Field | Value |
---|---|
Created | 2021.09.12 14:48 |
Machine | s1_win7_x6401 |
Filename | Habit_Blink.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 33 detected (Doina, malicious, high confidence, Unsafe, Attribute, HighConfidence, a variant of Generik, GMRYELG, Phonzy, score, ai score=87, susgen, PossibleThreat, ZexaF, ruW@ay18pRcj, GdSda) |
md5 | df46f7077499c629fda43a178a70d6a0 |
sha256 | 754baa6b4007335878ec474d4347f7a8bb42a9955324e84365f8c98c0d376617 |
ssdeep | 6144:TO9EMhhQ1rAc4wdi890rljSktzx4Fm7Lcl1nbQOa1:MEMhh6rAc4wdERj9tzT7Lc/b |
imphash | 1b97638c44e28dc7f804031b638182b1 |
impfuzzy | 96:VKLQ1veLA7cCdcp+1KFbNDKcR87cfzcEO9a1YfYaWI5qKMt2MQqUn:ULtC/KFb1K8VO9a1sd5qKMtrQ7n |
Network IP location
Signature (10cnts)
Level | Description |
---|---|
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a shortcut to an executable file |
notice | Creates executable files on the filesystem |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Sends data using the HTTP POST Method |
info | This executable has a PDB path |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE32 | (no description) | binaries (upload) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts)
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x43403c CloseHandle
0x434040 GetLastError
0x434044 CreateMutexA
0x434048 lstrlenA
0x43404c lstrcmpA
0x434050 DeleteFileA
0x434054 GetPrivateProfileStringA
0x434058 IsProcessorFeaturePresent
0x43405c GetSystemTimeAsFileTime
0x434060 GetCurrentProcessId
0x434064 GetCurrentThreadId
0x434068 QueryPerformanceCounter
0x43406c DecodePointer
0x434070 IsDebuggerPresent
0x434074 SetUnhandledExceptionFilter
0x434078 UnhandledExceptionFilter
0x43407c GetCurrentProcess
0x434080 TerminateProcess
0x434084 EncodePointer
0x434088 GetStartupInfoW
0x43408c HeapSetInformation
0x434090 InterlockedCompareExchange
0x434094 GetPrivateProfileIntA
0x434098 lstrcpyA
0x43409c GetTempPathA
0x4340a0 GetLocalTime
0x4340a4 MultiByteToWideChar
0x4340a8 lstrcatA
0x4340ac InterlockedExchange
0x4340b0 ExpandEnvironmentStringsA
0x4340b4 LoadLibraryA
0x4340b8 GetProcAddress
0x4340bc FreeLibrary
0x4340c0 GetStdHandle
0x4340c4 GetFileType
0x4340c8 WaitForMultipleObjects
0x4340cc PeekNamedPipe
0x4340d0 ReadFile
0x4340d4 FormatMessageA
0x4340d8 WaitForSingleObject
0x4340dc VerSetConditionMask
0x4340e0 VerifyVersionInfoA
0x4340e4 SleepEx
0x4340e8 GetTickCount
0x4340ec SetLastError
0x4340f0 EnterCriticalSection
0x4340f4 LeaveCriticalSection
0x4340f8 InitializeCriticalSection
0x4340fc DeleteCriticalSection
0x434100 Sleep
USER32.dll
0x434294 CreateWindowExA
0x434298 EndDialog
0x43429c PostQuitMessage
0x4342a0 KillTimer
0x4342a4 FlashWindow
0x4342a8 EndPaint
0x4342ac BeginPaint
0x4342b0 DefWindowProcA
0x4342b4 DestroyWindow
0x4342b8 DialogBoxParamA
0x4342bc wsprintfA
0x4342c0 LoadStringA
0x4342c4 LoadAcceleratorsA
0x4342c8 GetMessageA
0x4342cc TranslateAcceleratorA
0x4342d0 TranslateMessage
0x4342d4 DispatchMessageA
0x4342d8 UpdateWindow
0x4342dc LoadCursorA
0x4342e0 RegisterClassExA
0x4342e4 LoadIconA
0x4342e8 SetTimer
0x4342ec ShowWindow
ADVAPI32.dll
0x434000 CryptDestroyKey
0x434004 RegSetValueExA
0x434008 RegQueryValueExA
0x43400c RegCloseKey
