ScreenShot
Field | Value |
---|---|
Created | 2022.04.08 09:16 |
Machine | s1_win7_x6401 |
Filename | 1_KpCGvNj.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 46 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Attribute, HighConfidence, Kryptik, HPAL, DropperX, CLOUD, mmaen, DownLoader44, R06CC0WCV22, moderate, score, Static AI, Suspicious PE, ai score=82, kcloud, GenericMC, Artemis, TScope, Hupw, Krypt, susgen, GenKryptik, FSEU, ZexaF, puW@aWbib6ni, confidence, 100%) |
md5 | 2f84afead84a3699cb870693b05c308c |
sha256 | 8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43 |
ssdeep | 6144:43Rp8r44IyJSnxHMZyizFb3wje3wURPmv:4szIyonxsgizFH3wURPmv |
imphash | ead537e66fd31bca123a6ae9ea592fed |
impfuzzy | 24:96GjwzizxraYz1vFtzbJnc+pl3eDoTyoOovbOIaGM1RZHu93vBP:96Gja0n1vFtzlc+pp/yn3MBP |
Network IP location
Signature (22cnts)
Level | Description |
---|---|
danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (44cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Network (10cnts)
Suricata ids
ET POLICY External IP Lookup ip-api.com
PE API
IAT(Import Address Table) Library
USER32.dll
0x40f124 PostMessageA
0x40f128 GetWindowThreadProcessId
0x40f12c MessageBeep
0x40f130 GetForegroundWindow
0x40f134 SendMessageA
SHELL32.dll
0x40f11c ShellExecuteA
KERNEL32.dll
0x40f000 GetModuleHandleExW
0x40f004 WriteConsoleW
0x40f008 SetEndOfFile
0x40f00c HeapReAlloc
0x40f010 HeapSize
0x40f014 ReadConsoleW
0x40f018 ReadFile
0x40f01c CreateFileW
0x40f020 GetLastError
0x40f024 Sleep
0x40f028 GetCurrentProcessId
0x40f02c GetCurrentThreadId
0x40f030 QueryPerformanceCounter
0x40f034 GetSystemTimeAsFileTime
0x40f038 InitializeSListHead
0x40f03c IsDebuggerPresent
0x40f040 UnhandledExceptionFilter
0x40f044 SetUnhandledExceptionFilter
0x40f048 GetStartupInfoW
0x40f04c IsProcessorFeaturePresent
0x40f050 GetModuleHandleW
0x40f054 GetCurrentProcess
0x40f058 TerminateProcess
0x40f05c FlushFileBuffers
0x40f060 RtlUnwind
0x40f064 SetLastError
0x40f068 EnterCriticalSection
0x40f06c LeaveCriticalSection
0x40f070 DeleteCriticalSection
0x40f074 InitializeCriticalSectionAndSpinCount
0x40f078 TlsAlloc
0x40f07c TlsGetValue
0x40f080 TlsSetValue
0x40f084 TlsFree
0x40f088 FreeLibrary
0x40f08c GetProcAddress
0x40f090 LoadLibraryExW
0x40f094 RaiseException
0x40f098 GetStdHandle
0x40f09c WriteFile
0x40f0a0 GetModuleFileNameW
0x40f0a4 ExitProcess
0x40f0a8 DecodePointer
0x40f0ac GetCommandLineA
0x40f0b0 GetCommandLineW
0x40f0b4 HeapFree
0x40f0b8 HeapAlloc
0x40f0bc CloseHandle
0x40f0c0 GetConsoleOutputCP
0x40f0c4 GetConsoleMode
0x40f0c8 GetFileSizeEx
0x40f0cc SetFilePointerEx
0x40f0d0 FindClose
0x40f0d4 FindFirstFileExW
0x40f0d8 FindNextFileW
0x40f0dc IsValidCodePage
0x40f0e0 GetACP
0x40f0e4 GetOEMCP
0x40f0e8 GetCPInfo
0x40f0ec MultiByteToWideChar
0x40f0f0 WideCharToMultiByte
0x40f0f4 GetEnvironmentStringsW
0x40f0f8 FreeEnvironmentStringsW
0x40f0fc SetEnvironmentVariableW
0x40f100 SetStdHandle
0x40f104 GetFileType
0x40f108 GetStringTypeW
0x40f10c CompareStringW
0x40f110 LCMapStringW
0x40f114 GetProcessHeap
EAT(Export Address Table) is none