ScreenShot
| Created | 2021.09.02 09:44 | Machine | s1_win7_x6402 |
| Filename | XNO.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 36 detected (malicious, high confidence, Razy, Unsafe, GenKryptik, VBKrypt, Eldorado, Attribute, HighConfidence, FJTP, FileRepMalware, Static AI, Suspicious PE, ai score=83, kcloud, Sabsik, score, Outbreak, ZevbaF, Bm0@aqeH, GdSda, confidence, susgen) | ||
| md5 | 36909bb88f91e69d271e206ab3fa8f00 | ||
| sha256 | 75591cb23ef20e0a1bc8d01a392621d608b83ee25bcf37b330d3e966d2c8a50b | ||
| ssdeep | 6144:swnXSYbm2at3ZjyPt7Z3CZzw+38Pt7cjqJWa:bSwatJuP5N8H8P5cEWa | ||
| imphash | c4b3ef5cd2bacd05c5793b6be4b1aeae | ||
| impfuzzy | 24:nwwwzQwgOSwRVky8xR3uyB+lxr1SxgPT/ESFNg1DGemMD+ZLVTSwpwMG:nhwzQwgPwjkRxR3uC8xr1SxgPTlFNg1H | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| watch | Enumerates services |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Connects to a Dynamic DNS Domain |
| notice | Drops a binary and executes it |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
Rules (35cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vba | (no description) | memory |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Network (4cnts) ?
Suricata ids
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET MALWARE Generic .bin download from Dotted Quad
ET MALWARE Remcos RAT Checkin 23
ET MALWARE Generic .bin download from Dotted Quad
ET MALWARE Remcos RAT Checkin 23
PE API
IAT(Import Address Table) Library
MSVBVM60.DLL
0x401000 None
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaFreeVar
0x401010 __vbaStrVarMove
0x401014 __vbaFreeVarList
0x401018 _adj_fdiv_m64
0x40101c __vbaFreeObjList
0x401020 None
0x401024 _adj_fprem1
0x401028 __vbaSetSystemError
0x40102c __vbaHresultCheckObj
0x401030 _adj_fdiv_m32
0x401034 __vbaAryDestruct
0x401038 __vbaObjSet
0x40103c __vbaOnError
0x401040 _adj_fdiv_m16i
0x401044 None
0x401048 _adj_fdivr_m16i
0x40104c None
0x401050 None
0x401054 _CIsin
0x401058 __vbaChkstk
0x40105c EVENT_SINK_AddRef
0x401060 __vbaGenerateBoundsError
0x401064 __vbaStrCmp
0x401068 __vbaAryConstruct2
0x40106c __vbaR4Str
0x401070 DllFunctionCall
0x401074 _adj_fpatan
0x401078 EVENT_SINK_Release
0x40107c _CIsqrt
0x401080 EVENT_SINK_QueryInterface
0x401084 __vbaExceptHandler
0x401088 _adj_fprem
0x40108c _adj_fdivr_m64
0x401090 __vbaFPException
0x401094 None
0x401098 _CIlog
0x40109c None
0x4010a0 __vbaNew2
0x4010a4 _adj_fdiv_m32i
0x4010a8 None
0x4010ac _adj_fdivr_m32i
0x4010b0 __vbaStrCopy
0x4010b4 _adj_fdivr_m32
0x4010b8 _adj_fdiv_r
0x4010bc None
0x4010c0 __vbaLateMemCall
0x4010c4 None
0x4010c8 __vbaStrToAnsi
0x4010cc None
0x4010d0 __vbaFpI4
0x4010d4 _CIatan
0x4010d8 __vbaStrMove
0x4010dc __vbaCastObj
0x4010e0 None
0x4010e4 _allmul
0x4010e8 _CItan
0x4010ec _CIexp
0x4010f0 __vbaFreeStr
0x4010f4 __vbaFreeObj
0x4010f8 None
EAT(Export Address Table) is none
MSVBVM60.DLL
0x401000 None
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaFreeVar
0x401010 __vbaStrVarMove
0x401014 __vbaFreeVarList
0x401018 _adj_fdiv_m64
0x40101c __vbaFreeObjList
0x401020 None
0x401024 _adj_fprem1
0x401028 __vbaSetSystemError
0x40102c __vbaHresultCheckObj
0x401030 _adj_fdiv_m32
0x401034 __vbaAryDestruct
0x401038 __vbaObjSet
0x40103c __vbaOnError
0x401040 _adj_fdiv_m16i
0x401044 None
0x401048 _adj_fdivr_m16i
0x40104c None
0x401050 None
0x401054 _CIsin
0x401058 __vbaChkstk
0x40105c EVENT_SINK_AddRef
0x401060 __vbaGenerateBoundsError
0x401064 __vbaStrCmp
0x401068 __vbaAryConstruct2
0x40106c __vbaR4Str
0x401070 DllFunctionCall
0x401074 _adj_fpatan
0x401078 EVENT_SINK_Release
0x40107c _CIsqrt
0x401080 EVENT_SINK_QueryInterface
0x401084 __vbaExceptHandler
0x401088 _adj_fprem
0x40108c _adj_fdivr_m64
0x401090 __vbaFPException
0x401094 None
0x401098 _CIlog
0x40109c None
0x4010a0 __vbaNew2
0x4010a4 _adj_fdiv_m32i
0x4010a8 None
0x4010ac _adj_fdivr_m32i
0x4010b0 __vbaStrCopy
0x4010b4 _adj_fdivr_m32
0x4010b8 _adj_fdiv_r
0x4010bc None
0x4010c0 __vbaLateMemCall
0x4010c4 None
0x4010c8 __vbaStrToAnsi
0x4010cc None
0x4010d0 __vbaFpI4
0x4010d4 _CIatan
0x4010d8 __vbaStrMove
0x4010dc __vbaCastObj
0x4010e0 None
0x4010e4 _allmul
0x4010e8 _CItan
0x4010ec _CIexp
0x4010f0 __vbaFreeStr
0x4010f4 __vbaFreeObj
0x4010f8 None
EAT(Export Address Table) is none