Field | Value
---|---
Created | 2021.10.06 13:27
Machine | s1_win7_x6402
Filename | Build18_1950eu.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : malware
VT API (file) | 42 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Unsafe, Save, confidence, ZexaF, fHW@aG7cIeeG, Attribute, HighConfidence, R002H07J421, acma, UMal, hwoix@0, R + Mal, EncPk, PSWSteal, QO697Z, KVMH008, kcloud, Woreflint, score, SquirrelWaffle, R444149, Artemis, ai score=80, BScope, TrojanPSW, Papras, Probably Heur, ExeHeaderH, Generic@ML, RDML, bqTs4Q+SE, 1YS3ShmQcu4w, Static AI, Malicious PE, Kryptik, HMLF)
md5 | 5f251ddf1f41eb3ccc330508f173152a
sha256 | b7bd5421b8f7404d03566396d802acd841f32156f4d6195338249d677ce8224d
ssdeep | 3072:GP6X6qcNEUzZELeUoPxwAnjaPM76DBQ+E0RqfUE+kvHTz96K6ScIOj3K:GPcukLvBlRqfR+2Tz96KncIOja
imphash | 08dbf1a5c98fd4931a5aa7dc687e7799
impfuzzy | 6:HGDYBJAEtwyRlbVUAWnAHDeHAJ6HAWCQg5k18Qj0jbKontPQDcm:mDoAPqTWnAvl9B5k1URw
Network IP location
Signature (27cnts)
Level | Description |
---|---|
danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Harvests credentials from local email clients |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process build18_1950eu.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (19cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (9cnts)
Suricata IDs
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
PE API
IAT (Import Address Table) Library
kernel32.dll
0x492d000 GetProcAddress
0x492d004 LoadLibraryA
0x492d008 VirtualAlloc
0x492d00c VirtualProtect
0x492d010 GetCurrentThread
user32.dll
0x492d03c ShowCursor
0x492d040 SetFocus
0x492d044 SetWindowPos
0x492d048 GetAsyncKeyState
0x492d04c ShowWindow
0x492d050 GetActiveWindow
oledlg.dll
0x492d028 OleUIBusyW
0x492d02c OleUIConvertW
0x492d030 OleUIConvertA
0x492d034 OleUIBusyA
oleaut32.dll
0x492d020 VarSub
msimg32.dll
0x492d018 DllInitialize
EAT (Export Address Table) Library
0x4555f6 GetSound