Field | Value
---|---
Created | 2021.11.07 10:27
Machine | s1_win7_x6403
Filename | eflairpany.png
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : clean
VT API (file) |
md5 | 39c19b40099fc77f06afe98ddebace2d
sha256 | f65a605e05b0dbe8eafdb89b05abf2c94193273b2a53eb1cc53c9f3575b1e26f
ssdeep | 12288:5nZndx1krxFPqBSPt7bQ9k03GxGprGwbKM:9ZdxuQSPt72k034GJGf
imphash | 2a49715e49b2891839bf716e121ca434
impfuzzy | 24:8IbUHTcklqdZ+fc3zvMfpOovnJ3zD+tgzHRnlyv0T46OcjMZYZAxAFK3:8D4dZ+fczMkG2tgxK0c0Z2AFK3
Signature (15cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Terminates another process |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
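The UPX_Zero rule above flags the file as UPX packed (the Type row shows it is a PE32 executable despite the .png filename). Two cheap static tells for UPX are the UPX0/UPX1 section names and a section with near-maximal entropy sitting next to one that has no raw data on disk. The following is an added example, not the sandbox's rule logic and not code from the report: it parses PE section headers straight from a byte buffer and scores those two tells on a constructed, non-runnable PE image whose section layout and contents are sample values chosen for the example.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, ordinary x86 code well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for every section header of a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]        # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # section table follows the optional header
    for i in range(num_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr: raw_ptr + raw_size]


def upx_indicators(pe: bytes) -> dict:
    """Score the two cheap UPX tells: UPX* section names, and a high-entropy section next to an empty one."""
    sections = list(pe_sections(pe))
    names = [n for n, _ in sections]
    upx_names = [n for n in names if n.upper().startswith("UPX")]
    empty = [n for n, raw in sections if not raw]
    high_entropy = [n for n, raw in sections if raw and shannon_entropy(raw) > 7.0]
    return {
        "section_names": names,
        "upx_names": upx_names,
        "empty_sections": empty,
        "high_entropy": high_entropy,
        # Names are trivially renamed by a packer user; the entropy/empty-section pair is harder to hide.
        "likely_packed": bool(upx_names) or (bool(empty) and bool(high_entropy)),
    }


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 header plus sections (sample input for this example, not a real binary)."""
    n = len(sections)
    opt_size = 224                                        # size of a PE32 optional header
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)   # i386, n sections, EXE
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)                 # PE32 magic, rest zeroed
    raw_ptr = 0x40 + 4 + 20 + opt_size + 40 * n           # raw data follows the section table
    headers, bodies = b"", b""
    for name, data in sections:
        headers += (name.ljust(8, b"\x00")[:8]
                    + struct.pack("<IIII", len(data) or 0x1000, 0, len(data), raw_ptr if data else 0)
                    + bytes(12)
                    + struct.pack("<I", 0x60000020))       # code | executable | readable
        bodies += data
        raw_ptr += len(data)
    return dos + b"PE\x00\x00" + coff + opt + headers + bodies


# Constructed layout mimicking a UPX-compressed PE: UPX0 has no raw data (the unpacked image is
# written there at run time), UPX1 holds the compressed payload (stand-in bytes with maximal
# entropy here), and .rsrc stays readable so icons and version info survive packing.
SAMPLE_SECTIONS = [
    (b"UPX0", b""),
    (b"UPX1", bytes(range(256)) * 16),
    (b".rsrc", bytes(512) + b"MAINICON" * 8),
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    print(upx_indicators(SAMPLE_PE))
```

Section names alone are a weak signal, since renaming them is a byte patch, which is why the entropy tell is computed as well. The engine behind UPX_Zero may key on other features, such as the UPX decompressor stub at the entry point, which this check does not look for.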
Network (7cnts)
Suricata ids
ET CNC Feodo Tracker Reported CnC Server group 15
ET CNC Feodo Tracker Reported CnC Server group 2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
SURICATA Applayer Mismatch protocol both directions
ET POLICY Signed TLS Certificate with md5WithRSAEncryption
ET CNC Feodo Tracker Reported CnC Server group 1
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
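The JA3 alert above fires on the client's TLS fingerprint: JA3 is the MD5 of a comma-separated summary of the ClientHello (version, cipher suites, extension types, supported groups, EC point formats, each list as decimal values joined by "-", with GREASE values dropped so that browser-style filler does not change the hash). The following is an added example, not code from the report or from Suricata: it builds a constructed ClientHello with sample cipher and extension values (chosen for the example, not the sample's real fingerprint) and computes its JA3 string and hash from the raw record bytes.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 drops them from every list.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def u16(v: int) -> bytes:
    return struct.pack("!H", v)


def build_client_hello(version, ciphers, extensions, groups, point_formats) -> bytes:
    """Constructed TLS ClientHello record (sample input for this example, not a real capture).

    Only the fields JA3 reads are populated; other extension bodies are left empty.
    """
    ext_blobs = []
    for ext_type in extensions:
        if ext_type == 10:      # supported_groups: 2-byte list length + 2-byte group ids
            body = u16(2 * len(groups)) + b"".join(u16(g) for g in groups)
        elif ext_type == 11:    # ec_point_formats: 1-byte list length + 1-byte formats
            body = bytes([len(point_formats)]) + bytes(point_formats)
        else:                   # JA3 only uses the extension type, so an empty body suffices here
            body = b""
        ext_blobs.append(u16(ext_type) + u16(len(body)) + body)
    ext_data = b"".join(ext_blobs)
    body = (u16(version)
            + bytes(32)                                           # client random (zeroed in this sample)
            + b"\x00"                                             # empty session id
            + u16(2 * len(ciphers)) + b"".join(u16(c) for c in ciphers)
            + b"\x01\x00"                                         # one compression method: null
            + u16(len(ext_data)) + ext_data)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + u16(len(handshake)) + handshake      # record layer: handshake, legacy version


def ja3_from_client_hello(record: bytes):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    off = 4                                            # handshake type (1) + length (3)
    version = struct.unpack_from("!H", hs, off)[0]     # JA3 uses the ClientHello version, not the record version
    off += 2 + 32                                      # version, then client random
    off += 1 + hs[off]                                 # session id
    cs_len = struct.unpack_from("!H", hs, off)[0]
    off += 2
    ciphers = [struct.unpack_from("!H", hs, i)[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + hs[off]                                 # compression methods
    exts, groups, formats = [], [], []
    if off + 2 <= len(hs):
        end = off + 2 + struct.unpack_from("!H", hs, off)[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, off)
            off += 4
            data = hs[off:off + elen]
            off += elen
            exts.append(etype)
            if etype == 10 and len(data) >= 2:         # supported_groups
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, i)[0] for i in range(2, 2 + n, 2)]
            elif etype == 11 and data:                 # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def keep(values):
        return [v for v in values if v not in GREASE]

    ja3 = ",".join([
        str(version),
        "-".join(map(str, keep(ciphers))),
        "-".join(map(str, keep(exts))),
        "-".join(map(str, keep(groups))),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


SAMPLE_HELLO = build_client_hello(
    version=0x0303,
    ciphers=[0x1A1A, 0xC02B, 0xC02F, 0x002F],      # first value is GREASE and must not appear in JA3
    extensions=[0, 0x2A2A, 10, 11, 35],            # server_name, GREASE, groups, ec formats, session_ticket
    groups=[0x001D, 0x0017],                       # x25519, secp256r1
    point_formats=[0],                             # uncompressed
)

if __name__ == "__main__":
    s, h = ja3_from_client_hello(SAMPLE_HELLO)
    print(s)
    print(h)
```

The remaining alerts are independent of the client fingerprint: the Feodo Tracker rules match destination IPs on a published botnet C2 list, and the two ET POLICY rules match properties of the server's certificate ("Internet Widgits Pty" is the default organization name that OpenSSL's `req` prompt fills in, and md5WithRSAEncryption is a long-deprecated signature algorithm). A default-subject self-signed certificate served from a tracked IP to a client with a known-bad JA3 is three separate signals agreeing, not one.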
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x44826c MultiByteToWideChar
0x448270 lstrlenA
0x448274 LoadResource
0x448278 SizeofResource
0x44827c VirtualAlloc
0x448280 FindResourceA
0x448284 SetStdHandle
0x448288 WriteConsoleW
0x44828c LoadLibraryW
0x448290 FreeLibrary
0x448294 SetConsoleCtrlHandler
0x448298 InterlockedIncrement
0x44829c InterlockedDecrement
0x4482a0 WideCharToMultiByte
0x4482a4 EncodePointer
0x4482a8 DecodePointer
0x4482ac Sleep
0x4482b0 InterlockedExchange
0x4482b4 InitializeCriticalSection
0x4482b8 DeleteCriticalSection
0x4482bc EnterCriticalSection
0x4482c0 LeaveCriticalSection
0x4482c4 InterlockedCompareExchange
0x4482c8 GetLastError
0x4482cc HeapAlloc
0x4482d0 RtlUnwind
0x4482d4 RaiseException
0x4482d8 HeapFree
0x4482dc GetCommandLineA
0x4482e0 HeapSetInformation
0x4482e4 GetStartupInfoW
0x4482e8 LCMapStringW
0x4482ec GetCPInfo
0x4482f0 GetACP
0x4482f4 GetOEMCP
0x4482f8 IsValidCodePage
0x4482fc TlsAlloc
0x448300 TlsGetValue
0x448304 TlsSetValue
0x448308 TlsFree
0x44830c GetModuleHandleW
0x448310 SetLastError
0x448314 GetCurrentThreadId
0x448318 GetCurrentThread
0x44831c GetProcAddress
0x448320 UnhandledExceptionFilter
0x448324 SetUnhandledExceptionFilter
0x448328 IsDebuggerPresent
0x44832c TerminateProcess
0x448330 GetCurrentProcess
0x448334 ExitProcess
0x448338 WriteFile
0x44833c GetStdHandle
0x448340 GetModuleFileNameW
0x448344 HeapCreate
0x448348 HeapDestroy
0x44834c IsProcessorFeaturePresent
0x448350 GetModuleFileNameA
0x448354 FreeEnvironmentStringsW
0x448358 GetEnvironmentStringsW
0x44835c SetHandleCount
0x448360 InitializeCriticalSectionAndSpinCount
0x448364 GetFileType
0x448368 QueryPerformanceCounter
0x44836c GetTickCount
0x448370 GetCurrentProcessId
0x448374 GetSystemTimeAsFileTime
0x448378 FatalAppExitA
0x44837c GetConsoleCP
0x448380 GetConsoleMode
0x448384 FlushFileBuffers
0x448388 ReadFile
0x44838c SetFilePointer
0x448390 CloseHandle
0x448394 HeapSize
0x448398 GetLocaleInfoW
0x44839c GetUserDefaultLCID
0x4483a0 GetLocaleInfoA
0x4483a4 EnumSystemLocalesA
0x4483a8 IsValidLocale
0x4483ac GetStringTypeW
0x4483b0 HeapReAlloc
0x4483b4 CreateFileW
USER32.dll
0x448454 GetSystemMetrics
0x448458 GetDC
SHELL32.dll
0x448424 SHGetFolderPathA
EAT(Export Address Table) is none
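Most of the KERNEL32 imports listed above (EncodePointer, TlsAlloc, HeapCreate, IsProcessorFeaturePresent, UnhandledExceptionFilter, IsDebuggerPresent and so on) are MSVC runtime start-up boilerplate and say little about intent on their own. The combination that matters is FindResourceA, LoadResource, SizeofResource and VirtualAlloc, the usual way to pull an embedded payload out of the resource section and map it into fresh memory, which lines up with the "Allocates read-write-execute memory" signature. Behaviour the sandbox observed (adapter address checks, HTTP traffic) has no corresponding API in this table, consistent with it being resolved at run time via LoadLibraryW/GetProcAddress or living in the unpacked payload. A file that is still UPX-compressed normally exposes only a handful of imports, so a full CRT import table next to the UPX_Zero hit is worth reconciling in a debugger rather than taken at face value. The following is an added example, not code from the report: it parses a subset of the listing above in the report's own format, flags such API combinations, and computes a pefile-style imphash from the pairs.

```python
import hashlib
import re

# Subset of the IAT listing above, transcribed in the report's own "0xADDR Name" form under DLL headers.
IAT_TEXT = """\
KERNEL32.dll
0x448274 LoadResource
0x448278 SizeofResource
0x44827c VirtualAlloc
0x448280 FindResourceA
0x44828c LoadLibraryW
0x4482ac Sleep
0x44831c GetProcAddress
0x448328 IsDebuggerPresent
0x44832c TerminateProcess
0x44836c GetTickCount
USER32.dll
0x448454 GetSystemMetrics
0x448458 GetDC
SHELL32.dll
0x448424 SHGetFolderPathA
"""

# API sets that together point at a behaviour. A set only fires when every member is present,
# because any single name here is also common in benign code and in the MSVC runtime itself.
CAPABILITIES = {
    "resource_payload_unpack": {"FindResourceA", "LoadResource", "SizeofResource", "VirtualAlloc"},
    "dynamic_api_resolution": {"LoadLibraryW", "GetProcAddress"},
    "timing_delay": {"Sleep", "GetTickCount"},
    "anti_debug": {"IsDebuggerPresent"},   # weak alone: the CRT imports it for its abort path
}

DLL_RE = re.compile(r"^[\w.-]+\.(dll|ocx|sys)$", re.IGNORECASE)
IMPORT_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat(text: str) -> list:
    """Turn the report's listing into (dll, function) pairs, in listing order."""
    imports, dll = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if DLL_RE.match(line):
            dll = line
        elif (m := IMPORT_RE.match(line)) and dll:
            imports.append((dll, m.group(1)))
    return imports


def capabilities(imports: list) -> dict:
    """Map each fully satisfied capability to the sorted APIs that satisfy it."""
    names = {func for _, func in imports}
    return {cap: sorted(apis) for cap, apis in CAPABILITIES.items() if apis <= names}


def imphash(imports: list) -> str:
    """pefile-style import hash: MD5 of 'lib.func' pairs, lower-cased, library extension stripped."""
    parts = []
    for dll, func in imports:
        lib = re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def triage(text: str) -> dict:
    imports = parse_iat(text)
    return {
        "import_count": len(imports),
        "dlls": sorted({dll for dll, _ in imports}),
        "capabilities": capabilities(imports),
        "imphash": imphash(imports),
    }


if __name__ == "__main__":
    for key, value in triage(IAT_TEXT).items():
        print(f"{key}: {value}")
```

The imphash only reproduces pefile's value when the pairs are fed in import-descriptor order and ordinal imports are handled; the listing here is grouped by DLL name (the thunk addresses put SHELL32 at 0x448424 before USER32 at 0x448454, while the text shows USER32 first) and this example uses a subset, so do not expect its output to equal the imphash in the header table. Use it to compare two samples you parsed the same way, or recompute from the PE with pefile when you need the canonical value.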