Field | Value |
---|---|
Created | 2022.12.09 10:26 |
Machine | s1_win7_x6402 |
Filename | aloy64.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 20 detected (CobaltStrike, malicious, high confidence, Artemis, confidence, 100%, Attribute, HighConfidence, Cobalt, high, score, kcloud, Sabsik, CLOUD, TrojanX) |
md5 | 1cb5a9c2bc4adfe101f6069d525ba9b2 |
sha256 | 40ab463703114d972269c34abeecf0f796c88c20cceaaf0e582ed0a132e556fa |
ssdeep | 6144:fduncjk3xxCY3Z57rsM/f+xpnW3IpULzArfC43Qp951nHhZW4oI29NyA6xUjqQ43:f1jkRLsGGxpnWjL8G4qot9NGxUjqQ4L |
imphash | a35f121ed76d9b1e75ce64250798b7ea |
impfuzzy | 12:8JZI+3Mmfh+i7hxvGuQZGB80qXJXPXJwdzrJEnDx9A41mLRBRZqRq0sfbZHur:iqSMmVrvJwK80qteJEnDx95uc/ObZHur |
Network IP location
Signature (8cnts)
Level | Description |
---|---|
warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (8cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140019000 CreateFileA
0x140019008 CloseHandle
0x140019010 GetLastError
0x140019018 CreateActCtxA
0x140019020 ActivateActCtx
0x140019028 DeactivateActCtx
0x140019030 CreateThread
0x140019038 ResumeThread
0x140019040 FindFirstFileA
0x140019048 FindNextFileA
0x140019050 GetStdHandle
0x140019058 ReadFile
0x140019060 GetFileSize
0x140019068 SetFileAttributesA
0x140019070 ReleaseActCtx
0x140019078 CreateFileMappingA
0x140019080 CreateNamedPipeA
0x140019088 PeekNamedPipe
0x140019090 ExitProcess
0x140019098 VirtualAlloc
0x1400190a0 RaiseException
0x1400190a8 RtlCaptureContext
0x1400190b0 RtlLookupFunctionEntry
0x1400190b8 RtlVirtualUnwind
0x1400190c0 IsDebuggerPresent
0x1400190c8 UnhandledExceptionFilter
0x1400190d0 SetUnhandledExceptionFilter
0x1400190d8 GetCurrentProcess
0x1400190e0 TerminateProcess
0x1400190e8 IsProcessorFeaturePresent
0x1400190f0 SetLastError
0x1400190f8 HeapAlloc
0x140019100 HeapFree
0x140019108 GetModuleHandleW
0x140019110 GetProcAddress
0x140019118 TlsGetValue
0x140019120 TlsSetValue
0x140019128 FreeLibrary
0x140019130 LoadLibraryExW
0x140019138 CompareStringW
0x140019140 LCMapStringW
0x140019148 EnterCriticalSection
0x140019150 LeaveCriticalSection
0x140019158 IsValidCodePage
0x140019160 GetACP
0x140019168 GetOEMCP
0x140019170 GetCPInfo
0x140019178 GetModuleHandleExW
0x140019180 GetStringTypeW
0x140019188 MultiByteToWideChar
0x140019190 WideCharToMultiByte
0x140019198 HeapSize
0x1400191a0 HeapReAlloc
0x1400191a8 RtlUnwindEx
0x1400191b0 GetEnvironmentStringsW
0x1400191b8 FreeEnvironmentStringsW
0x1400191c0 SetEnvironmentVariableA
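The imphash in the summary table is derived from exactly the kind of import listing shown above. The following script is an added example, not part of the sandbox report or of any vendor tooling: it reimplements the imphash algorithm as pefile computes it (lowercase "library.function" entries in import-directory order, library extension stripped, comma-joined, MD5), transcribes the KERNEL32.dll IAT from this report into a constant, and includes a small parser for the report's "LIBRARY / 0xADDR Name" listing format. Ordinal-only imports are rendered as "ordN" here; pefile's additional ordinal-to-name lookup for a few well-known DLLs is not reproduced (every import in this report is by name). Whether the computed digest equals the report's imphash depends on the listing above being complete and in the file's own import order, so that comparison is printed by main() rather than assumed.

```python
"""Recompute a PE import hash (imphash) from an import-table listing.

Added example (not part of the sandbox report). Reimplements the imphash
algorithm as used by pefile/VirusTotal: for each imported symbol, in import
directory order, emit "library.function" with the library lowercased and a
trailing .dll/.ocx/.sys removed, join the entries with commas, MD5 the result.
Ordinal-only imports are emitted as "ordN"; pefile's extra name lookup for
ordinals of a few well-known DLLs is deliberately not reproduced here.
"""
import hashlib
import re

# KERNEL32.dll import names transcribed from the report's IAT listing,
# in the order shown there (57 entries).
KERNEL32_IMPORTS = """
CreateFileA CloseHandle GetLastError CreateActCtxA ActivateActCtx
DeactivateActCtx CreateThread ResumeThread FindFirstFileA FindNextFileA
GetStdHandle ReadFile GetFileSize SetFileAttributesA ReleaseActCtx
CreateFileMappingA CreateNamedPipeA PeekNamedPipe ExitProcess VirtualAlloc
RaiseException RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind
IsDebuggerPresent UnhandledExceptionFilter SetUnhandledExceptionFilter
GetCurrentProcess TerminateProcess IsProcessorFeaturePresent SetLastError
HeapAlloc HeapFree GetModuleHandleW GetProcAddress TlsGetValue TlsSetValue
FreeLibrary LoadLibraryExW CompareStringW LCMapStringW EnterCriticalSection
LeaveCriticalSection IsValidCodePage GetACP GetOEMCP GetCPInfo
GetModuleHandleExW GetStringTypeW MultiByteToWideChar WideCharToMultiByte
HeapSize HeapReAlloc RtlUnwindEx GetEnvironmentStringsW
FreeEnvironmentStringsW SetEnvironmentVariableA
""".split()

IMPORTS = [("KERNEL32.dll", name) for name in KERNEL32_IMPORTS]

# imphash quoted in the report summary; compared in main(), not assumed equal.
REPORT_IMPHASH = "a35f121ed76d9b1e75ce64250798b7ea"


def normalize_library(libname: str) -> str:
    """Lowercase the DLL name and strip a .dll/.ocx/.sys extension (pefile rule)."""
    lib = libname.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return lib


def imphash_string(imports) -> str:
    """Canonical comma-joined string that imphash digests; entry order matters."""
    parts = []
    for lib, func in imports:
        if isinstance(func, int):          # ordinal-only import
            func = f"ord{func}"
        parts.append(f"{normalize_library(lib)}.{func.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 hex digest of the canonical import string."""
    return hashlib.md5(imphash_string(imports).encode("utf-8")).hexdigest()


_IAT_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat_listing(text: str):
    """Parse the report's layout: a bare library line followed by '0xADDR Name' lines."""
    imports, lib = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _IAT_LINE.match(line)
        if m is None:
            lib = line                     # a bare line names the next library
            continue
        if lib is None:
            raise ValueError(f"import entry before any library name: {line!r}")
        imports.append((lib, m.group(1)))
    return imports


if __name__ == "__main__":
    computed = imphash(IMPORTS)
    print("canonical string:", imphash_string(IMPORTS)[:80] + "...")
    print("computed imphash:", computed)
    verdict = "(match)" if computed == REPORT_IMPHASH else "(differs)"
    print("report   imphash:", REPORT_IMPHASH, verdict)
```

Two practical caveats when reading an imphash off a report like this one: the digest is order-sensitive, so two binaries with the same imports in a different order hash differently, and for a packed sample (this report's rules flag UPX) the imphash describes the imports visible in the packed file rather than those of the unpacked payload.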
EAT(Export Address Table) Library