ScreenShot
| Created | 2023.03.16 07:59 | Machine | s1_win7_x6403 |
| Filename | PXN5J | ||
| Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 10 detected (malicious, high confidence, score, confidence, 100%, Attribute, HighConfidence, Generic ML PUA, Emotet, susgen) | ||
| md5 | 27c6e6bc4b46148fb4dcc6a6a9346914 | ||
| sha256 | aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7 | ||
| ssdeep | 6144:+TSJ5KqLXrlG1qTSZLJbgrVfpaHbEMbn9lTej0QjUZ:+aKqjgqTQVgjaHfbnOjZUZ | ||
| imphash | abb9300283e542fb453de5c4c87cd55d | ||
| impfuzzy | 48:H9LtdS1CLBc+ppnT3gQQ5mS5ECnB+F/KA/X09jKJOzi7OaJ:dLtdS1CLBc+ppni+cyJ | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Communicates with host for which no DNS query was performed |
| watch | File has been identified by 10 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | Creates a suspicious process |
| notice | Expresses interest in specific running processes |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts) ?
Suricata ids
ET CNC Feodo Tracker Reported CnC Server group 6
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 11
ET CNC Feodo Tracker Reported CnC Server group 8
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 11
ET CNC Feodo Tracker Reported CnC Server group 8
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x180015038 SetFilePointerEx
0x180015040 GetConsoleMode
0x180015048 GetConsoleOutputCP
0x180015050 WriteFile
0x180015058 FlushFileBuffers
0x180015060 SetStdHandle
0x180015068 HeapSize
0x180015070 GetStringTypeW
0x180015078 GetFileType
0x180015080 GetStdHandle
0x180015088 GetProcessHeap
0x180015090 CreateFileW
0x180015098 CloseHandle
0x1800150a0 WriteConsoleW
0x1800150a8 ExitProcess
0x1800150b0 HeapReAlloc
0x1800150b8 GetLastError
0x1800150c0 LCMapStringW
0x1800150c8 FlsFree
0x1800150d0 FlsSetValue
0x1800150d8 FlsGetValue
0x1800150e0 FlsAlloc
0x1800150e8 UnhandledExceptionFilter
0x1800150f0 SetUnhandledExceptionFilter
0x1800150f8 GetCurrentProcess
0x180015100 TerminateProcess
0x180015108 IsProcessorFeaturePresent
0x180015110 IsDebuggerPresent
0x180015118 GetStartupInfoW
0x180015120 GetModuleHandleW
0x180015128 QueryPerformanceCounter
0x180015130 GetCurrentProcessId
0x180015138 GetCurrentThreadId
0x180015140 GetSystemTimeAsFileTime
0x180015148 InitializeSListHead
0x180015150 RtlUnwindEx
0x180015158 InterlockedFlushSList
0x180015160 SetLastError
0x180015168 EncodePointer
0x180015170 RaiseException
0x180015178 EnterCriticalSection
0x180015180 LeaveCriticalSection
0x180015188 DeleteCriticalSection
0x180015190 InitializeCriticalSectionAndSpinCount
0x180015198 TlsAlloc
0x1800151a0 TlsGetValue
0x1800151a8 TlsSetValue
0x1800151b0 TlsFree
0x1800151b8 FreeLibrary
0x1800151c0 GetProcAddress
0x1800151c8 LoadLibraryExW
0x1800151d0 RtlPcToFileHeader
0x1800151d8 GetModuleHandleExW
0x1800151e0 GetModuleFileNameW
0x1800151e8 HeapAlloc
0x1800151f0 HeapFree
0x1800151f8 FindClose
0x180015200 FindFirstFileExW
0x180015208 FindNextFileW
0x180015210 IsValidCodePage
0x180015218 GetACP
0x180015220 GetOEMCP
0x180015228 GetCPInfo
0x180015230 GetCommandLineA
0x180015238 GetCommandLineW
0x180015240 MultiByteToWideChar
0x180015248 WideCharToMultiByte
0x180015250 GetEnvironmentStringsW
0x180015258 FreeEnvironmentStringsW
USER32.dll
0x180015268 GetGestureInfo
0x180015270 InvalidateRect
0x180015278 ScreenToClient
0x180015280 CloseGestureInfoHandle
0x180015288 EndPaint
0x180015290 BeginPaint
0x180015298 UpdateWindow
0x1800152a0 PostQuitMessage
0x1800152a8 LoadCursorW
0x1800152b0 GetMessageW
0x1800152b8 DefWindowProcW
0x1800152c0 DestroyWindow
0x1800152c8 CreateWindowExW
0x1800152d0 RegisterClassExW
0x1800152d8 LoadStringW
