ScreenShot
| Created | 2022.07.18 09:34 | Machine | s1_win7_x6403 |
| Filename | top.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 13 detected (Unsafe, malicious, high confidence, kcloud, Wacatac, score, MachineLearning, Anomalous, 100%, CLASSIC) | ||
| md5 | 3c0bcef640cd8cec9198c905982b3795 | ||
| sha256 | 7b630e4369de6bc5be7e354eb74d1a49d6ea884ad02054afdec8aad0d52e3306 | ||
| ssdeep | 3072:WyqBXv8dNx159oRNyHXIQenAKo7MMye9zurKCy5bl0EBUUffNtWEivOOOJZoeVzG:ekKfAb7nC0WEG05iTyxlLWrF1P | ||
| imphash | 013c74198fc6e42dcf33737d6c40c012 | ||
| impfuzzy | 48:NKej6W7pnOTSP9OdLhkGtpjS1teoEpNpgL4u+5RlK1gTACEG6x9V5aU95dSvrzpz:NBGWNneSPoZhkGtpjS1tIOJIHWIGQ1co | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Deletes executed files from disk |
| watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local FTP client softwares |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x14000d000 OpenProcessToken
0x14000d008 GetTokenInformation
0x14000d010 RegSetValueExA
0x14000d018 EqualSid
0x14000d020 RegQueryValueExA
0x14000d028 LookupPrivilegeValueA
0x14000d030 RegCreateKeyExA
0x14000d038 RegOpenKeyExA
0x14000d040 RegQueryInfoKeyA
0x14000d048 RegDeleteValueA
0x14000d050 AllocateAndInitializeSid
0x14000d058 FreeSid
0x14000d060 AdjustTokenPrivileges
0x14000d068 RegCloseKey
KERNEL32.dll
0x14000d0c0 GetPrivateProfileIntA
0x14000d0c8 GetFileAttributesA
0x14000d0d0 IsDBCSLeadByte
0x14000d0d8 GetSystemDirectoryA
0x14000d0e0 GlobalUnlock
0x14000d0e8 GetShortPathNameA
0x14000d0f0 CreateDirectoryA
0x14000d0f8 FindFirstFileA
0x14000d100 GetLastError
0x14000d108 GetProcAddress
0x14000d110 RemoveDirectoryA
0x14000d118 SetFileAttributesA
0x14000d120 GlobalFree
0x14000d128 FindClose
0x14000d130 GetPrivateProfileStringA
0x14000d138 LoadLibraryA
0x14000d140 LocalAlloc
0x14000d148 WritePrivateProfileStringA
0x14000d150 GetModuleFileNameA
0x14000d158 FindNextFileA
0x14000d160 CompareStringA
0x14000d168 _lopen
0x14000d170 CloseHandle
0x14000d178 LocalFree
0x14000d180 DeleteFileA
0x14000d188 ExitProcess
0x14000d190 DosDateTimeToFileTime
0x14000d198 CreateFileA
0x14000d1a0 FindResourceA
0x14000d1a8 SetFilePointer
0x14000d1b0 GlobalAlloc
0x14000d1b8 ExpandEnvironmentStringsA
0x14000d1c0 WaitForSingleObject
0x14000d1c8 SetEvent
0x14000d1d0 GetModuleHandleW
0x14000d1d8 FormatMessageA
0x14000d1e0 SetFileTime
0x14000d1e8 WriteFile
0x14000d1f0 GetDriveTypeA
0x14000d1f8 GetVolumeInformationA
0x14000d200 TerminateThread
0x14000d208 SizeofResource
0x14000d210 CreateEventA
0x14000d218 GetExitCodeProcess
0x14000d220 CreateProcessA
0x14000d228 ReadFile
0x14000d230 SetCurrentDirectoryA
0x14000d238 _llseek
0x14000d240 ResetEvent
0x14000d248 LockResource
0x14000d250 GetSystemInfo
0x14000d258 LoadLibraryExA
0x14000d260 CreateMutexA
0x14000d268 GetCurrentDirectoryA
0x14000d270 GetVersionExA
0x14000d278 GetVersion
0x14000d280 GetTempPathA
0x14000d288 CreateThread
0x14000d290 LocalFileTimeToFileTime
0x14000d298 Sleep
0x14000d2a0 FreeResource
0x14000d2a8 GetWindowsDirectoryA
0x14000d2b0 lstrcmpA
0x14000d2b8 _lclose
0x14000d2c0 GlobalLock
0x14000d2c8 GetCurrentProcess
0x14000d2d0 LoadResource
0x14000d2d8 FreeLibrary
0x14000d2e0 GetStartupInfoW
