ScreenShot
| Created | 2023.02.20 18:15 | Machine | s1_win7_x6403 |
| Filename | hill.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 35 detected (malicious, high confidence, Nemesis, Unsafe, Save, confidence, 100%, ZexaF, suW@auYN5Kki, NSISPacker, ESRY, score, PWSX, AGEN, moderate, Static AI, Suspicious PE, ai score=81, Woreflint, Detected, F0D1C00BK23) | ||
| md5 | bebfe80156455464fd3d296dae2e55b7 | ||
| sha256 | 27581ab44d1ea9116059d6d244296669e618e9d82b85d3b8fc699401ee244bc8 | ||
| ssdeep | 6144:/Ya6zCz6TUhqri7HjLSQyEvAkzf9Op9CHK1C:/YZCmT0qrOfSzEvcCHKk | ||
| imphash | 61259b55b8912888e90f516ca08dc514 | ||
| impfuzzy | 48://dKexsvEqY80DoS5rAJKQ9P7+nzFwqQ7/llLHAOe+ztlk4Or8L5Sv0WbX06Uyv3:HdKexJUGKR5U50Pw849 | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Putty Files |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x408000 RegCreateKeyExW
0x408004 RegEnumKeyW
0x408008 RegQueryValueExW
0x40800c RegSetValueExW
0x408010 RegCloseKey
0x408014 RegDeleteValueW
0x408018 RegDeleteKeyW
0x40801c AdjustTokenPrivileges
0x408020 LookupPrivilegeValueW
0x408024 OpenProcessToken
0x408028 SetFileSecurityW
0x40802c RegOpenKeyExW
0x408030 RegEnumValueW
SHELL32.dll
0x408178 SHGetSpecialFolderLocation
0x40817c SHFileOperationW
0x408180 SHBrowseForFolderW
0x408184 SHGetPathFromIDListW
0x408188 ShellExecuteExW
0x40818c SHGetFileInfoW
ole32.dll
0x408298 OleInitialize
0x40829c OleUninitialize
0x4082a0 CoCreateInstance
0x4082a4 IIDFromString
0x4082a8 CoTaskMemFree
COMCTL32.dll
0x408038 None
0x40803c ImageList_Create
0x408040 ImageList_Destroy
0x408044 ImageList_AddMasked
USER32.dll
0x408194 GetClientRect
0x408198 EndPaint
0x40819c DrawTextW
0x4081a0 IsWindowEnabled
0x4081a4 DispatchMessageW
0x4081a8 wsprintfA
0x4081ac CharNextA
0x4081b0 CharPrevW
0x4081b4 MessageBoxIndirectW
0x4081b8 GetDlgItemTextW
0x4081bc SetDlgItemTextW
0x4081c0 GetSystemMetrics
0x4081c4 FillRect
0x4081c8 AppendMenuW
0x4081cc TrackPopupMenu
0x4081d0 OpenClipboard
0x4081d4 SetClipboardData
0x4081d8 CloseClipboard
0x4081dc IsWindowVisible
0x4081e0 CallWindowProcW
0x4081e4 GetMessagePos
0x4081e8 CheckDlgButton
0x4081ec LoadCursorW
0x4081f0 SetCursor
0x4081f4 GetSysColor
0x4081f8 SetWindowPos
0x4081fc GetWindowLongW
0x408200 PeekMessageW
0x408204 SetClassLongW
0x408208 GetSystemMenu
0x40820c EnableMenuItem
0x408210 GetWindowRect
0x408214 ScreenToClient
0x408218 EndDialog
0x40821c RegisterClassW
0x408220 SystemParametersInfoW
0x408224 CreateWindowExW
0x408228 GetClassInfoW
0x40822c DialogBoxParamW
0x408230 CharNextW
0x408234 ExitWindowsEx
0x408238 DestroyWindow
0x40823c CreateDialogParamW
0x408240 SetTimer
0x408244 SetWindowTextW
0x408248 PostQuitMessage
0x40824c SetForegroundWindow
0x408250 ShowWindow
0x408254 wsprintfW
0x408258 SendMessageTimeoutW
0x40825c FindWindowExW
0x408260 IsWindow
0x408264 GetDlgItem
0x408268 SetWindowLongW
0x40826c LoadImageW
0x408270 GetDC
0x408274 ReleaseDC
