ScreenShot
| Created | 2021.09.28 13:59 | Machine | s1_win7_x6401 |
| Filename | build.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 6bacb42179eb54d6afac2664cd0227d7 | ||
| sha256 | d87865909f5bfd462d0f0a5110e0bb7c9a1a177ece1cb90c9755263a285949d9 | ||
| ssdeep | 24576:QN5sQXdZD4UjBEk/xf3P86KgVNgE5p4sJXuO:QPdZDxBLn86KAbhJ | ||
| imphash | f43d32468f3d02d6bc45f98f703cafd2 | ||
| impfuzzy | 48:CORcxX02inFXsYBfjObztXHacyIK9Jc+lfk:NaxXNuFXsCfjQtX6cyIQJc+lfk | ||
Network IP location
Signature (29cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | Generates some ICMP traffic |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Installs itself for autorun at Windows startup |
| watch | Network activity contains more than one unique useragent |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process build.exe |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (26cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | memory |
| warning | infoStealer_browser_Zero | browser info stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Win_Trojan_agentTesla_Zero | Win.Trojan.agentTesla | memory |
Network (11cnts) ?
Suricata ids
ET INFO TLS Handshake Failure
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET DNS Query for .to TLD
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET DNS Query for .to TLD
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41c008 CopyFileExW
0x41c00c TlsGetValue
0x41c010 InterlockedIncrement
0x41c014 GetCommState
0x41c018 GetProfileStringW
0x41c01c UnlockFile
0x41c020 CallNamedPipeW
0x41c024 FreeEnvironmentStringsA
0x41c028 GetNumberFormatA
0x41c02c FindResourceExA
0x41c030 GlobalAlloc
0x41c034 GetPrivateProfileIntA
0x41c038 GetConsoleAliasExesLengthW
0x41c03c HeapDestroy
0x41c040 CreateSemaphoreA
0x41c044 EnumResourceLanguagesA
0x41c048 GetModuleFileNameW
0x41c04c GetCompressedFileSizeA
0x41c050 GetSystemDirectoryA
0x41c054 CreateActCtxA
0x41c058 GetBinaryTypeW
0x41c05c lstrlenW
0x41c060 LCMapStringA
0x41c064 GetStartupInfoA
0x41c068 SetThreadLocale
0x41c06c GetStdHandle
0x41c070 GetThreadContext
0x41c074 FreeLibraryAndExitThread
0x41c078 GetLastError
0x41c07c GetProcAddress
0x41c080 CreateNamedPipeA
0x41c084 EnterCriticalSection
0x41c088 LoadLibraryA
0x41c08c OpenMutexA
0x41c090 WritePrivateProfileStringA
0x41c094 SetThreadIdealProcessor
0x41c098 FindAtomA
0x41c09c SetSystemTime
0x41c0a0 FindNextFileA
0x41c0a4 CreateIoCompletionPort
0x41c0a8 GetModuleHandleA
0x41c0ac FindFirstChangeNotificationA
0x41c0b0 HeapSetInformation
0x41c0b4 WriteProfileStringW
0x41c0b8 GetCurrentDirectoryA
0x41c0bc SetFileShortNameA
0x41c0c0 FindAtomW
0x41c0c4 UnregisterWaitEx
0x41c0c8 GetSystemTime
0x41c0cc DeleteFileA
0x41c0d0 GetVolumeInformationW
0x41c0d4 LocalFileTimeToFileTime
0x41c0d8 GetCPInfoExW
0x41c0dc GetCommandLineW
0x41c0e0 WideCharToMultiByte
0x41c0e4 EncodePointer
0x41c0e8 DecodePointer
0x41c0ec GetStartupInfoW
0x41c0f0 TerminateProcess
0x41c0f4 GetCurrentProcess
0x41c0f8 UnhandledExceptionFilter
0x41c0fc SetUnhandledExceptionFilter
0x41c100 IsDebuggerPresent
0x41c104 InterlockedDecrement
0x41c108 GetACP
0x41c10c GetOEMCP
0x41c110 GetCPInfo
0x41c114 IsValidCodePage
0x41c118 TlsAlloc
0x41c11c TlsSetValue
0x41c120 GetCurrentThreadId
0x41c124 TlsFree
0x41c128 GetModuleHandleW
0x41c12c SetLastError
0x41c130 HeapValidate
0x41c134 IsBadReadPtr
0x41c138 ExitProcess
0x41c13c LeaveCriticalSection
0x41c140 SetHandleCount
0x41c144 InitializeCriticalSectionAndSpinCount
0x41c148 GetFileType
0x41c14c DeleteCriticalSection
0x41c150 QueryPerformanceCounter
0x41c154 GetTickCount
0x41c158 GetCurrentProcessId
0x41c15c GetSystemTimeAsFileTime
0x41c160 FreeEnvironmentStringsW
