ScreenShot
| Created | 2023.01.19 08:14 | Machine | s1_win7_x6403 |
| Filename | 111.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 8 detected (malicious, moderate confidence, CobaltStrike, Obfuscated, HackTool, susgen, confidence, 100%) | ||
| md5 | e0e3ca76d27943d890cad7e341d3a477 | ||
| sha256 | cedf2f478d0acc217522682a10f37c28894733f15f80df85333c7894043dcd98 | ||
| ssdeep | 24576:XucvBP7N6G7Thv+aHnL4oL/80naUviycsak1/uWpW1f:l79MoLxnNKW | ||
| imphash | 3e57ff142f73fb4395fb4fdc78fa7435 | ||
| impfuzzy | 48:dzBba1Zmq29cc+Ur5teS1TBgvwXC9EEyIpNnB6U0JaSv/15Q8l0v4S5SepgTGp3c:dNKWyc+UdteS1TBgIXCx+PM/Zy1 | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| watch | Attempts to create or modify system certificates |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
COMCTL32.dll
0x14007d000 None
KERNEL32.dll
0x14007d058 SetStdHandle
0x14007d060 SetEnvironmentVariableW
0x14007d068 SetEnvironmentVariableA
0x14007d070 FreeEnvironmentStringsW
0x14007d078 GetEnvironmentStringsW
0x14007d080 GetCommandLineW
0x14007d088 GetCommandLineA
0x14007d090 GetOEMCP
0x14007d098 IsValidCodePage
0x14007d0a0 FindNextFileW
0x14007d0a8 FindNextFileA
0x14007d0b0 FindFirstFileExW
0x14007d0b8 FindFirstFileExA
0x14007d0c0 GetProcessHeap
0x14007d0c8 CreateThread
0x14007d0d0 WaitForSingleObjectEx
0x14007d0d8 CloseHandle
0x14007d0e0 OutputDebugStringW
0x14007d0e8 OutputDebugStringA
0x14007d0f0 GetTimeZoneInformation
0x14007d0f8 SetConsoleCtrlHandler
0x14007d100 HeapReAlloc
0x14007d108 EnumSystemLocalesW
0x14007d110 GetUserDefaultLCID
0x14007d118 IsValidLocale
0x14007d120 GetTimeFormatW
0x14007d128 GetDateFormatW
0x14007d130 GetFileType
0x14007d138 HeapSize
0x14007d140 GetConsoleCP
0x14007d148 GetConsoleMode
0x14007d150 SetFilePointerEx
0x14007d158 FlushFileBuffers
0x14007d160 WriteConsoleW
0x14007d168 CreateFileW
0x14007d170 GetCurrentProcess
0x14007d178 FindClose
0x14007d180 WideCharToMultiByte
0x14007d188 FormatMessageW
0x14007d190 GetLastError
0x14007d198 EnterCriticalSection
0x14007d1a0 LeaveCriticalSection
0x14007d1a8 DeleteCriticalSection
0x14007d1b0 EncodePointer
0x14007d1b8 DecodePointer
0x14007d1c0 MultiByteToWideChar
0x14007d1c8 SetLastError
0x14007d1d0 InitializeCriticalSectionAndSpinCount
0x14007d1d8 CreateEventW
0x14007d1e0 SwitchToThread
0x14007d1e8 TlsAlloc
0x14007d1f0 TlsGetValue
0x14007d1f8 TlsSetValue
0x14007d200 TlsFree
0x14007d208 GetSystemTimeAsFileTime
0x14007d210 GetTickCount
0x14007d218 GetModuleHandleW
0x14007d220 GetProcAddress
0x14007d228 CompareStringW
0x14007d230 LCMapStringW
0x14007d238 GetLocaleInfoW
0x14007d240 GetStringTypeW
0x14007d248 GetCPInfo
0x14007d250 RtlCaptureContext
0x14007d258 RtlLookupFunctionEntry
0x14007d260 RtlVirtualUnwind
0x14007d268 UnhandledExceptionFilter
0x14007d270 SetUnhandledExceptionFilter
0x14007d278 TerminateProcess
0x14007d280 IsProcessorFeaturePresent