0x408278 EnableWindow
0x40827c InvalidateRect
0x408280 SendMessageW
0x408284 DefWindowProcW
0x408288 BeginPaint
0x40828c EmptyClipboard
0x408290 CreatePopupMenu
GDI32.dll
0x40804c SetBkMode
0x408050 SetBkColor
0x408054 GetDeviceCaps
0x408058 CreateFontIndirectW
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 SetTextColor
0x408068 SelectObject
KERNEL32.dll
0x408070 GetExitCodeProcess
0x408074 WaitForSingleObject
0x408078 GetModuleHandleA
0x40807c GetProcAddress
0x408080 GetSystemDirectoryW
0x408084 lstrcatW
0x408088 Sleep
0x40808c lstrcpyA
0x408090 WriteFile
0x408094 GetTempFileNameW
0x408098 lstrcmpiA
0x40809c RemoveDirectoryW
0x4080a0 CreateProcessW
0x4080a4 CreateDirectoryW
0x4080a8 GetLastError
0x4080ac CreateThread
0x4080b0 GlobalLock
0x4080b4 GlobalUnlock
0x4080b8 GetDiskFreeSpaceW
0x4080bc WideCharToMultiByte
0x4080c0 lstrcpynW
0x4080c4 lstrlenW
0x4080c8 SetErrorMode
0x4080cc GetVersionExW
0x4080d0 GetCommandLineW
0x4080d4 GetTempPathW
0x4080d8 GetWindowsDirectoryW
0x4080dc SetEnvironmentVariableW
0x4080e0 CopyFileW
0x4080e4 ExitProcess
0x4080e8 GetCurrentProcess
0x4080ec GetModuleFileNameW
0x4080f0 GetFileSize
0x4080f4 CreateFileW
0x4080f8 GetTickCount
0x4080fc MulDiv
0x408100 SetFileAttributesW
0x408104 GetFileAttributesW
0x408108 SetCurrentDirectoryW
0x40810c MoveFileW
0x408110 GetFullPathNameW
0x408114 GetShortPathNameW
0x408118 SearchPathW
0x40811c CompareFileTime
0x408120 SetFileTime
0x408124 CloseHandle
0x408128 lstrcmpiW
0x40812c lstrcmpW
0x408130 ExpandEnvironmentStringsW
0x408134 GlobalFree
0x408138 GlobalAlloc
0x40813c GetModuleHandleW
0x408140 LoadLibraryExW
0x408144 MoveFileExW
0x408148 FreeLibrary
0x40814c WritePrivateProfileStringW
0x408150 GetPrivateProfileStringW
0x408154 lstrlenA
0x408158 MultiByteToWideChar
0x40815c ReadFile
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
EAT(Export Address Table) is none
ADVAPI32.dll
0x408000 RegCreateKeyExW
0x408004 RegEnumKeyW
0x408008 RegQueryValueExW
0x40800c RegSetValueExW
0x408010 RegCloseKey
0x408014 RegDeleteValueW
0x408018 RegDeleteKeyW
0x40801c AdjustTokenPrivileges
0x408020 LookupPrivilegeValueW
0x408024 OpenProcessToken
0x408028 SetFileSecurityW
0x40802c RegOpenKeyExW
0x408030 RegEnumValueW
SHELL32.dll
0x408178 SHGetSpecialFolderLocation
0x40817c SHFileOperationW
0x408180 SHBrowseForFolderW
0x408184 SHGetPathFromIDListW
0x408188 ShellExecuteExW
0x40818c SHGetFileInfoW
ole32.dll
0x408298 OleInitialize
0x40829c OleUninitialize
0x4082a0 CoCreateInstance
0x4082a4 IIDFromString
0x4082a8 CoTaskMemFree
COMCTL32.dll
0x408038 None
0x40803c ImageList_Create
0x408040 ImageList_Destroy
0x408044 ImageList_AddMasked
USER32.dll
0x408194 GetClientRect
0x408198 EndPaint
0x40819c DrawTextW
0x4081a0 IsWindowEnabled
0x4081a4 DispatchMessageW
0x4081a8 wsprintfA
0x4081ac CharNextA
0x4081b0 CharPrevW
0x4081b4 MessageBoxIndirectW
0x4081b8 GetDlgItemTextW
0x4081bc SetDlgItemTextW
0x4081c0 GetSystemMetrics
