Field | Value |
---|---|
Created | 2021.09.22 09:55 |
Machine | s1_win7_x6401 |
Filename | 21.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 26 detected (AIDetect, malware1, malicious, high confidence, score, Artemis, Unsafe, Save, confidence, ZexaF, tDW@auGD2kki, Attribute, HighConfidence, GenKryptik, FKXF, FileRepMalware, Generic@ML, RDML, nsijWaEzNuuOqjcQTtMK+Q, R + Mal, EncPk, Woreflint, Limpopo, Static AI, Malicious PE) |
md5 | 9495761e569d1589af99bb520cd01a54 |
sha256 | b61909aa48c3bd53bc5c94589078acba1a719998b4bb3be33a6207c104771dd1 |
ssdeep | 3072:OpGSYF1aI2LsEBsabgMArKjXGI3UbSLctvkn7aOKzXgVg3Zeu2GBlF0W:qFYF1aI2LsYsGsrKD03vplF |
imphash | 5511694027f5c5aab51d18a076c7a70f |
impfuzzy | 6:HGDvcvbZBJAEtwyRlbVUAILX0I1u2+VGKXzVGKjOA6pfkgKGfRPVOO63Qu0jaTY:mDqAPqTMkIA2+0Kj0Kjz6ShGfRP/H |
Network IP location
Signature (26 counts)
Level | Description |
---|---|
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process 21.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (14 counts)
Level | Name | Description | Collection |
---|---|---|---|
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata IDs
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
PE API
IAT (Import Address Table) Library
kernel32.dll
0x427800 GetProcAddress
0x427804 GetVersion
0x427808 LoadLibraryA
0x42780c VirtualAlloc
0x427810 VirtualProtect
0x427814 GetCurrentThread
0x427818 SetPriorityClass
user32.dll
0x427830 GetWindowDC
0x427834 ReleaseDC
0x427838 GetCursorInfo
0x42783c GetCursorPos
0x427840 GetMenu
0x427844 CharLowerBuffW
0x427848 ToAscii
0x42784c InsertMenuItemW
ole32.dll
0x427820 GetConvertStg
0x427824 CoRevertToSelf
0x427828 CoUnmarshalInterface
EAT (Export Address Table): none