Created | 2023.03.30 16:38 | Machine | s1_win7_x6401
Filename | white.exe
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score |
Behavior Score |
ZERO API | file : clean
VT API (file) | 7 detected (malicious, moderate confidence, ZexaF, PM2@a4wjBpYT, PWSX, unsafe, Generic@AI, RDMK, cmRtazp8kFRH1+FdnJmqJuRi+P6O)
md5 | 89a133e7158e8bb6e2614a7c9bd7ff5d
sha256 | b974225598477c7a4692e46cb12da74272a55f762f4e4b2539ce43ea5d502b61
ssdeep | 24576:IBHp0AVAyuFvrOaq7Dk17o3SFGAcRbNft7+xElgjRcDJLX2FmI7oyO:IBHSQkFSDk1E+GtJNft7WjjRcVLT
imphash | 4f49b28f7be60d11310d563049d6e2ee
impfuzzy | 48:lAofCCaFc5JOgXlhNOqdQGhETS5o30QlJEkJZZe:uofCCec5gil3OqdQIIEgZE
Signature (18cnts)
Level | Description |
---|---|
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process white.exe |
notice | Creates executable files on the filesystem |
notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | NPKI_Zero | File included NPKI | binaries (upload) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts)
Suricata ids
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
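The "Communicates with host for which no DNS query was performed" signature and the "ET INFO Dotted Quad Host DLL Request" alert above come down to the same correlation: join the HTTP requests in the capture against the DNS answers seen earlier in the same capture, and flag destinations that were never resolved by name or that carry a bare IP literal in the Host header. The Python below is an added illustration of that logic, not the sandbox's or Suricata's code; the DNS and HTTP records in it are constructed (RFC 5737 documentation addresses and example.* names) and are not the sample's real traffic, which the page does not list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sandbox-style records (illustrative; not the sample's real traffic).
# Timestamps are ISO-8601 strings in one time zone, so plain string comparison orders them.
# DNS answers: (timestamp, queried name, answer IPs)
DNS_LOG = [
    ("2023-03-30T16:38:02", "update.example.net", ["198.51.100.7"]),
    ("2023-03-30T16:38:03", "cdn.example.com", ["198.51.100.20", "198.51.100.21"]),
]
# HTTP requests: (timestamp, destination IP, Host header, method, URI)
HTTP_LOG = [
    ("2023-03-30T16:38:04", "198.51.100.7", "update.example.net", "GET", "/check"),
    ("2023-03-30T16:38:09", "192.0.2.15", "192.0.2.15", "GET", "/dl/one.dll"),
    ("2023-03-30T16:38:12", "192.0.2.15", "192.0.2.15:8080", "POST", "/gate"),
    ("2023-03-30T16:38:15", "198.51.100.21", "cdn.example.com", "GET", "/lib.bin"),
]


def first_resolution(dns_log):
    """Map each answer IP to the timestamp of the first DNS answer that returned it."""
    first = {}
    for ts, _name, answers in dns_log:
        for ip in answers:
            first.setdefault(ip, ts)
    return first


def unresolved_connections(dns_log, http_log):
    """HTTP requests whose destination IP was not produced by any earlier DNS answer.
    A hard-coded payload/C2 address lands here; a CDN resolved a moment before does not."""
    first = first_resolution(dns_log)
    hits = []
    for ts, dst, _host, method, uri in http_log:
        seen = first.get(dst)
        if seen is None or seen > ts:      # never resolved, or resolved only after the connection
            hits.append((dst, method, uri))
    return hits


def is_ip_literal(host_header):
    """True when an HTTP Host header is a bare IPv4/IPv6 address, with or without a :port."""
    try:
        hostname = urlsplit("//" + host_header).hostname   # strips :port and [] brackets
        if not hostname:
            return False
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def dotted_quad_requests(http_log):
    """Requests whose Host is an IP literal (the condition behind 'Dotted Quad Host' alerts)."""
    return [(dst, method, uri) for _ts, dst, host, method, uri in http_log if is_ip_literal(host)]


def executable_downloads(http_log, suffixes=(".exe", ".dll")):
    """GET requests for paths ending in a PE extension. In a real pipeline pair this with
    content sniffing (MZ header), since a second stage need not carry a telltale extension."""
    return [(dst, uri) for _ts, dst, _host, method, uri in http_log
            if method == "GET" and uri.lower().endswith(suffixes)]


if __name__ == "__main__":
    print("no prior DNS:", unresolved_connections(DNS_LOG, HTTP_LOG))
    print("IP-literal Host:", dotted_quad_requests(HTTP_LOG))
    print("exe/dll GETs:", executable_downloads(HTTP_LOG))
```

The check only works when the DNS traffic is in the same capture as the connections: a resolver cache warmed before the capture started, or a hard-coded CDN address, produces false positives, which is why this kind of hit is a lead to pivot on (what was fetched, was it a PE, did a POST follow) rather than a verdict on its own.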
PE API
IAT(Import Address Table) Library
GDI32.dll
0x6a41d8 CreateFontIndirectA
0x6a41dc DeleteObject
0x6a41e0 GetObjectA
0x6a41e4 GetStockObject
0x6a41e8 SetBkMode
0x6a41ec SetPixel
0x6a41f0 SetTextColor
KERNEL32.dll
0x6a41f8 CloseHandle
0x6a41fc CreateWaitableTimerW
0x6a4200 DeleteCriticalSection
0x6a4204 EnterCriticalSection
0x6a4208 ExitProcess
0x6a420c FindClose
0x6a4210 FindFirstFileA
0x6a4214 FindNextFileA
0x6a4218 FreeLibrary
0x6a421c GetCommandLineA
0x6a4220 GetLastError
0x6a4224 GetModuleHandleA
0x6a4228 GetProcAddress
0x6a422c GetStdHandle
0x6a4230 GetSystemInfo
0x6a4234 GlobalAlloc
0x6a4238 GlobalFlags
0x6a423c HeapDestroy
0x6a4240 InitializeCriticalSection
0x6a4244 LeaveCriticalSection
0x6a4248 LoadLibraryA
0x6a424c SetUnhandledExceptionFilter
0x6a4250 SetWaitableTimer
0x6a4254 TlsGetValue
0x6a4258 VirtualProtect
0x6a425c VirtualQuery
0x6a4260 WaitForSingleObject
msvcrt.dll
0x6a4268 _strdup
0x6a426c _stricoll
msvcrt.dll
0x6a4274 __getmainargs
0x6a4278 __mb_cur_max
0x6a427c __p__environ
0x6a4280 __p__fmode
0x6a4284 __set_app_type
0x6a4288 _cexit
0x6a428c _errno
0x6a4290 _fpreset
0x6a4294 _fullpath
0x6a4298 _iob
0x6a429c _isctype
0x6a42a0 _onexit
0x6a42a4 _pctype
0x6a42a8 _setmode
0x6a42ac abort
0x6a42b0 atexit
0x6a42b4 calloc
0x6a42b8 free
0x6a42bc fwrite
0x6a42c0 malloc
0x6a42c4 mbstowcs
0x6a42c8 memcpy
0x6a42cc realloc
0x6a42d0 setlocale
0x6a42d4 signal
0x6a42d8 strcmp
0x6a42dc strcoll
0x6a42e0 strlen
0x6a42e4 tolower
0x6a42e8 vfprintf
0x6a42ec wcstombs
USER32.dll
0x6a42f4 BeginPaint
0x6a42f8 DispatchMessageA
0x6a42fc EndPaint
0x6a4300 GetClientRect
0x6a4304 GetMessageA
0x6a4308 RegisterClassA
0x6a430c TranslateMessage
USERENV.dll
0x6a4314 CreateEnvironmentBlock
0x6a4318 DestroyEnvironmentBlock
0x6a431c GetUserProfileDirectoryW
EAT(Export Address Table) is none
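A quick way to cross-check the static section above against the behaviour section is to recompute the imphash from the import table as printed and to tag the imports that account for what the sandbox logged. The Python below is an added example, not the sandbox's code. It follows the same construction as pefile's get_imphash() (lowercased "dll.function" entries in import-descriptor order, the .dll/.ocx/.sys extension dropped, MD5 of the comma-joined list), so if the listing above is complete and in IAT order the result equals the reported 4f49b28f7be60d11310d563049d6e2ee; a mismatch means the printed table is partial or reordered, not that the reported hash is wrong. The API-to-behaviour tags are this editor's assumptions, not the report's.

```python
import hashlib

# Import table as printed in the report above, in table order: (DLL, functions).
# The second msvcrt.dll entry stays separate: the file has two import descriptors for it,
# and pefile's imphash walks descriptors in order, duplicates included.
REPORTED_IMPORTS = [
    ("GDI32.dll", "CreateFontIndirectA DeleteObject GetObjectA GetStockObject SetBkMode SetPixel SetTextColor"),
    ("KERNEL32.dll",
     "CloseHandle CreateWaitableTimerW DeleteCriticalSection EnterCriticalSection ExitProcess FindClose "
     "FindFirstFileA FindNextFileA FreeLibrary GetCommandLineA GetLastError GetModuleHandleA GetProcAddress "
     "GetStdHandle GetSystemInfo GlobalAlloc GlobalFlags HeapDestroy InitializeCriticalSection "
     "LeaveCriticalSection LoadLibraryA SetUnhandledExceptionFilter SetWaitableTimer TlsGetValue "
     "VirtualProtect VirtualQuery WaitForSingleObject"),
    ("msvcrt.dll", "_strdup _stricoll"),
    ("msvcrt.dll",
     "__getmainargs __mb_cur_max __p__environ __p__fmode __set_app_type _cexit _errno _fpreset _fullpath "
     "_iob _isctype _onexit _pctype _setmode abort atexit calloc free fwrite malloc mbstowcs memcpy realloc "
     "setlocale signal strcmp strcoll strlen tolower vfprintf wcstombs"),
    ("USER32.dll", "BeginPaint DispatchMessageA EndPaint GetClientRect GetMessageA RegisterClassA TranslateMessage"),
    ("USERENV.dll", "CreateEnvironmentBlock DestroyEnvironmentBlock GetUserProfileDirectoryW"),
]
REPORTED_IMPHASH = "4f49b28f7be60d11310d563049d6e2ee"   # value from the report header

# Editor's mapping of imported APIs to the behaviours the sandbox logged (an assumption, not the report's).
API_TAGS = {
    "runtime API resolution / self-modifying code": {"LoadLibraryA", "GetProcAddress", "VirtualProtect", "VirtualQuery"},
    "file enumeration (browser/mail profile harvesting)": {"FindFirstFileA", "FindNextFileA", "FindClose"},
    "user profile path discovery": {"GetUserProfileDirectoryW", "CreateEnvironmentBlock", "DestroyEnvironmentBlock"},
    "timed waits (delay, possible sandbox evasion)": {"CreateWaitableTimerW", "SetWaitableTimer", "WaitForSingleObject"},
    "host fingerprinting": {"GetSystemInfo"},
}
NETWORK_LIBS = {"wininet", "winhttp", "ws2_32", "wsock32", "urlmon", "dnsapi"}


def lib_basename(dll):
    """'KERNEL32.dll' -> 'kernel32'; like pefile, drop only a .dll/.ocx/.sys extension."""
    lib = dll.lower()
    base, _, ext = lib.rpartition(".")
    return base if ext in ("dll", "ocx", "sys") else lib


def imphash_string(imports):
    """The string pefile hashes: 'lib.func' entries, lowercased, comma-joined, in descriptor order."""
    return ",".join(f"{lib_basename(dll)}.{f.lower()}" for dll, funcs in imports for f in funcs.split())


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def matches_report(imports, reported=REPORTED_IMPHASH):
    """True only if the listing is complete and in IAT order."""
    return imphash(imports) == reported


def all_functions(imports):
    return [f for _dll, funcs in imports for f in funcs.split()]


def tag_imports(imports):
    """Which tagged API groups are present, with the matching names."""
    present = set(all_functions(imports))
    return {tag: sorted(present & names) for tag, names in API_TAGS.items() if present & names}


def has_network_imports(imports):
    """Any networking DLL in the static IAT. False despite observed HTTP traffic means the network
    code is resolved at runtime (LoadLibraryA/GetProcAddress) or lives in unpacked or downloaded code."""
    return any(lib_basename(dll) in NETWORK_LIBS for dll, _funcs in imports)


if __name__ == "__main__":
    print("imports:", len(all_functions(REPORTED_IMPORTS)))
    print("imphash:", imphash(REPORTED_IMPORTS), "matches report:", matches_report(REPORTED_IMPORTS))
    for tag, names in tag_imports(REPORTED_IMPORTS).items():
        print(f"  {tag}: {', '.join(names)}")
    print("network DLLs imported:", has_network_imports(REPORTED_IMPORTS))
```

The practitioner's takeaway from running this: no networking DLL (WinINet, WinHTTP, ws2_32) appears in the IAT, yet the behaviour section records HTTP requests, a POST and an executable download. With LoadLibraryA, GetProcAddress and VirtualProtect all imported, that traffic is generated by code whose imports are resolved at runtime or that was unpacked or downloaded after start, which is consistent with the RWX allocation signature and the packer rules above. The __getmainargs / __set_app_type / __p__fmode group in msvcrt is the start-up sequence typical of a MinGW-built binary, and the GDI32/USER32 window-message imports match the GUI subsystem flag in the file type.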