0x4081c4 FillRect
0x4081c8 AppendMenuW
0x4081cc TrackPopupMenu
0x4081d0 OpenClipboard
0x4081d4 SetClipboardData
0x4081d8 CloseClipboard
0x4081dc IsWindowVisible
0x4081e0 CallWindowProcW
0x4081e4 GetMessagePos
0x4081e8 CheckDlgButton
0x4081ec LoadCursorW
0x4081f0 SetCursor
0x4081f4 GetSysColor
0x4081f8 SetWindowPos
0x4081fc GetWindowLongW
0x408200 PeekMessageW
0x408204 SetClassLongW
0x408208 GetSystemMenu
0x40820c EnableMenuItem
0x408210 GetWindowRect
0x408214 ScreenToClient
0x408218 EndDialog
0x40821c RegisterClassW
0x408220 SystemParametersInfoW
0x408224 CreateWindowExW
0x408228 GetClassInfoW
0x40822c DialogBoxParamW
0x408230 CharNextW
0x408234 ExitWindowsEx
0x408238 DestroyWindow
0x40823c CreateDialogParamW
0x408240 SetTimer
0x408244 SetWindowTextW
0x408248 PostQuitMessage
0x40824c SetForegroundWindow
0x408250 ShowWindow
0x408254 wsprintfW
0x408258 SendMessageTimeoutW
0x40825c FindWindowExW
0x408260 IsWindow
0x408264 GetDlgItem
0x408268 SetWindowLongW
0x40826c LoadImageW
0x408270 GetDC
0x408274 ReleaseDC
0x408278 EnableWindow
0x40827c InvalidateRect
0x408280 SendMessageW
0x408284 DefWindowProcW
0x408288 BeginPaint
0x40828c EmptyClipboard
0x408290 CreatePopupMenu
GDI32.dll
0x40804c SetBkMode
0x408050 SetBkColor
0x408054 GetDeviceCaps
0x408058 CreateFontIndirectW
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 SetTextColor
0x408068 SelectObject
KERNEL32.dll
0x408070 GetExitCodeProcess
0x408074 WaitForSingleObject
0x408078 GetModuleHandleA
0x40807c GetProcAddress
0x408080 GetSystemDirectoryW
0x408084 lstrcatW
0x408088 Sleep
0x40808c lstrcpyA
0x408090 WriteFile
0x408094 GetTempFileNameW
0x408098 lstrcmpiA
0x40809c RemoveDirectoryW
0x4080a0 CreateProcessW
0x4080a4 CreateDirectoryW
0x4080a8 GetLastError
0x4080ac CreateThread
0x4080b0 GlobalLock
0x4080b4 GlobalUnlock
0x4080b8 GetDiskFreeSpaceW
0x4080bc WideCharToMultiByte
0x4080c0 lstrcpynW
0x4080c4 lstrlenW
0x4080c8 SetErrorMode
0x4080cc GetVersionExW
0x4080d0 GetCommandLineW
0x4080d4 GetTempPathW
0x4080d8 GetWindowsDirectoryW
0x4080dc SetEnvironmentVariableW
0x4080e0 CopyFileW
0x4080e4 ExitProcess
0x4080e8 GetCurrentProcess
0x4080ec GetModuleFileNameW
0x4080f0 GetFileSize
0x4080f4 CreateFileW
0x4080f8 GetTickCount
0x4080fc MulDiv
0x408100 SetFileAttributesW
0x408104 GetFileAttributesW
0x408108 SetCurrentDirectoryW
0x40810c MoveFileW
0x408110 GetFullPathNameW
0x408114 GetShortPathNameW
0x408118 SearchPathW
0x40811c CompareFileTime
0x408120 SetFileTime
0x408124 CloseHandle
0x408128 lstrcmpiW
0x40812c lstrcmpW
0x408130 ExpandEnvironmentStringsW
0x408134 GlobalFree
0x408138 GlobalAlloc
0x40813c GetModuleHandleW
0x408140 LoadLibraryExW
0x408144 MoveFileExW
0x408148 FreeLibrary
0x40814c WritePrivateProfileStringW
0x408150 GetPrivateProfileStringW
0x408154 lstrlenA
0x408158 MultiByteToWideChar
0x40815c ReadFile
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
EAT(Export Address Table) is none