Field | Value |
---|---|
Created | 2021.09.22 22:32 |
Machine | s1_win7_x6402 |
Filename | 18.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 19 detected (malicious, high confidence, Unsafe, Save, ZexaF, xHW@aeeYgBiG, Attribute, HighConfidence, a variant of Generik, HHYMXTP, Generic@ML, RDML, 0Y21KlbUqf8IoVxoX5blAA, Static AI, Malicious PE, susgen, Sabsik, score, Artemis, confidence) |
md5 | 5389b036dc60417f5d0df36e82131b63 |
sha256 | 79f06415909bec7ef3aff251d728968654f8cc0e4a108f29a606acd5d677ce40 |
ssdeep | 3072:CORDINSkUIWnxw8CmtqvylJ10nkcvryr5dqT0NMdIp2uogBpUDZyL+UoPxwAnjac:Ti+qg0vryiT0NMd+2u/NLGb |
imphash | 15cdf6e35545e491e70d9cafb0fc7871 |
impfuzzy | 3:sU9KTXzhAXwWBJAEPwEBJJ67EQaxRAAbsSHXX0AXtJ3aAXw3hyw3uB1adbW/zy:HGDYBJAEtwyRlbVUAuylT1cye |
Signature (27cnts)
Level | Description |
---|---|
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local email clients |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process 18.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (18cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (9cnts)
Suricata IDs
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil
PE API
IAT (Import Address Table) Library
kernel32.dll
0x434000 GetProcAddress
0x434004 LoadLibraryA
0x434008 VirtualAlloc
0x43400c VirtualProtect
0x434010 GetCurrentThread
0x434014 lstrlenA
0x434018 lstrcatA
0x43401c lstrcmpA
user32.dll
0x434024 CsrBroadcastSystemMessageExW
EAT (Export Address Table): none