ScreenShot
| Created | 2021.10.14 17:29 | Machine | s1_win7_x6402 |
| Filename | mine.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 35 detected (Donut, malicious, high confidence, Inject4, GenericKD, Artemis, Save, VMProtect, Malware@#xkkuxstof5er, Drixed, Static AI, Malicious PE, Redcap, wmihs, ai score=80, kcloud, Sabsik, score, 0NA104JD21, Unsafe, PossibleThreat) | ||
| md5 | f64ccb9df2b5df5287485f13c727d9dd | ||
| sha256 | 370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4 | ||
| ssdeep | 98304:B7AJbg4GyrPsJG9Ey+K6JJkoyw4di0agX1Bv0CsG12iNM/:B7AJbgJyrr+KwV/G71F0LclNM | ||
| imphash | eca9e2758b11f815ab34f11a0fdb4a51 | ||
| impfuzzy | 96:NqLg41AXB+Zcp+qjtu86tevVBSiZXpcu/:wmR+BuPZcg | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Manipulates memory of a non-child process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x738000 strlen
0x738008 malloc
0x738010 memset
0x738018 getenv
0x738020 sprintf
0x738028 printf
0x738030 __argc
0x738038 __argv
0x738040 _environ
0x738048 _XcptFilter
0x738050 __set_app_type
0x738058 _controlfp
0x738060 __getmainargs
0x738068 exit
kernel32.dll
0x738078 Sleep
0x738080 GetModuleFileNameA
0x738088 CreateProcessA
0x738090 CloseHandle
0x738098 SetUnhandledExceptionFilter
ntdll.dll
0x7380a8 NtAllocateVirtualMemory
0x7380b0 NtWriteVirtualMemory
0x7380b8 NtCreateThreadEx
WTSAPI32.dll
0x7380c8 WTSSendMessageW
kernel32.dll
0x7380d8 GetSystemTimeAsFileTime
0x7380e0 GetModuleHandleA
0x7380e8 CreateEventA
0x7380f0 GetModuleFileNameW
0x7380f8 LoadLibraryA
0x738100 TerminateProcess
0x738108 GetCurrentProcess
0x738110 CreateToolhelp32Snapshot
0x738118 Thread32First
0x738120 GetCurrentProcessId
0x738128 GetCurrentThreadId
0x738130 OpenThread
0x738138 Thread32Next
0x738140 CloseHandle
0x738148 SuspendThread
0x738150 ResumeThread
0x738158 WriteProcessMemory
0x738160 GetSystemInfo
0x738168 VirtualAlloc
0x738170 VirtualProtect
0x738178 VirtualFree
0x738180 GetProcessAffinityMask
0x738188 SetProcessAffinityMask
0x738190 GetCurrentThread
0x738198 SetThreadAffinityMask
0x7381a0 Sleep
0x7381a8 FreeLibrary
0x7381b0 GetTickCount
0x7381b8 SystemTimeToFileTime
0x7381c0 FileTimeToSystemTime
0x7381c8 GlobalFree
0x7381d0 LocalAlloc
0x7381d8 LocalFree
0x7381e0 GetProcAddress
0x7381e8 ExitProcess
0x7381f0 EnterCriticalSection
0x7381f8 LeaveCriticalSection
0x738200 InitializeCriticalSection
0x738208 DeleteCriticalSection
0x738210 GetModuleHandleW
0x738218 LoadResource
0x738220 MultiByteToWideChar
0x738228 FindResourceExW
0x738230 FindResourceExA
0x738238 WideCharToMultiByte
0x738240 GetThreadLocale
0x738248 GetUserDefaultLCID
0x738250 GetSystemDefaultLCID
0x738258 EnumResourceNamesA
0x738260 EnumResourceNamesW
0x738268 EnumResourceLanguagesA
0x738270 EnumResourceLanguagesW
0x738278 EnumResourceTypesA
0x738280 EnumResourceTypesW
0x738288 CreateFileW
0x738290 LoadLibraryW
0x738298 GetLastError
