
0x40a1f4 InitializeCriticalSection
USER32.dll
0x40a1fc IsDialogMessageA
0x40a200 LoadIconA
0x40a204 DestroyCursor
0x40a208 LoadCursorA
0x40a20c CheckMenuRadioItem
0x40a210 FindWindowA
0x40a214 SetWindowLongA
0x40a218 GetWindowLongA
0x40a21c GetSysColorBrush
0x40a220 GetSysColor
0x40a224 ChildWindowFromPoint
0x40a228 ClientToScreen
0x40a22c GetCursorPos
0x40a230 SetCursor
0x40a234 MessageBoxA
0x40a238 GetWindowRect
0x40a23c GetClientRect
0x40a240 GetWindowTextA
0x40a244 SetWindowTextA
0x40a248 RedrawWindow
0x40a24c InvalidateRect
0x40a250 SetActiveWindow
0x40a254 SetMenuItemInfoA
0x40a258 InsertMenuItemA
0x40a25c TrackPopupMenu
0x40a260 RemoveMenu
0x40a264 AppendMenuA
0x40a268 GetSubMenu
0x40a26c EnableMenuItem
0x40a270 CheckMenuItem
0x40a274 DestroyMenu
0x40a278 CreatePopupMenu
0x40a27c GetSystemMenu
0x40a280 GetMenu
0x40a284 GetSystemMetrics
0x40a288 TranslateAcceleratorA
0x40a28c DestroyAcceleratorTable
0x40a290 LoadAcceleratorsA
0x40a294 EnableWindow
0x40a298 KillTimer
0x40a29c SetTimer
0x40a2a0 GetActiveWindow
0x40a2a4 SetFocus
0x40a2a8 CharLowerBuffA
0x40a2ac CharUpperA
0x40a2b0 DestroyIcon
0x40a2b4 EnumClipboardFormats
0x40a2b8 GetClipboardData
0x40a2bc SetClipboardData
0x40a2c0 CloseClipboard
0x40a2c4 OpenClipboard
0x40a2c8 DefDlgProcA
0x40a2cc SendDlgItemMessageA
0x40a2d0 IsDlgButtonChecked
0x40a2d4 CheckRadioButton
0x40a2d8 CheckDlgButton
0x40a2dc GetDlgItemTextA
0x40a2e0 SetDlgItemTextA
0x40a2e4 SetDlgItemInt
0x40a2e8 GetDlgItem
0x40a2ec EndDialog
0x40a2f0 DialogBoxParamA
0x40a2f4 CreateDialogParamA
0x40a2f8 SetWindowPlacement
0x40a2fc GetWindowPlacement
0x40a300 SetWindowPos
0x40a304 MoveWindow
0x40a308 DestroyWindow
0x40a30c IsMenu
0x40a310 EmptyClipboard
0x40a314 wvsprintfA
0x40a318 wsprintfA
0x40a31c GetMessageA
0x40a320 TranslateMessage
0x40a324 DispatchMessageA
0x40a328 SendMessageA
0x40a32c IsWindow
0x40a330 GetClassInfoA
0x40a334 UnregisterClassA
0x40a338 RegisterClassA
0x40a33c CallWindowProcA
0x40a340 PostQuitMessage
0x40a344 PostMessageA
GDI32.dll
0x40a03c GetBrushOrgEx
0x40a040 GetCharWidthFloatW
0x40a044 GetCharABCWidthsW
0x40a048 GetCharABCWidthsFloatW
0x40a04c GetMetaRgn
0x40a050 CombineRgn
0x40a054 GetGraphicsMode
0x40a058 GetNearestPaletteIndex
0x40a05c GetObjectType
0x40a060 GetOutlineTextMetricsW
0x40a064 GetPixel
0x40a068 GetRgnBox
0x40a06c CopyMetaFileW
0x40a070 CreateFontIndirectA
0x40a074 DeleteObject
0x40a078 Ellipse
0x40a07c EnumFontFamiliesW
0x40a080 EqualRgn
0x40a084 ExtFloodFill
0x40a088 FrameRgn
0x40a08c GetROP2
0x40a090 GetDCBrushColor
0x40a094 GetDCPenColor
0x40a098 GetBoundsRect
0x40a09c GetBkMode
0x40a0a0 GetDIBits
0x40a0a4 GetStockObject
0x40a0a8 GdiFlush
0x40a0ac UnrealizeObject
0x40a0b0 SetBitmapDimensionEx
0x40a0b4 ScaleWindowExtEx
0x40a0b8 OffsetWindowOrgEx
0x40a0bc SetWindowExtEx
0x40a0c0 SetViewportExtEx
0x40a0c4 PolyBezier
0x40a0c8 Polyline
0x40a0cc LPtoDP
0x40a0d0 ExtTextOutW
0x40a0d4 GetObjectA
0x40a0d8 GetArcDirection
0x40a0dc GetMiterLimit
0x40a0e0 StrokePath
0x40a0e4 SelectClipPath
0x40a0e8 AbortPath
0x40a0ec ModifyWorldTransform
0x40a0f0 GdiComment
0x40a0f4 PlayEnhMetaFileRecord
0x40a0f8 GetWinMetaFileBits
0x40a0fc CopyEnhMetaFileW
0x40a100 EnumMetaFile
0x40a104 PlayMetaFileRecord
0x40a108 GdiTransparentBlt
0x40a10c GdiAlphaBlend
0x40a110 UpdateColors
0x40a114 SetTextColor
0x40a118 SetTextCharacterExtra
0x40a11c SetROP2
0x40a120 StretchBlt
0x40a124 SetPaletteEntries
0x40a128 SetDIBitsToDevice
0x40a12c SetBitmapBits
0x40a130 SetBkMode
0x40a134 SetDCPenColor
0x40a138 SelectObject
0x40a13c ExtSelectClipRgn
0x40a140 SelectClipRgn
0x40a144 ResizePalette
0x40a148 RoundRect
0x40a14c RealizePalette
0x40a150 RestoreDC
0x40a154 RectVisible
0x40a158 PtInRegion
0x40a15c PolyPolygon
0x40a160 PaintRgn
0x40a164 OffsetRgn
0x40a168 PlgBlt
0x40a16c MaskBlt
0x40a170 LineTo
0x40a174 InvertRgn
0x40a178 GetWindowOrgEx
0x40a17c GetCharWidthI
0x40a180 GetTextAlign
0x40a184 GetBitmapDimensionEx
WINSPOOL.DRV
0x40a34c FindNextPrinterChangeNotification
0x40a350 FindFirstPrinterChangeNotification
0x40a354 ScheduleJob
0x40a358 AbortPrinter
0x40a35c WritePrinter
0x40a360 FindClosePrinterChangeNotification
COMDLG32.dll
0x40a030 GetSaveFileNameA
0x40a034 GetOpenFileNameA
ADVAPI32.dll
0x40a000 GetUserNameA
0x40a004 RegQueryValueExA
0x40a008 OpenProcessToken
0x40a00c AdjustTokenPrivileges
0x40a010 DecryptFileW
0x40a014 LookupPrivilegeValueA
0x40a018 RegSetValueA
0x40a01c RegCloseKey
0x40a020 RegCreateKeyA
0x40a024 RegDeleteKeyA
0x40a028 RegOpenKeyExA
EAT(Export Address Table) is none