ScreenShot
| Created | 2021.10.06 13:35 | Machine | s1_win7_x6402 |
| Filename | sWpkHYi_300.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 30 detected (malicious, high confidence, score, GenericC, Unsafe, myuedw, Attribute, HighConfidence, AQ suspicious, GenericKD, FileRepMalware, Outbreak, O53UVC, kcloud, Sabsik, ai score=81, Static AI, Suspicious PE) | ||
| md5 | 2230be98a60b2f788f674d605cc79ef0 | ||
| sha256 | e649de0bee767b8eeb2c1b14cf6fa21702eabff811a0ec26b1441e715c4a0d8c | ||
| ssdeep | 24576:6YMAwUfkiEeIpWn7Vm/jkwBm00JG4uJrVhMWrPa2cw:6YM4kpeIpIY/j5DmaBP | ||
| imphash | e51ee40ae0ed0decdf850b45dd7e4ce6 | ||
| impfuzzy | 48:4b331IDOuAKpEN19avwHKd1DSV8KObpNRoACu6x9KEV45lX+ETG8twtdU95Svrz0:Wn1IDPAkEPEvwHG1DSV8KOmdVG3mj0 | ||
Network IP location
Signature (39cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | Installs itself for autorun at Windows startup |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (41cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Hijack_Network | Hijack network configuration | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Network (8cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x1001000 FreeSid
0x1001004 AllocateAndInitializeSid
0x1001008 EqualSid
0x100100c GetTokenInformation
0x1001010 OpenProcessToken
0x1001014 AdjustTokenPrivileges
0x1001018 LookupPrivilegeValueA
0x100101c RegCloseKey
0x1001020 RegDeleteValueA
0x1001024 RegOpenKeyExA
0x1001028 RegQueryValueExA
0x100102c RegQueryInfoKeyA
0x1001030 RegSetValueExA
0x1001034 RegCreateKeyExA
KERNEL32.dll
0x100104c LocalFree
0x1001050 LocalAlloc
0x1001054 GetLastError
0x1001058 GetCurrentProcess
0x100105c lstrlenA
0x1001060 _lclose
0x1001064 _llseek
0x1001068 _lopen
0x100106c WritePrivateProfileStringA
0x1001070 GetWindowsDirectoryA
0x1001074 CreateDirectoryA
0x1001078 GetFileAttributesA
0x100107c GetModuleFileNameA
0x1001080 GetSystemDirectoryA
0x1001084 RemoveDirectoryA
0x1001088 FindClose
0x100108c FindNextFileA
0x1001090 DeleteFileA
0x1001094 SetFileAttributesA
0x1001098 lstrcmpA
0x100109c FindFirstFileA
0x10010a0 ExpandEnvironmentStringsA
0x10010a4 GlobalFree
0x10010a8 GlobalUnlock
0x10010ac GlobalLock
0x10010b0 GlobalAlloc
0x10010b4 IsDBCSLeadByte
0x10010b8 GetShortPathNameA
0x10010bc GetPrivateProfileStringA
0x10010c0 GetPrivateProfileIntA
0x10010c4 CompareStringA
0x10010c8 GetVersion
0x10010cc GetModuleHandleW
0x10010d0 FreeResource
0x10010d4 LockResource
0x10010d8 LoadResource
0x10010dc SizeofResource
0x10010e0 CloseHandle
0x10010e4 ReadFile
0x10010e8 WriteFile
0x10010ec SetFilePointer
0x10010f0 SetFileTime
0x10010f4 LocalFileTimeToFileTime
0x10010f8 DosDateTimeToFileTime
0x10010fc CreateFileA
0x1001100 SetCurrentDirectoryA
0x1001104 GetTempFileNameA
0x1001108 GetVolumeInformationA
0x100110c FormatMessageA
0x1001110 GetCurrentDirectoryA
0x1001114 ExitProcess
0x1001118 LoadLibraryExA
0x100111c GetVersionExA
0x1001120 GetExitCodeProcess
0x1001124 GetProcAddress
0x1001128 CreateProcessA
0x100112c GetTempPathA
0x1001130 GetSystemInfo
