ScreenShot
| Created | 2023.03.23 18:45 | Machine | s1_win7_x6403 |
| Filename | ss47.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 17 detected (GenericKDZ, FileRepMalware, Misc, Sabsik, Wacapew, Detected, Artemis, ai score=82, CLOUD) | ||
| md5 | 44d59cf2b7e4700b703e95eaa7fdbdc7 | ||
| sha256 | 43e4574bbe757104766b7299c8ebf76026f0932b079e6a0ecd4325f6c0ddb36f | ||
| ssdeep | 24576:6yE8JiMHd/BieyIMZR9ejI21FiWOnoxkNMu4dXxbfat6Z:kCiMHtBiez+Rb21FiWOnoxkNMu4dX9aE | ||
| imphash | ca4024c0e7ca045d1b257058baf9658b | ||
| impfuzzy | 96:udFssstDqF01DuRvOzm2yBMkaersm1VKcpek4KhlBgPnar:udFsttuaDGserJhSar | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| watch | Attempts to create or modify system certificates |
| watch | File has been identified by 17 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Collects information to fingerprint the system (MachineGuid |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (11cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Double User-Agent (User-Agent User-Agent)
ET HUNTING Double User-Agent (User-Agent User-Agent)
PE API
IAT(Import Address Table) Library
POWRPROF.dll
0x140095500 CallNtPowerInformation
USER32.dll
0x140095510 RegisterClassW
0x140095518 GetMessageW
0x140095520 TranslateMessage
0x140095528 DispatchMessageW
0x140095530 PostMessageW
0x140095538 DefWindowProcW
0x140095540 GetWindowLongPtrW
0x140095548 UnregisterClassW
0x140095550 CreateWindowExW
0x140095558 DestroyWindow
0x140095560 SetWindowLongPtrW
VERSION.dll
0x140095570 GetFileVersionInfoSizeW
0x140095578 VerQueryValueW
0x140095580 GetFileVersionInfoW
WINHTTP.dll
0x140095590 WinHttpWriteData
0x140095598 WinHttpCrackUrl
0x1400955a0 WinHttpOpen
0x1400955a8 WinHttpCloseHandle
0x1400955b0 WinHttpConnect
0x1400955b8 WinHttpReadData
0x1400955c0 WinHttpQueryHeaders
0x1400955c8 WinHttpSetTimeouts
0x1400955d0 WinHttpOpenRequest
0x1400955d8 WinHttpAddRequestHeaders
0x1400955e0 WinHttpSendRequest
0x1400955e8 WinHttpReceiveResponse
ADVAPI32.dll
0x140095000 SystemFunction036
0x140095008 ConvertStringSecurityDescriptorToSecurityDescriptorW
0x140095010 BuildExplicitAccessWithNameW
0x140095018 BuildSecurityDescriptorW
0x140095020 RevertToSelf
0x140095028 ImpersonateNamedPipeClient
0x140095030 RegQueryValueExW
0x140095038 RegQueryValueExA
0x140095040 RegOpenKeyExW
0x140095048 RegCloseKey
KERNEL32.dll
0x140095058 GetFileTime
0x140095060 CreateProcessW
0x140095068 Sleep
0x140095070 SleepEx
0x140095078 RemoveDirectoryW
0x140095080 DeleteFileW
0x140095088 CreateDirectoryW
0x140095090 WriteConsoleW
0x140095098 GetProcessHeap
0x1400950a0 SetStdHandle
0x1400950a8 SetEnvironmentVariableW
0x1400950b0 FreeEnvironmentStringsW
0x1400950b8 GetEnvironmentStringsW
0x1400950c0 GetOEMCP
0x1400950c8 InitializeCriticalSection
0x1400950d0 GetDriveTypeW
0x1400950d8 GetFileInformationByHandle
0x1400950e0 PeekNamedPipe
0x1400950e8 SystemTimeToTzSpecificLocalTime
0x1400950f0 FileTimeToSystemTime
0x1400950f8 GetCurrentDirectoryW
0x140095100 GetFileAttributesW
0x140095108 WriteFile
