Field | Value |
---|---|
Created | 2021.09.07 19:12 |
Machine | s1_win7_x6401 |
Filename | hv.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 49 detected (SpyEyesaND, SpyEyes, malicious, high confidence, GenericKD, GenericRXMI, Unsafe, confidence, 100%, ZexaF, ou2@aaJWp7hi, RTCJ, Attribute, HighConfidence, AARD, TinyNuke, R002C0PGB21, ouzrw, ASMalwS, Mamson, score, ai score=81, BScope, Fuerboos, XUAvosWD, Static AI, Suspicious PE, InvalidSig, GdSda) |
md5 | 385eccb9e711368035f0f329f98255ec |
sha256 | 1e80bf1bca4a8841d973e8bf1f88e2d7cce3160793f23b2351db0aa7ea23af4e |
ssdeep | 3072:zASUot4cIAg0Fuj7M1iUa2LQR/wkLsrA5vmUBmHHcTnoeYYHIwG1Opm92BuiFwdn:eLAORwAtmBHHc8eY5XOpwiFEHt1CB5O |
imphash | f2b2e356d2d0eb1b0d5da0b0d4f5e934 |
impfuzzy | 48:PKZGvBUsuMzLtwS1Ec+JZiXuHvyz8tjIz5n6GL4Cj5SUAQKQuR7ArHlnnon:PypsuMXtwS1Ec+Ju7E/CjK |
Network IP location
Signature (18cnts)
Level | Description |
---|---|
danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | Uses suspicious command line tools or Windows utilities |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | ASPack_Zero | ASPack packed file | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Suricata ids
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE Trojan Generic - POST To gate.php with no accept headers
ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x435050 Process32First
0x435054 TerminateProcess
0x435058 ReleaseMutex
0x43505c OpenProcess
0x435060 CreateToolhelp32Snapshot
0x435064 Process32Next
0x435068 GetModuleFileNameA
0x43506c MultiByteToWideChar
0x435070 SystemTimeToFileTime
0x435074 WideCharToMultiByte
0x435078 GetSystemTime
0x43507c IsWow64Process
0x435080 SetEndOfFile
0x435084 HeapSize
0x435088 GetConsoleOutputCP
0x43508c FlushFileBuffers
0x435090 CreateFileW
0x435094 GetProcessHeap
0x435098 EnumSystemLocalesW
0x43509c GetUserDefaultLCID
0x4350a0 IsValidLocale
0x4350a4 SetStdHandle
0x4350a8 SetEnvironmentVariableW
0x4350ac FreeEnvironmentStringsW
0x4350b0 GetEnvironmentStringsW
0x4350b4 GetOEMCP
0x4350b8 GetACP
0x4350bc IsValidCodePage
0x4350c0 FindNextFileW
0x4350c4 FindFirstFileExW
0x4350c8 FindClose
0x4350cc HeapReAlloc
0x4350d0 GetFileType
0x4350d4 ReadConsoleW
0x4350d8 GetConsoleMode
0x4350dc GetComputerNameW
0x4350e0 CreateMutexA
0x4350e4 CreateDirectoryA
0x4350e8 CreateFileA
0x4350ec CopyFileA
0x4350f0 WriteFile
0x4350f4 GetProcAddress
0x4350f8 GetWindowsDirectoryA
0x4350fc GetVersionExA
0x435100 lstrcpyA
0x435104 GetModuleHandleA
0x435108 TerminateThread
0x43510c lstrcatA
0x435110 lstrcmpA
0x435114 WaitForSingleObject
0x435118 CloseHandle
0x43511c LoadLibraryA
0x435120 Sleep
0x435124 GetCurrentProcess
0x435128 SetFilePointerEx
0x43512c HeapAlloc
