Field | Value |
---|---|
Created | 2021.09.22 10:13 |
Machine | s1_win7_x6401 |
Filename | ntcm.dll |
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 34 detected (malicious, high confidence, score, GenericKD, IcedID, confidence, 100%, txva, TrojanBanker, BankerX, Drixed, Bazar, kuqsp, ai score=89, kcloud, Tnega, 6JCWMN, Artemis, Unsafe, Static AI, Malicious PE, Behavior) |
md5 | 9f3d6ad1891e088e16f93a17da7e338e |
sha256 | 2f6392ed7bf24a4618ff1709a6c8ecc9c5b77aee3714a4770bf5c11cb7bbe4ec |
ssdeep | 12288:yzfwpdjxfrpIt1hz+mCLeSefQZhelLv26Xxg7McGFgBfwN/GAcIHdJ3EjVneM/Ed:yzfwPjxfrpIt1R+mCLeSefQZhelLv26v |
imphash | 17737ef37d45565c07115078a38f8da4 |
impfuzzy | 6:5UA9j7abe1BztZXtLQABBlimRxybmRxPOLGj5XtERGD+llJHWZRHmRxT7mRx8FmM:H9j7abaFX1jRJRxOcJ2cDKMARZqRJCA2 |
Network IP location
Signatures (12 counts)
Level | Description |
---|---|
danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to create or modify system certificates |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid) |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3 counts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDs
- SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
- ET DNS Query to a *.top domain - Likely Hostile
- ET DNS Query to a *.top domain - Likely Hostile
PE API
IAT (Import Address Table) Library: KERNEL32.dll
Address | Function |
---|---|
0x1800b0000 | GetCurrentThread |
0x1800b0008 | WaitForSingleObject |
0x1800b0010 | WaitForMultipleObjects |
0x1800b0018 | CreateThread |
0x1800b0020 | TlsGetValue |
0x1800b0028 | GetThreadPriority |
0x1800b0030 | DuplicateHandle |
0x1800b0038 | ResumeThread |
0x1800b0040 | CreateFileA |
0x1800b0048 | DeleteCriticalSection |
0x1800b0050 | EnterCriticalSection |
0x1800b0058 | GetCommandLineW |
0x1800b0060 | GetLastError |
0x1800b0068 | GetModuleHandleA |
0x1800b0070 | GetProcAddress |
0x1800b0078 | GetProcessHeap |
0x1800b0080 | HeapAlloc |
0x1800b0088 | HeapFree |
0x1800b0090 | HeapReAlloc |
0x1800b0098 | InitializeCriticalSection |
0x1800b00a0 | LeaveCriticalSection |
0x1800b00a8 | Sleep |
0x1800b00b0 | VirtualAlloc |
0x1800b00b8 | VirtualFree |
0x1800b00c0 | WideCharToMultiByte |
0x1800b00c8 | LoadLibraryA |
0x1800b00d0 | GetSystemTime |
EAT (Export Address Table) Library
Address | Function |
---|---|
0x180001490 | DllGetClassObject |
0x180001440 | DllRegisterServer |
0x1800017c0 | PluginInit |