0x140095110 SetUnhandledExceptionFilter
0x140095118 SetProcessShutdownParameters
0x140095120 SetConsoleCtrlHandler
0x140095128 GetProcessTimes
0x140095130 SuspendThread
0x140095138 ResumeThread
0x140095140 GetProcessId
0x140095148 GetThreadContext
0x140095150 Wow64GetThreadContext
0x140095158 VerSetConditionMask
0x140095160 IsProcessorFeaturePresent
0x140095168 GetSystemInfo
0x140095170 VerifyVersionInfoW
0x140095178 GetTimeZoneInformation
0x140095180 GetThreadLocale
0x140095188 GetSystemDefaultLCID
0x140095190 GetUserDefaultLCID
0x140095198 GetModuleFileNameW
0x1400951a0 DuplicateHandle
0x1400951a8 GetLastError
0x1400951b0 ConnectNamedPipe
0x1400951b8 DisconnectNamedPipe
0x1400951c0 CreateIoCompletionPort
0x1400951c8 GetQueuedCompletionStatus
0x1400951d0 PostQueuedCompletionStatus
0x1400951d8 SetEvent
0x1400951e0 WaitForSingleObject
0x1400951e8 CreateEventW
0x1400951f0 GetCurrentProcess
0x1400951f8 TerminateProcess
0x140095200 CreateThread
0x140095208 OpenProcess
0x140095210 UnregisterWaitEx
0x140095218 RegisterWaitForSingleObject
0x140095220 GetFileInformationByHandleEx
0x140095228 SetLastError
0x140095230 IsWow64Process
0x140095238 GetModuleHandleW
0x140095240 FormatMessageA
0x140095248 VirtualQueryEx
0x140095250 ReadProcessMemory
0x140095258 GetSystemTimeAsFileTime
0x140095260 FindClose
0x140095268 CloseHandle
0x140095270 GetProcAddress
0x140095278 LoadLibraryW
0x140095280 CreateFileW
0x140095288 SetNamedPipeHandleState
0x140095290 TransactNamedPipe
0x140095298 CreateNamedPipeW
0x1400952a0 WaitNamedPipeW
0x1400952a8 GetVersion
0x1400952b0 ReleaseSemaphore
0x1400952b8 CreateSemaphoreW
0x1400952c0 GetStdHandle
0x1400952c8 GetFileSizeEx
0x1400952d0 GetFileType
0x1400952d8 LockFileEx
0x1400952e0 ReadFile
0x1400952e8 SetEndOfFile
0x1400952f0 SetFilePointerEx
0x1400952f8 UnlockFileEx
0x140095300 GetFullPathNameW
0x140095308 LocalFree
0x140095310 OutputDebugStringW
0x140095318 GetCurrentProcessId
0x140095320 GetCurrentThreadId
0x140095328 GetLocalTime
0x140095330 FormatMessageW
0x140095338 EnterCriticalSection
0x140095340 LeaveCriticalSection
0x140095348 InitializeCriticalSectionAndSpinCount
0x140095350 DeleteCriticalSection
0x140095358 GetACP
0x140095360 WideCharToMultiByte
0x140095368 InitializeCriticalSectionEx
0x140095370 EncodePointer
0x140095378 DecodePointer
0x140095380 MultiByteToWideChar
0x140095388 LCMapStringEx
0x140095390 GetStringTypeW
0x140095398 GetCPInfo
0x1400953a0 ResetEvent
0x1400953a8 WaitForSingleObjectEx
0x1400953b0 RtlCaptureContext
0x1400953b8 RtlLookupFunctionEntry
0x1400953c0 RtlVirtualUnwind
0x1400953c8 UnhandledExceptionFilter
0x1400953d0 QueryPerformanceCounter
0x1400953d8 InitializeSListHead
0x1400953e0 IsDebuggerPresent
0x1400953e8 GetStartupInfoW
0x1400953f0 RtlUnwindEx
0x1400953f8 RtlPcToFileHeader
0x140095400 RaiseException
0x140095408 TlsAlloc
0x140095410 TlsGetValue
0x140095418 TlsSetValue
0x140095420 TlsFree
0x140095428 FreeLibrary
0x140095430 LoadLibraryExW
0x140095438 RtlUnwind
0x140095440 GetCommandLineA
0x140095448 GetCommandLineW