0x41c164 GetEnvironmentStringsW
0x41c168 HeapCreate
0x41c16c WriteFile
0x41c170 IsProcessorFeaturePresent
0x41c174 OutputDebugStringA
0x41c178 WriteConsoleW
0x41c17c OutputDebugStringW
0x41c180 LoadLibraryW
0x41c184 RtlUnwind
0x41c188 LCMapStringW
0x41c18c MultiByteToWideChar
0x41c190 GetStringTypeW
0x41c194 SetFilePointer
0x41c198 GetConsoleCP
0x41c19c GetConsoleMode
0x41c1a0 HeapAlloc
0x41c1a4 GetModuleFileNameA
0x41c1a8 HeapReAlloc
0x41c1ac HeapSize
0x41c1b0 HeapQueryInformation
0x41c1b4 HeapFree
0x41c1b8 SetStdHandle
0x41c1bc FlushFileBuffers
0x41c1c0 RaiseException
0x41c1c4 CreateFileW
0x41c1c8 CloseHandle
GDI32.dll
0x41c000 GetCharWidthW
EAT(Export Address Table) is none
KERNEL32.dll
0x41c008 CopyFileExW
0x41c00c TlsGetValue
0x41c010 InterlockedIncrement
0x41c014 GetCommState
0x41c018 GetProfileStringW
0x41c01c UnlockFile
0x41c020 CallNamedPipeW
0x41c024 FreeEnvironmentStringsA
0x41c028 GetNumberFormatA
0x41c02c FindResourceExA
0x41c030 GlobalAlloc
0x41c034 GetPrivateProfileIntA
0x41c038 GetConsoleAliasExesLengthW
0x41c03c HeapDestroy
0x41c040 CreateSemaphoreA
0x41c044 EnumResourceLanguagesA
0x41c048 GetModuleFileNameW
0x41c04c GetCompressedFileSizeA
0x41c050 GetSystemDirectoryA
0x41c054 CreateActCtxA
0x41c058 GetBinaryTypeW
0x41c05c lstrlenW
0x41c060 LCMapStringA
0x41c064 GetStartupInfoA
0x41c068 SetThreadLocale
0x41c06c GetStdHandle
0x41c070 GetThreadContext
0x41c074 FreeLibraryAndExitThread
0x41c078 GetLastError
0x41c07c GetProcAddress
0x41c080 CreateNamedPipeA
0x41c084 EnterCriticalSection
0x41c088 LoadLibraryA
0x41c08c OpenMutexA
0x41c090 WritePrivateProfileStringA
0x41c094 SetThreadIdealProcessor
0x41c098 FindAtomA
0x41c09c SetSystemTime
0x41c0a0 FindNextFileA
0x41c0a4 CreateIoCompletionPort
0x41c0a8 GetModuleHandleA
0x41c0ac FindFirstChangeNotificationA
0x41c0b0 HeapSetInformation
0x41c0b4 WriteProfileStringW
0x41c0b8 GetCurrentDirectoryA
0x41c0bc SetFileShortNameA
0x41c0c0 FindAtomW
0x41c0c4 UnregisterWaitEx
0x41c0c8 GetSystemTime
0x41c0cc DeleteFileA
0x41c0d0 GetVolumeInformationW
0x41c0d4 LocalFileTimeToFileTime
0x41c0d8 GetCPInfoExW
0x41c0dc GetCommandLineW
0x41c0e0 WideCharToMultiByte
0x41c0e4 EncodePointer
0x41c0e8 DecodePointer
0x41c0ec GetStartupInfoW
0x41c0f0 TerminateProcess
0x41c0f4 GetCurrentProcess
0x41c0f8 UnhandledExceptionFilter
0x41c0fc SetUnhandledExceptionFilter
0x41c100 IsDebuggerPresent
0x41c104 InterlockedDecrement
0x41c108 GetACP
0x41c10c GetOEMCP
0x41c110 GetCPInfo
0x41c114 IsValidCodePage
0x41c118 TlsAlloc
0x41c11c TlsSetValue
0x41c120 GetCurrentThreadId
0x41c124 TlsFree
0x41c128 GetModuleHandleW
0x41c12c SetLastError
0x41c130 HeapValidate
0x41c134 IsBadReadPtr
0x41c138 ExitProcess
0x41c13c LeaveCriticalSection
0x41c140 SetHandleCount
0x41c144 InitializeCriticalSectionAndSpinCount
0x41c148 GetFileType
0x41c14c DeleteCriticalSection
0x41c150 QueryPerformanceCounter
0x41c154 GetTickCount
0x41c158 GetCurrentProcessId
0x41c15c GetSystemTimeAsFileTime
0x41c160 FreeEnvironmentStringsW
0x41c164 GetEnvironmentStringsW
0x41c168 HeapCreate
0x41c16c WriteFile
0x41c170 IsProcessorFeaturePresent
0x41c174 OutputDebugStringA
0x41c178 WriteConsoleW
0x41c17c OutputDebugStringW
0x41c180 LoadLibraryW
0x41c184 RtlUnwind
0x41c188 LCMapStringW
0x41c18c MultiByteToWideChar
0x41c190 GetStringTypeW
0x41c194 SetFilePointer
0x41c198 GetConsoleCP
0x41c19c GetConsoleMode
0x41c1a0 HeapAlloc
0x41c1a4 GetModuleFileNameA
0x41c1a8 HeapReAlloc
0x41c1ac HeapSize
0x41c1b0 HeapQueryInformation
0x41c1b4 HeapFree
0x41c1b8 SetStdHandle
0x41c1bc FlushFileBuffers
0x41c1c0 RaiseException
0x41c1c4 CreateFileW
0x41c1c8 CloseHandle
GDI32.dll
0x41c000 GetCharWidthW
EAT(Export Address Table) is none