0x7382a0 FlushFileBuffers
0x7382a8 CreateFileA
0x7382b0 WriteConsoleW
0x7382b8 GetConsoleOutputCP
0x7382c0 WriteConsoleA
0x7382c8 SetStdHandle
0x7382d0 FlsSetValue
0x7382d8 GetCommandLineA
0x7382e0 RaiseException
0x7382e8 RtlPcToFileHeader
0x7382f0 RtlLookupFunctionEntry
0x7382f8 RtlUnwindEx
0x738300 HeapFree
0x738308 GetCPInfo
0x738310 GetACP
0x738318 GetOEMCP
0x738320 IsValidCodePage
0x738328 EncodePointer
0x738330 DecodePointer
0x738338 FlsGetValue
0x738340 FlsFree
0x738348 SetLastError
0x738350 FlsAlloc
0x738358 UnhandledExceptionFilter
0x738360 SetUnhandledExceptionFilter
0x738368 IsDebuggerPresent
0x738370 RtlVirtualUnwind
0x738378 RtlCaptureContext
0x738380 HeapAlloc
0x738388 LCMapStringA
0x738390 LCMapStringW
0x738398 SetHandleCount
0x7383a0 GetStdHandle
0x7383a8 GetFileType
0x7383b0 GetStartupInfoA
0x7383b8 GetModuleFileNameA
0x7383c0 FreeEnvironmentStringsA
0x7383c8 GetEnvironmentStrings
0x7383d0 FreeEnvironmentStringsW
0x7383d8 GetEnvironmentStringsW
0x7383e0 HeapSetInformation
0x7383e8 HeapCreate
0x7383f0 HeapDestroy
0x7383f8 QueryPerformanceCounter
0x738400 GetStringTypeA
0x738408 GetStringTypeW
0x738410 GetLocaleInfoA
0x738418 HeapSize
0x738420 WriteFile
0x738428 SetFilePointer
0x738430 GetConsoleCP
0x738438 GetConsoleMode
0x738440 HeapReAlloc
0x738448 InitializeCriticalSectionAndSpinCount
USER32.dll
0x738458 GetUserObjectInformationW
0x738460 CharUpperBuffW
0x738468 MessageBoxW
0x738470 GetProcessWindowStation
kernel32.dll
0x738480 LocalAlloc
0x738488 LocalFree
0x738490 GetModuleFileNameW
0x738498 GetProcessAffinityMask
0x7384a0 SetProcessAffinityMask
0x7384a8 SetThreadAffinityMask
0x7384b0 Sleep
0x7384b8 ExitProcess
0x7384c0 FreeLibrary
0x7384c8 LoadLibraryA
0x7384d0 GetModuleHandleA
0x7384d8 GetProcAddress
USER32.dll
0x7384e8 GetProcessWindowStation
0x7384f0 GetUserObjectInformationW
EAT(Export Address Table) is none
msvcrt.dll
0x738000 strlen
0x738008 malloc
0x738010 memset
0x738018 getenv
0x738020 sprintf
0x738028 printf
0x738030 __argc
0x738038 __argv
0x738040 _environ
0x738048 _XcptFilter
0x738050 __set_app_type
0x738058 _controlfp
0x738060 __getmainargs
0x738068 exit
kernel32.dll
0x738078 Sleep
0x738080 GetModuleFileNameA
0x738088 CreateProcessA
0x738090 CloseHandle
0x738098 SetUnhandledExceptionFilter
ntdll.dll
0x7380a8 NtAllocateVirtualMemory
0x7380b0 NtWriteVirtualMemory
0x7380b8 NtCreateThreadEx
WTSAPI32.dll
0x7380c8 WTSSendMessageW
kernel32.dll
0x7380d8 GetSystemTimeAsFileTime
0x7380e0 GetModuleHandleA
0x7380e8 CreateEventA
0x7380f0 GetModuleFileNameW
0x7380f8 LoadLibraryA
0x738100 TerminateProcess
0x738108 GetCurrentProcess
0x738110 CreateToolhelp32Snapshot
0x738118 Thread32First
0x738120 GetCurrentProcessId
0x738128 GetCurrentThreadId
0x738130 OpenThread
0x738138 Thread32Next
0x738140 CloseHandle
0x738148 SuspendThread
0x738150 ResumeThread
0x738158 WriteProcessMemory
0x738160 GetSystemInfo
