ScreenShot
| Created | 2021.11.01 11:35 | Machine | s1_win7_x6403 |
| Filename | yAwEhUT.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MS CAB-Installer self- | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 7 detected (Unsafe, FileRepMalware, Score, kcloud, Sabsik) | ||
| md5 | af923e132c07ab77eae004e642dfa15d | ||
| sha256 | ae98f2063823340917b2d28987b221b83e7b16d2e9c86c35bdff71e84eca5e93 | ||
| ssdeep | 24576:SfArddt0oTZx2OMm9PEzWOUDFkOaKfL5n43mlf7XT0qFALTofk0BKHuvyrxaY3H0:SfArddt0uZ9MKO4YsXIqFA3ofpHyrxaw | ||
| imphash | d287b46f6436ae965f0f1af9da8d89c9 | ||
| impfuzzy | 48:Vbp7gnQOQO0v519KJ1mshKQ59USvrzd8tGRoACpNwtEX5E+ul54LK6x9paVcM:RpknQ9O251kPmsImupM | ||
Network IP location
Signature (40cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | A process attempted to delay the analysis task. |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Deletes executed files from disk |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | Installs itself for autorun at Windows startup |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (44cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (download) |
| danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Hijack_Network | Hijack network configuration | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Suricata ids
ET MALWARE Arechclient2 Backdoor CnC Init
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x1001000 RegCloseKey
0x1001004 AllocateAndInitializeSid
0x1001008 EqualSid
0x100100c GetTokenInformation
0x1001010 OpenProcessToken
0x1001014 AdjustTokenPrivileges
0x1001018 LookupPrivilegeValueA
0x100101c FreeSid
0x1001020 RegDeleteValueA
0x1001024 RegOpenKeyExA
0x1001028 RegSetValueExA
0x100102c RegQueryValueExA
0x1001030 RegCreateKeyExA
0x1001034 RegQueryInfoKeyA
KERNEL32.dll
0x100104c LocalAlloc
0x1001050 GetLastError
0x1001054 GetCurrentProcess
0x1001058 LoadLibraryA
0x100105c CloseHandle
0x1001060 LocalFree
0x1001064 GetFileAttributesA
0x1001068 GetPrivateProfileStringA
0x100106c GetPrivateProfileIntA
0x1001070 lstrlenA
0x1001074 lstrcmpiA
0x1001078 lstrcatA
0x100107c GetShortPathNameA
0x1001080 GetSystemDirectoryA
0x1001084 RemoveDirectoryA
0x1001088 lstrcpyA
0x100108c FindNextFileA
0x1001090 DeleteFileA
0x1001094 SetFileAttributesA
0x1001098 lstrcmpA
0x100109c FindFirstFileA
0x10010a0 _lclose
0x10010a4 _llseek
0x10010a8 _lopen
0x10010ac WritePrivateProfileStringA
0x10010b0 GetWindowsDirectoryA
0x10010b4 GetModuleFileNameA
0x10010b8 FindClose
0x10010bc GlobalFree
0x10010c0 GlobalUnlock
0x10010c4 GlobalLock
0x10010c8 GlobalAlloc
0x10010cc IsDBCSLeadByte
0x10010d0 ExitProcess
0x10010d4 GetProcAddress
0x10010d8 GetStartupInfoA
0x10010dc GetCommandLineA
0x10010e0 LoadResource
0x10010e4 FindResourceA
0x10010e8 CreateMutexA
0x10010ec SetEvent
0x10010f0 CreateEventA
0x10010f4 SetCurrentDirectoryA
0x10010f8 CreateThread
0x10010fc ResetEvent
0x1001100 TerminateThread
0x1001104 FreeLibrary
0x1001108 FormatMessageA
0x100110c GetExitCodeProcess
0x1001110 WaitForSingleObject
0x1001114 CreateProcessA
0x1001118 GetTempPathA
0x100111c FreeResource
0x1001120 LockResource
0x1001124 SizeofResource
0x1001128 CreateFileA
0x100112c ReadFile
0x1001130 WriteFile
0x1001134 SetFilePointer
0x1001138 SetFileTime
0x100113c LocalFileTimeToFileTime
0x1001140 DosDateTimeToFileTime
0x1001144 GetTempFileNameA
0x1001148 GetSystemInfo
0x100114c GetDriveTypeA
0x1001150 lstrcpynA
0x1001154 GetVolumeInformationA
0x1001158 GetCurrentDirectoryA
0x100115c LoadLibraryExA
0x1001160 GetModuleHandleA
0x1001164 CreateDirectoryA
0x1001168 ExpandEnvironmentStringsA
0x100116c GetVersionExA
0x1001170 GetDiskFreeSpaceA
0x1001174 MulDiv
GDI32.dll
0x1001044 GetDeviceCaps
USER32.dll
0x100117c wsprintfA
0x1001180 ExitWindowsEx
0x1001184 CharNextA
0x1001188 CharUpperA
0x100118c EndDialog
0x1001190 GetDesktopWindow
0x1001194 CharPrevA
0x1001198 GetWindowLongA
0x100119c CallWindowProcA
