Field | Value
---|---
Created | 2022.12.13 10:06
Machine | s1_win7_x6403
Filename | CLEP.exe
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score | |
Behavior Score | |
ZERO API | file : malware
VT API (file) | 57 detected (AIDetect, malware2, ClipBanker, tscz, malicious, moderate confidence, Tasker, Unsafe, Vv2b, Genus, Eldorado, Attribute, HighConfidence, a variant of WinGo, score, axla, jtndev, Ssmw, XPACK, ClipSpy, R002C0PKS22, 1XHSUKC, InversedShelma, Cycbot, kcloud, Trickbot, Detected, R535472, FTRG, ai score=85, LClipper, LaplasClipper, CLASSIC, Cometer, susgen, Chgt)
md5 | 2b3bff5880cb5d9ab44c302bd1047313
sha256 | e65f40ce3d58d2634807945b468acf0fbc3f6b06631d499dcd99536ed4fae4bc
ssdeep | 49152:l7LFs2B0KVUUzpyZ9vAaE5FKY/t76oUz7UQqAOiyjrbsnHzvSP9rsvl/m9NjJTnP:RpsC/VyZpoUzJqTknTRQdXOY
imphash | 9cbefe68f395e67356e2a5d8d1b285c0
impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Detects the presence of Wine emulator |
watch | Installs itself for autorun at Windows startup |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Performs some HTTP requests |
notice | Uses Windows utilities for basic Windows functionality |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts)
Suricata ids
ET USER_AGENTS Go HTTP Client User-Agent
PE API
IAT (Import Address Table) Library
kernel32.dll
0x84c100 WriteFile
0x84c104 WriteConsoleW
0x84c108 WaitForMultipleObjects
0x84c10c WaitForSingleObject
0x84c110 VirtualQuery
0x84c114 VirtualFree
0x84c118 VirtualAlloc
0x84c11c SwitchToThread
0x84c120 SuspendThread
0x84c124 SetWaitableTimer
0x84c128 SetUnhandledExceptionFilter
0x84c12c SetProcessPriorityBoost
0x84c130 SetEvent
0x84c134 SetErrorMode
0x84c138 SetConsoleCtrlHandler
0x84c13c ResumeThread
0x84c140 PostQueuedCompletionStatus
0x84c144 LoadLibraryA
0x84c148 LoadLibraryW
0x84c14c SetThreadContext
0x84c150 GetThreadContext
0x84c154 GetSystemInfo
0x84c158 GetSystemDirectoryA
0x84c15c GetStdHandle
0x84c160 GetQueuedCompletionStatusEx
0x84c164 GetProcessAffinityMask
0x84c168 GetProcAddress
0x84c16c GetEnvironmentStringsW
0x84c170 GetConsoleMode
0x84c174 FreeEnvironmentStringsW
0x84c178 ExitProcess
0x84c17c DuplicateHandle
0x84c180 CreateWaitableTimerExW
0x84c184 CreateThread
0x84c188 CreateIoCompletionPort
0x84c18c CreateFileA
0x84c190 CreateEventA
0x84c194 CloseHandle
0x84c198 AddVectoredExceptionHandler
EAT (Export Address Table) is none