0x738168 VirtualAlloc
0x738170 VirtualProtect
0x738178 VirtualFree
0x738180 GetProcessAffinityMask
0x738188 SetProcessAffinityMask
0x738190 GetCurrentThread
0x738198 SetThreadAffinityMask
0x7381a0 Sleep
0x7381a8 FreeLibrary
0x7381b0 GetTickCount
0x7381b8 SystemTimeToFileTime
0x7381c0 FileTimeToSystemTime
0x7381c8 GlobalFree
0x7381d0 LocalAlloc
0x7381d8 LocalFree
0x7381e0 GetProcAddress
0x7381e8 ExitProcess
0x7381f0 EnterCriticalSection
0x7381f8 LeaveCriticalSection
0x738200 InitializeCriticalSection
0x738208 DeleteCriticalSection
0x738210 GetModuleHandleW
0x738218 LoadResource
0x738220 MultiByteToWideChar
0x738228 FindResourceExW
0x738230 FindResourceExA
0x738238 WideCharToMultiByte
0x738240 GetThreadLocale
0x738248 GetUserDefaultLCID
0x738250 GetSystemDefaultLCID
0x738258 EnumResourceNamesA
0x738260 EnumResourceNamesW
0x738268 EnumResourceLanguagesA
0x738270 EnumResourceLanguagesW
0x738278 EnumResourceTypesA
0x738280 EnumResourceTypesW
0x738288 CreateFileW
0x738290 LoadLibraryW
0x738298 GetLastError
0x7382a0 FlushFileBuffers
0x7382a8 CreateFileA
0x7382b0 WriteConsoleW
0x7382b8 GetConsoleOutputCP
0x7382c0 WriteConsoleA
0x7382c8 SetStdHandle
0x7382d0 FlsSetValue
0x7382d8 GetCommandLineA
0x7382e0 RaiseException
0x7382e8 RtlPcToFileHeader
0x7382f0 RtlLookupFunctionEntry
0x7382f8 RtlUnwindEx
0x738300 HeapFree
0x738308 GetCPInfo
0x738310 GetACP
0x738318 GetOEMCP
0x738320 IsValidCodePage
0x738328 EncodePointer
0x738330 DecodePointer
0x738338 FlsGetValue
0x738340 FlsFree
0x738348 SetLastError
0x738350 FlsAlloc
0x738358 UnhandledExceptionFilter
0x738360 SetUnhandledExceptionFilter
0x738368 IsDebuggerPresent
0x738370 RtlVirtualUnwind
0x738378 RtlCaptureContext
0x738380 HeapAlloc
0x738388 LCMapStringA
0x738390 LCMapStringW
0x738398 SetHandleCount
0x7383a0 GetStdHandle
0x7383a8 GetFileType
0x7383b0 GetStartupInfoA
0x7383b8 GetModuleFileNameA
0x7383c0 FreeEnvironmentStringsA
0x7383c8 GetEnvironmentStrings
0x7383d0 FreeEnvironmentStringsW
0x7383d8 GetEnvironmentStringsW
0x7383e0 HeapSetInformation
0x7383e8 HeapCreate
0x7383f0 HeapDestroy
0x7383f8 QueryPerformanceCounter
0x738400 GetStringTypeA
0x738408 GetStringTypeW
0x738410 GetLocaleInfoA
0x738418 HeapSize
0x738420 WriteFile
0x738428 SetFilePointer
0x738430 GetConsoleCP
0x738438 GetConsoleMode
0x738440 HeapReAlloc
0x738448 InitializeCriticalSectionAndSpinCount
USER32.dll
0x738458 GetUserObjectInformationW
0x738460 CharUpperBuffW
0x738468 MessageBoxW
0x738470 GetProcessWindowStation
kernel32.dll
0x738480 LocalAlloc
0x738488 LocalFree
0x738490 GetModuleFileNameW
0x738498 GetProcessAffinityMask
0x7384a0 SetProcessAffinityMask
0x7384a8 SetThreadAffinityMask
0x7384b0 Sleep
0x7384b8 ExitProcess
0x7384c0 FreeLibrary
0x7384c8 LoadLibraryA
0x7384d0 GetModuleHandleA
0x7384d8 GetProcAddress
USER32.dll
0x7384e8 GetProcessWindowStation
0x7384f0 GetUserObjectInformationW
EAT(Export Address Table) is none