Field | Value |
---|---|
Created | 2022.09.26 17:28 |
Machine | s1_win7_x6403 |
Filename | sheet.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
ZERO API | file : malware |
VT API (file) | 55 detected (AIDetect, malware1, 00x1, malicious, high confidence, Lazy, GenericRXUD, Unsafe, Save, RedLine, ABTrojan, KVQS, Attribute, HighConfidence, score, cokq, jsngmc, Mcnw, Siggen18, YXCIMZ, high, Tnega, ASMalwS, RemoteAccess, AsyncRAT, 10AFFS0, Detected, BScope, Nitol, ai score=84, DcRat, BNER4NzZWDL, Static AI, Suspicious PE, susgen, Tiny, confidence, 100%) |
md5 | 1451ed9b5629e22afbde901d932f4bfc |
sha256 | cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a |
ssdeep | 24576:9Ux3pCeQifiWVpXVE/aWumZxv/yE8gLfdryuZepwHOglrSrorrfQ8:6hpDf6WTXS/gmZ1KrgL1NNHOglrSrorV |
imphash | 6f462fcc6b830b77fb3fef2add9dc570 |
impfuzzy | 6:HMJqz80umyRwXJxSBS0H5sD4sIWDLb4iPEcn:sJqwRSY58PLPXn |
Signature (40cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local email clients |
watch | Installs itself for autorun at Windows startup |
watch | Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe |
watch | One or more non-whitelisted processes were created |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process wscript.exe wrote an executable file to disk |
watch | Wscript.exe initiated network communications indicative of a script based payload download |
watch | wscript.exe-based dropper (JScript |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | Connects to a Dynamic DNS Domain |
notice | Creates (office) documents on the filesystem |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | Expresses interest in specific running processes |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (24cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
warning | enclosed | (no description) | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | hide_executable_file | Hide executable file | binaries (download) |
warning | VBScript_Check_All_Process | VBScript Check All Process | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
Suricata ids
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET POLICY External IP Lookup ip-api.com
ET POLICY External IP Lookup ip-api.com
PE API
IAT (Import Address Table) Library
msvcrt.dll
0x561ba0 malloc
0x561ba4 _sleep
0x561ba8 memset
0x561bac strcmp
0x561bb0 strcpy
0x561bb4 getenv
0x561bb8 sprintf
0x561bbc fopen
0x561bc0 fwrite
0x561bc4 fclose
0x561bc8 __argc
0x561bcc __argv
0x561bd0 _environ
0x561bd4 _XcptFilter
0x561bd8 __set_app_type
0x561bdc _controlfp
0x561be0 __getmainargs
0x561be4 exit
shell32.dll
0x561bec ShellExecuteA
kernel32.dll
0x561bf4 SetUnhandledExceptionFilter
EAT (Export Address Table): none