0x434010 RegCreateKeyA
0x434014 RegOpenKeyExA
0x434018 CryptEncrypt
0x43401c CryptReleaseContext
0x434020 CryptImportKey
0x434024 CryptAcquireContextA
0x434028 CryptDestroyHash
0x43402c CryptGetHashParam
0x434030 CryptHashData
0x434034 CryptCreateHash
SHELL32.dll
0x434280 ShellExecuteA
0x434284 SHGetPathFromIDListA
0x434288 SHGetSpecialFolderLocation
0x43428c SHGetSpecialFolderPathA
ole32.dll
0x4343b0 CoUninitialize
0x4343b4 CoTaskMemFree
0x4343b8 CoCreateInstance
0x4343bc CoInitialize
urlmon.dll
0x4343c4 URLDownloadToFileA
WININET.dll
0x4342f4 DeleteUrlCacheEntry
WS2_32.dll
0x434340 ntohs
0x434344 gethostname
0x434348 ioctlsocket
0x43434c listen
0x434350 accept
0x434354 recvfrom
0x434358 WSACleanup
0x43435c WSAStartup
0x434360 __WSAFDIsSet
0x434364 WSAGetLastError
0x434368 select
0x43436c recv
0x434370 send
0x434374 WSAIoctl
0x434378 setsockopt
0x43437c getsockname
0x434380 WSASetLastError
0x434384 ind
0x434388 htons
0x43438c getsockopt
0x434390 getpeername
0x434394 closesocket
0x434398 socket
0x43439c connect
0x4343a0 freeaddrinfo
0x4343a4 getaddrinfo
0x4343a8 sendto
WLDAP32.dll
0x4342fc None
0x434300 None
0x434304 None
0x434308 None
0x43430c None
0x434310 None
0x434314 None
0x434318 None
0x43431c None
0x434320 None
0x434324 None
0x434328 None
0x43432c None
0x434330 None
0x434334 None
0x434338 None
MSVCR100.dll
0x434108 _controlfp_s
0x43410c _invoke_watson
0x434110 _except_handler4_common
0x434114 _onexit
0x434118 _lock
0x43411c __dllonexit
0x434120 _unlock
0x434124 ?_type_info_dtor_internal_method@type_info@@QAEXXZ
0x434128 ?terminate@@YAXXZ
0x43412c _crt_debugger_hook
0x434130 __set_app_type
0x434134 _fmode
0x434138 _commode
0x43413c __setusermatherr
0x434140 _configthreadlocale
0x434144 _initterm_e
0x434148 _initterm
0x43414c _acmdln
0x434150 exit
0x434154 _ismbblead
0x434158 _XcptFilter
0x43415c _exit
0x434160 _cexit
0x434164 __getmainargs
0x434168 _amsg_exit
0x43416c _strnicmp
0x434170 _stricmp
0x434174 _write
0x434178 _read
0x43417c _open
0x434180 _close
0x434184 _strdup
0x434188 isgraph
0x43418c isprint
0x434190 islower
0x434194 _stat64
0x434198 ??0exception@std@@QAE@ABQBD@Z
0x43419c ??1exception@std@@UAE@XZ
0x4341a0 ??3@YAXPAX@Z
0x4341a4 memmove
0x4341a8 ??0exception@std@@QAE@ABV01@@Z
0x4341ac ??2@YAPAXI@Z
0x4341b0 sprintf
0x4341b4 ?what@exception@std@@UBEPBDXZ
0x4341b8 _CxxThrowException
0x4341bc calloc
0x4341c0 realloc
0x4341c4 free
0x4341c8 malloc
0x4341cc memset
0x4341d0 _errno
0x4341d4 _time64
0x4341d8 tolower
0x4341dc sscanf
0x4341e0 fwrite
0x4341e4 fread
0x4341e8 __iob_func
0x4341ec strchr
0x4341f0 strncpy
0x4341f4 memcpy
0x4341f8 strtol
0x4341fc strrchr
0x434200 isalpha
0x434204 strncmp
0x434208 isxdigit
0x43420c strstr
0x434210 strtoul
0x434214 strpbrk
0x434218 _strtoi64
0x43421c qsort
0x434220 fclose
0x434224 fputs
0x434228 fopen
0x43422c fgets
0x434230 isdigit
0x434234 fputc
0x434238 _beginthreadex
0x43423c strerror
0x434240 __sys_nerr
0x434244 isalnum
0x434248 isspace
0x43424c _getpid
0x434250 memchr
0x434254 _fstat64
0x434258 _lseeki64
0x43425c atoi
0x434260 getenv
0x434264 fflush
0x434268 fseek
0x43426c _gmtime64
0x434270 isupper
0x434274 toupper
0x434278 __CxxFrameHandler3
EAT(Export Address Table) is none