Field | Value |
---|---|
Created | 2021.09.11 15:25 |
Machine | s1_win7_x6401 |
Filename | c0dda7a83d4cc964b37957b563b1b6ff6fd64256.smile |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 35 detected (AIDetect, malware2, malicious, high confidence, score, GenericRXJR, Unsafe, confidence, Zusy, Attribute, HighConfidence, Raccoon, Racealer, MalwareX, Static AI, Malicious PE, AGEN, Sabsik, BScope, ai score=80, CLASSIC, Racoon, ZexaF, JqW@aWTUtAj, Genetic) |
md5 | fa3bea9c92a88ee35e69036fd79c9169 |
sha256 | 8d83c8cd1c00fda08e1e524c4be95484070cfe1a87b38162a31cd6c86aec566b |
ssdeep | 12288:HPyvUhuDGncJlujEpr8qEFRkbNZ5tWDmp4NAc15Kp3CIF5j1QwZPDrE:Qwckyr8RkJXampEhoPa2PDw |
imphash | 35279f0bcb93fbb246a2ff5f9995bdc1 |
impfuzzy | 96:WrznXQjOqeX23mGz8v0LVGxgcpVeceb4nlEHdkNAM6lYo:wjX2eX2A9e8lAdkNeYo |
Signature (19cnts)
Level | Description |
---|---|
danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
notice | A process created a hidden window |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (7cnts)
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x46d088 WaitForSingleObject
0x46d08c GetModuleHandleA
0x46d090 GetLocaleInfoA
0x46d094 Sleep
0x46d098 RemoveDirectoryTransactedA
0x46d09c GetUserDefaultLCID
0x46d0a0 CreateThread
0x46d0a4 GetLastError
0x46d0a8 DeleteFileA
0x46d0ac HeapAlloc
0x46d0b0 lstrcpynA
0x46d0b4 lstrcmpiW
0x46d0b8 GetModuleFileNameA
0x46d0bc GetCurrentProcess
0x46d0c0 GetSystemPowerStatus
0x46d0c4 CreateMutexA
0x46d0c8 OpenProcess
0x46d0cc CreateToolhelp32Snapshot
0x46d0d0 MultiByteToWideChar
0x46d0d4 GetSystemWow64DirectoryW
0x46d0d8 GetTimeZoneInformation
0x46d0dc OpenMutexA
0x46d0e0 Process32NextW
0x46d0e4 GlobalAlloc
0x46d0e8 GetEnvironmentVariableA
0x46d0ec Process32FirstW
0x46d0f0 GlobalFree
0x46d0f4 GetSystemInfo
0x46d0f8 GetLogicalDriveStringsA
0x46d0fc GlobalMemoryStatusEx
0x46d100 WideCharToMultiByte
0x46d104 CreateProcessA
0x46d108 GetComputerNameA
0x46d10c UnmapViewOfFile
0x46d110 GetFileInformationByHandle
0x46d114 CloseHandle
0x46d118 GetLocalTime
0x46d11c CreateFileMappingA
0x46d120 MapViewOfFile
0x46d124 GetTickCount
0x46d128 SetStdHandle
0x46d12c FreeEnvironmentStringsW
0x46d130 GetEnvironmentStringsW
0x46d134 GetOEMCP
0x46d138 GetACP
0x46d13c IsValidCodePage
0x46d140 HeapReAlloc
0x46d144 OutputDebugStringW
0x46d148 lstrlenA
0x46d14c GetFileSize
0x46d150 lstrcpyW
0x46d154 lstrcatW
0x46d158 GetVersionExW
0x46d15c lstrlenW
0x46d160 CreateDirectoryA
0x46d164 lstrcpyA
0x46d168 SystemTimeToFileTime
0x46d16c CreateFileA
0x46d170 GetFileAttributesA
0x46d174 LocalFileTimeToFileTime
0x46d178 SetCurrentDirectoryA
0x46d17c GetCurrentDirectoryA
0x46d180 SetFilePointer
0x46d184 SetFileTime
0x46d188 WriteFile
0x46d18c ReadFile
0x46d190 FindClose
0x46d194 GetDriveTypeA
0x46d198 CopyFileTransactedA
0x46d19c FreeLibrary
0x46d1a0 GetProcessHeap
0x46d1a4 LocalFree
0x46d1a8 GetProcAddress
0x46d1ac LoadLibraryA
0x46d1b0 LocalAlloc
0x46d1b4 DeleteFileTransactedA
0x46d1b8 SetEnvironmentVariableW
0x46d1bc ReadConsoleW
0x46d1c0 EnumSystemLocalesW
0x46d1c4 IsValidLocale
0x46d1c8 GetLocaleInfoW
0x46d1cc LCMapStringW
0x46d1d0 CompareStringW
0x46d1d4 GetTimeFormatW
0x46d1d8 GetDateFormatW
0x46d1dc GetConsoleMode
0x46d1e0 GetConsoleCP
0x46d1e4 FlushFileBuffers
0x46d1e8 GetFileSizeEx
0x46d1ec HeapSize
0x46d1f0 GetCommandLineW
0x46d1f4 GetCommandLineA
0x46d1f8 WriteConsoleW
0x46d1fc GetModuleFileNameW
0x46d200 GetFileType
0x46d204 GetStdHandle
0x46d208 GetModuleHandleExW