0x1800152e0 ShowWindow
0x1800152e8 DispatchMessageW
0x1800152f0 SetGestureConfig
0x1800152f8 TranslateAcceleratorW
0x180015300 TranslateMessage
GDI32.dll
0x180015000 Polyline
0x180015008 LineTo
0x180015010 CreatePen
0x180015018 MoveToEx
0x180015020 DeleteObject
0x180015028 SelectObject
ntdll.dll
0x180015310 NtQueueApcThread
0x180015318 ZwOpenSymbolicLinkObject
0x180015320 LdrFindResource_U
0x180015328 NtAllocateVirtualMemory
0x180015330 NtTestAlert
0x180015338 LdrAccessResource
0x180015340 RtlCaptureContext
0x180015348 RtlLookupFunctionEntry
0x180015350 RtlVirtualUnwind
EAT(Export Address Table) Library
0x180005540 DllRegisterServer
KERNEL32.dll
0x180015038 SetFilePointerEx
0x180015040 GetConsoleMode
0x180015048 GetConsoleOutputCP
0x180015050 WriteFile
0x180015058 FlushFileBuffers
0x180015060 SetStdHandle
0x180015068 HeapSize
0x180015070 GetStringTypeW
0x180015078 GetFileType
0x180015080 GetStdHandle
0x180015088 GetProcessHeap
0x180015090 CreateFileW
0x180015098 CloseHandle
0x1800150a0 WriteConsoleW
0x1800150a8 ExitProcess
0x1800150b0 HeapReAlloc
0x1800150b8 GetLastError
0x1800150c0 LCMapStringW
0x1800150c8 FlsFree
0x1800150d0 FlsSetValue
0x1800150d8 FlsGetValue
0x1800150e0 FlsAlloc
0x1800150e8 UnhandledExceptionFilter
0x1800150f0 SetUnhandledExceptionFilter
0x1800150f8 GetCurrentProcess
0x180015100 TerminateProcess
0x180015108 IsProcessorFeaturePresent
0x180015110 IsDebuggerPresent
0x180015118 GetStartupInfoW
0x180015120 GetModuleHandleW
0x180015128 QueryPerformanceCounter
0x180015130 GetCurrentProcessId
0x180015138 GetCurrentThreadId
0x180015140 GetSystemTimeAsFileTime
0x180015148 InitializeSListHead
0x180015150 RtlUnwindEx
0x180015158 InterlockedFlushSList
0x180015160 SetLastError
0x180015168 EncodePointer
0x180015170 RaiseException
0x180015178 EnterCriticalSection
0x180015180 LeaveCriticalSection
0x180015188 DeleteCriticalSection
0x180015190 InitializeCriticalSectionAndSpinCount
0x180015198 TlsAlloc
0x1800151a0 TlsGetValue
0x1800151a8 TlsSetValue
0x1800151b0 TlsFree
0x1800151b8 FreeLibrary
0x1800151c0 GetProcAddress
0x1800151c8 LoadLibraryExW
0x1800151d0 RtlPcToFileHeader
0x1800151d8 GetModuleHandleExW
0x1800151e0 GetModuleFileNameW
0x1800151e8 HeapAlloc
0x1800151f0 HeapFree
0x1800151f8 FindClose
0x180015200 FindFirstFileExW
0x180015208 FindNextFileW
0x180015210 IsValidCodePage
0x180015218 GetACP
0x180015220 GetOEMCP
0x180015228 GetCPInfo
0x180015230 GetCommandLineA
0x180015238 GetCommandLineW
0x180015240 MultiByteToWideChar
0x180015248 WideCharToMultiByte
0x180015250 GetEnvironmentStringsW
0x180015258 FreeEnvironmentStringsW
USER32.dll
0x180015268 GetGestureInfo
0x180015270 InvalidateRect
0x180015278 ScreenToClient
0x180015280 CloseGestureInfoHandle
0x180015288 EndPaint
0x180015290 BeginPaint
0x180015298 UpdateWindow
0x1800152a0 PostQuitMessage
0x1800152a8 LoadCursorW
0x1800152b0 GetMessageW
0x1800152b8 DefWindowProcW
0x1800152c0 DestroyWindow
0x1800152c8 CreateWindowExW
0x1800152d0 RegisterClassExW
0x1800152d8 LoadStringW
0x1800152e0 ShowWindow
0x1800152e8 DispatchMessageW
0x1800152f0 SetGestureConfig
0x1800152f8 TranslateAcceleratorW
0x180015300 TranslateMessage
GDI32.dll
0x180015000 Polyline
0x180015008 LineTo
0x180015010 CreatePen
0x180015018 MoveToEx
0x180015020 DeleteObject
0x180015028 SelectObject
ntdll.dll
0x180015310 NtQueueApcThread
0x180015318 ZwOpenSymbolicLinkObject
0x180015320 LdrFindResource_U
0x180015328 NtAllocateVirtualMemory
0x180015330 NtTestAlert
0x180015338 LdrAccessResource
0x180015340 RtlCaptureContext
0x180015348 RtlLookupFunctionEntry
0x180015350 RtlVirtualUnwind
EAT(Export Address Table) Library
0x180005540 DllRegisterServer