ScreenShot
| Created | 2023.03.16 07:47 | Machine | s1_win7_x6403 |
| Filename | Ses8712iGR8du | ||
| Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 9 detected (malicious, high confidence, Save, Attribute, HighConfidence, Emotet, susgen) | ||
| md5 | bfc060937dc90b273eccb6825145f298 | ||
| sha256 | 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253 | ||
| ssdeep | 6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt | ||
| imphash | abb9300283e542fb453de5c4c87cd55d | ||
| impfuzzy | 48:H9LtdS1CLBc+ppnT3gQQ5mS5ECnB+F/KA/X09jKJOzi7OaJ:dLtdS1CLBc+ppni+cyJ | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Expresses interest in specific running processes |
| notice | File has been identified by 9 AntiVirus engines on VirusTotal as malicious |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts) ?
Suricata ids
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 1
ET CNC Feodo Tracker Reported CnC Server group 7
ET CNC Feodo Tracker Reported CnC Server group 5
ET CNC Feodo Tracker Reported CnC Server group 8
ET CNC Feodo Tracker Reported CnC Server group 1
ET CNC Feodo Tracker Reported CnC Server group 7
ET CNC Feodo Tracker Reported CnC Server group 5
ET CNC Feodo Tracker Reported CnC Server group 8
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x180016038 SetFilePointerEx
0x180016040 GetConsoleMode
0x180016048 GetConsoleOutputCP
0x180016050 WriteFile
0x180016058 FlushFileBuffers
0x180016060 SetStdHandle
0x180016068 HeapSize
0x180016070 GetStringTypeW
0x180016078 GetFileType
0x180016080 GetStdHandle
0x180016088 GetProcessHeap
0x180016090 CreateFileW
0x180016098 CloseHandle
0x1800160a0 WriteConsoleW
0x1800160a8 ExitProcess
0x1800160b0 HeapReAlloc
0x1800160b8 GetLastError
0x1800160c0 LCMapStringW
0x1800160c8 FlsFree
0x1800160d0 FlsSetValue
0x1800160d8 FlsGetValue
0x1800160e0 FlsAlloc
0x1800160e8 UnhandledExceptionFilter
0x1800160f0 SetUnhandledExceptionFilter
0x1800160f8 GetCurrentProcess
0x180016100 TerminateProcess
0x180016108 IsProcessorFeaturePresent
0x180016110 IsDebuggerPresent
0x180016118 GetStartupInfoW
0x180016120 GetModuleHandleW
0x180016128 QueryPerformanceCounter
0x180016130 GetCurrentProcessId
0x180016138 GetCurrentThreadId
0x180016140 GetSystemTimeAsFileTime
0x180016148 InitializeSListHead
0x180016150 RtlUnwindEx
0x180016158 InterlockedFlushSList
0x180016160 SetLastError
0x180016168 EncodePointer
0x180016170 RaiseException
0x180016178 EnterCriticalSection
0x180016180 LeaveCriticalSection
0x180016188 DeleteCriticalSection
0x180016190 InitializeCriticalSectionAndSpinCount
0x180016198 TlsAlloc
0x1800161a0 TlsGetValue
0x1800161a8 TlsSetValue
0x1800161b0 TlsFree
0x1800161b8 FreeLibrary
0x1800161c0 GetProcAddress
0x1800161c8 LoadLibraryExW
0x1800161d0 RtlPcToFileHeader
0x1800161d8 GetModuleHandleExW
0x1800161e0 GetModuleFileNameW
0x1800161e8 HeapAlloc
0x1800161f0 HeapFree
0x1800161f8 FindClose
0x180016200 FindFirstFileExW
0x180016208 FindNextFileW
0x180016210 IsValidCodePage
0x180016218 GetACP
0x180016220 GetOEMCP
0x180016228 GetCPInfo
0x180016230 GetCommandLineA
0x180016238 GetCommandLineW
0x180016240 MultiByteToWideChar
0x180016248 WideCharToMultiByte
0x180016250 GetEnvironmentStringsW
0x180016258 FreeEnvironmentStringsW
USER32.dll
0x180016268 GetGestureInfo
0x180016270 InvalidateRect
0x180016278 ScreenToClient
0x180016280 CloseGestureInfoHandle
0x180016288 EndPaint
0x180016290 BeginPaint
0x180016298 UpdateWindow
0x1800162a0 PostQuitMessage
0x1800162a8 LoadCursorW
0x1800162b0 GetMessageW
0x1800162b8 DefWindowProcW
0x1800162c0 DestroyWindow
0x1800162c8 CreateWindowExW
0x1800162d0 RegisterClassExW
0x1800162d8 LoadStringW