0x140095450 ExitProcess
0x140095458 GetModuleHandleExW
0x140095460 HeapAlloc
0x140095468 HeapFree
0x140095470 FlsAlloc
0x140095478 FlsGetValue
0x140095480 FlsSetValue
0x140095488 FlsFree
0x140095490 CompareStringW
0x140095498 LCMapStringW
0x1400954a0 GetLocaleInfoW
0x1400954a8 IsValidLocale
0x1400954b0 EnumSystemLocalesW
0x1400954b8 HeapReAlloc
0x1400954c0 HeapSize
0x1400954c8 FlushFileBuffers
0x1400954d0 GetConsoleOutputCP
0x1400954d8 GetConsoleMode
0x1400954e0 FindFirstFileExW
0x1400954e8 FindNextFileW
0x1400954f0 IsValidCodePage
EAT(Export Address Table) is none
POWRPROF.dll
0x140095500 CallNtPowerInformation
USER32.dll
0x140095510 RegisterClassW
0x140095518 GetMessageW
0x140095520 TranslateMessage
0x140095528 DispatchMessageW
0x140095530 PostMessageW
0x140095538 DefWindowProcW
0x140095540 GetWindowLongPtrW
0x140095548 UnregisterClassW
0x140095550 CreateWindowExW
0x140095558 DestroyWindow
0x140095560 SetWindowLongPtrW
VERSION.dll
0x140095570 GetFileVersionInfoSizeW
0x140095578 VerQueryValueW
0x140095580 GetFileVersionInfoW
WINHTTP.dll
0x140095590 WinHttpWriteData
0x140095598 WinHttpCrackUrl
0x1400955a0 WinHttpOpen
0x1400955a8 WinHttpCloseHandle
0x1400955b0 WinHttpConnect
0x1400955b8 WinHttpReadData
0x1400955c0 WinHttpQueryHeaders
0x1400955c8 WinHttpSetTimeouts
0x1400955d0 WinHttpOpenRequest
0x1400955d8 WinHttpAddRequestHeaders
0x1400955e0 WinHttpSendRequest
0x1400955e8 WinHttpReceiveResponse
ADVAPI32.dll
0x140095000 SystemFunction036
0x140095008 ConvertStringSecurityDescriptorToSecurityDescriptorW
0x140095010 BuildExplicitAccessWithNameW
0x140095018 BuildSecurityDescriptorW
0x140095020 RevertToSelf
0x140095028 ImpersonateNamedPipeClient
0x140095030 RegQueryValueExW
0x140095038 RegQueryValueExA
0x140095040 RegOpenKeyExW
0x140095048 RegCloseKey
KERNEL32.dll
0x140095058 GetFileTime
0x140095060 CreateProcessW
0x140095068 Sleep
0x140095070 SleepEx
0x140095078 RemoveDirectoryW
0x140095080 DeleteFileW
0x140095088 CreateDirectoryW
0x140095090 WriteConsoleW
0x140095098 GetProcessHeap
0x1400950a0 SetStdHandle
0x1400950a8 SetEnvironmentVariableW
0x1400950b0 FreeEnvironmentStringsW
0x1400950b8 GetEnvironmentStringsW
0x1400950c0 GetOEMCP
0x1400950c8 InitializeCriticalSection
0x1400950d0 GetDriveTypeW
0x1400950d8 GetFileInformationByHandle
0x1400950e0 PeekNamedPipe
0x1400950e8 SystemTimeToTzSpecificLocalTime
0x1400950f0 FileTimeToSystemTime
0x1400950f8 GetCurrentDirectoryW
0x140095100 GetFileAttributesW
0x140095108 WriteFile
0x140095110 SetUnhandledExceptionFilter
0x140095118 SetProcessShutdownParameters
0x140095120 SetConsoleCtrlHandler
0x140095128 GetProcessTimes
0x140095130 SuspendThread
0x140095138 ResumeThread
0x140095140 GetProcessId
0x140095148 GetThreadContext
0x140095150 Wow64GetThreadContext
0x140095158 VerSetConditionMask
0x140095160 IsProcessorFeaturePresent
0x140095168 GetSystemInfo
0x140095170 VerifyVersionInfoW
0x140095178 GetTimeZoneInformation
0x140095180 GetThreadLocale
0x140095188 GetSystemDefaultLCID
0x140095190 GetUserDefaultLCID
0x140095198 GetModuleFileNameW
