Field | Value |
---|---|
Created | 2021.09.03 09:26 |
Machine | s1_win7_x6402 |
Filename | sefile.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 23 detected (AIDetect, malware2, malicious, high confidence, Unsafe, Save, Kryptik, Eldorado, Attribute, HighConfidence, Convagent, Static AI, Malicious PE, Sabsik, score, BScope, Mokes, CLASSIC, ZexaF, rq0@aqw1qsjG, confidence, 100%, susgen) |
md5 | 83e6e738876fde792abae146193d4963 |
sha256 | f150c064aa08e8d327c99a2edf0811a9bb6e06398d0d846b69a0c321ff6ab259 |
ssdeep | 6144:UI7zL718A97H9E5SGCeGDJkaPtVvMG+8K:UI7zHSo7ds1Cv9tm |
imphash | b7ebe503aba8ff6fce4b2b89581116dd |
impfuzzy | 24:seOu9E0Z9aTcru8w5Dal/0bG242DiOStslDJ3NryvDrHlRT4CplCqbjMU/8:9ZRrpZO1Sts7NYDbc2MqLE |
Signatures (29)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (11)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x42d008 SetLocalTime
0x42d00c InterlockedIncrement
0x42d010 ReadConsoleA
0x42d014 InterlockedDecrement
0x42d018 GetCurrentProcess
0x42d01c GetSystemWindowsDirectoryW
0x42d020 SetEnvironmentVariableW
0x42d024 GetEnvironmentStringsW
0x42d028 GetUserDefaultLCID
0x42d02c AddConsoleAliasW
0x42d030 SetVolumeMountPointW
0x42d034 EnumCalendarInfoExW
0x42d038 WriteFile
0x42d03c GetUserDefaultLangID
0x42d040 GetEnvironmentStrings
0x42d044 WriteConsoleOutputA
0x42d048 LeaveCriticalSection
0x42d04c lstrcpynW
0x42d050 FindNextVolumeW
0x42d054 VerifyVersionInfoA
0x42d058 HeapQueryInformation
0x42d05c GetModuleFileNameW
0x42d060 GetACP
0x42d064 GetConsoleOutputCP
0x42d068 GetProcAddress
0x42d06c GetComputerNameExW
0x42d070 VerLanguageNameA
0x42d074 CreateTimerQueueTimer
0x42d078 HeapUnlock
0x42d07c LocalAlloc
0x42d080 GetDefaultCommConfigA
0x42d084 GetModuleHandleA
0x42d088 QueueUserWorkItem
0x42d08c GetConsoleTitleW
0x42d090 PeekConsoleInputA
0x42d094 GetCPInfoExA
0x42d098 ReadConsoleInputW
0x42d09c GlobalReAlloc
0x42d0a0 LCMapStringW
0x42d0a4 PulseEvent
0x42d0a8 GetCommandLineW
0x42d0ac UnhandledExceptionFilter
0x42d0b0 SetUnhandledExceptionFilter
0x42d0b4 GetStartupInfoW
0x42d0b8 GetModuleHandleW
0x42d0bc Sleep
0x42d0c0 ExitProcess
0x42d0c4 GetLastError
0x42d0c8 GetStdHandle
0x42d0cc GetModuleFileNameA
0x42d0d0 TlsGetValue
0x42d0d4 TlsAlloc
0x42d0d8 TlsSetValue
0x42d0dc TlsFree
0x42d0e0 SetLastError
0x42d0e4 GetCurrentThreadId
0x42d0e8 EnterCriticalSection
0x42d0ec TerminateProcess
0x42d0f0 IsDebuggerPresent
0x42d0f4 HeapSize
0x42d0f8 SetHandleCount
0x42d0fc GetFileType
0x42d100 GetStartupInfoA
0x42d104 DeleteCriticalSection
0x42d108 SetFilePointer
0x42d10c FreeEnvironmentStringsW
0x42d110 HeapCreate
0x42d114 VirtualFree
0x42d118 HeapFree
0x42d11c QueryPerformanceCounter
0x42d120 GetTickCount
0x42d124 GetCurrentProcessId
0x42d128 GetSystemTimeAsFileTime
0x42d12c LoadLibraryA
0x42d130 InitializeCriticalSectionAndSpinCount
0x42d134 GetCPInfo
0x42d138 GetOEMCP
0x42d13c IsValidCodePage
0x42d140 MultiByteToWideChar
0x42d144 RtlUnwind
0x42d148 HeapAlloc
0x42d14c HeapReAlloc
0x42d150 VirtualAlloc
0x42d154 WideCharToMultiByte
0x42d158 SetStdHandle
0x42d15c GetLocaleInfoA
0x42d160 GetStringTypeA
0x42d164 GetStringTypeW
0x42d168 LCMapStringA
0x42d16c GetConsoleCP
0x42d170 GetConsoleMode
0x42d174 FlushFileBuffers
0x42d178 CloseHandle
0x42d17c WriteConsoleA
0x42d180 WriteConsoleW
0x42d184 CreateFileA
USER32.dll
0x42d18c RealGetWindowClassW
GDI32.dll
0x42d000 GetCharWidthFloatA
EAT (Export Address Table): none