0x1800162e0 ShowWindow
0x1800162e8 DispatchMessageW
0x1800162f0 SetGestureConfig
0x1800162f8 TranslateAcceleratorW
0x180016300 TranslateMessage
GDI32.dll
0x180016000 Polyline
0x180016008 LineTo
0x180016010 CreatePen
0x180016018 MoveToEx
0x180016020 DeleteObject
0x180016028 SelectObject
ntdll.dll
0x180016310 NtQueueApcThread
0x180016318 ZwOpenSymbolicLinkObject
0x180016320 LdrFindResource_U
0x180016328 NtAllocateVirtualMemory
0x180016330 NtTestAlert
0x180016338 LdrAccessResource
0x180016340 RtlCaptureContext
0x180016348 RtlLookupFunctionEntry
0x180016350 RtlVirtualUnwind
EAT(Export Address Table) Library
0x180010a70 DllRegisterServer
KERNEL32.dll
0x180016038 SetFilePointerEx
0x180016040 GetConsoleMode
0x180016048 GetConsoleOutputCP
0x180016050 WriteFile
0x180016058 FlushFileBuffers
0x180016060 SetStdHandle
0x180016068 HeapSize
0x180016070 GetStringTypeW
0x180016078 GetFileType
0x180016080 GetStdHandle
0x180016088 GetProcessHeap
0x180016090 CreateFileW
0x180016098 CloseHandle
0x1800160a0 WriteConsoleW
0x1800160a8 ExitProcess
0x1800160b0 HeapReAlloc
0x1800160b8 GetLastError
0x1800160c0 LCMapStringW
0x1800160c8 FlsFree
0x1800160d0 FlsSetValue
0x1800160d8 FlsGetValue
0x1800160e0 FlsAlloc
0x1800160e8 UnhandledExceptionFilter
0x1800160f0 SetUnhandledExceptionFilter
0x1800160f8 GetCurrentProcess
0x180016100 TerminateProcess
0x180016108 IsProcessorFeaturePresent
0x180016110 IsDebuggerPresent
0x180016118 GetStartupInfoW
0x180016120 GetModuleHandleW
0x180016128 QueryPerformanceCounter
0x180016130 GetCurrentProcessId
0x180016138 GetCurrentThreadId
0x180016140 GetSystemTimeAsFileTime
0x180016148 InitializeSListHead
0x180016150 RtlUnwindEx
0x180016158 InterlockedFlushSList
0x180016160 SetLastError
0x180016168 EncodePointer
0x180016170 RaiseException
0x180016178 EnterCriticalSection
0x180016180 LeaveCriticalSection
0x180016188 DeleteCriticalSection
0x180016190 InitializeCriticalSectionAndSpinCount
0x180016198 TlsAlloc
0x1800161a0 TlsGetValue
0x1800161a8 TlsSetValue
0x1800161b0 TlsFree
0x1800161b8 FreeLibrary
0x1800161c0 GetProcAddress
0x1800161c8 LoadLibraryExW
0x1800161d0 RtlPcToFileHeader
0x1800161d8 GetModuleHandleExW
0x1800161e0 GetModuleFileNameW
0x1800161e8 HeapAlloc
0x1800161f0 HeapFree
0x1800161f8 FindClose
0x180016200 FindFirstFileExW
0x180016208 FindNextFileW
0x180016210 IsValidCodePage
0x180016218 GetACP
0x180016220 GetOEMCP
0x180016228 GetCPInfo
0x180016230 GetCommandLineA
0x180016238 GetCommandLineW
0x180016240 MultiByteToWideChar
0x180016248 WideCharToMultiByte
0x180016250 GetEnvironmentStringsW
0x180016258 FreeEnvironmentStringsW
USER32.dll
0x180016268 GetGestureInfo
0x180016270 InvalidateRect
0x180016278 ScreenToClient
0x180016280 CloseGestureInfoHandle
0x180016288 EndPaint
0x180016290 BeginPaint
0x180016298 UpdateWindow
0x1800162a0 PostQuitMessage
0x1800162a8 LoadCursorW
0x1800162b0 GetMessageW
0x1800162b8 DefWindowProcW
0x1800162c0 DestroyWindow
0x1800162c8 CreateWindowExW
0x1800162d0 RegisterClassExW
0x1800162d8 LoadStringW
0x1800162e0 ShowWindow
0x1800162e8 DispatchMessageW
0x1800162f0 SetGestureConfig
0x1800162f8 TranslateAcceleratorW
0x180016300 TranslateMessage
GDI32.dll
0x180016000 Polyline
0x180016008 LineTo
0x180016010 CreatePen
0x180016018 MoveToEx
0x180016020 DeleteObject
0x180016028 SelectObject
ntdll.dll
0x180016310 NtQueueApcThread
0x180016318 ZwOpenSymbolicLinkObject
0x180016320 LdrFindResource_U
0x180016328 NtAllocateVirtualMemory
0x180016330 NtTestAlert
0x180016338 LdrAccessResource
0x180016340 RtlCaptureContext
0x180016348 RtlLookupFunctionEntry
0x180016350 RtlVirtualUnwind
EAT(Export Address Table) Library
0x180010a70 DllRegisterServer