0x1400951a0 DuplicateHandle
0x1400951a8 GetLastError
0x1400951b0 ConnectNamedPipe
0x1400951b8 DisconnectNamedPipe
0x1400951c0 CreateIoCompletionPort
0x1400951c8 GetQueuedCompletionStatus
0x1400951d0 PostQueuedCompletionStatus
0x1400951d8 SetEvent
0x1400951e0 WaitForSingleObject
0x1400951e8 CreateEventW
0x1400951f0 GetCurrentProcess
0x1400951f8 TerminateProcess
0x140095200 CreateThread
0x140095208 OpenProcess
0x140095210 UnregisterWaitEx
0x140095218 RegisterWaitForSingleObject
0x140095220 GetFileInformationByHandleEx
0x140095228 SetLastError
0x140095230 IsWow64Process
0x140095238 GetModuleHandleW
0x140095240 FormatMessageA
0x140095248 VirtualQueryEx
0x140095250 ReadProcessMemory
0x140095258 GetSystemTimeAsFileTime
0x140095260 FindClose
0x140095268 CloseHandle
0x140095270 GetProcAddress
0x140095278 LoadLibraryW
0x140095280 CreateFileW
0x140095288 SetNamedPipeHandleState
0x140095290 TransactNamedPipe
0x140095298 CreateNamedPipeW
0x1400952a0 WaitNamedPipeW
0x1400952a8 GetVersion
0x1400952b0 ReleaseSemaphore
0x1400952b8 CreateSemaphoreW
0x1400952c0 GetStdHandle
0x1400952c8 GetFileSizeEx
0x1400952d0 GetFileType
0x1400952d8 LockFileEx
0x1400952e0 ReadFile
0x1400952e8 SetEndOfFile
0x1400952f0 SetFilePointerEx
0x1400952f8 UnlockFileEx
0x140095300 GetFullPathNameW
0x140095308 LocalFree
0x140095310 OutputDebugStringW
0x140095318 GetCurrentProcessId
0x140095320 GetCurrentThreadId
0x140095328 GetLocalTime
0x140095330 FormatMessageW
0x140095338 EnterCriticalSection
0x140095340 LeaveCriticalSection
0x140095348 InitializeCriticalSectionAndSpinCount
0x140095350 DeleteCriticalSection
0x140095358 GetACP
0x140095360 WideCharToMultiByte
0x140095368 InitializeCriticalSectionEx
0x140095370 EncodePointer
0x140095378 DecodePointer
0x140095380 MultiByteToWideChar
0x140095388 LCMapStringEx
0x140095390 GetStringTypeW
0x140095398 GetCPInfo
0x1400953a0 ResetEvent
0x1400953a8 WaitForSingleObjectEx
0x1400953b0 RtlCaptureContext
0x1400953b8 RtlLookupFunctionEntry
0x1400953c0 RtlVirtualUnwind
0x1400953c8 UnhandledExceptionFilter
0x1400953d0 QueryPerformanceCounter
0x1400953d8 InitializeSListHead
0x1400953e0 IsDebuggerPresent
0x1400953e8 GetStartupInfoW
0x1400953f0 RtlUnwindEx
0x1400953f8 RtlPcToFileHeader
0x140095400 RaiseException
0x140095408 TlsAlloc
0x140095410 TlsGetValue
0x140095418 TlsSetValue
0x140095420 TlsFree
0x140095428 FreeLibrary
0x140095430 LoadLibraryExW
0x140095438 RtlUnwind
0x140095440 GetCommandLineA
0x140095448 GetCommandLineW
0x140095450 ExitProcess
0x140095458 GetModuleHandleExW
0x140095460 HeapAlloc
0x140095468 HeapFree
0x140095470 FlsAlloc
0x140095478 FlsGetValue
0x140095480 FlsSetValue
0x140095488 FlsFree
0x140095490 CompareStringW
0x140095498 LCMapStringW
0x1400954a0 GetLocaleInfoW
0x1400954a8 IsValidLocale
0x1400954b0 EnumSystemLocalesW
0x1400954b8 HeapReAlloc
0x1400954c0 HeapSize
0x1400954c8 FlushFileBuffers
0x1400954d0 GetConsoleOutputCP
0x1400954d8 GetConsoleMode
0x1400954e0 FindFirstFileExW
0x1400954e8 FindNextFileW
0x1400954f0 IsValidCodePage
EAT(Export Address Table) is none