Item | Value |
---|---|
Created | 2021.09.25 17:36 |
Machine | s1_win7_x6401 |
Filename | dd.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 37 detected (AIDetect, malware1, Bsymem, malicious, high confidence, GenericKD, GenericRXQB, Unsafe, confidence, Dorpal, ali1000029, FakeAlert, Attribute, HighConfidence, AGEN, ai score=84, virusname, kcloud, AgentTesla, score, BScope, Nitol, USMANIO21, Generic@ML, RDML, IWq+ylDYe24eNwh8xOOxvw, Tiny) |
md5 | 745e57d1e9ef58647a60e3d341589d0f |
sha256 | dc633709fc89e2c8596d97b71135911f73fb51bd4b9e7adbac5692fc287b0165 |
ssdeep | 98304:8lTmkKs5QV/57/Alz6eun3QqBAnzrMDMNBY5rr07JTZIIWSOhWu:NhsKVS56/3QCAnvjsrI7JTWIWSOT |
imphash | 2a2a662be9dffc461398e7c94d0b55b4 |
impfuzzy | 6:HbJq4wX0pyYJxSBS0H5sD4sIW0oFUAliPEcn:7Jq4wMY58xaPXn |
Signature (20cnts)
Level | Description |
---|---|
danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (38cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) by library
msvcrt.dll
0x82cd9c strlen
0x82cda0 malloc
0x82cda4 fopen
0x82cda8 fwrite
0x82cdac fclose
0x82cdb0 memset
0x82cdb4 getenv
0x82cdb8 sprintf
0x82cdbc __argc
0x82cdc0 __argv
0x82cdc4 _environ
0x82cdc8 _XcptFilter
0x82cdcc __set_app_type
0x82cdd0 _controlfp
0x82cdd4 __getmainargs
0x82cdd8 exit
kernel32.dll
0x82cde0 CreateProcessA
0x82cde4 CloseHandle
0x82cde8 SetUnhandledExceptionFilter
EAT (Export Address Table): none
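The imphash in the report header is derived from exactly the import list above, so it can be recomputed from the listing as a consistency check when pivoting on that value. The following is an added example, not code from the report or from the sandbox: it parses the IAT section in the "library.dll" / "0xaddress function" layout used on this page, builds the canonical imphash string (library name lowercased with its .dll/.ocx/.sys extension stripped, function name lowercased, entries joined by commas in import-table order) and hashes it with MD5. It assumes the listing order above equals the import-directory order the sandbox hashed, and it omits the ordinal-to-name tables that the reference implementation applies for ws2_32/oleaut32 ordinals, since this sample imports none.

```python
"""Recompute the imphash of dd.exe from the IAT listing in this report.

Added example, not part of the original report or the sandbox's own code.
Simplification (assumption): ordinal imports are not resolved to names, so
this only matches the reference imphash for binaries that import by name,
which is the case for the 19 entries listed on this page.
"""
import hashlib
import re

# Copied from the IAT section of this report: a library header line followed
# by "0xaddress function" lines, in table order.
IAT_LISTING = """\
msvcrt.dll
0x82cd9c strlen
0x82cda0 malloc
0x82cda4 fopen
0x82cda8 fwrite
0x82cdac fclose
0x82cdb0 memset
0x82cdb4 getenv
0x82cdb8 sprintf
0x82cdbc __argc
0x82cdc0 __argv
0x82cdc4 _environ
0x82cdc8 _XcptFilter
0x82cdcc __set_app_type
0x82cdd0 _controlfp
0x82cdd4 __getmainargs
0x82cdd8 exit
kernel32.dll
0x82cde0 CreateProcessA
0x82cde4 CloseHandle
0x82cde8 SetUnhandledExceptionFilter
"""

# Value shown in the report header for this sample.
REPORTED_IMPHASH = "2a2a662be9dffc461398e7c94d0b55b4"

_ENTRY = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat(listing):
    """Return (library, function) pairs in listing order.

    Any line that is not an "0xaddr name" entry is treated as the header of
    the next library block.
    """
    pairs = []
    library = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _ENTRY.match(line)
        if match:
            if library is None:
                raise ValueError("import entry before any library header: " + line)
            pairs.append((library, match.group(1)))
        else:
            library = line
    return pairs


def imphash_string(pairs):
    """Canonical 'lib.func,lib.func,...' string that imphash hashes."""
    parts = []
    for library, func in pairs:
        name = library.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        parts.append(name + "." + func.lower())
    return ",".join(parts)


def imphash(pairs):
    """MD5 of the canonical import string, as a lowercase hex digest."""
    return hashlib.md5(imphash_string(pairs).encode("ascii")).hexdigest()


def compare_to_report(listing=IAT_LISTING, reported=REPORTED_IMPHASH):
    """Recompute the hash from a listing and compare it with the reported one."""
    pairs = parse_iat(listing)
    computed = imphash(pairs)
    return {
        "imports": len(pairs),
        "computed": computed,
        "reported": reported.lower(),
        "match": computed == reported.lower(),
    }


if __name__ == "__main__":
    result = compare_to_report()
    print(imphash_string(parse_iat(IAT_LISTING)))
    print(result)
```

A mismatch between the computed and reported values points at a difference in import order or ordinal handling rather than at a different binary, so check those before discarding the pivot. Also keep in mind that this import set is a small, generic CRT start-up profile (fopen, fwrite, getenv, CreateProcessA plus the msvcrt initialisation routines), so unrelated binaries built with the same toolchain can share the imphash; it is a weak clustering key on its own and should be combined with the sha256, ssdeep and behavioural findings listed above.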