0x14007d288 QueryPerformanceCounter
0x14007d290 GetCurrentProcessId
0x14007d298 GetCurrentThreadId
0x14007d2a0 InitializeSListHead
0x14007d2a8 IsDebuggerPresent
0x14007d2b0 GetStartupInfoW
0x14007d2b8 RtlUnwindEx
0x14007d2c0 RtlPcToFileHeader
0x14007d2c8 RaiseException
0x14007d2d0 InterlockedPushEntrySList
0x14007d2d8 InterlockedFlushSList
0x14007d2e0 FreeLibrary
0x14007d2e8 LoadLibraryExW
0x14007d2f0 GetStdHandle
0x14007d2f8 WriteFile
0x14007d300 GetModuleFileNameW
0x14007d308 GetModuleFileNameA
0x14007d310 ExitProcess
0x14007d318 GetModuleHandleExW
0x14007d320 GetACP
0x14007d328 GetCurrentThread
0x14007d330 HeapFree
0x14007d338 HeapAlloc
0x14007d340 RtlUnwind
USER32.dll
0x14007d350 BeginPaint
0x14007d358 EnableWindow
0x14007d360 SetTimer
0x14007d368 KillTimer
0x14007d370 SendDlgItemMessageA
0x14007d378 PostQuitMessage
0x14007d380 DialogBoxParamA
0x14007d388 IsDlgButtonChecked
0x14007d390 GetDlgItemInt
0x14007d398 EndDialog
0x14007d3a0 DefWindowProcA
0x14007d3a8 GetProcessWindowStation
0x14007d3b0 EnumDesktopsW
0x14007d3b8 CreateWindowExA
0x14007d3c0 RegisterClassExA
0x14007d3c8 LoadCursorA
0x14007d3d0 EndPaint
0x14007d3d8 LoadIconA
0x14007d3e0 GetWindowLongPtrA
0x14007d3e8 DispatchMessageA
0x14007d3f0 TranslateMessage
0x14007d3f8 TranslateAcceleratorA
0x14007d400 GetMessageA
0x14007d408 LoadAcceleratorsA
0x14007d410 LoadStringA
0x14007d418 MessageBoxA
0x14007d420 MessageBoxW
0x14007d428 GetDlgItem
0x14007d430 ShowWindow
0x14007d438 InvalidateRect
0x14007d440 GetClientRect
0x14007d448 SetDlgItemTextA
0x14007d450 SetDlgItemInt
0x14007d458 PostMessageA
GDI32.dll
0x14007d010 TextOutA
0x14007d018 SetTextColor
0x14007d020 SetBkMode
0x14007d028 Ellipse
0x14007d030 CreateSolidBrush
0x14007d038 CreatePen
0x14007d040 SelectObject
0x14007d048 Rectangle
EAT(Export Address Table) is none
COMCTL32.dll
0x14007d000 None
KERNEL32.dll
0x14007d058 SetStdHandle
0x14007d060 SetEnvironmentVariableW
0x14007d068 SetEnvironmentVariableA
0x14007d070 FreeEnvironmentStringsW
0x14007d078 GetEnvironmentStringsW
0x14007d080 GetCommandLineW
0x14007d088 GetCommandLineA
0x14007d090 GetOEMCP
0x14007d098 IsValidCodePage
0x14007d0a0 FindNextFileW
0x14007d0a8 FindNextFileA
0x14007d0b0 FindFirstFileExW
0x14007d0b8 FindFirstFileExA
0x14007d0c0 GetProcessHeap
0x14007d0c8 CreateThread
0x14007d0d0 WaitForSingleObjectEx
0x14007d0d8 CloseHandle
0x14007d0e0 OutputDebugStringW
0x14007d0e8 OutputDebugStringA
0x14007d0f0 GetTimeZoneInformation
0x14007d0f8 SetConsoleCtrlHandler
0x14007d100 HeapReAlloc
0x14007d108 EnumSystemLocalesW
0x14007d110 GetUserDefaultLCID
0x14007d118 IsValidLocale
0x14007d120 GetTimeFormatW
0x14007d128 GetDateFormatW
0x14007d130 GetFileType
0x14007d138 HeapSize
0x14007d140 GetConsoleCP
0x14007d148 GetConsoleMode
0x14007d150 SetFilePointerEx
0x14007d158 FlushFileBuffers
0x14007d160 WriteConsoleW
0x14007d168 CreateFileW
