Field | Value |
---|---|
Created | 2023.03.05 04:18 |
Machine | s1_win7_x6401 |
Filename | loader.dat |
Type | PE32+ executable (console) x86-64, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | |
md5 | 9275ae35733730eda1da5e7e29bdf8db |
sha256 | cc3bd53d7288359c8a25bb27b44d324b679b0a61466bf0fa79991d5639eb53ee |
ssdeep | 98304:7KrF3sCrgxhqVvTCxW1WnH3hSE23Yp+T3O2ptNvmHRJZ07NQJDZpk:7KrF3Tr2IVGMql23X3jptNvmHLZ00Xk |
imphash | 4670763b03e0378772271f1bc906b792 |
impfuzzy | 24:j8XDLfgyxYisQsIn8u5FnaQtXJHc9NDI5Q8:AXI2OQsy8AnXpcM5Q8 |
Network IP location
Signature (11cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
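The rows worth understanding in this table are the behavioural ones: the "watch" hit for resuming a suspended thread in a remote process, and the "notice" hits for read-write-execute allocations and remote thread creation. Such signatures are evaluated by correlating API calls across a trace rather than by matching a single call. The script below is an added example, not the sandbox's own signature code and not derived from loader.dat: it runs one such stateful check over a constructed API trace in a made-up "caller_pid Api(args) -> ret" text form. The Win32 API names and the CREATE_SUSPENDED / PAGE_EXECUTE_READWRITE constants are real; the trace values, the log format and the level labels (reusing the page's "watch" / "notice" wording) are this example's assumptions.

```python
# Added example, not part of the sandbox report: how a behavioural signature like
# "resumed a suspended thread in a remote process" is evaluated over an API trace.
import re

# Constructed trace in a made-up "caller_pid Api(args) -> ret" form; it is not the
# sandbox's real log format and does not come from loader.dat.
TRACE = """\
1000 CreateProcessW(image=svchost.exe, flags=0x4) -> pid=2000 tid=7
1000 VirtualAllocEx(pid=2000, size=0x11000, prot=0x40) -> 0x7ff600000000
1000 WriteProcessMemory(pid=2000, addr=0x7ff600000000, size=0x10a00) -> 1
1000 SetThreadContext(tid=7) -> 1
1000 ResumeThread(tid=7) -> 1
1000 VirtualAlloc(size=0x200000, prot=0x40) -> 0x1a0000
1000 CreateRemoteThread(pid=3000, start=0x7ff700001000) -> 0x200
1000 ResumeThread(tid=9) -> 1
"""
CALL = re.compile(r"^(\d+) (\w+)\((.*)\) -> (.*)$")
KV = re.compile(r"(\w+)=([^,\s]+)")
CREATE_SUSPENDED = 0x4          # dwCreationFlags bit for CreateProcess*
PAGE_EXECUTE_READWRITE = 0x40   # flProtect value for VirtualAlloc*

def parse_trace(text):
    """Return (caller_pid, api, args dict, return-value dict) per well-formed line."""
    calls = []
    for line in text.splitlines():
        m = CALL.match(line)
        if m:
            caller, api, args, ret = m.groups()
            calls.append((int(caller), api, dict(KV.findall(args)), dict(KV.findall(ret))))
    return calls

def detect(calls):
    """Stateful correlation: one (level, message) per finding, in trace order."""
    findings = []
    suspended_tid = {}    # tid -> pid, for threads created with CREATE_SUSPENDED
    written_pids = set()  # remote processes whose memory the caller wrote into
    for caller, api, a, r in calls:
        pid = a.get("pid")
        remote = pid is not None and int(pid) != caller
        if api == "CreateProcessW" and int(a.get("flags", "0"), 0) & CREATE_SUSPENDED:
            suspended_tid[r["tid"]] = r["pid"]
        elif (api in ("VirtualAlloc", "VirtualAllocEx")
              and int(a.get("prot", "0"), 0) == PAGE_EXECUTE_READWRITE):
            where = f"remote pid {pid}" if remote else "own process"
            findings.append(("notice", f"RWX allocation in {where}"))
        elif api == "WriteProcessMemory" and remote:
            written_pids.add(pid)
        elif api == "ResumeThread":
            # Only a resume of a thread we created suspended, in a process we wrote
            # to, is flagged; resuming an unknown thread (tid=9 above) is not.
            target = suspended_tid.get(a.get("tid"))
            if target in written_pids:
                findings.append(("watch", f"resumed suspended thread {a['tid']} "
                                          f"of pid {target} after writing its memory"))
        elif api == "CreateRemoteThread" and remote:
            findings.append(("notice", f"CreateRemoteThread into pid {pid}"))
    return findings

if __name__ == "__main__":
    for level, message in detect(parse_trace(TRACE)):
        print(f"{level:7} {message}")
```

The design point is the state carried between calls: a ResumeThread on its own is harmless, so the check only fires when the thread was created suspended by the same caller and that caller has since written into the child's memory, which is the sequence the "watch" row describes.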
Rules (37cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Suricata ids
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1403cd000 GetConsoleScreenBufferInfo
USER32.dll
0x1403cd010 SetLayeredWindowAttributes
ADVAPI32.dll
0x1403cd020 GetCurrentHwProfileA
MSVCP140.dll
0x1403cd030 _To_wide
WS2_32.dll
0x1403cd040 recv
VCRUNTIME140.dll
0x1403cd050 memchr
api-ms-win-crt-runtime-l1-1-0.dll
0x1403cd060 _initterm
api-ms-win-crt-heap-l1-1-0.dll
0x1403cd070 _callnewh
api-ms-win-crt-utility-l1-1-0.dll
0x1403cd080 srand
api-ms-win-crt-stdio-l1-1-0.dll
0x1403cd090 _set_fmode
api-ms-win-crt-string-l1-1-0.dll
0x1403cd0a0 strcpy_s
api-ms-win-crt-time-l1-1-0.dll
0x1403cd0b0 _time64
api-ms-win-crt-convert-l1-1-0.dll
0x1403cd0c0 _itoa_s
api-ms-win-crt-environment-l1-1-0.dll
0x1403cd0d0 getenv
api-ms-win-crt-math-l1-1-0.dll
0x1403cd0e0 sin
api-ms-win-crt-locale-l1-1-0.dll
0x1403cd0f0 _configthreadlocale
WTSAPI32.dll
0x1403cd100 WTSSendMessageW
KERNEL32.dll
0x1403cd110 GetSystemTimeAsFileTime
USER32.dll
0x1403cd120 GetUserObjectInformationW
KERNEL32.dll
0x1403cd130 LocalAlloc
0x1403cd138 LocalFree
0x1403cd140 GetModuleFileNameW
0x1403cd148 GetProcessAffinityMask
0x1403cd150 SetProcessAffinityMask
0x1403cd158 SetThreadAffinityMask
0x1403cd160 Sleep
0x1403cd168 ExitProcess
0x1403cd170 FreeLibrary
0x1403cd178 LoadLibraryA
0x1403cd180 GetModuleHandleA
0x1403cd188 GetProcAddress
USER32.dll
0x1403cd198 GetProcessWindowStation
0x1403cd1a0 GetUserObjectInformationW
EAT(Export Address Table) is none
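The static import table above is small and oddly shaped: nineteen of its twenty-one descriptors carry exactly one import (the 0x10 spacing between consecutive entries is one thunk plus its null terminator), and LoadLibraryA with GetProcAddress sit at the end. That is the usual look of a binary whose real API surface is resolved at run time, which fits the "allocates read-write-execute memory (usually to unpack itself)" signature earlier on the page. The script below is an added example, not part of this report or its tooling: it parses the listing exactly as printed above (embedded verbatim as the sample input), summarises it, flags a few API groupings that are this example's own choices, and recomputes an imphash with the pefile algorithm so the result can be compared with the 4670763b03e0378772271f1bc906b792 shown in the header.

```python
# Added example, not part of the sandbox report: triage a pasted IAT listing.
import hashlib
import re
# Constructed input: the IAT listing from the report above, copied verbatim.
IAT_LISTING = """\
KERNEL32.dll
0x1403cd000 GetConsoleScreenBufferInfo
USER32.dll
0x1403cd010 SetLayeredWindowAttributes
ADVAPI32.dll
0x1403cd020 GetCurrentHwProfileA
MSVCP140.dll
0x1403cd030 _To_wide
WS2_32.dll
0x1403cd040 recv
VCRUNTIME140.dll
0x1403cd050 memchr
api-ms-win-crt-runtime-l1-1-0.dll
0x1403cd060 _initterm
api-ms-win-crt-heap-l1-1-0.dll
0x1403cd070 _callnewh
api-ms-win-crt-utility-l1-1-0.dll
0x1403cd080 srand
api-ms-win-crt-stdio-l1-1-0.dll
0x1403cd090 _set_fmode
api-ms-win-crt-string-l1-1-0.dll
0x1403cd0a0 strcpy_s
api-ms-win-crt-time-l1-1-0.dll
0x1403cd0b0 _time64
api-ms-win-crt-convert-l1-1-0.dll
0x1403cd0c0 _itoa_s
api-ms-win-crt-environment-l1-1-0.dll
0x1403cd0d0 getenv
api-ms-win-crt-math-l1-1-0.dll
0x1403cd0e0 sin
api-ms-win-crt-locale-l1-1-0.dll
0x1403cd0f0 _configthreadlocale
WTSAPI32.dll
0x1403cd100 WTSSendMessageW
KERNEL32.dll
0x1403cd110 GetSystemTimeAsFileTime
USER32.dll
0x1403cd120 GetUserObjectInformationW
KERNEL32.dll
0x1403cd130 LocalAlloc
0x1403cd138 LocalFree
0x1403cd140 GetModuleFileNameW
0x1403cd148 GetProcessAffinityMask
0x1403cd150 SetProcessAffinityMask
0x1403cd158 SetThreadAffinityMask
0x1403cd160 Sleep
0x1403cd168 ExitProcess
0x1403cd170 FreeLibrary
0x1403cd178 LoadLibraryA
0x1403cd180 GetModuleHandleA
0x1403cd188 GetProcAddress
USER32.dll
0x1403cd198 GetProcessWindowStation
0x1403cd1a0 GetUserObjectInformationW
"""
ENTRY = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")

def parse_iat(text):
    """One (dll, [funcs]) tuple per import descriptor, in listing order."""
    descriptors = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if m is None:                  # a DLL header opens a new descriptor
            descriptors.append((line, []))
        else:                          # IndexError here: entry before any header
            descriptors[-1][1].append(m.group(1))
    return descriptors

INDICATORS = {"dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
              "socket_io": {"recv", "send", "connect", "WSAStartup"},
              "affinity_or_delay": {"SetThreadAffinityMask", "SetProcessAffinityMask", "Sleep"}}

def triage(descriptors):
    """Descriptor/import statistics plus indicator hits for the listing."""
    names = {f for _, fs in descriptors for f in fs}
    per_dll = {}
    for dll, fs in descriptors:
        per_dll[dll.lower()] = per_dll.get(dll.lower(), 0) + len(fs)
    return {"descriptors": len(descriptors),
            "import_entries": sum(per_dll.values()),
            "single_import_descriptors": sum(len(fs) == 1 for _, fs in descriptors),
            "distinct_dlls": len(per_dll), "per_dll": per_dll,
            "hits": {k: sorted(names & v) for k, v in INDICATORS.items() if names & v}}

def imphash(descriptors):
    """pefile-style imphash: lower-case 'lib.func' strings joined by ',' then MD5.
    Assumes a complete listing in on-disk descriptor order and named imports only."""
    parts = []
    for dll, fs in descriptors:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib[:-4]
        parts += [f"{lib}.{f.lower()}" for f in fs]
    return hashlib.md5(",".join(parts).encode()).hexdigest()
```

Call parse_iat(IAT_LISTING), then triage() and imphash() on the result. If the recomputed hash equals the report's imphash, the tool printed the complete import directory in on-disk order and the listing can be used for imphash pivoting; if it does not, the view is partial or reordered and the header value should be trusted over anything derived from the listing. Also keep in mind that several of the trailing imports (GetSystemTimeAsFileTime, GetProcessWindowStation, GetUserObjectInformationW) are typically pulled in by the MSVC CRT start-up and reporting code rather than by the author's own logic, so they carry little signal on their own.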