Report - handdiy_4.exe

AgentTesla Gen2 Trojan_PWS_Stealer browser info stealer Credential User Data Generic Malware Google Chrome Downloader UPX Malicious Library SQLite Cookie Malicious Packer Create Service DGA Socket ScreenShot DNS BitCoin Internet API Code injecti
ScreenShot
Created 2023.03.22 10:28 Machine s1_win7_x6401
Filename handdiy_4.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
4
Behavior Score
11.6
ZERO API file : malware
VT API (file) 57 detected (ZomcoLwocqeN, FBStealer, malicious, high confidence, Lazy, Fragtor, Socelars, Save, RedLineStealer, confidence, 100%, ZexaF, CD0@aK8zQBdj, PSWStealer, ABRisk, LTUP, Attribute, HighConfidence, score, PWSX, Gencirc, Generic ML PUA, Siggen19, R002C0DCL23, high, Static AI, Suspicious PE, AGEN, Detected, Artemis, ai score=83, BScope, Agentb, unsafe, FBAdsCard, CLASSIC, LWiA6, o4emo, susgen, Genetic)
md5 802e1974c79084d3b80ce713a54929aa
sha256 6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8
ssdeep 24576:UGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRTg5hoS6S:fpEUIvU0N9jkpjweXt7785GjS
imphash b1e867ef87efb215fbaa4877aa8fac3e
impfuzzy 96:9XTXfp4sM0Otz0LEsQJcGtp43ta73grmxOP:5G2GEta7Qb
  Network IP location

Signature (28cnts)

Level Description
danger File has been identified by 57 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic)
watch One or more non-whitelisted processes were created
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Executes one or more WMI queries
notice Foreign language identified in PE resource
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Queries for potentially installed applications
notice Resolves a suspicious Top Level Domain (TLD)
notice Steals private information from local Internet browsers
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info Tries to locate where the browsers are installed

Rules (50cnts)

Level Name Description Collection
danger Trojan_PWS_Stealer_1_Zero Trojan.PWS.Stealer Zero binaries (upload)
warning Credential_User_Data_Check_Zero Credential User Data Check binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning infoStealer_browser_Zero browser info stealer memory
watch Chrome_User_Data_Check_Zero Google Chrome User Data Check memory
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch Network_Downloader File Downloader memory
watch SQLite_cookies_Check_Zero SQLite Cookie Check... select binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
notice BitCoin Perform crypto currency mining memory
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice Persistence Install itself for autorun at Windows startup memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info Virtual_currency_Zero Virtual currency memory
info vmdetect Possibly employs anti-virtualization techniques memory
info win_hook Affect hook table memory
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)
info Win_Trojan_agentTesla_Zero Win.Trojan.agentTesla memory