0x14007d170 GetCurrentProcess
0x14007d178 FindClose
0x14007d180 WideCharToMultiByte
0x14007d188 FormatMessageW
0x14007d190 GetLastError
0x14007d198 EnterCriticalSection
0x14007d1a0 LeaveCriticalSection
0x14007d1a8 DeleteCriticalSection
0x14007d1b0 EncodePointer
0x14007d1b8 DecodePointer
0x14007d1c0 MultiByteToWideChar
0x14007d1c8 SetLastError
0x14007d1d0 InitializeCriticalSectionAndSpinCount
0x14007d1d8 CreateEventW
0x14007d1e0 SwitchToThread
0x14007d1e8 TlsAlloc
0x14007d1f0 TlsGetValue
0x14007d1f8 TlsSetValue
0x14007d200 TlsFree
0x14007d208 GetSystemTimeAsFileTime
0x14007d210 GetTickCount
0x14007d218 GetModuleHandleW
0x14007d220 GetProcAddress
0x14007d228 CompareStringW
0x14007d230 LCMapStringW
0x14007d238 GetLocaleInfoW
0x14007d240 GetStringTypeW
0x14007d248 GetCPInfo
0x14007d250 RtlCaptureContext
0x14007d258 RtlLookupFunctionEntry
0x14007d260 RtlVirtualUnwind
0x14007d268 UnhandledExceptionFilter
0x14007d270 SetUnhandledExceptionFilter
0x14007d278 TerminateProcess
0x14007d280 IsProcessorFeaturePresent
0x14007d288 QueryPerformanceCounter
0x14007d290 GetCurrentProcessId
0x14007d298 GetCurrentThreadId
0x14007d2a0 InitializeSListHead
0x14007d2a8 IsDebuggerPresent
0x14007d2b0 GetStartupInfoW
0x14007d2b8 RtlUnwindEx
0x14007d2c0 RtlPcToFileHeader
0x14007d2c8 RaiseException
0x14007d2d0 InterlockedPushEntrySList
0x14007d2d8 InterlockedFlushSList
0x14007d2e0 FreeLibrary
0x14007d2e8 LoadLibraryExW
0x14007d2f0 GetStdHandle
0x14007d2f8 WriteFile
0x14007d300 GetModuleFileNameW
0x14007d308 GetModuleFileNameA
0x14007d310 ExitProcess
0x14007d318 GetModuleHandleExW
0x14007d320 GetACP
0x14007d328 GetCurrentThread
0x14007d330 HeapFree
0x14007d338 HeapAlloc
0x14007d340 RtlUnwind
USER32.dll
0x14007d350 BeginPaint
0x14007d358 EnableWindow
0x14007d360 SetTimer
0x14007d368 KillTimer
0x14007d370 SendDlgItemMessageA
0x14007d378 PostQuitMessage
0x14007d380 DialogBoxParamA
0x14007d388 IsDlgButtonChecked
0x14007d390 GetDlgItemInt
0x14007d398 EndDialog
0x14007d3a0 DefWindowProcA
0x14007d3a8 GetProcessWindowStation
0x14007d3b0 EnumDesktopsW
0x14007d3b8 CreateWindowExA
0x14007d3c0 RegisterClassExA
0x14007d3c8 LoadCursorA
0x14007d3d0 EndPaint
0x14007d3d8 LoadIconA
0x14007d3e0 GetWindowLongPtrA
0x14007d3e8 DispatchMessageA
0x14007d3f0 TranslateMessage
0x14007d3f8 TranslateAcceleratorA
0x14007d400 GetMessageA
0x14007d408 LoadAcceleratorsA
0x14007d410 LoadStringA
0x14007d418 MessageBoxA
0x14007d420 MessageBoxW
0x14007d428 GetDlgItem
0x14007d430 ShowWindow
0x14007d438 InvalidateRect
0x14007d440 GetClientRect
0x14007d448 SetDlgItemTextA
0x14007d450 SetDlgItemInt
0x14007d458 PostMessageA
GDI32.dll
0x14007d010 TextOutA
0x14007d018 SetTextColor
0x14007d020 SetBkMode
0x14007d028 Ellipse
0x14007d030 CreateSolidBrush
0x14007d038 CreatePen
0x14007d040 SelectObject
0x14007d048 Rectangle
EAT(Export Address Table) is none