Field | Value |
---|---|
Created | 2022.12.14 09:50 |
Machine | s1_win7_x6403 |
Filename | bibar.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 51 detected (AIDetect, malware2, Nymaim, malicious, high confidence, Lazy, Unsafe, Save, ZexaF, puW@aukH0Mii, Amadey, Eldorado, Attribute, HighConfidence, PRIVATELOADER, YXCLNZ, score, BotX, Fdhl, S + Mal, Horst, MulDrop21, NetLoader, Static AI, Malicious PE, AGEN, kcloud, Woreflint, 01QQ87, Detected, Artemis, ai score=86, UdgJwn0396Q, Outbreak, susgen, EGTS, Genetic) |
md5 | c6524cc2cb091e23be6d9526d6bcbc99 |
sha256 | 37de71b43236c63687b44f238a17cde5f16bea2b2ec8c29b0ea42b62de947d6d |
ssdeep | 6144:90Tn/MUTehRBZbSjpwe6N+6LzXFuz5a6EKhK6Kr3ZpO:yXg7Zb46FLBuz5aD46zO |
imphash | 857774b8dd5bc6abe25ef09f890c7f72 |
impfuzzy | 48:4NGXVbLJGGOBtdS1CM2c+ppZccgTg3ISF57fwSqzNW/uPg:hXVMGAtdS1CM2c+ppZct+D+OSg |
Network IP location
Signature (25cnts)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Disables proxy possibly for traffic interception |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
watch | Installs itself for autorun at Windows startup |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process gntuud.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DROP Dshield Block Listed Source group 1
ET MALWARE Amadey CnC Check-In
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x430040 CopyFileA
0x430044 GetLastError
0x430048 GetFileAttributesA
0x43004c CreateFileA
0x430050 CloseHandle
0x430054 GetSystemInfo
0x430058 CreateThread
0x43005c HeapAlloc
0x430060 GetThreadContext
0x430064 GetProcAddress
0x430068 VirtualAllocEx
0x43006c GetTempPathA
0x430070 RemoveDirectoryA
0x430074 ReadProcessMemory
0x430078 GetProcessHeap
0x43007c CreateProcessA
0x430080 CreateDirectoryA
0x430084 SetThreadContext
0x430088 WriteConsoleW
0x43008c ReadConsoleW
0x430090 SetEndOfFile
0x430094 HeapReAlloc
0x430098 HeapSize
0x43009c Sleep
0x4300a0 SetCurrentDirectoryA
0x4300a4 GetModuleHandleA
0x4300a8 ResumeThread
0x4300ac SuspendThread
0x4300b0 GetComputerNameExW
0x4300b4 GetVersionExW
0x4300b8 CreateMutexW
0x4300bc VirtualAlloc
0x4300c0 WriteFile
0x4300c4 VirtualFree
0x4300c8 HeapFree
0x4300cc WriteProcessMemory
0x4300d0 GetModuleFileNameA
0x4300d4 LocalFree
0x4300d8 ReadFile
0x4300dc SetFilePointerEx
0x4300e0 GetTimeZoneInformation
0x4300e4 GetConsoleMode
0x4300e8 GetConsoleCP
0x4300ec FlushFileBuffers
0x4300f0 GetStringTypeW
0x4300f4 SetEnvironmentVariableW
0x4300f8 FreeEnvironmentStringsW
0x4300fc GetEnvironmentStringsW
0x430100 WideCharToMultiByte
0x430104 GetCPInfo
0x430108 GetOEMCP
0x43010c GetACP
0x430110 IsValidCodePage
0x430114 FindNextFileW
0x430118 FindFirstFileExW
0x43011c FindClose
0x430120 SetStdHandle
0x430124 GetFullPathNameW
0x430128 GetCurrentDirectoryW
0x43012c DeleteFileW
0x430130 DecodePointer
0x430134 UnhandledExceptionFilter
0x430138 SetUnhandledExceptionFilter
0x43013c GetCurrentProcess
0x430140 TerminateProcess
0x430144 IsProcessorFeaturePresent
0x430148 IsDebuggerPresent
0x43014c GetStartupInfoW
0x430150 GetModuleHandleW
0x430154 QueryPerformanceCounter
0x430158 GetCurrentProcessId
0x43015c GetCurrentThreadId
0x430160 GetSystemTimeAsFileTime
0x430164 InitializeSListHead
0x430168 RtlUnwind
0x43016c RaiseException
0x430170 SetLastError
0x430174 EncodePointer
0x430178 EnterCriticalSection
0x43017c LeaveCriticalSection
0x430180 DeleteCriticalSection
0x430184 InitializeCriticalSectionAndSpinCount
0x430188 TlsAlloc
0x43018c TlsGetValue
0x430190 TlsSetValue
0x430194 TlsFree
0x430198 FreeLibrary
0x43019c LoadLibraryExW
0x4301a0 ExitProcess
0x4301a4 GetModuleHandleExW
0x4301a8 CreateFileW
0x4301ac GetDriveTypeW
0x4301b0 GetFileInformationByHandle
0x4301b4 GetFileType
0x4301b8 PeekNamedPipe
0x4301bc SystemTimeToTzSpecificLocalTime
0x4301c0 FileTimeToSystemTime
0x4301c4 GetModuleFileNameW
0x4301c8 GetStdHandle
0x4301cc GetCommandLineA
0x4301d0 GetCommandLineW
0x4301d4 MultiByteToWideChar
0x4301d8 CompareStringW
0x4301dc LCMapStringW
USER32.dll
0x4301f4 GetSystemMetrics
0x4301f8 ReleaseDC
0x4301fc GetDC
GDI32.dll
0x430028 CreateCompatibleBitmap
0x43002c SelectObject
0x430030 CreateCompatibleDC
0x430034 DeleteObject
0x430038 BitBlt
ADVAPI32.dll
0x430000 RegCloseKey
0x430004 RegGetValueA
0x430008 RegQueryValueExA
0x43000c GetUserNameA
0x430010 RegSetValueExA
0x430014 RegOpenKeyExA
0x430018 ConvertSidToStringSidW
0x43001c GetUserNameW
0x430020 LookupAccountNameW
SHELL32.dll
0x4301e4 ShellExecuteA
0x4301e8 None
0x4301ec SHGetFolderPathA
WININET.dll
0x430204 HttpOpenRequestA
0x430208 InternetOpenUrlW
0x43020c InternetReadFile
0x430210 InternetConnectA
0x430214 HttpSendRequestA
0x430218 InternetCloseHandle
0x43021c InternetOpenA
0x430220 HttpAddRequestHeadersA
0x430224 HttpSendRequestExW
0x430228 HttpEndRequestA
0x43022c InternetOpenW
0x430230 InternetOpenUrlA
0x430234 InternetWriteFile
gdiplus.dll
0x43023c GdipSaveImageToFile
0x430240 GdipGetImageEncodersSize
0x430244 GdipDisposeImage
0x430248 GdipCreateBitmapFromHBITMAP
0x43024c GdipGetImageEncoders
0x430250 GdiplusShutdown
0x430254 GdiplusStartup
EAT (Export Address Table) is none