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://www.ippfinfo.top/ DE Inline Internet Online Dienste GmbH 178.18.252.110 clean
iplogger.org DE Hetzner Online GmbH 148.251.234.83 mailcious
www.ippfinfo.top DE Inline Internet Online Dienste GmbH 178.18.252.110 clean
148.251.234.83 DE Hetzner Online GmbH 148.251.234.83 clean
178.18.252.110 DE Inline Internet Online Dienste GmbH 178.18.252.110 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x52c050 GetComputerNameW
 0x52c054 GetModuleFileNameA
 0x52c058 GetCurrentProcessId
 0x52c05c OpenProcess
 0x52c060 GetModuleFileNameW
 0x52c064 SetLastError
 0x52c068 WaitForSingleObject
 0x52c06c CreateEventW
 0x52c070 FreeLibrary
 0x52c074 WinExec
 0x52c078 GetPrivateProfileStringW
 0x52c07c CopyFileW
 0x52c080 SetStdHandle
 0x52c084 SetEnvironmentVariableW
 0x52c088 FreeEnvironmentStringsW
 0x52c08c GetEnvironmentStringsW
 0x52c090 GetOEMCP
 0x52c094 LocalFree
 0x52c098 LocalAlloc
 0x52c09c LoadResource
 0x52c0a0 FindResourceW
 0x52c0a4 SizeofResource
 0x52c0a8 LockResource
 0x52c0ac GetTickCount
 0x52c0b0 GetCurrentThread
 0x52c0b4 Sleep
 0x52c0b8 GetProcessHeap
 0x52c0bc HeapAlloc
 0x52c0c0 GetLastError
 0x52c0c4 GetTempPathA
 0x52c0c8 SetCurrentDirectoryW
 0x52c0cc GetShortPathNameA
 0x52c0d0 LoadLibraryW
 0x52c0d4 GetProcAddress
 0x52c0d8 WideCharToMultiByte
 0x52c0dc MultiByteToWideChar
 0x52c0e0 SystemTimeToFileTime
 0x52c0e4 DosDateTimeToFileTime
 0x52c0e8 GetCurrentProcess
 0x52c0ec DuplicateHandle
 0x52c0f0 CloseHandle
 0x52c0f4 WriteFile
 0x52c0f8 SetFileTime
 0x52c0fc SetFilePointer
 0x52c100 ReadFile
 0x52c104 GetFileType
 0x52c108 CreateFileW
 0x52c10c CreateDirectoryW
 0x52c110 TerminateProcess
 0x52c114 GetCurrentDirectoryW
 0x52c118 GetACP
 0x52c11c IsValidCodePage
 0x52c120 FindNextFileW
 0x52c124 FindFirstFileExW
 0x52c128 FindClose
 0x52c12c GetTimeZoneInformation
 0x52c130 GetFileSizeEx
 0x52c134 GetConsoleOutputCP
 0x52c138 SetFilePointerEx
 0x52c13c ReadConsoleW
 0x52c140 GetConsoleMode
 0x52c144 EnumSystemLocalesW
 0x52c148 GetUserDefaultLCID
 0x52c14c IsValidLocale
 0x52c150 GetLocaleInfoW
 0x52c154 LCMapStringW
 0x52c158 CompareStringW
 0x52c15c GetCommandLineW
 0x52c160 GetCommandLineA
 0x52c164 GetStdHandle
 0x52c168 ExitProcess
 0x52c16c GetModuleHandleExW
 0x52c170 FreeLibraryAndExitThread
 0x52c174 ExitThread
 0x52c178 CreateThread
 0x52c17c LoadLibraryExW
 0x52c180 TlsFree
 0x52c184 TlsSetValue
 0x52c188 TlsGetValue
 0x52c18c TlsAlloc
 0x52c190 RtlUnwind
 0x52c194 RaiseException
 0x52c198 GetStringTypeW
 0x52c19c GetCPInfo
 0x52c1a0 WriteConsoleW
 0x52c1a4 CompareStringEx
 0x52c1a8 LCMapStringEx
 0x52c1ac DecodePointer
 0x52c1b0 EncodePointer
 0x52c1b4 InitializeCriticalSectionEx
 0x52c1b8 InitializeSListHead
 0x52c1bc GetStartupInfoW
 0x52c1c0 IsDebuggerPresent
 0x52c1c4 GetModuleHandleW
 0x52c1c8 ResetEvent
 0x52c1cc SetEvent
 0x52c1d0 InitializeCriticalSectionAndSpinCount
 0x52c1d4 IsProcessorFeaturePresent
 0x52c1d8 SetUnhandledExceptionFilter
 0x52c1dc UnhandledExceptionFilter
 0x52c1e0 FlushFileBuffers
 0x52c1e4 QueryPerformanceCounter
 0x52c1e8 MapViewOfFile
 0x52c1ec CreateFileMappingW
 0x52c1f0 AreFileApisANSI
 0x52c1f4 TryEnterCriticalSection
 0x52c1f8 HeapCreate
 0x52c1fc HeapFree
 0x52c200 EnterCriticalSection
 0x52c204 GetFullPathNameW
 0x52c208 GetDiskFreeSpaceW
 0x52c20c OutputDebugStringA
 0x52c210 LockFile
 0x52c214 LeaveCriticalSection
 0x52c218 InitializeCriticalSection
 0x52c21c GetFullPathNameA
 0x52c220 SetEndOfFile
 0x52c224 UnlockFileEx
 0x52c228 GetTempPathW
 0x52c22c CreateMutexW
 0x52c230 GetFileAttributesW
 0x52c234 GetCurrentThreadId
 0x52c238 UnmapViewOfFile
 0x52c23c HeapValidate
 0x52c240 HeapSize
 0x52c244 FormatMessageW
 0x52c248 GetDiskFreeSpaceA
 0x52c24c GetFileAttributesA
 0x52c250 GetFileAttributesExW
 0x52c254 OutputDebugStringW
 0x52c258 FlushViewOfFile
 0x52c25c CreateFileA
 0x52c260 LoadLibraryA
 0x52c264 WaitForSingleObjectEx
 0x52c268 DeleteFileA
 0x52c26c DeleteFileW
 0x52c270 HeapReAlloc
 0x52c274 GetSystemInfo
 0x52c278 HeapCompact
 0x52c27c HeapDestroy
 0x52c280 UnlockFile
 0x52c284 LockFileEx
 0x52c288 GetFileSize
 0x52c28c DeleteCriticalSection
 0x52c290 GetSystemTimeAsFileTime
 0x52c294 GetSystemTime
 0x52c298 FormatMessageA
ADVAPI32.dll
 0x52c000 LookupPrivilegeValueW
 0x52c004 AdjustTokenPrivileges
 0x52c008 LookupAccountNameW
 0x52c00c SetSecurityDescriptorOwner
 0x52c010 SetSecurityDescriptorGroup
 0x52c014 SetSecurityDescriptorDacl
 0x52c018 IsValidSecurityDescriptor
 0x52c01c InitializeSecurityDescriptor
 0x52c020 InitializeAcl
 0x52c024 GetTokenInformation
 0x52c028 GetLengthSid
 0x52c02c FreeSid
 0x52c030 EqualSid
 0x52c034 DuplicateToken
 0x52c038 AllocateAndInitializeSid
 0x52c03c AddAccessAllowedAce
 0x52c040 AccessCheck
 0x52c044 OpenThreadToken
 0x52c048 OpenProcessToken
SHELL32.dll
 0x52c2a8 ShellExecuteExA
ole32.dll
 0x52c2fc CoInitializeEx
 0x52c300 CoGetObject
 0x52c304 CoUninitialize
WININET.dll
 0x52c2b0 InternetGetCookieExA
NETAPI32.dll
 0x52c2a0 Netbios
ntdll.dll
 0x52c2b8 RtlInitUnicodeString
 0x52c2bc NtFreeVirtualMemory
 0x52c2c0 LdrEnumerateLoadedModules
 0x52c2c4 RtlEqualUnicodeString
 0x52c2c8 RtlAcquirePebLock
 0x52c2cc NtAllocateVirtualMemory
 0x52c2d0 RtlReleasePebLock
 0x52c2d4 RtlNtStatusToDosError
 0x52c2d8 RtlCreateHeap
 0x52c2dc RtlDestroyHeap
 0x52c2e0 RtlAllocateHeap
 0x52c2e4 RtlFreeHeap
 0x52c2e8 NtClose
 0x52c2ec NtOpenKey
 0x52c2f0 NtEnumerateValueKey
 0x52c2f4 NtQueryValueKey

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure