ScreenShot
| Created | 2021.09.29 11:22 | Machine | s1_win7_x6402 |
| Filename | Shipping Documents-BL#SE20100068001.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 42 detected (AIDetect, malware2, NanoBot, malicious, high confidence, GenericKD, Unsafe, Save, confidence, 100%, ZevbaF, gm0@aOJ7r4g, GenKryptik, FJMX, besg, Inject4, VBObfus, eysw, Kryptik, orgtl, Sabsik, score, GuLoader, FDCP, ai score=88, BScope, Mucc, AvsArher, bTx33N, Static AI, Suspicious PE, GdSda, susgen) | ||
| md5 | 8993ca9025df7cdfee64edc454377def | ||
| sha256 | 07f726f72e8ce44a69de17da2822ad4cba08e29e64c644f3f62954cfeb8b96d1 | ||
| ssdeep | 1536:fDT8vLrQ9Y2YBrAGTBGhLJk2/fBAMIOafDoD+:rA4YBAgGh3BAMIOq | ||
| imphash | ff24a027dfc3b9e5934ec374a09b35a4 | ||
| impfuzzy | 48:njxQwzxwgPwegkRxkx43L3zcSYx1SxgdIGbwTlFNDyjUhw+/+Zx4SbSTC4wMSwC:njxQGxfPZgkRxkx47jcSYxwxgdIG8lFM | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Enumerates services |
| watch | One or more of the buffers contains an embedded PE file |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Connects to a Dynamic DNS Domain |
| notice | Creates a suspicious process |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (8cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY DNS Query to DynDNS Domain *.hopto .org
ET POLICY DNS Query to DynDNS Domain *.hopto .org
PE API
IAT(Import Address Table) Library
MSVBVM60.DLL
0x401000 None
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaAryMove
0x401010 __vbaFreeVar
0x401014 __vbaStrVarMove
0x401018 None
0x40101c __vbaFreeVarList
0x401020 _adj_fdiv_m64
0x401024 __vbaFreeObjList
0x401028 _adj_fprem1
0x40102c __vbaStrCat
0x401030 __vbaSetSystemError
0x401034 __vbaHresultCheckObj
0x401038 _adj_fdiv_m32
0x40103c __vbaAryVar
0x401040 __vbaAryDestruct
0x401044 None
0x401048 __vbaObjSet
0x40104c _adj_fdiv_m16i
0x401050 __vbaObjSetAddref
0x401054 None
0x401058 _adj_fdivr_m16i
0x40105c None
0x401060 None
0x401064 __vbaFpR8
0x401068 None
0x40106c _CIsin
0x401070 __vbaChkstk
0x401074 EVENT_SINK_AddRef
0x401078 __vbaStrCmp
0x40107c __vbaAryConstruct2
0x401080 __vbaVarTstEq
0x401084 __vbaR4Str
0x401088 __vbaI2I4
0x40108c DllFunctionCall
0x401090 _adj_fpatan
0x401094 __vbaLateIdCallLd
0x401098 None
0x40109c EVENT_SINK_Release
0x4010a0 _CIsqrt
0x4010a4 EVENT_SINK_QueryInterface
0x4010a8 __vbaExceptHandler
0x4010ac _adj_fprem
0x4010b0 _adj_fdivr_m64
0x4010b4 __vbaFPException
0x4010b8 _CIlog
0x4010bc None
0x4010c0 __vbaFileOpen
0x4010c4 None
0x4010c8 __vbaNew2
0x4010cc __vbaVar2Vec
0x4010d0 _adj_fdiv_m32i
0x4010d4 _adj_fdivr_m32i
0x4010d8 None
0x4010dc __vbaStrCopy
0x4010e0 __vbaFreeStrList
0x4010e4 _adj_fdivr_m32
0x4010e8 _adj_fdiv_r
0x4010ec None
0x4010f0 __vbaI4Var
0x4010f4 None
0x4010f8 __vbaStrToAnsi
0x4010fc None
0x401100 None
0x401104 _CIatan
0x401108 __vbaStrMove
0x40110c __vbaAryCopy
0x401110 __vbaCastObj
0x401114 _allmul
0x401118 __vbaLateIdSt
0x40111c _CItan
0x401120 _CIexp
0x401124 None
0x401128 __vbaFreeObj
0x40112c __vbaFreeStr
EAT(Export Address Table) is none
MSVBVM60.DLL
0x401000 None
0x401004 _CIcos
0x401008 _adj_fptan
0x40100c __vbaAryMove
0x401010 __vbaFreeVar
0x401014 __vbaStrVarMove
0x401018 None
0x40101c __vbaFreeVarList
0x401020 _adj_fdiv_m64
0x401024 __vbaFreeObjList
0x401028 _adj_fprem1
0x40102c __vbaStrCat
0x401030 __vbaSetSystemError
0x401034 __vbaHresultCheckObj
0x401038 _adj_fdiv_m32
0x40103c __vbaAryVar
0x401040 __vbaAryDestruct
0x401044 None
0x401048 __vbaObjSet
0x40104c _adj_fdiv_m16i
0x401050 __vbaObjSetAddref
0x401054 None
0x401058 _adj_fdivr_m16i
0x40105c None
0x401060 None
0x401064 __vbaFpR8
0x401068 None
0x40106c _CIsin
0x401070 __vbaChkstk
0x401074 EVENT_SINK_AddRef
0x401078 __vbaStrCmp
0x40107c __vbaAryConstruct2
0x401080 __vbaVarTstEq
0x401084 __vbaR4Str
0x401088 __vbaI2I4
0x40108c DllFunctionCall
0x401090 _adj_fpatan
0x401094 __vbaLateIdCallLd
0x401098 None
0x40109c EVENT_SINK_Release
0x4010a0 _CIsqrt
0x4010a4 EVENT_SINK_QueryInterface
0x4010a8 __vbaExceptHandler
0x4010ac _adj_fprem
0x4010b0 _adj_fdivr_m64
0x4010b4 __vbaFPException
0x4010b8 _CIlog
0x4010bc None
0x4010c0 __vbaFileOpen
0x4010c4 None
0x4010c8 __vbaNew2
0x4010cc __vbaVar2Vec
0x4010d0 _adj_fdiv_m32i
0x4010d4 _adj_fdivr_m32i
0x4010d8 None
0x4010dc __vbaStrCopy
0x4010e0 __vbaFreeStrList
0x4010e4 _adj_fdivr_m32
0x4010e8 _adj_fdiv_r
0x4010ec None
0x4010f0 __vbaI4Var
0x4010f4 None
0x4010f8 __vbaStrToAnsi
0x4010fc None
0x401100 None
0x401104 _CIatan
0x401108 __vbaStrMove
0x40110c __vbaAryCopy
0x401110 __vbaCastObj
0x401114 _allmul
0x401118 __vbaLateIdSt
0x40111c _CItan
0x401120 _CIexp
0x401124 None
0x401128 __vbaFreeObj
0x40112c __vbaFreeStr
EAT(Export Address Table) is none