Field | Value |
---|---|
Created | 2021.09.05 16:47 |
Machine | s1_win7_x6401 |
Filename | httpd.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 33 detected (Mint, Zard, Unsafe, malicious, ZexaF, JuW@aKdFqNci, Static AI, Suspicious PE, gfejo, Tnega, score, BScope, Glupteba, ai score=86, Behavior, susgen) |
VT API (url) | |
md5 | 0fa802e8a7eafd690f71460f97be0140 |
sha256 | df787884cb15802a125a3aab9b0e15c55952db0b8825814cc8e7ddde24249ad1 |
ssdeep | 12288:wAc9dbM4F1Gtsra204wDOs8t1VMa7V8ceU6/IEzkNwRyZ8FuTyCtN8wtIy:BKdbM4F1GtseJTKGceU6/I/wRj9gL |
imphash | bafb5d14bcfe53a31e955e0f42b2f373 |
impfuzzy | 24:V0DgNjeOxTT9tMS1O9Gc+XOJBliPyNGzpa9ro0OovbOgOPZMv5jMAnlEZHu9oBDB:SOxNtMS1O9Gc+qtNGzUZ+3TPZG6oE |
Network IP location
Signatures (25)
Level | Description |
---|---|
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Created a Windows service that was not subsequently started |
watch | Detects Virtual Machines through their custom firmware |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process httpd.exe |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (32)

The Collection column records which artifact a rule matched: the uploaded sample (binaries (upload)), a binary the sample downloaded during the run (binaries (download)), or a process memory dump (memory). Read the rows with that in mind: IsPE64, IsDLL and UPX_Zero matched only downloaded binaries, while the uploaded httpd.exe itself is a PE32 executable (see Type above).
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
notice | BitCoin | Perform crypto currency mining | memory |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (9)
Suricata IDS alerts
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY Cryptocurrency Miner Checkin
ET POLICY Cryptocurrency Miner Checkin
PE API
IAT (Import Address Table)
KERNEL32.dll
0x47301c LoadLibraryA
0x473020 GetProcAddress
0x473024 GetModuleFileNameA
0x473028 GetWindowsDirectoryA
0x47302c WaitForSingleObject
0x473030 WriteConsoleW
0x473034 CopyFileA
0x473038 DeleteFileA
0x47303c CreateFileW
0x473040 HeapSize
0x473044 GetTimeZoneInformation
0x473048 HeapReAlloc
0x47304c SetConsoleCtrlHandler
0x473050 UnhandledExceptionFilter
0x473054 SetUnhandledExceptionFilter
0x473058 GetCurrentProcess
0x47305c TerminateProcess
0x473060 IsProcessorFeaturePresent
0x473064 QueryPerformanceCounter
0x473068 GetCurrentProcessId
0x47306c GetCurrentThreadId
0x473070 GetSystemTimeAsFileTime
0x473074 InitializeSListHead
0x473078 IsDebuggerPresent
0x47307c GetStartupInfoW
0x473080 GetModuleHandleW
0x473084 FormatMessageA
0x473088 EnterCriticalSection
0x47308c LeaveCriticalSection
0x473090 DeleteCriticalSection
0x473094 LocalFree
0x473098 EncodePointer
0x47309c DecodePointer
0x4730a0 MultiByteToWideChar
0x4730a4 WideCharToMultiByte
0x4730a8 SetLastError
0x4730ac InitializeCriticalSectionAndSpinCount
0x4730b0 CreateEventW
0x4730b4 SwitchToThread
0x4730b8 TlsAlloc
0x4730bc TlsGetValue
0x4730c0 TlsSetValue
0x4730c4 TlsFree
0x4730c8 GetTickCount
0x4730cc CompareStringW
0x4730d0 LCMapStringW
0x4730d4 GetLocaleInfoW
0x4730d8 GetStringTypeW
0x4730dc GetCPInfo
0x4730e0 RaiseException
0x4730e4 RtlUnwind
0x4730e8 InterlockedPushEntrySList
0x4730ec InterlockedFlushSList
0x4730f0 GetLastError
0x4730f4 FreeLibrary
0x4730f8 LoadLibraryExW
0x4730fc ExitProcess
0x473100 GetModuleHandleExW
0x473104 GetStdHandle
0x473108 WriteFile
0x47310c GetModuleFileNameW
0x473110 GetCommandLineA
0x473114 GetCommandLineW
0x473118 GetCurrentThread
0x47311c HeapAlloc
0x473120 HeapFree
0x473124 GetDateFormatW
0x473128 GetTimeFormatW
0x47312c IsValidLocale
0x473130 GetUserDefaultLCID
0x473134 EnumSystemLocalesW
0x473138 GetFileType
0x47313c CloseHandle
0x473140 FlushFileBuffers
0x473144 GetConsoleCP
0x473148 GetConsoleMode
0x47314c ReadFile
0x473150 GetFileSizeEx
0x473154 SetFilePointerEx
0x473158 ReadConsoleW
0x47315c GetFileAttributesExW
0x473160 OutputDebugStringW
0x473164 FindClose
0x473168 FindFirstFileExW
0x47316c FindNextFileW
0x473170 IsValidCodePage
0x473174 GetACP
0x473178 GetOEMCP
0x47317c GetEnvironmentStringsW
0x473180 FreeEnvironmentStringsW
0x473184 SetEnvironmentVariableW
0x473188 SetStdHandle
0x47318c GetProcessHeap
0x473190 SetEndOfFile
ADVAPI32.dll
0x473000 CreateServiceA
0x473004 CloseServiceHandle
0x473008 RegSetValueExA
0x47300c RegOpenKeyExA
0x473010 RegCloseKey
0x473014 OpenSCManagerA
SHELL32.dll
0x473198 ShellExecuteExA
0x47319c ShellExecuteA
WININET.dll
0x4731a4 DeleteUrlCacheEntry
EAT (Export Address Table): none
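The import table above is small and, for a file calling itself httpd.exe, telling: it has service-control and registry-write APIs (OpenSCManagerA, CreateServiceA, RegSetValueExA), a self-copy/launch set (GetModuleFileNameA, CopyFileA, ShellExecuteA), IsDebuggerPresent, and LoadLibraryA/GetProcAddress, but no WS2_32, WinHTTP or WinINet download function even though the sandbox saw an executable downloaded over HTTP. The script below is an added example, not part of the sandbox report or of any tool it uses: it parses the report's textual IAT listing and tags imports with coarse capabilities so the static side can be lined up against the behavioral signatures (autorun, service creation, dropped-and-executed binary). The capability map and the network-API list are hand-made assumptions, and the sample input is a constructed excerpt of the listing printed above.

```python
"""Capability triage of a PE import table copied from a sandbox report.

Added example (not the report's or any project's code). Parses the
report's IAT text ("<dll>" lines followed by "<addr> <api>" lines) and
maps imports to capability tags. The tag map is an analyst assumption.
"""
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the report's IAT listing.
SAMPLE_IAT = """\
KERNEL32.dll
0x47301c LoadLibraryA
0x473020 GetProcAddress
0x473024 GetModuleFileNameA
0x473034 CopyFileA
0x473038 DeleteFileA
0x473078 IsDebuggerPresent
0x473160 OutputDebugStringW
ADVAPI32.dll
0x473000 CreateServiceA
0x473004 CloseServiceHandle
0x473008 RegSetValueExA
0x47300c RegOpenKeyExA
0x473014 OpenSCManagerA
SHELL32.dll
0x473198 ShellExecuteExA
0x47319c ShellExecuteA
WININET.dll
0x4731a4 DeleteUrlCacheEntry
EAT(Export Address Table) is none
"""

# Hand-made capability map (assumption): tag -> API names that imply it.
CAPABILITIES = {
    "dynamic_api_resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    "service_persistence": {"OpenSCManagerA", "CreateServiceA", "StartServiceA"},
    "registry_write": {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA"},
    "self_copy_or_cleanup": {"GetModuleFileNameA", "CopyFileA", "DeleteFileA"},
    "launch_process": {"ShellExecuteA", "ShellExecuteExA", "CreateProcessA", "WinExec"},
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringW"},
}
# Static imports that could perform an HTTP download (assumption, not exhaustive).
NETWORK_DLLS = {"WS2_32.DLL", "WINHTTP.DLL", "URLMON.DLL"}
NETWORK_APIS = {"InternetOpenA", "InternetOpenUrlA", "HttpOpenRequestA",
                "URLDownloadToFileA", "WSAStartup", "connect", "recv"}

DLL_RE = re.compile(r"^([A-Za-z0-9_.-]+\.dll)$", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\w+)$")


def parse_iat(text):
    """Return {DLL (upper-cased): [(iat_address, api_name), ...]}."""
    imports = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = DLL_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            imports[current].append((int(m.group(1), 16), m.group(2)))
        # other lines ("EAT ... is none", blanks) are ignored
    return dict(imports)


def triage(imports):
    """Return {capability: sorted matching APIs}, omitting empty tags."""
    present = {api for entries in imports.values() for _, api in entries}
    return {cap: sorted(present & apis)
            for cap, apis in CAPABILITIES.items() if present & apis}


def persistence_chain(hits):
    """True when both service creation and registry writes are imported,
    the pairing behind the report's autorun and service signatures."""
    return "service_persistence" in hits and "registry_write" in hits


def network_hidden(imports):
    """True when no static import can do the HTTP download the sandbox
    observed: the network code is then resolved at runtime, unpacked,
    or lives in a dropped child process."""
    apis = {api for entries in imports.values() for _, api in entries}
    return not (set(imports) & NETWORK_DLLS or apis & NETWORK_APIS)


if __name__ == "__main__":
    parsed = parse_iat(SAMPLE_IAT)
    caps = triage(parsed)
    for cap, apis in caps.items():
        print(f"{cap:24s} {', '.join(apis)}")
    print("persistence chain:", persistence_chain(caps))
    print("download capability not in static imports:", network_hidden(parsed))
```

Run it against the full listing above and the result matches the behavioral side of the report: service plus registry persistence, a launcher, an anti-debug check, and no statically visible downloader, which is consistent with the UPX/packer rule hits and the LoadLibraryA/GetProcAddress pair (the network code is resolved at run time or belongs to the dropped binary, not to this import table).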