ScreenShot
Field | Value |
---|---|
Created | 2021.10.21 10:40 |
Machine | s1_win7_x6401 |
Filename | Porcal4.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 8 detected (Artemis!27828516C387, Backdoor.Remcos.A, Backdoor.Win32.Remcos, Win32.Backdoor.Remcos.7YHCVI, Trojan.Win32.Chapak.gen, HEUR:Trojan.Win32.Chapak.gen, Trojan.Win32.Chapak.4!c, PossibleThreat.MU) |
md5 | 27828516c38739491a3d20e733850aa5 |
sha256 | 2e8b750d6a8b14cff802d89ba55447014d63ffd4c5c711f36e900d6a9aff66df |
ssdeep | 196608:QL6ocnTV67JnbhUtuvbPORiE9Z1v8KMf4UUIHSMi:a6JnTE7Jn1UGW7v8HQsi |
imphash | 0748c08f838865e5d72743f7fd7e551e |
impfuzzy | 48:JO3cSpvEHEHQPbRxV95EU1rkrJiaZMxWBrYUPyxUZfO:J+cSpvEHEHQPLVnD1rkrExW5YUP3W |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | File has been identified by 12 AntiVirus engines on VirusTotal as malicious |
watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (40cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate priviledges | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Suricata ids
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x585000 CreateFileW
0x585004 CloseHandle
0x585008 WriteFile
0x58500c DeleteFileW
0x585010 HeapDestroy
0x585014 HeapSize
0x585018 HeapReAlloc
0x58501c HeapFree
0x585020 HeapAlloc
0x585024 GetProcessHeap
0x585028 SizeofResource
0x58502c LockResource
0x585030 LoadResource
0x585034 FindResourceW
0x585038 FindResourceExW
0x58503c RemoveDirectoryW
0x585040 GetTempPathW
0x585044 GetTempFileNameW
0x585048 CreateDirectoryW
0x58504c MoveFileW
0x585050 GetLastError
0x585054 EnterCriticalSection
0x585058 LeaveCriticalSection
0x58505c GetModuleFileNameW
0x585060 DeleteCriticalSection
0x585064 InitializeCriticalSectionAndSpinCount
0x585068 GetCurrentThreadId
0x58506c RaiseException
0x585070 SetLastError
0x585074 GlobalUnlock
0x585078 GlobalLock
0x58507c GlobalAlloc
0x585080 MulDiv
0x585084 lstrcmpW
0x585088 CreateEventW
0x58508c FindClose
0x585090 FindFirstFileW
0x585094 GetFullPathNameW
0x585098 SetEvent
0x58509c InitializeCriticalSection
0x5850a0 lstrcpynW
0x5850a4 WaitForSingleObject
0x5850a8 CreateThread
0x5850ac GetProcAddress
0x5850b0 LoadLibraryExW
0x5850b4 DecodePointer
0x5850b8 Sleep
0x5850bc GetDiskFreeSpaceExW
0x5850c0 GetExitCodeThread
0x5850c4 GetCurrentProcessId
0x5850c8 FreeLibrary
0x5850cc GetSystemDirectoryW
0x5850d0 lstrlenW
0x5850d4 VerifyVersionInfoW
0x5850d8 VerSetConditionMask
0x5850dc lstrcmpiW
0x5850e0 GetModuleHandleW
0x5850e4 LoadLibraryW
0x5850e8 GetDriveTypeW
0x5850ec CompareStringW
0x5850f0 FindNextFileW
0x5850f4 GetLogicalDriveStringsW
0x5850f8 GetFileSize
0x5850fc GetFileAttributesW
0x585100 GetShortPathNameW
0x585104 SetFileAttributesW
0x585108 GetFileTime
0x58510c CopyFileW
0x585110 ReadFile
0x585114 SetFilePointer
0x585118 SystemTimeToFileTime
