Field | Value |
---|---|
Created | 2023.03.09 17:41 |
Machine | s1_win7_x6401 |
Filename | dd_64.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 23 detected (malicious, high confidence, score, Artemis, Lazy, V9z8, confidence, 100%, Attribute, HighConfidence, SelfDel, icct, FileRepMalware, Misc, NetLoader, ai score=86, CLOUD, susgen) |
md5 | 9029a43c6034a4f0b3408fd38936beb9 |
sha256 | 91a6e2bae07280209aa0a6cc69e76915326cbf41cef338dbe6fbed040a8bf9f8 |
ssdeep | 6144:YIXxajWVr8qF3YyLaa3uFtEfC8KZohOT1YRHKy:vXxajWl8MYrxtWKZoAqH |
imphash | 57b146c278fb2ac0214007b236451fbd |
impfuzzy | 48:GFrRVEODkBeyZ0vcpVem5toS1CBgqLycLwYsMmE:GFrAseccpVem5toS1CBgpK |
Signature (12cnts)
Level | Description |
---|---|
warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Reads the systems User Agent and subsequently performs requests |
notice | Sends data using the HTTP POST Method |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts)
Suricata IDs
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140041010 LoadLibraryA
0x140041018 GetProcAddress
0x140041020 FreeLibrary
0x140041028 CreateDirectoryW
0x140041030 GetVolumeInformationW
0x140041038 FindFirstFileW
0x140041040 FindNextFileW
0x140041048 ExpandEnvironmentStringsW
0x140041050 GetModuleFileNameW
0x140041058 GetEnvironmentVariableW
0x140041060 CreateMutexW
0x140041068 FindClose
0x140041070 GetFileAttributesW
0x140041078 Sleep
0x140041080 GetLastError
0x140041088 CloseHandle
0x140041090 lstrlenA
0x140041098 GetComputerNameW
0x1400410a0 CreateProcessW
0x1400410a8 CopyFileW
0x1400410b0 lstrcpyW
0x1400410b8 lstrcmpW
0x1400410c0 MultiByteToWideChar
0x1400410c8 ReadFile
0x1400410d0 WriteFile
0x1400410d8 RemoveDirectoryW
0x1400410e0 GetTempPathW
0x1400410e8 CreateFileW
0x1400410f0 DeleteFileW
0x1400410f8 GetFileSize
0x140041100 WideCharToMultiByte
0x140041108 WriteConsoleW
0x140041110 HeapSize
0x140041118 SetEndOfFile
0x140041120 ExitProcess
0x140041128 lstrlenW
0x140041130 GetProcessHeap
0x140041138 SetEnvironmentVariableW
0x140041140 FreeEnvironmentStringsW
0x140041148 GetEnvironmentStringsW
0x140041150 GetCommandLineW
0x140041158 GetCommandLineA
0x140041160 GetOEMCP
0x140041168 GetACP
0x140041170 IsValidCodePage
0x140041178 FindFirstFileExW
0x140041180 ReadConsoleW
0x140041188 SetFilePointerEx
0x140041190 GetFileSizeEx
0x140041198 HeapReAlloc
0x1400411a0 GetConsoleMode
0x1400411a8 GetConsoleOutputCP
0x1400411b0 FlushFileBuffers
0x1400411b8 GetTimeZoneInformation
0x1400411c0 SetStdHandle
0x1400411c8 EnumSystemLocalesW
0x1400411d0 GetUserDefaultLCID
0x1400411d8 IsValidLocale
0x1400411e0 GetLocaleInfoW
0x1400411e8 LCMapStringW
0x1400411f0 CompareStringW
0x1400411f8 HeapFree
0x140041200 GetStringTypeW
0x140041208 EnterCriticalSection
0x140041210 LeaveCriticalSection
0x140041218 InitializeCriticalSectionEx
0x140041220 DeleteCriticalSection
0x140041228 EncodePointer
0x140041230 DecodePointer
0x140041238 LCMapStringEx
0x140041240 GetCPInfo
0x140041248 InitializeCriticalSectionAndSpinCount
0x140041250 SetEvent
0x140041258 ResetEvent
0x140041260 WaitForSingleObjectEx
0x140041268 CreateEventW
0x140041270 GetModuleHandleW
0x140041278 RtlCaptureContext
0x140041280 RtlLookupFunctionEntry
0x140041288 RtlVirtualUnwind
0x140041290 UnhandledExceptionFilter
0x140041298 SetUnhandledExceptionFilter
0x1400412a0 GetCurrentProcess
0x1400412a8 TerminateProcess
0x1400412b0 IsProcessorFeaturePresent
0x1400412b8 IsDebuggerPresent
0x1400412c0 GetStartupInfoW
0x1400412c8 QueryPerformanceCounter
0x1400412d0 GetCurrentProcessId
0x1400412d8 GetCurrentThreadId
0x1400412e0 GetSystemTimeAsFileTime
0x1400412e8 InitializeSListHead
0x1400412f0 RtlUnwindEx
0x1400412f8 RtlPcToFileHeader
0x140041300 RaiseException
0x140041308 SetLastError
0x140041310 TlsAlloc
0x140041318 TlsGetValue
0x140041320 TlsSetValue
0x140041328 TlsFree
0x140041330 LoadLibraryExW
0x140041338 GetFileType
0x140041340 SetFileTime
0x140041348 TzSpecificLocalTimeToSystemTime
0x140041350 SystemTimeToFileTime
0x140041358 GetModuleHandleExW
0x140041360 GetStdHandle
0x140041368 HeapAlloc
USER32.dll
0x1400413c0 wsprintfW
ADVAPI32.dll
0x140041000 GetUserNameW
SHELL32.dll
0x140041378 ShellExecuteW
ole32.dll
0x140041478 StringFromGUID2
WS2_32.dll
0x140041448 socket
0x140041450 bind
0x140041458 inet_addr
0x140041460 listen
0x140041468 closesocket
WININET.dll
0x1400413f0 InternetCloseHandle
0x1400413f8 InternetSetOptionW
0x140041400 InternetReadFile
0x140041408 InternetOpenW
0x140041410 InternetQueryDataAvailable
0x140041418 InternetQueryOptionW
0x140041420 HttpOpenRequestW
0x140041428 InternetConnectW
0x140041430 HttpSendRequestW
0x140041438 InternetCrackUrlW
urlmon.dll
0x140041488 ObtainUserAgentString
VERSION.dll
0x1400413d0 VerQueryValueW
0x1400413d8 GetFileVersionInfoSizeW
0x1400413e0 GetFileVersionInfoW
SHLWAPI.dll
0x140041388 wnsprintfW
0x140041390 StrCmpNIW
0x140041398 StrNCatW
0x1400413a0 PathCombineW
0x1400413a8 wnsprintfA
0x1400413b0 StrCmpNA
EAT (Export Address Table) is none