ScreenShot
Field | Value |
---|---|
Created | 2022.01.18 10:49 |
Machine | s1_win7_x6403 |
Filename | 543_1642355418_3816.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 17 detected (malicious, high confidence, Unsafe, confidence, ZexaF, 4NYaa4gZxick, Attribute, HighConfidence, Generic ML PUA, ASProtect, Sabsik, score, Static AI, Malicious PE, Genetic) |
md5 | ffc7e0b51a3320c3f6d1e76163b974bd |
sha256 | ace473f7276e62fafda41c68ea85dc99c091a644e74efea748ce5e5f38c9990b |
ssdeep | 98304:UcNOWsyp7fehEBUKICtxzBcG29i0tkwixKuTS:NwofQsU0txz+G2k+Di0u+ |
imphash | 41304e4befbbd8a63ad6ec59f252160b |
impfuzzy | 3:sU9KTXzhAXwSx2AEZsWBJAEcXQ7KHKSW4L9KOmqMElaELCxol4Qn:HGDmErBJAEcXQ7VSNY3EUe |
Signature (33cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Detects VirtualBox using WNetGetProviderName trick |
watch | File has been identified by 17 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local email clients |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates a shortcut to an executable file |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | Tries to locate where the browsers are installed |
Rules (26cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
notice | local_credential_Steal | Steal credential | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | TESTYARA | (no description) | binaries (download) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
Network (7cnts)
PE API
IAT (Import Address Table) Library
kernel32.dll
0x962c28 GetProcAddress
0x962c2c GetModuleHandleA
0x962c30 LoadLibraryA
user32.dll
0x962d05 GetProcessWindowStation
oleaut32.dll
0x962d0d VariantChangeTypeEx
kernel32.dll
0x962d15 RaiseException
EAT (Export Address Table): none