ScreenShot
| Created | 2021.09.20 09:44 | Machine | s1_win7_x6401 |
| Filename | Stubchik.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 29 detected (AIDetect, malware2, Razy, Unsafe, malicious, Attribute, HighConfidence, GenKryptik, FKHS, TrojanX, Generic@ML, RDML, gcGNDPpHmx85, rcIUhgf+g, Score, ZPACK, CoinMinerInj, BScope, Nitol, ai score=83, MachineLearning, Anomalous, 100%, Tiny) | ||
| md5 | d5d4f07e59ffad621f322b68c12e411e | ||
| sha256 | 42506f9e15ffdab6fce67556b602075ff779e2e84c6a40058a3941f0f71071b2 | ||
| ssdeep | 49152:8qgCWU4cUagFjTlMnE1mrswa9dKsxGzVCRRU30ZLozGEXwacq3QTPXq+2:8qgzjrDFP+VrvaJx0C03xi+rgDq | ||
| imphash | 2a2a662be9dffc461398e7c94d0b55b4 | ||
| impfuzzy | 6:HbJq4wX0pyYJxSBS0H5sD4sIW0oFUAliPEcn:7Jq4wMY58xaPXn | ||
Network IP location
Signature (30cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Attempts to create or modify system certificates |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
Rules (40cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Network_Downloader | File Downloader | memory |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Network (9cnts) ?
Suricata ids
ET POLICY External IP Lookup ip-api.com
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x6af6bc strlen
0x6af6c0 malloc
0x6af6c4 fopen
0x6af6c8 fwrite
0x6af6cc fclose
0x6af6d0 memset
0x6af6d4 getenv
0x6af6d8 sprintf
0x6af6dc __argc
0x6af6e0 __argv
0x6af6e4 _environ
0x6af6e8 _XcptFilter
0x6af6ec __set_app_type
0x6af6f0 _controlfp
0x6af6f4 __getmainargs
0x6af6f8 exit
kernel32.dll
0x6af700 CreateProcessA
0x6af704 CloseHandle
0x6af708 SetUnhandledExceptionFilter
EAT(Export Address Table) is none
msvcrt.dll
0x6af6bc strlen
0x6af6c0 malloc
0x6af6c4 fopen
0x6af6c8 fwrite
0x6af6cc fclose
0x6af6d0 memset
0x6af6d4 getenv
0x6af6d8 sprintf
0x6af6dc __argc
0x6af6e0 __argv
0x6af6e4 _environ
0x6af6e8 _XcptFilter
0x6af6ec __set_app_type
0x6af6f0 _controlfp
0x6af6f4 __getmainargs
0x6af6f8 exit
kernel32.dll
0x6af700 CreateProcessA
0x6af704 CloseHandle
0x6af708 SetUnhandledExceptionFilter
EAT(Export Address Table) is none