0x14000d2e8 RtlCaptureContext
0x14000d2f0 RtlLookupFunctionEntry
0x14000d2f8 RtlVirtualUnwind
0x14000d300 UnhandledExceptionFilter
0x14000d308 SetUnhandledExceptionFilter
0x14000d310 TerminateProcess
0x14000d318 OutputDebugStringA
0x14000d320 QueryPerformanceCounter
0x14000d328 GetCurrentProcessId
0x14000d330 GetCurrentThreadId
0x14000d338 GetSystemTimeAsFileTime
0x14000d340 GetTickCount
0x14000d348 EnumResourceLanguagesA
0x14000d350 MulDiv
0x14000d358 GetDiskFreeSpaceA
0x14000d360 GetTempFileNameA
GDI32.dll
0x14000d0b0 GetDeviceCaps
USER32.dll
0x14000d370 SetForegroundWindow
0x14000d378 MsgWaitForMultipleObjects
0x14000d380 SendDlgItemMessageA
0x14000d388 GetWindowLongPtrA
0x14000d390 GetWindowRect
0x14000d398 GetDC
0x14000d3a0 MessageBoxA
0x14000d3a8 PeekMessageA
0x14000d3b0 ReleaseDC
0x14000d3b8 GetDlgItem
0x14000d3c0 SetWindowPos
0x14000d3c8 ShowWindow
0x14000d3d0 SetWindowLongPtrA
0x14000d3d8 DispatchMessageA
0x14000d3e0 SetWindowTextA
0x14000d3e8 EnableWindow
0x14000d3f0 CallWindowProcA
0x14000d3f8 DialogBoxIndirectParamA
0x14000d400 GetDlgItemTextA
0x14000d408 LoadStringA
0x14000d410 MessageBeep
0x14000d418 CharUpperA
0x14000d420 CharNextA
0x14000d428 ExitWindowsEx
0x14000d430 CharPrevA
0x14000d438 EndDialog
0x14000d440 GetDesktopWindow
0x14000d448 SetDlgItemTextA
0x14000d450 SendMessageA
0x14000d458 GetSystemMetrics
msvcrt.dll
0x14000d488 ?terminate@@YAXXZ
0x14000d490 _fmode
0x14000d498 _acmdln
0x14000d4a0 __C_specific_handler
0x14000d4a8 _initterm
0x14000d4b0 __setusermatherr
0x14000d4b8 _ismbblead
0x14000d4c0 _cexit
0x14000d4c8 memset
0x14000d4d0 memcpy
0x14000d4d8 _exit
0x14000d4e0 exit
0x14000d4e8 __set_app_type
0x14000d4f0 __getmainargs
0x14000d4f8 _amsg_exit
0x14000d500 _XcptFilter
0x14000d508 _errno
0x14000d510 _vsnprintf
0x14000d518 _commode
COMCTL32.dll
0x14000d078 None
Cabinet.dll
0x14000d088 None
0x14000d090 None
0x14000d098 None
0x14000d0a0 None
VERSION.dll
0x14000d468 GetFileVersionInfoA
0x14000d470 GetFileVersionInfoSizeA
0x14000d478 VerQueryValueA
EAT(Export Address Table) is none
ADVAPI32.dll
0x14000d000 OpenProcessToken
0x14000d008 GetTokenInformation
0x14000d010 RegSetValueExA
0x14000d018 EqualSid
0x14000d020 RegQueryValueExA
0x14000d028 LookupPrivilegeValueA
0x14000d030 RegCreateKeyExA
0x14000d038 RegOpenKeyExA
0x14000d040 RegQueryInfoKeyA
0x14000d048 RegDeleteValueA
0x14000d050 AllocateAndInitializeSid
0x14000d058 FreeSid
0x14000d060 AdjustTokenPrivileges
0x14000d068 RegCloseKey
KERNEL32.dll
0x14000d0c0 GetPrivateProfileIntA
0x14000d0c8 GetFileAttributesA
0x14000d0d0 IsDBCSLeadByte
0x14000d0d8 GetSystemDirectoryA
0x14000d0e0 GlobalUnlock
0x14000d0e8 GetShortPathNameA
0x14000d0f0 CreateDirectoryA
0x14000d0f8 FindFirstFileA
0x14000d100 GetLastError
0x14000d108 GetProcAddress
0x14000d110 RemoveDirectoryA
0x14000d118 SetFileAttributesA
0x14000d120 GlobalFree
0x14000d128 FindClose
0x14000d130 GetPrivateProfileStringA
0x14000d138 LoadLibraryA
0x14000d140 LocalAlloc
0x14000d148 WritePrivateProfileStringA
0x14000d150 GetModuleFileNameA
0x14000d158 FindNextFileA
0x14000d160 CompareStringA
0x14000d168 _lopen
0x14000d170 CloseHandle
0x14000d178 LocalFree
0x14000d180 DeleteFileA
0x14000d188 ExitProcess