0x435130 GetFileAttributesExW
0x435134 CreateProcessW
0x435138 GetExitCodeProcess
0x43513c HeapFree
0x435140 GetCommandLineW
0x435144 GetCommandLineA
0x435148 GetModuleFileNameW
0x43514c GetStdHandle
0x435150 GetModuleHandleExW
0x435154 ExitProcess
0x435158 ReadFile
0x43515c WriteConsoleW
0x435160 LoadLibraryExW
0x435164 FreeLibrary
0x435168 RtlUnwind
0x43516c RaiseException
0x435170 GetCPInfo
0x435174 GetStringTypeW
0x435178 GetLocaleInfoW
0x43517c LCMapStringW
0x435180 CompareStringW
0x435184 DecodePointer
0x435188 EncodePointer
0x43518c UnhandledExceptionFilter
0x435190 SetUnhandledExceptionFilter
0x435194 IsProcessorFeaturePresent
0x435198 QueryPerformanceCounter
0x43519c GetCurrentProcessId
0x4351a0 GetCurrentThreadId
0x4351a4 GetSystemTimeAsFileTime
0x4351a8 InitializeSListHead
0x4351ac IsDebuggerPresent
0x4351b0 GetStartupInfoW
0x4351b4 GetModuleHandleW
0x4351b8 GetLastError
0x4351bc EnterCriticalSection
0x4351c0 LeaveCriticalSection
0x4351c4 DeleteCriticalSection
0x4351c8 SetLastError
0x4351cc InitializeCriticalSectionAndSpinCount
0x4351d0 SwitchToThread
0x4351d4 TlsAlloc
0x4351d8 TlsGetValue
0x4351dc TlsSetValue
0x4351e0 TlsFree
USER32.dll
0x435208 MoveWindow
0x43520c SendMessageA
0x435210 PrintWindow
0x435214 MenuItemFromPoint
0x435218 FindWindowA
0x43521c GetTopWindow
0x435220 GetWindowLongA
0x435224 CloseDesktop
0x435228 GetWindowPlacement
0x43522c WindowFromPoint
0x435230 ScreenToClient
0x435234 PostMessageA
0x435238 IsWindowVisible
0x43523c GetDC
0x435240 PtInRect
0x435244 ChildWindowFromPoint
0x435248 ReleaseDC
0x43524c RealGetWindowClassA
0x435250 GetMenuItemID
0x435254 CharUpperBuffA
0x435258 wsprintfA
0x43525c MessageBoxA
0x435260 GetWindow
0x435264 GetWindowRect
GDI32.dll
0x435028 BitBlt
0x43502c CreateCompatibleBitmap
0x435030 SelectObject
0x435034 CreateCompatibleDC
0x435038 StretchBlt
0x43503c GetDIBits
0x435040 DeleteDC
0x435044 SetStretchBltMode
0x435048 DeleteObject
COMDLG32.dll
0x435020 GetOpenFileNameA
ADVAPI32.dll
0x435000 RegSetValueExA
0x435004 RegEnumKeyA
0x435008 RegCloseKey
0x43500c RegOpenKeyA
0x435010 RegQueryValueExA
0x435014 RegOpenKeyExA
0x435018 GetUserNameW
SHELL32.dll
0x4351e8 SHAppBarMessage
0x4351ec SHFileOperationA
0x4351f0 SHGetFolderPathA
WS2_32.dll
0x435290 closesocket
0x435294 gethostbyname
0x435298 WSAStartup
0x43529c send
0x4352a0 socket
0x4352a4 connect
0x4352a8 recv
0x4352ac htons
SHLWAPI.dll
0x4351f8 StrChrA
0x4351fc StrToIntA
0x435200 PathFileExistsA
WININET.dll
0x43526c InternetOpenUrlA
0x435270 InternetReadFile
0x435274 InternetConnectA
0x435278 HttpSendRequestA
0x43527c InternetCloseHandle
0x435280 InternetOpenA
0x435284 HttpOpenRequestA
0x435288 HttpQueryInfoA
EAT(Export Address Table) is none