0x1001134 CreateMutexA
0x1001138 SetEvent
0x100113c CreateEventA
0x1001140 CreateThread
0x1001144 ResetEvent
0x1001148 TerminateThread
0x100114c GetDriveTypeA
0x1001150 FindResourceA
0x1001154 LoadLibraryA
0x1001158 FreeLibrary
0x100115c InterlockedExchange
0x1001160 Sleep
0x1001164 InterlockedCompareExchange
0x1001168 GetStartupInfoA
0x100116c RtlUnwind
0x1001170 SetUnhandledExceptionFilter
0x1001174 GetModuleHandleA
0x1001178 QueryPerformanceCounter
0x100117c GetTickCount
0x1001180 GetCurrentThreadId
0x1001184 GetCurrentProcessId
0x1001188 GetSystemTimeAsFileTime
0x100118c TerminateProcess
0x1001190 UnhandledExceptionFilter
0x1001194 EnumResourceLanguagesA
0x1001198 MulDiv
0x100119c GetDiskFreeSpaceA
0x10011a0 WaitForSingleObject
GDI32.dll
0x1001044 GetDeviceCaps
USER32.dll
0x10011a8 SendDlgItemMessageA
0x10011ac GetDlgItem
0x10011b0 SetForegroundWindow
0x10011b4 SetWindowTextA
0x10011b8 MessageBoxA
0x10011bc DialogBoxIndirectParamA
0x10011c0 ShowWindow
0x10011c4 EnableWindow
0x10011c8 GetDlgItemTextA
0x10011cc GetDC
0x10011d0 ReleaseDC
0x10011d4 SetWindowPos
0x10011d8 SendMessageA
0x10011dc PeekMessageA
0x10011e0 MsgWaitForMultipleObjects
0x10011e4 DispatchMessageA
0x10011e8 CallWindowProcA
0x10011ec GetWindowLongA
0x10011f0 SetWindowLongA
0x10011f4 CharPrevA
0x10011f8 CharUpperA
0x10011fc CharNextA
0x1001200 ExitWindowsEx
0x1001204 EndDialog
0x1001208 GetDesktopWindow
0x100120c LoadStringA
0x1001210 SetDlgItemTextA
0x1001214 MessageBeep
0x1001218 GetWindowRect
0x100121c GetSystemMetrics
msvcrt.dll
0x1001234 _cexit
0x1001238 _exit
0x100123c _XcptFilter
0x1001240 _ismbblead
0x1001244 exit
0x1001248 _acmdln
0x100124c _initterm
0x1001250 _amsg_exit
0x1001254 __setusermatherr
0x1001258 _adjust_fdiv
0x100125c __p__commode
0x1001260 __p__fmode
0x1001264 __set_app_type
0x1001268 ?terminate@@YAXXZ
0x100126c _controlfp
0x1001270 __getmainargs
0x1001274 memcpy
0x1001278 memset
0x100127c _vsnprintf
COMCTL32.dll
0x100103c None
VERSION.dll
0x1001224 GetFileVersionInfoSizeA
0x1001228 GetFileVersionInfoA
0x100122c VerQueryValueA
EAT(Export Address Table) is none
ADVAPI32.dll
0x1001000 FreeSid
0x1001004 AllocateAndInitializeSid
0x1001008 EqualSid
0x100100c GetTokenInformation
0x1001010 OpenProcessToken
0x1001014 AdjustTokenPrivileges
0x1001018 LookupPrivilegeValueA
0x100101c RegCloseKey
0x1001020 RegDeleteValueA
0x1001024 RegOpenKeyExA
0x1001028 RegQueryValueExA
0x100102c RegQueryInfoKeyA
0x1001030 RegSetValueExA
0x1001034 RegCreateKeyExA
KERNEL32.dll
0x100104c LocalFree
0x1001050 LocalAlloc
0x1001054 GetLastError
0x1001058 GetCurrentProcess
0x100105c lstrlenA
0x1001060 _lclose
0x1001064 _llseek
0x1001068 _lopen
0x100106c WritePrivateProfileStringA
0x1001070 GetWindowsDirectoryA
0x1001074 CreateDirectoryA
0x1001078 GetFileAttributesA
0x100107c GetModuleFileNameA
0x1001080 GetSystemDirectoryA
0x1001084 RemoveDirectoryA
0x1001088 FindClose
0x100108c FindNextFileA
0x1001090 DeleteFileA
0x1001094 SetFileAttributesA
0x1001098 lstrcmpA
0x100109c FindFirstFileA
0x10010a0 ExpandEnvironmentStringsA
