Field | Value
---|---
Created | 2022.12.21 17:52
Machine | s1_win7_x6403
Filename | nppshell32.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score |
Behavior Score |
ZERO API |
VT API (file) | 52 detected (AIDetect, malware1, Strab, GenericKD, Unsafe, Save, ZexaF, gwX@aq9pclei, Genus, ABRisk, AYTS, Attribute, HighConfidence, malicious, high confidence, a variant of Generik, JOOGERF, jtxljk, CrypterX, Hmnw, Malware@#1ry3fywg1p1gw, VIDAR, YXCLOZ, MultiPlug, score, GenKD, Detected, GenSteal, ctcjt, GenKryptik, kcloud, Sabsik, Woreflint, Artemis, ai score=85, BScope, GenCBL, C8z95tZPbLD, susgen, PossibleThreat, confidence, 100%)
md5 | a05a3305d0474756476862801e8b7da0
sha256 | dc1d7f4ca1fc8217390f2f58971a2e695fb293b49d0ceda0bc962c72a12139bd
ssdeep | 49152:6ZU9M4/hhEuoKOdKS+mBQPDpKo38lusg2XEzr:T9MyhhOdrhQt/3Cd2n
imphash | da426df48912de4f1bc39b4ee6afe080
impfuzzy | 24:3hTzo3OJxeds7O/WsrctWGhnDck/HuOZyvDwRTNfrplD4KESwkghk5a:RXBD7O/WsrctWGXuDsxflF4KX/gC5a
Network IP location
Signature (30cnts)
Level | Description |
---|---|
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Detects VirtualBox using WNetGetProviderName trick |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | One or more of the buffers contains an embedded PE file |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates a shortcut to an executable file |
notice | Creates executable files on the filesystem |
notice | Executes one or more WMI queries |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
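The signature rows above report RWX allocation, an RW-to-RX protection change and a buffer that contains an embedded PE, and the rules table flags a UPX-style packer: the sample unpacks a second image in memory, so a dumped region of the process should contain its own MZ/PE header. The following is an added example, not code from the report, the sandbox or the sample, showing how to carve such images out of a memory dump: every "MZ" hit is validated against its PE header, the image's on-disk size is derived from the section table, and a dump that ends before the last section is reported as truncated rather than silently cut. The minimal PE32 it builds as input is constructed for the demonstration.

```python
import struct

# Layouts from the PE/COFF spec: IMAGE_FILE_HEADER (20 bytes) and IMAGE_SECTION_HEADER (40 bytes).
IMAGE_FILE_HEADER = struct.Struct("<HHIIIHH")
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
MAX_SECTIONS = 96          # the Windows loader refuses more; higher counts mean a false MZ hit
IMAGE_FILE_DLL = 0x2000    # Characteristics bit that an IsDLL-style rule keys on


def parse_pe_at(buf, mz):
    """Validate a PE header at buf[mz:] and return its layout, or None if it is not a real PE."""
    if buf[mz:mz + 2] != b"MZ" or mz + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, mz + 0x3C)[0]
    pe = mz + e_lfanew
    if e_lfanew < 0x40 or pe + 4 + IMAGE_FILE_HEADER.size > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, chars = IMAGE_FILE_HEADER.unpack_from(buf, pe + 4)
    opt = pe + 4 + IMAGE_FILE_HEADER.size
    if not 1 <= nsec <= MAX_SECTIONS or opt_size < 64 or opt + opt_size > len(buf):
        return None
    bitness = {0x10B: "PE32", 0x20B: "PE32+"}.get(struct.unpack_from("<H", buf, opt)[0])
    if bitness is None:
        return None
    sec_off = opt + opt_size
    if sec_off + nsec * SECTION_HEADER.size > len(buf):
        return None
    # SizeOfHeaders sits at the same offset (+60) in PE32 and PE32+ optional headers.
    raw_end = struct.unpack_from("<I", buf, opt + 60)[0]
    for i in range(nsec):
        _, _, _, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(buf, sec_off + i * SECTION_HEADER.size)
        raw_end = max(raw_end, raw_ptr + raw_size)   # on-disk extent = furthest section's raw data
    return {"offset": mz, "bitness": bitness, "machine": machine, "sections": nsec,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "raw_size": raw_end}


def carve_embedded_pes(buf):
    """Find every valid MZ/PE header in a buffer and carve that image's on-disk bytes."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(buf, pos)
        if info is not None:
            end = pos + info["raw_size"]
            info["truncated"] = end > len(buf)        # dump ended before the last section
            info["data"] = buf[pos:min(end, len(buf))]
            found.append(info)
        pos = buf.find(b"MZ", pos + 2)
    return found


def build_sample_pe():
    """Constructed minimal PE32 GUI image (not the report's sample) used to exercise the carver."""
    sections = [(b".text", 0x1000, 0x200, 0x200), (b".data", 0x2000, 0x100, 0x400)]  # name, VA, raw size, raw ptr
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew: PE header right after the DOS header
    coff = IMAGE_FILE_HEADER.pack(0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic: PE32
    struct.pack_into("<I", opt, 60, 0x200)                       # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: WINDOWS_GUI
    hdrs = dos + b"PE\0\0" + coff + opt
    for name, va, raw_size, raw_ptr in sections:
        hdrs += SECTION_HEADER.pack(name.ljust(8, b"\0"), raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdrs += b"\0" * (0x200 - len(hdrs))
    return bytes(hdrs + b"\xC3" * 0x200 + b"A" * 0x100)


if __name__ == "__main__":
    # A stray "MZ" in the padding plus a complete image at offset 100 inside a larger buffer.
    container = b"MZ" + b"\xCC" * 98 + build_sample_pe() + b"\0" * 0x40
    for hit in carve_embedded_pes(container):
        print(f"PE at 0x{hit['offset']:x}: {hit['bitness']}, {hit['sections']} sections, "
              f"{len(hit['data'])} bytes carved, truncated={hit['truncated']}")
```

Run it against a raw dump of the RWX region (or the whole process image) and compare each carved image's hash against the sample's own md5/sha256 from the header: a carved image with a different hash is the unpacked payload, and its import table, not the packed stub's, is the one worth reading.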
Suricata ids
ET INFO Dotted Quad Host ZIP Request
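The Suricata alert above, read together with the "Communicates with host for which no DNS query was performed" signature, points at a download from a hard-coded IP address rather than a resolved hostname. The following added example (not from the report, its sandbox or the ET ruleset) shows both checks as log-analysis rules over constructed Zeek-style HTTP and DNS events: a Host header that is a bare IPv4 literal combined with a .zip URI, and a request whose destination no earlier DNS answer explains. The $HOME_NET scoping, the exact match conditions and the event shape are assumptions that approximate the rule's intent, not the ET rule text; the sample addresses are RFC 5737 documentation ranges.

```python
import bisect
import ipaddress
from collections import defaultdict

# Assumed $HOME_NET (RFC 1918 + loopback); both rules only look at traffic leaving it.
HOME_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed events in a Zeek-like shape (not the report's traffic).
DNS_EVENTS = [
    {"ts": 100.0, "query": "update.example.org", "answers": ["198.51.100.7"]},
    {"ts": 105.0, "query": "cdn.example.net", "answers": ["198.51.100.20", "198.51.100.21"]},
]
HTTP_EVENTS = [
    {"ts": 99.0,  "dst": "198.51.100.7",  "host": "update.example.org", "uri": "/early.zip"},   # before its DNS answer
    {"ts": 101.0, "dst": "198.51.100.7",  "host": "update.example.org", "uri": "/index.html"},
    {"ts": 110.0, "dst": "203.0.113.45",  "host": "203.0.113.45",       "uri": "/"},
    {"ts": 111.0, "dst": "203.0.113.45",  "host": "203.0.113.45",       "uri": "/files/deps.zip"},
    {"ts": 112.0, "dst": "198.51.100.21", "host": "cdn.example.net",    "uri": "/pkg/tools.zip"},
    {"ts": 113.0, "dst": "203.0.113.45",  "host": "203.0.113.45:8080",  "uri": "/a.ZIP?x=1"},    # port and query string
    {"ts": 115.0, "dst": "10.0.0.2",      "host": "10.0.0.2",           "uri": "/share/backup.zip"},  # internal, out of scope
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in HOME_NETS)


def host_is_dotted_quad(host):
    """True when the Host header is a bare IPv4 literal, with or without a :port suffix."""
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.IPv4Address(hostname)
    except ValueError:
        return False
    return True


def dotted_quad_zip_requests(http_events):
    """Approximation of 'Dotted Quad Host ZIP Request': IP-literal Host plus a .zip path."""
    hits = []
    for ev in http_events:
        path = ev["uri"].split("?", 1)[0]
        if is_external(ev["dst"]) and host_is_dotted_quad(ev["host"]) and path.lower().endswith(".zip"):
            hits.append(ev)
    return hits


def requests_without_prior_dns(http_events, dns_events):
    """Flag requests to external hosts that no DNS answer returned at or before the request time."""
    seen = defaultdict(list)   # ip -> sorted timestamps at which an answer returned it
    for d in sorted(dns_events, key=lambda e: e["ts"]):
        for ip in d["answers"]:
            seen[ip].append(d["ts"])
    flagged = []
    for ev in http_events:
        if not is_external(ev["dst"]):
            continue
        # bisect_right == 0 means every known answer for this IP came after the request
        if bisect.bisect_right(seen.get(ev["dst"], []), ev["ts"]) == 0:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in dotted_quad_zip_requests(HTTP_EVENTS):
        print(f"dotted-quad zip: ts={ev['ts']} {ev['dst']} {ev['uri']}")
    for ev in requests_without_prior_dns(HTTP_EVENTS, DNS_EVENTS):
        print(f"no prior DNS:    ts={ev['ts']} {ev['dst']} {ev['uri']}")
```

The request at ts 99.0 is flagged only by the second rule: its Host is a name, but the resolution that would explain the destination arrives a second later, which is the ordering case a naive "was the IP ever in a DNS answer" join gets wrong. Real traffic also needs the DNS correlation bounded by TTL and by the resolver the client actually used, otherwise a stale answer hides a later hard-coded connection to the same address.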
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x557008 GetFileSize
0x55700c GetSystemDefaultUILanguage
0x557010 HeapAlloc
0x557014 GetCurrentProcess
0x557018 HeapFree
0x55701c GetProcessHeap
0x557020 IsBadReadPtr
0x557024 OpenProcess
0x557028 LoadLibraryW
0x55702c HeapCreate
0x557030 ReadFile
0x557034 GetModuleFileNameW
0x557038 CreateFileW
0x55703c SetLastError
0x557040 Process32FirstW
0x557044 ExitProcess
0x557048 Process32NextW
0x55704c CreateToolhelp32Snapshot
0x557050 GetCurrentThreadId
0x557054 CloseHandle
0x557058 DeleteFileW
0x55705c GetCurrentProcessId
0x557060 LCMapStringW
0x557064 WideCharToMultiByte
0x557068 LCMapStringA
0x55706c GetOEMCP
0x557070 GetSystemDefaultLangID
0x557074 GetStringTypeW
0x557078 MultiByteToWideChar
0x55707c TerminateProcess
0x557080 UnhandledExceptionFilter
0x557084 SetUnhandledExceptionFilter
0x557088 IsDebuggerPresent
0x55708c GetStartupInfoW
0x557090 RaiseException
0x557094 RtlUnwind
0x557098 GetLastError
0x55709c GetModuleHandleW
0x5570a0 GetProcAddress
0x5570a4 TlsGetValue
0x5570a8 TlsAlloc
0x5570ac TlsSetValue
0x5570b0 TlsFree
0x5570b4 InterlockedIncrement
0x5570b8 InterlockedDecrement
0x5570bc Sleep
0x5570c0 WriteFile
0x5570c4 GetStdHandle
0x5570c8 GetModuleFileNameA
0x5570cc FreeEnvironmentStringsW
0x5570d0 GetEnvironmentStringsW
0x5570d4 GetCommandLineW
0x5570d8 SetHandleCount
0x5570dc GetFileType
0x5570e0 GetStartupInfoA
0x5570e4 DeleteCriticalSection
0x5570e8 VirtualFree
0x5570ec QueryPerformanceCounter
0x5570f0 GetTickCount
0x5570f4 GetSystemTimeAsFileTime
0x5570f8 LeaveCriticalSection
0x5570fc EnterCriticalSection
0x557100 VirtualAlloc
0x557104 HeapReAlloc
0x557108 GetCPInfo
0x55710c GetACP
0x557110 IsValidCodePage
0x557114 HeapSize
0x557118 LoadLibraryA
0x55711c InitializeCriticalSectionAndSpinCount
0x557120 GetLocaleInfoA
0x557124 GetStringTypeA
0x557128 GetModuleHandleA
USER32.dll
0x557138 GetDC
0x55713c ShowWindow
0x557140 CreateWindowExW
0x557144 MessageBoxW
0x557148 UpdateWindow
0x55714c ReleaseDC
0x557150 FillRect
GDI32.dll
0x557000 GetStockObject
PSAPI.DLL
0x557130 GetModuleFileNameExW
EAT(Export Address Table) is none
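The imphash in the header table is the MD5 of the import list in import-directory order, so the table just above is, in principle, enough to recompute it. The following added example (not code from the report or the sandbox) implements that calculation as pefile defines it, over the imports transcribed from the table, and reports whether either of two candidate DLL orderings reproduces the value da426df48912de4f1bc39b4ee6afe080. The orderings are the report's listing order and the order of each DLL's first IAT slot; the IAT RVAs in the table tile contiguously (GDI32 at 0x557000, then KERNEL32, PSAPI, USER32, each block followed by a 4-byte null), which is why the RVA order is assumed to be the import-directory order. That assumption, and the assumption that the thunk order shown is the one pefile walks, are the example's, not the report's; the authoritative value comes from `pe.get_imphash()` in pefile run on the sample itself.

```python
import hashlib

# Imports transcribed from the report's IAT table, per DLL, in the report's listing order.
IMPORTS = {
    "KERNEL32.dll": (
        "GetFileSize GetSystemDefaultUILanguage HeapAlloc GetCurrentProcess HeapFree GetProcessHeap "
        "IsBadReadPtr OpenProcess LoadLibraryW HeapCreate ReadFile GetModuleFileNameW CreateFileW "
        "SetLastError Process32FirstW ExitProcess Process32NextW CreateToolhelp32Snapshot "
        "GetCurrentThreadId CloseHandle DeleteFileW GetCurrentProcessId LCMapStringW WideCharToMultiByte "
        "LCMapStringA GetOEMCP GetSystemDefaultLangID GetStringTypeW MultiByteToWideChar TerminateProcess "
        "UnhandledExceptionFilter SetUnhandledExceptionFilter IsDebuggerPresent GetStartupInfoW "
        "RaiseException RtlUnwind GetLastError GetModuleHandleW GetProcAddress TlsGetValue TlsAlloc "
        "TlsSetValue TlsFree InterlockedIncrement InterlockedDecrement Sleep WriteFile GetStdHandle "
        "GetModuleFileNameA FreeEnvironmentStringsW GetEnvironmentStringsW GetCommandLineW SetHandleCount "
        "GetFileType GetStartupInfoA DeleteCriticalSection VirtualFree QueryPerformanceCounter GetTickCount "
        "GetSystemTimeAsFileTime LeaveCriticalSection EnterCriticalSection VirtualAlloc HeapReAlloc GetCPInfo "
        "GetACP IsValidCodePage HeapSize LoadLibraryA InitializeCriticalSectionAndSpinCount GetLocaleInfoA "
        "GetStringTypeA GetModuleHandleA"
    ).split(),
    "USER32.dll": "GetDC ShowWindow CreateWindowExW MessageBoxW UpdateWindow ReleaseDC FillRect".split(),
    "GDI32.dll": ["GetStockObject"],
    "PSAPI.DLL": ["GetModuleFileNameExW"],
}
# RVA of the first IAT slot of each DLL's thunk block, from the same table.
IAT_START = {"KERNEL32.dll": 0x557008, "USER32.dll": 0x557138, "GDI32.dll": 0x557000, "PSAPI.DLL": 0x557130}
REPORTED_IMPHASH = "da426df48912de4f1bc39b4ee6afe080"


def imphash(imports):
    """imphash as pefile computes it: 'lib.func' lowercased, lib extension (.dll/.ocx/.sys)
    stripped, entries joined by commas in import-directory order, then MD5.
    Ordinal-only imports would appear as 'ordN'; this sample has none."""
    parts = []
    for lib, funcs in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def iat_order():
    """DLLs sorted by the RVA of their first IAT slot (assumed to equal import-directory order)."""
    return sorted(IMPORTS, key=IAT_START.__getitem__)


def iat_blocks_contiguous():
    """Each PE32 thunk block is 4 bytes per import plus a 4-byte null terminator; check that the
    blocks in RVA order tile the IAT with no gaps, which supports using that order."""
    dlls = iat_order()
    return all(IAT_START[cur] + 4 * (len(IMPORTS[cur]) + 1) == IAT_START[nxt]
               for cur, nxt in zip(dlls, dlls[1:]))


def candidate_imphashes():
    return {
        "report_listing": imphash(list(IMPORTS.items())),
        "iat_rva": imphash([(d, IMPORTS[d]) for d in iat_order()]),
    }


def matches_report():
    return {name: value == REPORTED_IMPHASH for name, value in candidate_imphashes().items()}


if __name__ == "__main__":
    print("IAT blocks contiguous:", iat_blocks_contiguous(), "order:", iat_order())
    for name, value in candidate_imphashes().items():
        print(f"{name:15s} {value}  match={value == REPORTED_IMPHASH}")
```

Two practical points follow from the algorithm: the hash is order-sensitive, so the two candidates differ even though they contain the same 82 imports, and it is case-insensitive, so `KERNEL32.dll` and `kernel32.DLL` hash alike. An imphash match across samples therefore means the same linker output, which is why it groups packed stubs rather than the payloads they unpack; the thunk list here (Toolhelp process enumeration, IsDebuggerPresent, VirtualAlloc, LoadLibrary/GetProcAddress) is the stub's, and the stealer functionality the signatures describe is resolved at run time.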