Field | Value |
---|---|
Created | 2021.08.29 12:43 |
Machine | s1_win7_x6402 |
Filename | vpn_client.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
ZERO API | file : malware |
VT API (file) | 38 detected (malicious, high confidence, GenericKD, Unsafe, jzbs, XPACK, Attribute, HighConfidence, Pcsh, TrojanVeil, aeuo, ai score=85, kcloud, Wacatac, score, GenericRXAA, Generic@ML, RDMK, bonnXIpeH4ftqcE9yEwxYw, susgen) |
md5 | b42b568e5b6056dc84df89494d7b68c7 |
sha256 | 59d926026fc65ebc3b130a9f65c65676e75eb523482ca81d9a4379eecad68685 |
ssdeep | 49152:wfGHhtTcVMgg7WK8eHUsCOTpHYuxaHD3363spPYgfEXcKiWaUN4tEmoawrh6Gjgk:weXc4Tp4uQDH63spPYgfswrfJAiV |
imphash | 93a138801d9601e4c36e6274c8b9d111 |
impfuzzy | 24:UbVjhNwO+VuTnvYzoLtXOr6kwmDruMztir6UP:KwO+VIc+XOmG8nP |
Network IP location
Signature (19 counts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | Collects information on the system (ipconfig |
watch | Communicates with host for which no DNS query was performed |
watch | Detects the presence of Wine emulator |
watch | Expresses interest in specific running processes |
watch | Looks for the Windows Idle Time to determine the uptime |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (8 counts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
Suricata IDS
ET USER_AGENTS Go HTTP Client User-Agent
ET MALWARE Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND
ET MALWARE Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND
PE API
IAT (Import Address Table) Library
kernel32.dll
0x846020 WriteFile
0x846024 WriteConsoleW
0x846028 WaitForMultipleObjects
0x84602c WaitForSingleObject
0x846030 VirtualQuery
0x846034 VirtualFree
0x846038 VirtualAlloc
0x84603c SwitchToThread
0x846040 SuspendThread
0x846044 SetWaitableTimer
0x846048 SetUnhandledExceptionFilter
0x84604c SetProcessPriorityBoost
0x846050 SetEvent
0x846054 SetErrorMode
0x846058 SetConsoleCtrlHandler
0x84605c ResumeThread
0x846060 QueryFullProcessImageNameA
0x846064 ProcessIdToSessionId
0x846068 PostQueuedCompletionStatus
0x84606c OpenProcess
0x846070 LoadLibraryA
0x846074 LoadLibraryW
0x846078 SetThreadContext
0x84607c GetThreadContext
0x846080 GetSystemInfo
0x846084 GetSystemDirectoryA
0x846088 GetStdHandle
0x84608c GetQueuedCompletionStatusEx
0x846090 GetProcessAffinityMask
0x846094 GetProcAddress
0x846098 GetEnvironmentStringsW
0x84609c GetConsoleMode
0x8460a0 FreeEnvironmentStringsW
0x8460a4 ExitProcess
0x8460a8 DuplicateHandle
0x8460ac CreateThread
0x8460b0 CreateIoCompletionPort
0x8460b4 CreateEventA
0x8460b8 CloseHandle
0x8460bc AddVectoredExceptionHandler
EAT (Export Address Table): none