ScreenShot
| Created | 2022.12.07 09:43 | Machine | s1_win7_x6402 |
| Filename | lib32.hta | ||
| Type | HTML document, ASCII text, with very long lines, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | f959e6882af46c0c9b31d88d596444df | ||
| sha256 | 752a84ba60cc53ec23642402ff87c1eee074ca6ae7703bec7b1ef9e600f63e9a | ||
| ssdeep | 1536:5eg8M3o0bT0HFUsmYQY1OaN2SDgzAbhnMGpJUTpGJtgDezN+wEN1:5es40bwHFwzYUaTDgzk63TpagsNNEN1 | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a suspicious Powershell process |
| watch | Drops a binary and executes it |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
| watch | One or more non-whitelisted processes were created |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Poweshell is sending data to a remote host |
| notice | URL downloaded by powershell script |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win_Trojan_Formbook_Zero | Used Formbook | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| info | PowerShell | PowerShell script | scripts |
| info | PowershellDI | Extract Download/Invoke calls from powershell script | scripts |
Network (6cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO PowerShell NoProfile Command Received In Powershell Stagers
ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1
ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1
ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2
ET INFO Powershell Base64 Decode Command Inbound
ET INFO PowerShell NoProfile Command Received In Powershell Stagers
ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1
ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1
ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2
ET INFO Powershell Base64 Decode Command Inbound