Field | Value
---|---
Created | 2023.03.05 03:54
Machine | s1_win7_x6402
Filename | .win32.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score | Not found
Behavior Score | 
ZERO API | file : malware
VT API (file) | 
md5 | 8c3c941efdc044a57a89a4163918acb2
sha256 | 1f973d307ac6766796e6abcaf1c71b8e506859ebf82d9d176fafc564383b2e20
ssdeep | 3072:25mJMInhU7WuCr4VT+3HmDqg4Aa2oAnq5mnzL/:3PhCWuCryT+Wm8a5QP
imphash | 27ccc1110d648cca84e0bb30f9afcab7
impfuzzy | 24:Vw9b7rDIlOKxJMkWCb3kSwEbG2bFV4WPvytpOLZkKJtgcrIlyv9CFHOT4nsjMAd6:fOmmWZHHJtgcEK9C4cn8dAc4X
Network IP location
Signature (13 counts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (39 counts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Network (2 counts)
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x401000 LoadLibraryA
0x401004 WriteConsoleInputW
0x401008 GetWindowsDirectoryW
0x40100c FindFirstVolumeMountPointW
0x401010 FindFirstChangeNotificationW
0x401014 WaitForMultipleObjects
0x401018 ReadConsoleInputA
0x40101c VerifyVersionInfoW
0x401020 GetVersionExA
0x401024 OpenEventA
0x401028 SetLocaleInfoW
0x40102c GetProcAddress
0x401030 LocalAlloc
0x401034 SetConsoleTitleW
0x401038 DeleteFileA
0x40103c EnumResourceTypesW
0x401040 GetLongPathNameW
0x401044 LoadLibraryW
0x401048 GetBinaryTypeA
0x40104c SetLastError
0x401050 LocalShrink
0x401054 WriteProfileStringA
0x401058 GetComputerNameExA
0x40105c GetConsoleAliasA
0x401060 WriteProfileSectionW
0x401064 GetModuleHandleA
0x401068 GetSystemPowerStatus
0x40106c GetModuleHandleW
0x401070 EnumResourceLanguagesW
0x401074 SetDefaultCommConfigA
0x401078 EnumDateFormatsW
0x40107c SetVolumeMountPointA
0x401080 MoveFileExW
0x401084 WritePrivateProfileStringW
0x401088 GetSystemDirectoryW
0x40108c GetStringTypeW
0x401090 GetShortPathNameW
0x401094 FindNextFileW
0x401098 EnumCalendarInfoA
0x40109c AddRefActCtx
0x4010a0 GetLastError
0x4010a4 HeapSize
0x4010a8 WriteConsoleW
0x4010ac MultiByteToWideChar
0x4010b0 WideCharToMultiByte
0x4010b4 HeapReAlloc
0x4010b8 HeapFree
0x4010bc GetCommandLineW
0x4010c0 HeapSetInformation
0x4010c4 GetStartupInfoW
0x4010c8 EncodePointer
0x4010cc DecodePointer
0x4010d0 IsProcessorFeaturePresent
0x4010d4 GetCPInfo
0x4010d8 InterlockedIncrement
0x4010dc InterlockedDecrement
0x4010e0 GetACP
0x4010e4 GetOEMCP
0x4010e8 IsValidCodePage
0x4010ec TlsAlloc
0x4010f0 TlsGetValue
0x4010f4 TlsSetValue
0x4010f8 TlsFree
0x4010fc GetCurrentThreadId
0x401100 UnhandledExceptionFilter
0x401104 SetUnhandledExceptionFilter
0x401108 IsDebuggerPresent
0x40110c TerminateProcess
0x401110 GetCurrentProcess
0x401114 SetFilePointer
0x401118 EnterCriticalSection
0x40111c LeaveCriticalSection
0x401120 CloseHandle
0x401124 HeapCreate
0x401128 HeapAlloc
0x40112c SetHandleCount
0x401130 GetStdHandle
0x401134 InitializeCriticalSectionAndSpinCount
0x401138 GetFileType
0x40113c DeleteCriticalSection
0x401140 ExitProcess
0x401144 WriteFile
0x401148 GetModuleFileNameW
0x40114c FreeEnvironmentStringsW
0x401150 GetEnvironmentStringsW
0x401154 QueryPerformanceCounter
0x401158 GetTickCount
0x40115c GetCurrentProcessId
0x401160 GetSystemTimeAsFileTime
0x401164 RaiseException
0x401168 LCMapStringW
0x40116c Sleep
0x401170 SetStdHandle
0x401174 GetConsoleCP
0x401178 GetConsoleMode
0x40117c FlushFileBuffers
0x401180 RtlUnwind
0x401184 CreateFileW
USER32.dll
0x401194 LoadMenuA
SHELL32.dll
0x40118c CommandLineToArgvW
EAT (Export Address Table): none