0x58511c MultiByteToWideChar
0x585120 WideCharToMultiByte
0x585124 GetCurrentProcess
0x585128 GetSystemInfo
0x58512c WaitForMultipleObjects
0x585130 VirtualProtect
0x585134 VirtualQuery
0x585138 LoadLibraryExA
0x58513c GetStringTypeW
0x585140 SetUnhandledExceptionFilter
0x585144 FileTimeToSystemTime
0x585148 GetEnvironmentVariableW
0x58514c GetEnvironmentStringsW
0x585150 FormatMessageW
0x585154 LocalFree
0x585158 InitializeCriticalSectionEx
0x58515c LoadLibraryA
0x585160 GetModuleFileNameA
0x585164 GetCurrentThread
0x585168 GetConsoleOutputCP
0x58516c FlushFileBuffers
0x585170 SetConsoleTextAttribute
0x585174 GetStdHandle
0x585178 GetConsoleScreenBufferInfo
0x58517c OutputDebugStringW
0x585180 CreateProcessW
0x585184 GetExitCodeProcess
0x585188 GetTickCount
0x58518c GetCommandLineW
0x585190 SetCurrentDirectoryW
0x585194 SetEndOfFile
0x585198 EnumResourceLanguagesW
0x58519c GetLocaleInfoW
0x5851a0 GetSystemDefaultLangID
0x5851a4 GetUserDefaultLangID
0x5851a8 GetWindowsDirectoryW
0x5851ac GetSystemTime
0x5851b0 GetDateFormatW
0x5851b4 GetTimeFormatW
0x5851b8 CreateToolhelp32Snapshot
0x5851bc Process32FirstW
0x5851c0 Process32NextW
0x5851c4 ResetEvent
0x5851c8 GlobalFree
0x5851cc GetPrivateProfileStringW
0x5851d0 GetPrivateProfileSectionNamesW
0x5851d4 WritePrivateProfileStringW
0x5851d8 GetLocalTime
0x5851dc CreateNamedPipeW
0x5851e0 ConnectNamedPipe
0x5851e4 Wow64DisableWow64FsRedirection
0x5851e8 Wow64RevertWow64FsRedirection
0x5851ec IsWow64Process
0x5851f0 TerminateThread
0x5851f4 LocalAlloc
0x5851f8 CompareFileTime
0x5851fc CopyFileExW
0x585200 OpenEventW
0x585204 PeekNamedPipe
0x585208 IsDebuggerPresent
0x58520c EncodePointer
0x585210 InitializeSListHead
0x585214 InterlockedPopEntrySList
0x585218 InterlockedPushEntrySList
0x58521c FlushInstructionCache
0x585220 IsProcessorFeaturePresent
0x585224 VirtualAlloc
0x585228 VirtualFree
0x58522c QueryPerformanceCounter
0x585230 QueryPerformanceFrequency
0x585234 LCMapStringEx
0x585238 GetSystemTimeAsFileTime
0x58523c CompareStringEx
0x585240 GetCPInfo
0x585244 WaitForSingleObjectEx
0x585248 UnhandledExceptionFilter
0x58524c TerminateProcess
0x585250 GetStartupInfoW
0x585254 RtlUnwind
0x585258 TlsAlloc
0x58525c TlsGetValue
0x585260 TlsSetValue
0x585264 TlsFree
0x585268 ExitProcess
0x58526c GetModuleHandleExW
0x585270 GetFileType
0x585274 GetTimeZoneInformation
0x585278 LCMapStringW
0x58527c IsValidLocale
0x585280 GetUserDefaultLCID
0x585284 EnumSystemLocalesW
0x585288 GetConsoleMode
0x58528c IsValidCodePage
0x585290 GetACP
0x585294 GetOEMCP
0x585298 GetFileSizeEx
0x58529c SetFilePointerEx
0x5852a0 FindFirstFileExW
0x5852a4 GetCommandLineA
0x5852a8 FreeEnvironmentStringsW
0x5852ac SetEnvironmentVariableW
0x5852b0 SetStdHandle
0x5852b4 ReadConsoleW
0x5852b8 WriteConsoleW
EAT (Export Address Table): none