Field | Value |
---|---|
Created | 2021.11.29 10:10 |
Machine | s1_win7_x6403 |
Filename | installer.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 24 detected (AdUpdater, Unsafe, Bundler, XXQL, Microleaves, OnlineGuard, TrojanProxy, ai score=76, susgen) |
md5 | c313ddb7df24003d25bf62c5a218b215 |
sha256 | e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1 |
ssdeep | 98304:h35E+vGaiDnXGtwcmoQvoTn0ib3xuisXNSAngKvbN/k:/vGacofn0IGtXK |
imphash | 1ee3b0da38e7b7c567f93f357ca3751c |
impfuzzy | 48:JO7cSpvEuEHQPbhyV95MU1rkrJiaZMxWBrYUPyxUZfK:JmcSpvEuEHQPoVnb1rkrExW5YUP3C |
Network IP location
Signature (19 counts)
Level | Description |
---|---|
warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
watch | Deletes executed files from disk |
watch | Disables proxy possibly for traffic interception |
watch | One or more of the buffers contains an embedded PE file |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Sends data using the HTTP POST Method |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (18 counts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x57e000 CreateFileW
0x57e004 CloseHandle
0x57e008 WriteFile
0x57e00c DeleteFileW
0x57e010 HeapDestroy
0x57e014 HeapSize
0x57e018 HeapReAlloc
0x57e01c HeapFree
0x57e020 HeapAlloc
0x57e024 GetProcessHeap
0x57e028 RemoveDirectoryW
0x57e02c GetTempPathW
0x57e030 GetTempFileNameW
0x57e034 CreateDirectoryW
0x57e038 MoveFileW
0x57e03c GetLastError
0x57e040 SizeofResource
0x57e044 LockResource
0x57e048 LoadResource
0x57e04c FindResourceW
0x57e050 FindResourceExW
0x57e054 EnterCriticalSection
0x57e058 LeaveCriticalSection
0x57e05c GetModuleFileNameW
0x57e060 DeleteCriticalSection
0x57e064 InitializeCriticalSectionAndSpinCount
0x57e068 GetCurrentThreadId
0x57e06c RaiseException
0x57e070 SetLastError
0x57e074 GlobalUnlock
0x57e078 GlobalLock
0x57e07c GlobalAlloc
0x57e080 MulDiv
0x57e084 lstrcmpW
0x57e088 CreateEventW
0x57e08c SetEvent
0x57e090 InitializeCriticalSection
0x57e094 lstrcpynW
0x57e098 WaitForSingleObject
0x57e09c CreateThread
0x57e0a0 GetProcAddress
0x57e0a4 LoadLibraryExW
0x57e0a8 DecodePointer
0x57e0ac Sleep
0x57e0b0 GetDiskFreeSpaceExW
0x57e0b4 GetExitCodeThread
0x57e0b8 GetCurrentProcessId
0x57e0bc FreeLibrary
0x57e0c0 GetSystemDirectoryW
0x57e0c4 lstrlenW
0x57e0c8 VerifyVersionInfoW
0x57e0cc VerSetConditionMask
0x57e0d0 lstrcmpiW
0x57e0d4 GetModuleHandleW
0x57e0d8 LoadLibraryW
0x57e0dc GetDriveTypeW
0x57e0e0 CompareStringW
0x57e0e4 FindFirstFileW
0x57e0e8 FindNextFileW
0x57e0ec GetLogicalDriveStringsW
0x57e0f0 GetFileSize
0x57e0f4 GetFileAttributesW
0x57e0f8 GetShortPathNameW
0x57e0fc SetFileAttributesW
0x57e100 GetFileTime
0x57e104 CopyFileW
0x57e108 ReadFile
0x57e10c SetFilePointer
0x57e110 SystemTimeToFileTime
0x57e114 FindClose
0x57e118 MultiByteToWideChar