0x10010a4 GlobalFree
0x10010a8 GlobalUnlock
0x10010ac GlobalLock
0x10010b0 GlobalAlloc
0x10010b4 IsDBCSLeadByte
0x10010b8 GetShortPathNameA
0x10010bc GetPrivateProfileStringA
0x10010c0 GetPrivateProfileIntA
0x10010c4 CompareStringA
0x10010c8 GetVersion
0x10010cc GetModuleHandleW
0x10010d0 FreeResource
0x10010d4 LockResource
0x10010d8 LoadResource
0x10010dc SizeofResource
0x10010e0 CloseHandle
0x10010e4 ReadFile
0x10010e8 WriteFile
0x10010ec SetFilePointer
0x10010f0 SetFileTime
0x10010f4 LocalFileTimeToFileTime
0x10010f8 DosDateTimeToFileTime
0x10010fc CreateFileA
0x1001100 SetCurrentDirectoryA
0x1001104 GetTempFileNameA
0x1001108 GetVolumeInformationA
0x100110c FormatMessageA
0x1001110 GetCurrentDirectoryA
0x1001114 ExitProcess
0x1001118 LoadLibraryExA
0x100111c GetVersionExA
0x1001120 GetExitCodeProcess
0x1001124 GetProcAddress
0x1001128 CreateProcessA
0x100112c GetTempPathA
0x1001130 GetSystemInfo
0x1001134 CreateMutexA
0x1001138 SetEvent
0x100113c CreateEventA
0x1001140 CreateThread
0x1001144 ResetEvent
0x1001148 TerminateThread
0x100114c GetDriveTypeA
0x1001150 FindResourceA
0x1001154 LoadLibraryA
0x1001158 FreeLibrary
0x100115c InterlockedExchange
0x1001160 Sleep
0x1001164 InterlockedCompareExchange
0x1001168 GetStartupInfoA
0x100116c RtlUnwind
0x1001170 SetUnhandledExceptionFilter
0x1001174 GetModuleHandleA
0x1001178 QueryPerformanceCounter
0x100117c GetTickCount
0x1001180 GetCurrentThreadId
0x1001184 GetCurrentProcessId
0x1001188 GetSystemTimeAsFileTime
0x100118c TerminateProcess
0x1001190 UnhandledExceptionFilter
0x1001194 EnumResourceLanguagesA
0x1001198 MulDiv
0x100119c GetDiskFreeSpaceA
0x10011a0 WaitForSingleObject
GDI32.dll
0x1001044 GetDeviceCaps
USER32.dll
0x10011a8 SendDlgItemMessageA
0x10011ac GetDlgItem
0x10011b0 SetForegroundWindow
0x10011b4 SetWindowTextA
0x10011b8 MessageBoxA
0x10011bc DialogBoxIndirectParamA
0x10011c0 ShowWindow
0x10011c4 EnableWindow
0x10011c8 GetDlgItemTextA
0x10011cc GetDC
0x10011d0 ReleaseDC
0x10011d4 SetWindowPos
0x10011d8 SendMessageA
0x10011dc PeekMessageA
0x10011e0 MsgWaitForMultipleObjects
0x10011e4 DispatchMessageA
0x10011e8 CallWindowProcA
0x10011ec GetWindowLongA
0x10011f0 SetWindowLongA
0x10011f4 CharPrevA
0x10011f8 CharUpperA
0x10011fc CharNextA
0x1001200 ExitWindowsEx
0x1001204 EndDialog
0x1001208 GetDesktopWindow
0x100120c LoadStringA
0x1001210 SetDlgItemTextA
0x1001214 MessageBeep
0x1001218 GetWindowRect
0x100121c GetSystemMetrics
msvcrt.dll
0x1001234 _cexit
0x1001238 _exit
0x100123c _XcptFilter
0x1001240 _ismbblead
0x1001244 exit
0x1001248 _acmdln
0x100124c _initterm
0x1001250 _amsg_exit
0x1001254 __setusermatherr
0x1001258 _adjust_fdiv
0x100125c __p__commode
0x1001260 __p__fmode
0x1001264 __set_app_type
0x1001268 ?terminate@@YAXXZ
0x100126c _controlfp
0x1001270 __getmainargs
0x1001274 memcpy
0x1001278 memset
0x100127c _vsnprintf
COMCTL32.dll
0x100103c None
VERSION.dll
0x1001224 GetFileVersionInfoSizeA
0x1001228 GetFileVersionInfoA
0x100122c VerQueryValueA
EAT(Export Address Table) is none