ScreenShot
| Created | 2021.10.06 13:57 | Machine | s1_win7_x6401 |
| Filename | 507913557.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 38 detected (Malicious, score, Artemis, Unsafe, Save, Miner, VMProtect, Razy, apso, GenericKD, Hxqb, Generic ML PUA, Static AI, Malicious PE, pjtux, ai score=81, Tnega, Ilgergop, BMPRZK, Sabsik, R002C0WJ221, PossibleThreat, PALLAS) | ||
| md5 | 99f51633e0f6419c6310a9e08d3626a1 | ||
| sha256 | 77e702d254b785a06bcf595edf09601d6cffc172cf019646145c7631091e20a9 | ||
| ssdeep | 196608:vg+4e5gFmXm5lxO8nTg0S4Two7zex35w:vg+FWLOpzqzeE | ||
| imphash | 9a9e6c9ce6105ad0da2a6340043f0b25 | ||
| impfuzzy | 12:Bt57d/9T7SyvJnwfP9qZGoQtXJxZGb9AJcDfA5kLfP9m:rtdFvSYJwaQtXJHc9NDI5Q8 | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| warning | Stops Windows services |
| watch | Installs itself for autorun at Windows startup |
| watch | One or more non-whitelisted processes were created |
| watch | Operates on local firewall's policies and settings |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140566000 SizeofResource
USER32.dll
0x140566010 ShowWindow
ADVAPI32.dll
0x140566020 GetUserNameA
SHELL32.dll
0x140566030 SHGetSpecialFolderPathW
ole32.dll
0x140566040 CoInitializeEx
WININET.dll
0x140566050 HttpOpenRequestW
urlmon.dll
0x140566060 URLDownloadToFileW
dxgi.dll
0x140566070 CreateDXGIFactory
WTSAPI32.dll
0x140566080 WTSSendMessageW
KERNEL32.dll
0x140566090 GetSystemTimeAsFileTime
USER32.dll
0x1405660a0 GetUserObjectInformationW
KERNEL32.dll
0x1405660b0 LocalAlloc
0x1405660b8 LocalFree
0x1405660c0 GetModuleFileNameW
0x1405660c8 GetProcessAffinityMask
0x1405660d0 SetProcessAffinityMask
0x1405660d8 SetThreadAffinityMask
0x1405660e0 Sleep
0x1405660e8 ExitProcess
0x1405660f0 FreeLibrary
0x1405660f8 LoadLibraryA
0x140566100 GetModuleHandleA
0x140566108 GetProcAddress
USER32.dll
0x140566118 GetProcessWindowStation
0x140566120 GetUserObjectInformationW
EAT(Export Address Table) is none
KERNEL32.dll
0x140566000 SizeofResource
USER32.dll
0x140566010 ShowWindow
ADVAPI32.dll
0x140566020 GetUserNameA
SHELL32.dll
0x140566030 SHGetSpecialFolderPathW
ole32.dll
0x140566040 CoInitializeEx
WININET.dll
0x140566050 HttpOpenRequestW
urlmon.dll
0x140566060 URLDownloadToFileW
dxgi.dll
0x140566070 CreateDXGIFactory
WTSAPI32.dll
0x140566080 WTSSendMessageW
KERNEL32.dll
0x140566090 GetSystemTimeAsFileTime
USER32.dll
0x1405660a0 GetUserObjectInformationW
KERNEL32.dll
0x1405660b0 LocalAlloc
0x1405660b8 LocalFree
0x1405660c0 GetModuleFileNameW
0x1405660c8 GetProcessAffinityMask
0x1405660d0 SetProcessAffinityMask
0x1405660d8 SetThreadAffinityMask
0x1405660e0 Sleep
0x1405660e8 ExitProcess
0x1405660f0 FreeLibrary
0x1405660f8 LoadLibraryA
0x140566100 GetModuleHandleA
0x140566108 GetProcAddress
USER32.dll
0x140566118 GetProcessWindowStation
0x140566120 GetUserObjectInformationW
EAT(Export Address Table) is none