0x46d20c HeapFree
0x46d210 FileTimeToSystemTime
0x46d214 CreateDirectoryTransactedA
0x46d218 ExitProcess
0x46d21c LoadLibraryExW
0x46d220 TlsFree
0x46d224 TlsSetValue
0x46d228 TlsGetValue
0x46d22c TlsAlloc
0x46d230 InitializeCriticalSectionAndSpinCount
0x46d234 SetLastError
0x46d238 RaiseException
0x46d23c RtlUnwind
0x46d240 TerminateProcess
0x46d244 InitializeSListHead
0x46d248 GetSystemTimeAsFileTime
0x46d24c GetCurrentThreadId
0x46d250 GetCurrentProcessId
0x46d254 QueryPerformanceCounter
0x46d258 GetModuleHandleW
0x46d25c GetStartupInfoW
0x46d260 SetUnhandledExceptionFilter
0x46d264 UnhandledExceptionFilter
0x46d268 IsDebuggerPresent
0x46d26c IsProcessorFeaturePresent
0x46d270 GetCPInfo
0x46d274 SetCurrentDirectoryW
0x46d278 CreateDirectoryW
0x46d27c CreateFileW
0x46d280 FindFirstFileExW
0x46d284 FindNextFileW
0x46d288 GetFileAttributesExW
0x46d28c SetEndOfFile
0x46d290 SetFilePointerEx
0x46d294 AreFileApisANSI
0x46d298 DeviceIoControl
0x46d29c CopyFileW
0x46d2a0 CreateHardLinkW
0x46d2a4 GetFileInformationByHandleEx
0x46d2a8 CreateSymbolicLinkW
0x46d2ac FormatMessageA
0x46d2b0 EnterCriticalSection
0x46d2b4 LeaveCriticalSection
0x46d2b8 InitializeCriticalSectionEx
0x46d2bc DeleteCriticalSection
0x46d2c0 EncodePointer
0x46d2c4 DecodePointer
0x46d2c8 LCMapStringEx
0x46d2cc GetStringTypeW
USER32.dll
0x46d2f4 wsprintfW
0x46d2f8 wsprintfA
0x46d2fc GetWindowRect
0x46d300 GetSystemMetrics
0x46d304 GetWindowDC
0x46d308 EnumDisplayDevicesA
0x46d30c GetDesktopWindow
GDI32.dll
0x46d060 BitBlt
0x46d064 SaveDC
0x46d068 SelectObject
0x46d06c CreateDIBSection
0x46d070 CreateCompatibleDC
0x46d074 GetDeviceCaps
0x46d078 DeleteDC
0x46d07c RestoreDC
0x46d080 DeleteObject
ADVAPI32.dll
0x46d000 GetTokenInformation
0x46d004 CryptGetHashParam
0x46d008 CryptDestroyHash
0x46d00c RegQueryValueExA
0x46d010 GetUserNameA
0x46d014 CreateProcessWithTokenW
0x46d018 OpenProcessToken
0x46d01c RegOpenKeyExA
0x46d020 ConvertSidToStringSidW
0x46d024 DuplicateTokenEx
0x46d028 RegQueryValueExW
0x46d02c CryptReleaseContext
0x46d030 RegCloseKey
0x46d034 RegEnumKeyExW
0x46d038 RegOpenKeyExW
0x46d03c CryptAcquireContextA
0x46d040 CredEnumerateW
0x46d044 CredFree
0x46d048 CryptCreateHash
0x46d04c CryptHashData
SHELL32.dll
0x46d2d4 SHGetFolderPathA
0x46d2d8 ShellExecuteA
0x46d2dc SHGetSpecialFolderPathW
ole32.dll
0x46d39c CoInitialize
0x46d3a0 CoUninitialize
0x46d3a4 CoTaskMemFree
0x46d3a8 CoCreateInstance
USERENV.dll
0x46d314 GetUserProfileDirectoryA
ktmw32.dll
0x46d38c CreateTransaction
0x46d390 RollbackTransaction
0x46d394 CommitTransaction
crypt.dll
0x46d344 BCryptDecrypt
0x46d348 BCryptDestroyKey
0x46d34c BCryptGenerateSymmetricKey
0x46d350 BCryptOpenAlgorithmProvider
0x46d354 BCryptCloseAlgorithmProvider
0x46d358 BCryptSetProperty
CRYPT32.dll
0x46d054 CryptStringToBinaryA
0x46d058 CryptUnprotectData
SHLWAPI.dll
0x46d2e4 StrCmpNW
0x46d2e8 StrToIntA
0x46d2ec StrStrIW
WINHTTP.dll
0x46d31c WinHttpSendRequest
0x46d320 WinHttpConnect
0x46d324 WinHttpQueryDataAvailable
0x46d328 WinHttpOpenRequest
0x46d32c WinHttpCloseHandle
0x46d330 WinHttpOpen
0x46d334 WinHttpSetOption
0x46d338 WinHttpReceiveResponse
0x46d33c WinHttpReadData
gdiplus.dll
0x46d360 GdiplusStartup
0x46d364 GdipGetImageEncodersSize
0x46d368 GdipFree
0x46d36c GdipDisposeImage
0x46d370 GdipCreateBitmapFromHBITMAP
0x46d374 GdipAlloc
0x46d378 GdipCloneImage
0x46d37c GdipGetImageEncoders
0x46d380 GdiplusShutdown
0x46d384 GdipSaveImageToFile
EAT (Export Address Table): none