| Field | Value |
|---|---|
| Created | 2022.12.12 09:42 |
| Machine | s1_win7_x6403 |
| Filename | 11.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | 20 detected (Unsafe, Attribute, HighConfidence, malicious, high confidence, score, Reline, PWSX, StealerNET, high, AGEN, Sabsik, ua3vGMabA0L, Mokes, ZexaF, tuY@a4AoIPli, confidence) |
| md5 | d718535b14065b8645d4c3310451a67e |
| sha256 | 622018b4ba76871cc14437cf779a5b842b66b324ad3da1bf9cff13ed54a4bf28 |
| ssdeep | 6144:Ve7GIU+3MmZNr7rSXuvXOrdaSsz6TU/Qgc:Ve7GIU+3hIrdPsz1Qn |
| imphash | d71d7fdd44a947be9fe6de2a6620b3f7 |
| impfuzzy | 24:9bj3EOZS1jtYGhlJnc+pl3eDo/YoOovSkPvRRZHu9oGM5:9bHZS1jtYG5c+ppsnunF |
Network IP location
Signatures (25)

| Level | Description |
|---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to create or modify system certificates |
watch | Collects information about installed applications |
watch | Harvests credentials from local FTP client softwares |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (14)

| Level | Name | Description | Collection |
|---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
SHELL32.dll
0x417120 CommandLineToArgvW
0x417124 SHGetFolderPathAndSubDirW
GDI32.dll
0x417000 GetPolyFillMode
0x417004 ArcTo
KERNEL32.dll
0x41700c CreateFileW
0x417010 WriteConsoleW
0x417014 GetModuleHandleExW
0x417018 GetCommandLineW
0x41701c LocalFree
0x417020 QueryPerformanceCounter
0x417024 GetCurrentProcessId
0x417028 GetCurrentThreadId
0x41702c GetSystemTimeAsFileTime
0x417030 InitializeSListHead
0x417034 IsDebuggerPresent
0x417038 UnhandledExceptionFilter
0x41703c SetUnhandledExceptionFilter
0x417040 GetStartupInfoW
0x417044 IsProcessorFeaturePresent
0x417048 GetModuleHandleW
0x41704c GetCurrentProcess
0x417050 TerminateProcess
0x417054 RaiseException
0x417058 RtlUnwind
0x41705c GetLastError
0x417060 SetLastError
0x417064 EnterCriticalSection
0x417068 LeaveCriticalSection
0x41706c DeleteCriticalSection
0x417070 InitializeCriticalSectionAndSpinCount
0x417074 TlsAlloc
0x417078 TlsGetValue
0x41707c TlsSetValue
0x417080 TlsFree
0x417084 FreeLibrary
0x417088 GetProcAddress
0x41708c LoadLibraryExW
0x417090 EncodePointer
0x417094 GetStdHandle
0x417098 WriteFile
0x41709c GetModuleFileNameW
0x4170a0 ExitProcess
0x4170a4 DecodePointer
0x4170a8 GetCommandLineA
0x4170ac HeapAlloc
0x4170b0 HeapFree
0x4170b4 CompareStringW
0x4170b8 LCMapStringW
0x4170bc GetFileType
0x4170c0 FindClose
0x4170c4 FindFirstFileExW
0x4170c8 FindNextFileW
0x4170cc IsValidCodePage
0x4170d0 GetACP
0x4170d4 GetOEMCP
0x4170d8 GetCPInfo
0x4170dc MultiByteToWideChar
0x4170e0 WideCharToMultiByte
0x4170e4 GetEnvironmentStringsW
0x4170e8 FreeEnvironmentStringsW
0x4170ec SetEnvironmentVariableW
0x4170f0 SetStdHandle
0x4170f4 GetStringTypeW
0x4170f8 GetProcessHeap
0x4170fc FlushFileBuffers
0x417100 GetConsoleOutputCP
0x417104 GetConsoleMode
0x417108 GetFileSizeEx
0x41710c SetFilePointerEx
0x417110 HeapSize
0x417114 HeapReAlloc
0x417118 CloseHandle
EAT (Export Address Table) is none