ScreenShot
| Created | 2023.03.05 14:32 | Machine | s1_win7_x6403 |
| Filename | 1.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 43 detected (Malicious, score, Artemis, Semper, Vls7, Meterpreter, confidence, 100%, Attribute, HighConfidence, a variant of WinGo, Aurora, Coins, Agen, Jmnw, AURORASTEALER, YXDCDZ, Dapato, adom, Sabsik, Casdet, Detected, ai score=85, CLASSIC, susgen, GoAgent) | ||
| md5 | c1e0847bb381373f3206d346cbe36048 | ||
| sha256 | de6a505d15313427ffff2dff04ab85cf7d2d387f3ffa43bce0e4a74beaf110e1 | ||
| ssdeep | 49152:VoXYiVIj11zpXVLuuK/wRPBU0aD5EjN9aLDdIHNm7Gplk1oG:VobypXO7EKLRItmKG | ||
| imphash | 9cbefe68f395e67356e2a5d8d1b285c0 | ||
| impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
| watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
| watch | Collects information on the system (ipconfig |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects the presence of Wine emulator |
| watch | Harvests credentials from local email clients |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (8cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
kernel32.dll
0x706260 WriteFile
0x706268 WriteConsoleW
0x706270 WaitForMultipleObjects
0x706278 WaitForSingleObject
0x706280 VirtualQuery
0x706288 VirtualFree
0x706290 VirtualAlloc
0x706298 SwitchToThread
0x7062a0 SuspendThread
0x7062a8 SetWaitableTimer
0x7062b0 SetUnhandledExceptionFilter
0x7062b8 SetProcessPriorityBoost
0x7062c0 SetEvent
0x7062c8 SetErrorMode
0x7062d0 SetConsoleCtrlHandler
0x7062d8 ResumeThread
0x7062e0 PostQueuedCompletionStatus
0x7062e8 LoadLibraryA
0x7062f0 LoadLibraryW
0x7062f8 SetThreadContext
0x706300 GetThreadContext
0x706308 GetSystemInfo
0x706310 GetSystemDirectoryA
0x706318 GetStdHandle
0x706320 GetQueuedCompletionStatusEx
0x706328 GetProcessAffinityMask
0x706330 GetProcAddress
0x706338 GetEnvironmentStringsW
0x706340 GetConsoleMode
0x706348 FreeEnvironmentStringsW
0x706350 ExitProcess
0x706358 DuplicateHandle
0x706360 CreateWaitableTimerExW
0x706368 CreateThread
0x706370 CreateIoCompletionPort
0x706378 CreateFileA
0x706380 CreateEventA
0x706388 CloseHandle
0x706390 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x706260 WriteFile
0x706268 WriteConsoleW
0x706270 WaitForMultipleObjects
0x706278 WaitForSingleObject
0x706280 VirtualQuery
0x706288 VirtualFree
0x706290 VirtualAlloc
0x706298 SwitchToThread
0x7062a0 SuspendThread
0x7062a8 SetWaitableTimer
0x7062b0 SetUnhandledExceptionFilter
0x7062b8 SetProcessPriorityBoost
0x7062c0 SetEvent
0x7062c8 SetErrorMode
0x7062d0 SetConsoleCtrlHandler
0x7062d8 ResumeThread
0x7062e0 PostQueuedCompletionStatus
0x7062e8 LoadLibraryA
0x7062f0 LoadLibraryW
0x7062f8 SetThreadContext
0x706300 GetThreadContext
0x706308 GetSystemInfo
0x706310 GetSystemDirectoryA
0x706318 GetStdHandle
0x706320 GetQueuedCompletionStatusEx
0x706328 GetProcessAffinityMask
0x706330 GetProcAddress
0x706338 GetEnvironmentStringsW
0x706340 GetConsoleMode
0x706348 FreeEnvironmentStringsW
0x706350 ExitProcess
0x706358 DuplicateHandle
0x706360 CreateWaitableTimerExW
0x706368 CreateThread
0x706370 CreateIoCompletionPort
0x706378 CreateFileA
0x706380 CreateEventA
0x706388 CloseHandle
0x706390 AddVectoredExceptionHandler
EAT(Export Address Table) is none