Field | Value |
---|---|
Created | 2021.09.09 09:03 |
Machine | s1_win7_x6402 |
Filename | abdcffc9bcf6d5c536c89f879e95ed21.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 42 detected (GenericKD, GenericRXAA, Unsafe, WUMX, Attribute, HighConfidence, Malicious, MalwareX, Gencirc, Generic ML PUA, Malware@#21hkfnn4u4u4t, Inject4, Artemis, Redcap, wider, ASMalwS, PSWTroj, kcloud, Sabsik, 1HNXF2S, score, ai score=84, Zenlod, Farfli, PossibleThreat, GdSda) |
md5 | 7411bd9a32735dfdeee38ee1f6629a7f |
sha256 | 18af72f75d6dbdffa8f8319d5d76f9b1a8cb51e99e1b937948bdcc7af6665511 |
ssdeep | 1536:jJZJldymYVraPfFIdeD4P2ZDNjHSSu9tK66hdwY3VtqRsWEcdWEs8nBsRVuwtEBg:jNFp2kDzDZySmI6UwyzqRWZDNtEB6c/ |
imphash | 7bda1659fc16105398114c734c6c6738 |
impfuzzy | 24:FXlpgbD3UMUGviucHRGcSt9S18YbJh9roHOovbOuqNyTSwxJEYBq1EHEQm:hQHbvcSt9S1RDZB3dQKYZk9 |
Signature (19cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
warning | Uses WMI to create a new process |
watch | Creates or sets a registry key to a long series of bytes |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
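The three behaviours above that matter most for hunting are the WMI-spawned process, the executable dropped under AppData, and the ip-api.com lookup. The following is an added example (not part of the sandbox report) showing how those behaviours translate into endpoint detection logic: it runs a few rule functions over constructed Sysmon-style events and scores each process by how many of the report's behaviours it trips. The event records, the image names and the list of IP-lookup services other than ip-api.com are assumptions made for the example.

```python
"""Added example: hunt for the behaviours flagged in this report in
Sysmon-style telemetry. Events below are constructed, not captured from
the sample; hostnames other than ip-api.com are assumed, not from the report."""
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# Constructed records using Sysmon field names.
# EventID 1 = process create, 11 = file create, 22 = DNS query, 3 = network connect.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"EventID": 22, "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "QueryName": "ip-api.com"},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\cache.log"},
]

# ip-api.com is from the report's Suricata hits; the rest are common
# external-IP services added here as an assumption.
EXTERNAL_IP_SERVICES = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


def _base(path):
    return ntpath.basename(path or "").lower()


def check_wmi_process_create(evt):
    # Win32_Process.Create launches the child from the WMI provider host,
    # so a process started through WMI has WmiPrvSE.exe as its parent
    # rather than the process that actually asked for it.
    return evt.get("EventID") == 1 and _base(evt.get("ParentImage")) == "wmiprvse.exe"


def check_exe_dropped_in_appdata(evt):
    target = (evt.get("TargetFilename") or "").lower()
    return evt.get("EventID") == 11 and "\\appdata\\" in target and target.endswith(".exe")


def check_external_ip_lookup(evt):
    host = (evt.get("QueryName") or evt.get("DestinationHostname") or "").lower()
    return evt.get("EventID") in (3, 22) and host in EXTERNAL_IP_SERVICES


RULES = {
    "wmi_process_create": check_wmi_process_create,
    "exe_dropped_in_appdata": check_exe_dropped_in_appdata,
    "external_ip_lookup": check_external_ip_lookup,
}


def triage(events):
    """Return (rule_name, image) for every event that trips a rule."""
    hits = []
    for evt in events:
        for name, check in RULES.items():
            if check(evt):
                hits.append((name, evt.get("Image", "")))
    return hits


def score_by_image(hits):
    """Distinct rules tripped per process image. One isolated hit is weak
    evidence; a process tripping several of this report's behaviours is a lead."""
    seen = {}
    for name, image in hits:
        seen.setdefault(image, set()).add(name)
    return {image: len(rules) for image, rules in seen.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for name, image in hits:
        print(f"{name:24} {image}")
    for image, score in sorted(score_by_image(hits).items(), key=lambda kv: -kv[1]):
        print(f"score={score} {image}")
```

The parent-process rule is the one worth keeping even outside this sample: legitimate WMI-driven process creation exists (management agents, some installers), so tune it by allow-listing known child images rather than dropping the rule.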
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (19cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com
ET POLICY External IP Lookup ip-api.com
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x410000 WriteFile
0x410004 InterlockedDecrement
0x410008 InitializeCriticalSectionAndSpinCount
0x41000c CreateFileW
0x410010 GetModuleHandleA
0x410014 GetLastError
0x410018 lstrcatW
0x41001c CloseHandle
0x410020 RaiseException
0x410024 DecodePointer
0x410028 GetProcAddress
0x41002c DeleteCriticalSection
0x410030 WriteConsoleW
0x410034 SetFilePointerEx
0x410038 GetConsoleMode
0x41003c GetConsoleCP
0x410040 FlushFileBuffers
0x410044 GetStringTypeW
0x410048 SetStdHandle
0x41004c GetFileType
0x410050 GetProcessHeap
0x410054 SetEnvironmentVariableA
0x410058 FreeEnvironmentStringsW
0x41005c GetEnvironmentStringsW
0x410060 GetCPInfo
0x410064 GetOEMCP
0x410068 IsValidCodePage
0x41006c FindNextFileA
0x410070 IsDebuggerPresent
0x410074 OutputDebugStringW
0x410078 EnterCriticalSection
0x41007c LeaveCriticalSection
0x410080 MultiByteToWideChar
0x410084 WideCharToMultiByte
0x410088 LocalFree
0x41008c UnhandledExceptionFilter
0x410090 SetUnhandledExceptionFilter
0x410094 GetCurrentProcess
0x410098 TerminateProcess
0x41009c IsProcessorFeaturePresent
0x4100a0 GetStartupInfoW
0x4100a4 GetModuleHandleW
0x4100a8 QueryPerformanceCounter
0x4100ac GetCurrentProcessId
0x4100b0 GetCurrentThreadId
0x4100b4 GetSystemTimeAsFileTime
0x4100b8 InitializeSListHead
0x4100bc EncodePointer
0x4100c0 RtlUnwind
0x4100c4 SetLastError
0x4100c8 TlsAlloc
0x4100cc TlsGetValue
0x4100d0 TlsSetValue
0x4100d4 TlsFree
0x4100d8 FreeLibrary
0x4100dc LoadLibraryExW
0x4100e0 ExitProcess
0x4100e4 GetModuleHandleExW
0x4100e8 GetModuleFileNameA
0x4100ec GetStdHandle
0x4100f0 GetCommandLineA
0x4100f4 GetCommandLineW
0x4100f8 GetACP
0x4100fc HeapFree
0x410100 HeapAlloc
0x410104 HeapSize
0x410108 HeapReAlloc
0x41010c CompareStringW
0x410110 LCMapStringW
0x410114 FindClose
0x410118 FindFirstFileExA
ole32.dll
0x410160 CoUninitialize
0x410164 CoSetProxyBlanket
0x410168 CoInitializeSecurity
0x41016c CoCreateInstance
0x410170 CoInitialize
OLEAUT32.dll
0x410120 SafeArrayGetDim
0x410124 VariantInit
0x410128 SafeArrayGetUBound
0x41012c SafeArrayGetLBound
0x410130 SysFreeString
0x410134 SysStringByteLen
0x410138 SysAllocStringByteLen
0x41013c SysAllocString
0x410140 VariantCopy
0x410144 SysStringLen
0x410148 SafeArrayUnaccessData
0x41014c SysAllocStringLen
0x410150 SafeArrayAccessData
0x410154 VariantClear
0x410158 GetErrorInfo
EAT(Export Address Table) is none
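The import table is consistent with the "Uses WMI to create a new process" signature: CoInitializeSecurity, CoCreateInstance and CoSetProxyBlanket from ole32 are the documented sequence for connecting to WMI over COM, and the OLEAUT32 BSTR/VARIANT/SafeArray imports are what a client needs to pass method names and arguments to it. The following is an added example (not part of the report, not the sample's code) that turns such an import list into capability tags and also shows how the imphash in the header is computed from it. It uses a transcribed subset of the imports above, so its hash will not equal the report's value; the capability groupings are the author's assumptions, not the report's.

```python
"""Added example: tag capabilities from a PE import list and compute an
imphash. Import subset transcribed from the report above; capability
groupings are assumptions made for this example."""
import hashlib

# (dll, [functions]) in the order the report lists them. A subset only:
# imphash covers every imported symbol in import-directory order, so the
# value below is illustrative and does not reproduce the report's imphash.
REPORT_IMPORTS = [
    ("KERNEL32.dll", ["WriteFile", "CreateFileW", "GetProcAddress", "FindNextFileA",
                      "IsDebuggerPresent", "LoadLibraryExW", "FindClose",
                      "FindFirstFileExA", "GetModuleFileNameA"]),
    ("ole32.dll", ["CoUninitialize", "CoSetProxyBlanket", "CoInitializeSecurity",
                   "CoCreateInstance", "CoInitialize"]),
    ("OLEAUT32.dll", ["SafeArrayGetDim", "VariantInit", "SysFreeString",
                      "SysAllocString", "SafeArrayAccessData", "VariantClear"]),
]

# A tag fires only when every listed function is present ("all-of"), which
# keeps plain COM users from being labelled as WMI clients. Assumed groupings.
CAPABILITIES = {
    "wmi_com_client": {
        "ole32.dll": {"CoInitialize", "CoInitializeSecurity", "CoCreateInstance",
                      "CoSetProxyBlanket"},
        "OLEAUT32.dll": {"SysAllocString", "VariantInit", "VariantClear"},
    },
    "anti_debug": {"KERNEL32.dll": {"IsDebuggerPresent"}},
    "file_enumeration": {"KERNEL32.dll": {"FindFirstFileExA", "FindNextFileA", "FindClose"}},
    "dynamic_api_resolution": {"KERNEL32.dll": {"LoadLibraryExW", "GetProcAddress"}},
}


def _normalise(imports):
    """Map lower-cased dll name -> set of function names."""
    table = {}
    for dll, funcs in imports:
        table.setdefault(dll.lower(), set()).update(funcs)
    return table


def tag_capabilities(imports):
    table = _normalise(imports)
    tags = []
    for tag, requirements in CAPABILITIES.items():
        if all(funcs <= table.get(dll.lower(), set()) for dll, funcs in requirements.items()):
            tags.append(tag)
    return tags


def imphash(imports):
    """Same construction as the common imphash: 'lib.func' entries, lib name
    lower-cased with .dll/.ocx/.sys stripped, joined by commas, MD5. Ordinal
    imports are not handled here (this sample imports by name only)."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("capabilities:", tag_capabilities(REPORT_IMPORTS))
    print("imphash(subset):", imphash(REPORT_IMPORTS))
```

Two caveats when reading this against the report. The tags say "COM client shaped like a WMI caller"; the actual WbemLocator CLSID and the `Win32_Process` / `Create` strings would live in the data sections, which the report does not show, so the sandbox's behavioural signature is the stronger evidence. And because imphash is order-sensitive, two builds with the same functions in a different import-directory order hash differently, which is why the value is useful for clustering builds of one toolchain but not as a substitute for the sha256.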