0x10011a0 GetDlgItem
0x10011a4 SetForegroundWindow
0x10011a8 SetWindowTextA
0x10011ac SendDlgItemMessageA
0x10011b0 SetWindowLongA
0x10011b4 EnableWindow
0x10011b8 SendMessageA
0x10011bc LoadStringA
0x10011c0 MsgWaitForMultipleObjects
0x10011c4 PeekMessageA
0x10011c8 MessageBoxA
0x10011cc SetWindowPos
0x10011d0 ReleaseDC
0x10011d4 GetDC
0x10011d8 GetWindowRect
0x10011dc ShowWindow
0x10011e0 DialogBoxIndirectParamA
0x10011e4 SetDlgItemTextA
0x10011e8 MessageBeep
0x10011ec GetDlgItemTextA
0x10011f0 DispatchMessageA
COMCTL32.dll
0x100103c None
VERSION.dll
0x10011f8 GetFileVersionInfoA
0x10011fc VerQueryValueA
0x1001200 GetFileVersionInfoSizeA
EAT(Export Address Table) is none
ADVAPI32.dll
0x1001000 RegCloseKey
0x1001004 AllocateAndInitializeSid
0x1001008 EqualSid
0x100100c GetTokenInformation
0x1001010 OpenProcessToken
0x1001014 AdjustTokenPrivileges
0x1001018 LookupPrivilegeValueA
0x100101c FreeSid
0x1001020 RegDeleteValueA
0x1001024 RegOpenKeyExA
0x1001028 RegSetValueExA
0x100102c RegQueryValueExA
0x1001030 RegCreateKeyExA
0x1001034 RegQueryInfoKeyA
KERNEL32.dll
0x100104c LocalAlloc
0x1001050 GetLastError
0x1001054 GetCurrentProcess
0x1001058 LoadLibraryA
0x100105c CloseHandle
0x1001060 LocalFree
0x1001064 GetFileAttributesA
0x1001068 GetPrivateProfileStringA
0x100106c GetPrivateProfileIntA
0x1001070 lstrlenA
0x1001074 lstrcmpiA
0x1001078 lstrcatA
0x100107c GetShortPathNameA
0x1001080 GetSystemDirectoryA
0x1001084 RemoveDirectoryA
0x1001088 lstrcpyA
0x100108c FindNextFileA
0x1001090 DeleteFileA
0x1001094 SetFileAttributesA
0x1001098 lstrcmpA
0x100109c FindFirstFileA
0x10010a0 _lclose
0x10010a4 _llseek
0x10010a8 _lopen
0x10010ac WritePrivateProfileStringA
0x10010b0 GetWindowsDirectoryA
0x10010b4 GetModuleFileNameA
0x10010b8 FindClose
0x10010bc GlobalFree
0x10010c0 GlobalUnlock
0x10010c4 GlobalLock
0x10010c8 GlobalAlloc
0x10010cc IsDBCSLeadByte
0x10010d0 ExitProcess
0x10010d4 GetProcAddress
0x10010d8 GetStartupInfoA
0x10010dc GetCommandLineA
0x10010e0 LoadResource
0x10010e4 FindResourceA
0x10010e8 CreateMutexA
0x10010ec SetEvent
0x10010f0 CreateEventA
0x10010f4 SetCurrentDirectoryA
0x10010f8 CreateThread
0x10010fc ResetEvent
0x1001100 TerminateThread
0x1001104 FreeLibrary
0x1001108 FormatMessageA
0x100110c GetExitCodeProcess
0x1001110 WaitForSingleObject
0x1001114 CreateProcessA
0x1001118 GetTempPathA
0x100111c FreeResource
0x1001120 LockResource
0x1001124 SizeofResource
0x1001128 CreateFileA
0x100112c ReadFile
0x1001130 WriteFile
0x1001134 SetFilePointer
0x1001138 SetFileTime
0x100113c LocalFileTimeToFileTime
0x1001140 DosDateTimeToFileTime
0x1001144 GetTempFileNameA
0x1001148 GetSystemInfo
0x100114c GetDriveTypeA
0x1001150 lstrcpynA
0x1001154 GetVolumeInformationA
0x1001158 GetCurrentDirectoryA
0x100115c LoadLibraryExA
0x1001160 GetModuleHandleA
0x1001164 CreateDirectoryA
0x1001168 ExpandEnvironmentStringsA
0x100116c GetVersionExA
0x1001170 GetDiskFreeSpaceA
0x1001174 MulDiv
GDI32.dll
0x1001044 GetDeviceCaps
USER32.dll
0x100117c wsprintfA
0x1001180 ExitWindowsEx
0x1001184 CharNextA
0x1001188 CharUpperA
0x100118c EndDialog
0x1001190 GetDesktopWindow
0x1001194 CharPrevA
0x1001198 GetWindowLongA
0x100119c CallWindowProcA
0x10011a0 GetDlgItem
0x10011a4 SetForegroundWindow
0x10011a8 SetWindowTextA
0x10011ac SendDlgItemMessageA
0x10011b0 SetWindowLongA
0x10011b4 EnableWindow
0x10011b8 SendMessageA
0x10011bc LoadStringA
0x10011c0 MsgWaitForMultipleObjects
0x10011c4 PeekMessageA
0x10011c8 MessageBoxA
0x10011cc SetWindowPos
0x10011d0 ReleaseDC
0x10011d4 GetDC
0x10011d8 GetWindowRect
0x10011dc ShowWindow
0x10011e0 DialogBoxIndirectParamA
0x10011e4 SetDlgItemTextA
0x10011e8 MessageBeep
0x10011ec GetDlgItemTextA
0x10011f0 DispatchMessageA
COMCTL32.dll
0x100103c None
VERSION.dll
0x10011f8 GetFileVersionInfoA
0x10011fc VerQueryValueA
0x1001200 GetFileVersionInfoSizeA
EAT(Export Address Table) is none