ScreenShot
| Created | 2023.01.19 12:41 | Machine | s1_win7_x6401 |
| Filename | buildppb.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 46 detected (Tasker, malicious, moderate confidence, Babar, Unsafe, confidence, 100%, TAAZ, Attribute, HighConfidence, a variant of WinGo, score, Aurora, jugzao, Bkjl, XPACK, TrojanVeil, ai score=88, Casdet, Detected, Artemis, BScope, Nacra, R002H0CAI23, Generic@AI, RDML, nCzToSOXvAFJZFcGpBMd2Q, TitanStealer, susgen, GoAgent, ZexaF, @BZ@aKLnmOe, Genetic) | ||
| md5 | 03f0c3802261406b2967dbcfb79908a3 | ||
| sha256 | 912f7d82ed878471ace2ca79a7e17ecad0b2bdf430570e646efaa940b01fc579 | ||
| ssdeep | 49152:HPF2LUHXcw7ADxCzjNNTpGktKDJ3Mx3Cww7JrzDNp0maVtGJUdBn02F1eNt:HN2L4Xcwcx+jvIrzFJUWN | ||
| imphash | 9cbefe68f395e67356e2a5d8d1b285c0 | ||
| impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects the presence of Wine emulator |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | NPKI_Zero | File included NPKI | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
kernel32.dll
0x7f4220 WriteFile
0x7f4224 WriteConsoleW
0x7f4228 WaitForMultipleObjects
0x7f422c WaitForSingleObject
0x7f4230 VirtualQuery
0x7f4234 VirtualFree
0x7f4238 VirtualAlloc
0x7f423c SwitchToThread
0x7f4240 SuspendThread
0x7f4244 SetWaitableTimer
0x7f4248 SetUnhandledExceptionFilter
0x7f424c SetProcessPriorityBoost
0x7f4250 SetEvent
0x7f4254 SetErrorMode
0x7f4258 SetConsoleCtrlHandler
0x7f425c ResumeThread
0x7f4260 PostQueuedCompletionStatus
0x7f4264 LoadLibraryA
0x7f4268 LoadLibraryW
0x7f426c SetThreadContext
0x7f4270 GetThreadContext
0x7f4274 GetSystemInfo
0x7f4278 GetSystemDirectoryA
0x7f427c GetStdHandle
0x7f4280 GetQueuedCompletionStatusEx
0x7f4284 GetProcessAffinityMask
0x7f4288 GetProcAddress
0x7f428c GetEnvironmentStringsW
0x7f4290 GetConsoleMode
0x7f4294 FreeEnvironmentStringsW
0x7f4298 ExitProcess
0x7f429c DuplicateHandle
0x7f42a0 CreateWaitableTimerExW
0x7f42a4 CreateThread
0x7f42a8 CreateIoCompletionPort
0x7f42ac CreateFileA
0x7f42b0 CreateEventA
0x7f42b4 CloseHandle
0x7f42b8 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x7f4220 WriteFile
0x7f4224 WriteConsoleW
0x7f4228 WaitForMultipleObjects
0x7f422c WaitForSingleObject
0x7f4230 VirtualQuery
0x7f4234 VirtualFree
0x7f4238 VirtualAlloc
0x7f423c SwitchToThread
0x7f4240 SuspendThread
0x7f4244 SetWaitableTimer
0x7f4248 SetUnhandledExceptionFilter
0x7f424c SetProcessPriorityBoost
0x7f4250 SetEvent
0x7f4254 SetErrorMode
0x7f4258 SetConsoleCtrlHandler
0x7f425c ResumeThread
0x7f4260 PostQueuedCompletionStatus
0x7f4264 LoadLibraryA
0x7f4268 LoadLibraryW
0x7f426c SetThreadContext
0x7f4270 GetThreadContext
0x7f4274 GetSystemInfo
0x7f4278 GetSystemDirectoryA
0x7f427c GetStdHandle
0x7f4280 GetQueuedCompletionStatusEx
0x7f4284 GetProcessAffinityMask
0x7f4288 GetProcAddress
0x7f428c GetEnvironmentStringsW
0x7f4290 GetConsoleMode
0x7f4294 FreeEnvironmentStringsW
0x7f4298 ExitProcess
0x7f429c DuplicateHandle
0x7f42a0 CreateWaitableTimerExW
0x7f42a4 CreateThread
0x7f42a8 CreateIoCompletionPort
0x7f42ac CreateFileA
0x7f42b0 CreateEventA
0x7f42b4 CloseHandle
0x7f42b8 AddVectoredExceptionHandler
EAT(Export Address Table) is none