Field | Value |
---|---|
Created | 2022.04.29 07:52 |
Machine | s1_win7_x6403 |
Filename | blackmamba.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 58 detected (NeshtaB, Neshta, Unsafe, NULLSOFT PIMP INSTALL SYSTEM2, malicious, Delf, OBIX, Neshuta, high confidence, Winlock, fmobyw, Apanas, A + W32, A@3ypg, HLLP, score, ai score=82, FileInfector, Pack, Enigma, RDMK, cmRtazqeuDdQIxSGhBYOeRVFPiVt, GenAsa, Mo0tdcmmg3o, Static AI, Malicious PE, Infector, Gen9, confidence, 100%) |
md5 | 9a2c436c43cf9941cce0430baf92f254 |
sha256 | 1987e0982313d2a564a585af3d3cf8e76eb1d70c34cf2e93ed69478ff2f47fda |
ssdeep | 3072:sr85CtbpS3GR3kceYNSXGWLhkG57SxZ28DO4E/FaU3sdOL30k1NjcVVnLpPunbGI:k9tNS30eYUXGWLhkJ2aGR+OAQNeZmGI |
imphash | 9f4693fc0c511135129493f2161d1e86 |
impfuzzy | 48:8cfpH9rngO0Mw+4Qk90pvn3O4Ga5tQ4w6T3:8cfpHZgO0MJ430pv3l |
Network IP location
Signature (24cnts)
Level | Description |
---|---|
danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
watch | Installs itself for autorun at Windows startup |
watch | Putty Files |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (26cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | NSIS_Installer | Null Soft Installer | binaries (download) |
warning | PhysicalDrive_20181001 | (no description) | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
info | HWP_file_format | HWP Document File | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Suricata ids
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Fake 404 Response
PE API
IAT (Import Address Table) Library
kernel32.dll
0x4150dc DeleteCriticalSection
0x4150e0 LeaveCriticalSection
0x4150e4 EnterCriticalSection
0x4150e8 InitializeCriticalSection
0x4150ec VirtualFree
0x4150f0 VirtualAlloc
0x4150f4 LocalFree
0x4150f8 LocalAlloc
0x4150fc GetVersion
0x415100 GetCurrentThreadId
0x415104 GetThreadLocale
0x415108 GetStartupInfoA
0x41510c GetLocaleInfoA
0x415110 GetCommandLineA
0x415114 FreeLibrary
0x415118 ExitProcess
0x41511c WriteFile
0x415120 UnhandledExceptionFilter
0x415124 RtlUnwind
0x415128 RaiseException
0x41512c GetStdHandle
user32.dll
0x415134 GetKeyboardType
0x415138 MessageBoxA
advapi32.dll
0x415140 RegQueryValueExA
0x415144 RegOpenKeyExA
0x415148 RegCloseKey
oleaut32.dll
0x415150 SysFreeString
0x415154 SysReAllocStringLen
kernel32.dll
0x41515c TlsSetValue
0x415160 TlsGetValue
0x415164 LocalAlloc
0x415168 GetModuleHandleA
advapi32.dll
0x415170 RegSetValueExA
0x415174 RegOpenKeyExA
0x415178 RegCloseKey
kernel32.dll
0x415180 WriteFile
0x415184 WinExec
0x415188 SetFilePointer
0x41518c SetFileAttributesA
0x415190 SetEndOfFile
0x415194 SetCurrentDirectoryA
0x415198 ReleaseMutex
0x41519c ReadFile
0x4151a0 GetWindowsDirectoryA
0x4151a4 GetTempPathA
0x4151a8 GetShortPathNameA
0x4151ac GetModuleFileNameA
0x4151b0 GetLogicalDriveStringsA
0x4151b4 GetLocalTime
0x4151b8 GetLastError
0x4151bc GetFileSize
0x4151c0 GetFileAttributesA
0x4151c4 GetDriveTypeA
0x4151c8 GetCommandLineA
0x4151cc FreeLibrary
0x4151d0 FindNextFileA
0x4151d4 FindFirstFileA
0x4151d8 FindClose
0x4151dc DeleteFileA
0x4151e0 CreateMutexA
0x4151e4 CreateFileA
0x4151e8 CreateDirectoryA
0x4151ec CloseHandle
gdi32.dll
0x4151f4 StretchDIBits
0x4151f8 SetDIBits
0x4151fc SelectObject
0x415200 GetObjectA
0x415204 GetDIBits
0x415208 DeleteObject
0x41520c DeleteDC
0x415210 CreateSolidBrush
0x415214 CreateDIBSection
0x415218 CreateCompatibleDC
0x41521c CreateCompatibleBitmap
0x415220 BitBlt
user32.dll
0x415228 ReleaseDC
0x41522c GetSysColor
0x415230 GetIconInfo
0x415234 GetDC
0x415238 FillRect
0x41523c DestroyIcon
0x415240 CopyImage
0x415244 CharLowerBuffA
shell32.dll
0x41524c ShellExecuteA
0x415250 ExtractIconA
EAT (Export Address Table) is none