Field | Value |
---|---|
Created | 2021.11.18 12:55 |
Machine | s1_win7_x6401 |
Filename | octafx4setup.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 1 detected (Stelega) |
md5 | 568e1204996456984c05f12de9201168 |
sha256 | 02f992c886f423ef0a2fb16bfbb31ae66309a6206baab5beb1d379891664e4cd |
ssdeep | 24576:44P0tnXo1pxRBlH56KNo37ig2OxyFrtRt1VnUtRJaPWHX0H/:3stnXo1pxRB/6KNo3OtOxyFZ1VUtXaPp |
imphash | 81b91a024710dd1fed3c03bac11a1ecd |
impfuzzy | 12:ov/lhcCKTAc+ABZG/DzHbcmrMbv0Ns4ITQfsAKvY:ylvC+DfsQiAKA |
Signature (22cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Attempts to create or modify system certificates |
watch | Attempts to identify installed AV products by installation directory |
watch | Checks the CPU name from registry |
watch | Communicates with host for which no DNS query was performed |
watch | Creates an Alternate Data Stream (ADS) |
watch | Detects the presence of Wine emulator |
watch | Queries information on disks |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | File has been identified by one AntiVirus engine on VirusTotal as malicious |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (24cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x751e6c GetAce
crypt.dll
0x751e74 BCryptGenRandom
COMCTL32.dll
0x751e7c ImageList_Draw
CRYPT32.dll
0x751e84 CertNameToStrW
dbghelp.dll
0x751e8c StackWalk64
GDI32.dll
0x751e94 BitBlt
gdiplus.dll
0x751e9c GdipFree
KERNEL32.DLL
0x751ea4 LoadLibraryA
0x751ea8 ExitProcess
0x751eac GetProcAddress
0x751eb0 VirtualProtect
MSIMG32.dll
0x751eb8 GradientFill
ole32.dll
0x751ec0 CoInitialize
OLEAUT32.dll
0x751ec8 VarUI4FromStr
Secur32.dll
0x751ed0 EncryptMessage
SHELL32.dll
0x751ed8 ShellExecuteW
SHLWAPI.dll
0x751ee0 PathCanonicalizeW
USER32.dll
0x751ee8 GetDC
VERSION.dll
0x751ef0 VerQueryValueW
WINTRUST.dll
0x751ef8 WinVerifyTrust
WS2_32.dll
0x751f00 WSACleanup
EAT(Export Address Table) is none