Field | Value |
---|---|
Created | 2022.05.23 09:41 |
Machine | s1_win7_x6403 |
Filename | 11hYk3bHJ |
Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 21 detected (malicious, high confidence, Siggen17, FWJC, Emotet, Unsafe, Eldorado, GenKryptik, FUWI, clts, BankerX, ai score=85, Wacatac, Kryptik, CLOUD, susgen) |
md5 | dc718a4e9da03bbc0673313cd6d7715c |
sha256 | 67c21491d013e6dbe6e123530f6686010163e75ef3df41ceebf7601c78692434 |
ssdeep | 3072:JI0AM0yQkR9M6lglELtJUNjiWGyWcTD0JUiA2tqZ4IvUlDAj7UOjVifSwHEDQVLK:i5MR9M6y3TeRIvgMSS3AyUrhYu3j |
imphash | ad5c5b0f3e2e211c551f3b5059e614d7 |
impfuzzy | 24:yXv+1dOovBtQzgxrmJbOafDSIlyvp688T4CcPOKyxTuKjM/wg:yX21IKtBZalKpkcCcexuVR |
Signature (15cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
warning | File has been identified by 21 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Communicates with host for which no DNS query was performed |
watch | Created a service where a service was also not started |
watch | Installs itself for autorun at Windows startup |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Expresses interest in specific running processes |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsDLL | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (14cnts)
Suricata IDs
ET CNC Feodo Tracker Reported CnC Server group 4
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 18
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 18
ET INFO TLS Handshake Failure
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x180022000 GetTimeFormatA
0x180022008 GetDateFormatA
0x180022010 GetThreadLocale
0x180022018 FileTimeToSystemTime
0x180022020 VirtualAlloc
0x180022028 ExitProcess
0x180022030 CloseHandle
0x180022038 CreateFileW
0x180022040 SetStdHandle
0x180022048 GetCurrentThreadId
0x180022050 FlsSetValue
0x180022058 GetCommandLineA
0x180022060 TerminateProcess
0x180022068 GetCurrentProcess
0x180022070 UnhandledExceptionFilter
0x180022078 SetUnhandledExceptionFilter
0x180022080 IsDebuggerPresent
0x180022088 RtlVirtualUnwind
0x180022090 RtlLookupFunctionEntry
0x180022098 RtlCaptureContext
0x1800220a0 RtlUnwindEx
0x1800220a8 EncodePointer
0x1800220b0 FlsGetValue
0x1800220b8 FlsAlloc
0x1800220c0 FlsFree
0x1800220c8 SetLastError
0x1800220d0 GetLastError
0x1800220d8 HeapSize
0x1800220e0 HeapValidate
0x1800220e8 IsBadReadPtr
0x1800220f0 DecodePointer
0x1800220f8 GetProcAddress
0x180022100 GetModuleHandleW
0x180022108 SetHandleCount
0x180022110 GetStdHandle
0x180022118 InitializeCriticalSectionAndSpinCount
0x180022120 GetFileType
0x180022128 GetStartupInfoW
0x180022130 DeleteCriticalSection
0x180022138 GetModuleFileNameA
0x180022140 FreeEnvironmentStringsW
0x180022148 WideCharToMultiByte
0x180022150 GetEnvironmentStringsW
0x180022158 HeapSetInformation
0x180022160 GetVersion
0x180022168 HeapCreate
0x180022170 HeapDestroy
0x180022178 QueryPerformanceCounter
0x180022180 GetTickCount
0x180022188 GetCurrentProcessId
0x180022190 GetSystemTimeAsFileTime
0x180022198 EnterCriticalSection
0x1800221a0 LeaveCriticalSection
0x1800221a8 GetACP
0x1800221b0 GetOEMCP
0x1800221b8 GetCPInfo
0x1800221c0 IsValidCodePage
0x1800221c8 HeapAlloc
0x1800221d0 GetModuleFileNameW
0x1800221d8 HeapReAlloc
0x1800221e0 HeapQueryInformation
0x1800221e8 HeapFree
0x1800221f0 WriteFile
0x1800221f8 LoadLibraryW
0x180022200 LCMapStringW
0x180022208 MultiByteToWideChar
0x180022210 GetStringTypeW
0x180022218 OutputDebugStringA
0x180022220 WriteConsoleW
0x180022228 OutputDebugStringW
0x180022230 RaiseException
0x180022238 RtlPcToFileHeader
0x180022240 SetFilePointer
0x180022248 GetConsoleCP
0x180022250 GetConsoleMode
0x180022258 FlushFileBuffers
USER32.dll
0x180022268 MessageBoxA
ole32.dll
0x180022278 CoTaskMemFree
0x180022280 CoTaskMemAlloc
0x180022288 CoLoadLibrary
EAT(Export Address Table) Library
0x180001140 AddIn_FileTime
0x1800010b0 AddIn_SystemTime
0x180003110 DllRegisterServer
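The signature table above flags anti-debug checks, RWX allocation and autorun persistence, and the IAT/EAT listing shows the imports and exports behind them. The following script is an added example, not part of the original report or of the sandbox that produced it: it parses the "PE API" listing in exactly the text form printed above, maps a handful of imports to the flagged behaviors (the `API_HINTS` table is the author's own assumption, not the sandbox's rule set), notes that the `DllRegisterServer` export makes the DLL loadable through `regsvr32.exe` (a hypothesis to confirm against the process tree, which the page does not show), and checks that the IAT slot stride is 8 bytes, which is what the reported PE32+ (64-bit) type requires. `REPORT_TEXT` is a constructed subset of the listing above.

```python
"""Triage helper for the 'PE API' section of a sandbox report.

Added example, not part of the original report or the sandbox tool.
Parses the IAT/EAT listing as printed, maps a few imports to flagged
sandbox behaviors, and validates the IAT slot stride against the
reported PE32+ type. API_HINTS is the author's own assumption.
"""
import re
from functools import reduce
from math import gcd

ENTRY_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)$")
LIBRARY_RE = re.compile(r"^\S+\.dll$", re.IGNORECASE)

# Constructed input: a subset of the IAT/EAT listing copied from the report.
REPORT_TEXT = """\
IAT(Import Address Table) Library
KERNEL32.dll
0x180022020 VirtualAlloc
0x180022028 ExitProcess
0x180022080 IsDebuggerPresent
0x1800220f8 GetProcAddress
0x180022100 GetModuleHandleW
0x1800221f8 LoadLibraryW
USER32.dll
0x180022268 MessageBoxA
ole32.dll
0x180022278 CoTaskMemFree
0x180022280 CoTaskMemAlloc
0x180022288 CoLoadLibrary
EAT(Export Address Table) Library
0x180001140 AddIn_FileTime
0x1800010b0 AddIn_SystemTime
0x180003110 DllRegisterServer
"""

# Assumed hints (not the sandbox's rules). Most of this IAT is ordinary
# MSVC CRT start-up code, so a single import is weak evidence on its own.
API_HINTS = {
    "IsDebuggerPresent": "anti-debug ('Checks if process is being debugged')",
    "VirtualAlloc": "RWX allocation candidate ('Allocates read-write-execute memory')",
    "LoadLibraryW": "dynamic API resolution (real imports kept out of the IAT)",
    "GetProcAddress": "dynamic API resolution (real imports kept out of the IAT)",
    "CoLoadLibrary": "loads a further module through COM",
}


def parse_pe_api(text):
    """Return {'imports': {lib: [(addr, name)]}, 'exports': [(addr, name)]}."""
    imports, exports = {}, []
    section, library = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("IAT("):
            section = "imports"
            continue
        if line.startswith("EAT("):
            section = "exports"
            continue
        if section == "imports" and LIBRARY_RE.match(line):
            library = line
            imports.setdefault(library, [])
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        addr, name = int(m.group(1), 16), m.group(2)
        if section == "imports" and library is not None:
            imports[library].append((addr, name))
        elif section == "exports":
            exports.append((addr, name))
    return {"imports": imports, "exports": exports}


def iat_slot_size(parsed):
    """GCD of address deltas within each library: 8 for a 64-bit IAT, 4 for 32-bit."""
    deltas = []
    for entries in parsed["imports"].values():
        addrs = sorted(a for a, _ in entries)
        deltas += [b - a for a, b in zip(addrs, addrs[1:])]
    return reduce(gcd, deltas, 0)


def triage(parsed):
    """Summarise flagged imports, export-based loading hypothesis and slot size."""
    names = {n: lib for lib, entries in parsed["imports"].items() for _, n in entries}
    exports = [n for _, n in parsed["exports"]]
    flagged = [(n, names[n], API_HINTS[n]) for n in API_HINTS if n in names]
    return {
        "flagged": flagged,
        "dynamic_resolution": "GetProcAddress" in names
        and any(n.startswith("LoadLibrary") for n in names),
        # regsvr32.exe calls DllRegisterServer, so this DLL can be launched that way.
        "regsvr32_loadable": "DllRegisterServer" in exports,
        "exports": exports,
        "slot_size": iat_slot_size(parsed),
    }


if __name__ == "__main__":
    result = triage(parse_pe_api(REPORT_TEXT))
    for api, lib, hint in result["flagged"]:
        print(f"{lib}!{api}: {hint}")
    print("dynamic resolution:", result["dynamic_resolution"])
    print("regsvr32-loadable:", result["regsvr32_loadable"])
    print("IAT slot size:", result["slot_size"], "bytes (8 => PE32+)")
```

Run against the full listing rather than the subset to get the complete mapping; the slot-size check also catches a report whose "Type" line disagrees with its own IAT, and the gap between `KERNEL32.dll` and `USER32.dll` slots (one empty 8-byte slot) is the null terminator of the first thunk array, as expected.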