0x14000d190 DosDateTimeToFileTime
0x14000d198 CreateFileA
0x14000d1a0 FindResourceA
0x14000d1a8 SetFilePointer
0x14000d1b0 GlobalAlloc
0x14000d1b8 ExpandEnvironmentStringsA
0x14000d1c0 WaitForSingleObject
0x14000d1c8 SetEvent
0x14000d1d0 GetModuleHandleW
0x14000d1d8 FormatMessageA
0x14000d1e0 SetFileTime
0x14000d1e8 WriteFile
0x14000d1f0 GetDriveTypeA
0x14000d1f8 GetVolumeInformationA
0x14000d200 TerminateThread
0x14000d208 SizeofResource
0x14000d210 CreateEventA
0x14000d218 GetExitCodeProcess
0x14000d220 CreateProcessA
0x14000d228 ReadFile
0x14000d230 SetCurrentDirectoryA
0x14000d238 _llseek
0x14000d240 ResetEvent
0x14000d248 LockResource
0x14000d250 GetSystemInfo
0x14000d258 LoadLibraryExA
0x14000d260 CreateMutexA
0x14000d268 GetCurrentDirectoryA
0x14000d270 GetVersionExA
0x14000d278 GetVersion
0x14000d280 GetTempPathA
0x14000d288 CreateThread
0x14000d290 LocalFileTimeToFileTime
0x14000d298 Sleep
0x14000d2a0 FreeResource
0x14000d2a8 GetWindowsDirectoryA
0x14000d2b0 lstrcmpA
0x14000d2b8 _lclose
0x14000d2c0 GlobalLock
0x14000d2c8 GetCurrentProcess
0x14000d2d0 LoadResource
0x14000d2d8 FreeLibrary
0x14000d2e0 GetStartupInfoW
0x14000d2e8 RtlCaptureContext
0x14000d2f0 RtlLookupFunctionEntry
0x14000d2f8 RtlVirtualUnwind
0x14000d300 UnhandledExceptionFilter
0x14000d308 SetUnhandledExceptionFilter
0x14000d310 TerminateProcess
0x14000d318 OutputDebugStringA
0x14000d320 QueryPerformanceCounter
0x14000d328 GetCurrentProcessId
0x14000d330 GetCurrentThreadId
0x14000d338 GetSystemTimeAsFileTime
0x14000d340 GetTickCount
0x14000d348 EnumResourceLanguagesA
0x14000d350 MulDiv
0x14000d358 GetDiskFreeSpaceA
0x14000d360 GetTempFileNameA
GDI32.dll
0x14000d0b0 GetDeviceCaps
USER32.dll
0x14000d370 SetForegroundWindow
0x14000d378 MsgWaitForMultipleObjects
0x14000d380 SendDlgItemMessageA
0x14000d388 GetWindowLongPtrA
0x14000d390 GetWindowRect
0x14000d398 GetDC
0x14000d3a0 MessageBoxA
0x14000d3a8 PeekMessageA
0x14000d3b0 ReleaseDC
0x14000d3b8 GetDlgItem
0x14000d3c0 SetWindowPos
0x14000d3c8 ShowWindow
0x14000d3d0 SetWindowLongPtrA
0x14000d3d8 DispatchMessageA
0x14000d3e0 SetWindowTextA
0x14000d3e8 EnableWindow
0x14000d3f0 CallWindowProcA
0x14000d3f8 DialogBoxIndirectParamA
0x14000d400 GetDlgItemTextA
0x14000d408 LoadStringA
0x14000d410 MessageBeep
0x14000d418 CharUpperA
0x14000d420 CharNextA
0x14000d428 ExitWindowsEx
0x14000d430 CharPrevA
0x14000d438 EndDialog
0x14000d440 GetDesktopWindow
0x14000d448 SetDlgItemTextA
0x14000d450 SendMessageA
0x14000d458 GetSystemMetrics
msvcrt.dll
0x14000d488 ?terminate@@YAXXZ
0x14000d490 _fmode
0x14000d498 _acmdln
0x14000d4a0 __C_specific_handler
0x14000d4a8 _initterm
0x14000d4b0 __setusermatherr
0x14000d4b8 _ismbblead
0x14000d4c0 _cexit
0x14000d4c8 memset
0x14000d4d0 memcpy
0x14000d4d8 _exit
0x14000d4e0 exit
0x14000d4e8 __set_app_type
0x14000d4f0 __getmainargs
0x14000d4f8 _amsg_exit
0x14000d500 _XcptFilter
0x14000d508 _errno
0x14000d510 _vsnprintf
0x14000d518 _commode
COMCTL32.dll
0x14000d078 None
Cabinet.dll
0x14000d088 None
0x14000d090 None
0x14000d098 None
0x14000d0a0 None
VERSION.dll
0x14000d468 GetFileVersionInfoA
0x14000d470 GetFileVersionInfoSizeA
0x14000d478 VerQueryValueA
EAT(Export Address Table) is none