0x57e11c WideCharToMultiByte
0x57e120 GetCurrentProcess
0x57e124 GetSystemInfo
0x57e128 WaitForMultipleObjects
0x57e12c ReadConsoleW
0x57e130 VirtualProtect
0x57e134 VirtualQuery
0x57e138 LoadLibraryExA
0x57e13c GetStringTypeW
0x57e140 SetUnhandledExceptionFilter
0x57e144 FileTimeToSystemTime
0x57e148 GetEnvironmentVariableW
0x57e14c GetEnvironmentStringsW
0x57e150 FormatMessageW
0x57e154 LocalFree
0x57e158 InitializeCriticalSectionEx
0x57e15c LoadLibraryA
0x57e160 GetModuleFileNameA
0x57e164 GetFullPathNameW
0x57e168 GetCurrentThread
0x57e16c GetConsoleOutputCP
0x57e170 FlushFileBuffers
0x57e174 SetConsoleTextAttribute
0x57e178 GetStdHandle
0x57e17c GetConsoleScreenBufferInfo
0x57e180 OutputDebugStringW
0x57e184 CreateProcessW
0x57e188 GetExitCodeProcess
0x57e18c GetTickCount
0x57e190 GetCommandLineW
0x57e194 SetCurrentDirectoryW
0x57e198 SetEndOfFile
0x57e19c EnumResourceLanguagesW
0x57e1a0 GetLocaleInfoW
0x57e1a4 GetSystemDefaultLangID
0x57e1a8 GetUserDefaultLangID
0x57e1ac GetWindowsDirectoryW
0x57e1b0 GetSystemTime
0x57e1b4 GetDateFormatW
0x57e1b8 GetTimeFormatW
0x57e1bc CreateToolhelp32Snapshot
0x57e1c0 Process32FirstW
0x57e1c4 Process32NextW
0x57e1c8 ResetEvent
0x57e1cc GlobalFree
0x57e1d0 GetPrivateProfileStringW
0x57e1d4 GetPrivateProfileSectionNamesW
0x57e1d8 WritePrivateProfileStringW
0x57e1dc GetLocalTime
0x57e1e0 CreateNamedPipeW
0x57e1e4 ConnectNamedPipe
0x57e1e8 Wow64DisableWow64FsRedirection
0x57e1ec Wow64RevertWow64FsRedirection
0x57e1f0 IsWow64Process
0x57e1f4 TerminateThread
0x57e1f8 LocalAlloc
0x57e1fc CompareFileTime
0x57e200 CopyFileExW
0x57e204 OpenEventW
0x57e208 PeekNamedPipe
0x57e20c IsDebuggerPresent
0x57e210 EncodePointer
0x57e214 InitializeSListHead
0x57e218 InterlockedPopEntrySList
0x57e21c InterlockedPushEntrySList
0x57e220 FlushInstructionCache
0x57e224 IsProcessorFeaturePresent
0x57e228 VirtualAlloc
0x57e22c VirtualFree
0x57e230 QueryPerformanceCounter
0x57e234 QueryPerformanceFrequency
0x57e238 LCMapStringEx
0x57e23c GetSystemTimeAsFileTime
0x57e240 CompareStringEx
0x57e244 GetCPInfo
0x57e248 WaitForSingleObjectEx
0x57e24c UnhandledExceptionFilter
0x57e250 TerminateProcess
0x57e254 GetStartupInfoW
0x57e258 RtlUnwind
0x57e25c TlsAlloc
0x57e260 TlsGetValue
0x57e264 TlsSetValue
0x57e268 TlsFree
0x57e26c ExitProcess
0x57e270 GetModuleHandleExW
0x57e274 GetFileType
0x57e278 GetTimeZoneInformation
0x57e27c LCMapStringW
0x57e280 IsValidLocale
0x57e284 GetUserDefaultLCID
0x57e288 EnumSystemLocalesW
0x57e28c GetConsoleMode
0x57e290 IsValidCodePage
0x57e294 GetACP
0x57e298 GetOEMCP
0x57e29c GetFileSizeEx
0x57e2a0 SetFilePointerEx
0x57e2a4 FindFirstFileExW
0x57e2a8 GetCommandLineA
0x57e2ac FreeEnvironmentStringsW
0x57e2b0 SetEnvironmentVariableW
0x57e2b4 SetStdHandle
0x57e2b8 WriteConsoleW
EAT (Export Address Table): none