ScreenShot
| Created | 2023.04.02 09:09 | Machine | s1_win7_x6401 |
| Filename | handdiy_6.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 54 detected (ZomcoLwocqeN, Lazy, unsafe, Save, malicious, confidence, 100%, ZexaF, CD0@amnc9Xpj, PSWStealer, SICT, Attribute, HighConfidence, high confidence, score, FBStealer, jvhbnw, PWSX, Gencirc, AGEN, Siggen19, high, Generic ML PUA, Static AI, Suspicious PE, awer, Socelars, RedLineStealer, Detected, GenericRXVN, ai score=82, BScope, Agentb, FBAdsCard, CLASSIC, LWiA6, o4emo, susgen, Genetic) | ||
| md5 | 6418bc223b6880e2276b4ef2415544b1 | ||
| sha256 | 47d79e9977b50909c657e4497073b797e898f833e0728602a8d75ebd0abde021 | ||
| ssdeep | 24576:ZGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRXj5hgSe:8pEUIvU0N9jkpjweXt77z5q/ | ||
| imphash | b1e867ef87efb215fbaa4877aa8fac3e | ||
| impfuzzy | 96:9XTXfp4sM0Otz0LEsQJcGtp43ta73grmxOP:5G2GEta7Qb | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
| watch | One or more non-whitelisted processes were created |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An application raised an exception which may be indicative of an exploit crash |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | Foreign language identified in PE resource |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | Tries to locate where the browsers are installed |
Rules (49cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Trojan_PWS_Stealer_1_Zero | Trojan.PWS.Stealer Zero | binaries (upload) |
| warning | Credential_User_Data_Check_Zero | Credential User Data Check | binaries (upload) |
| warning | infoStealer_browser_Zero | browser info stealer | memory |
| watch | Chrome_User_Data_Check_Zero | Google Chrome User Data Check | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | Network_Downloader | File Downloader | memory |
| watch | SQLite_cookies_Check_Zero | SQLite Cookie Check... select | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | BitCoin | Perform crypto currency mining | memory |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Virtual_currency_Zero | Virtual currency | memory |
| info | vmdetect | Possibly employs anti-virtualization techniques | memory |
| info | win_hook | Affect hook table | memory |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
| info | Win_Trojan_agentTesla_Zero | Win.Trojan.agentTesla | memory |
Network (5cnts) ?
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x52c050 GetComputerNameW
0x52c054 GetModuleFileNameA
0x52c058 GetCurrentProcessId
0x52c05c OpenProcess
0x52c060 GetModuleFileNameW
0x52c064 SetLastError
0x52c068 WaitForSingleObject
0x52c06c CreateEventW
0x52c070 FreeLibrary
0x52c074 WinExec
0x52c078 GetPrivateProfileStringW
0x52c07c CopyFileW
0x52c080 SetStdHandle
0x52c084 SetEnvironmentVariableW
0x52c088 FreeEnvironmentStringsW
0x52c08c GetEnvironmentStringsW
0x52c090 GetOEMCP
0x52c094 LocalFree
0x52c098 LocalAlloc
0x52c09c LoadResource
0x52c0a0 FindResourceW
0x52c0a4 SizeofResource
0x52c0a8 LockResource
0x52c0ac GetTickCount
0x52c0b0 GetCurrentThread
0x52c0b4 Sleep
0x52c0b8 GetProcessHeap
0x52c0bc HeapAlloc
0x52c0c0 GetLastError
0x52c0c4 GetTempPathA
0x52c0c8 SetCurrentDirectoryW
0x52c0cc GetShortPathNameA
0x52c0d0 LoadLibraryW
0x52c0d4 GetProcAddress
0x52c0d8 WideCharToMultiByte
0x52c0dc MultiByteToWideChar
0x52c0e0 SystemTimeToFileTime
0x52c0e4 DosDateTimeToFileTime
0x52c0e8 GetCurrentProcess
0x52c0ec DuplicateHandle
0x52c0f0 CloseHandle
0x52c0f4 WriteFile
0x52c0f8 SetFileTime
0x52c0fc SetFilePointer
0x52c100 ReadFile
0x52c104 GetFileType
0x52c108 CreateFileW
0x52c10c CreateDirectoryW
0x52c110 TerminateProcess
0x52c114 GetCurrentDirectoryW
0x52c118 GetACP
0x52c11c IsValidCodePage
0x52c120 FindNextFileW
0x52c124 FindFirstFileExW
0x52c128 FindClose
0x52c12c GetTimeZoneInformation
0x52c130 GetFileSizeEx
0x52c134 GetConsoleOutputCP
0x52c138 SetFilePointerEx
0x52c13c ReadConsoleW
0x52c140 GetConsoleMode
0x52c144 EnumSystemLocalesW
0x52c148 GetUserDefaultLCID
0x52c14c IsValidLocale
0x52c150 GetLocaleInfoW
0x52c154 LCMapStringW
0x52c158 CompareStringW
0x52c15c GetCommandLineW
0x52c160 GetCommandLineA
0x52c164 GetStdHandle
0x52c168 ExitProcess
0x52c16c GetModuleHandleExW
0x52c170 FreeLibraryAndExitThread
0x52c174 ExitThread
0x52c178 CreateThread
0x52c17c LoadLibraryExW
0x52c180 TlsFree
0x52c184 TlsSetValue
0x52c188 TlsGetValue
0x52c18c TlsAlloc
0x52c190 RtlUnwind
0x52c194 RaiseException
0x52c198 GetStringTypeW
0x52c19c GetCPInfo
0x52c1a0 WriteConsoleW
0x52c1a4 CompareStringEx
0x52c1a8 LCMapStringEx
0x52c1ac DecodePointer
0x52c1b0 EncodePointer
0x52c1b4 InitializeCriticalSectionEx
0x52c1b8 InitializeSListHead
0x52c1bc GetStartupInfoW
0x52c1c0 IsDebuggerPresent
0x52c1c4 GetModuleHandleW
0x52c1c8 ResetEvent
0x52c1cc SetEvent
0x52c1d0 InitializeCriticalSectionAndSpinCount
0x52c1d4 IsProcessorFeaturePresent
0x52c1d8 SetUnhandledExceptionFilter
0x52c1dc UnhandledExceptionFilter
0x52c1e0 FlushFileBuffers
0x52c1e4 QueryPerformanceCounter
0x52c1e8 MapViewOfFile
0x52c1ec CreateFileMappingW
0x52c1f0 AreFileApisANSI
0x52c1f4 TryEnterCriticalSection
0x52c1f8 HeapCreate
0x52c1fc HeapFree
0x52c200 EnterCriticalSection
0x52c204 GetFullPathNameW
0x52c208 GetDiskFreeSpaceW
0x52c20c OutputDebugStringA
0x52c210 LockFile
0x52c214 LeaveCriticalSection
0x52c218 InitializeCriticalSection
0x52c21c GetFullPathNameA
0x52c220 SetEndOfFile
0x52c224 UnlockFileEx
0x52c228 GetTempPathW
0x52c22c CreateMutexW
0x52c230 GetFileAttributesW
0x52c234 GetCurrentThreadId
0x52c238 UnmapViewOfFile
0x52c23c HeapValidate
0x52c240 HeapSize
0x52c244 FormatMessageW
0x52c248 GetDiskFreeSpaceA
0x52c24c GetFileAttributesA
0x52c250 GetFileAttributesExW
0x52c254 OutputDebugStringW
0x52c258 FlushViewOfFile
0x52c25c CreateFileA
0x52c260 LoadLibraryA
0x52c264 WaitForSingleObjectEx
0x52c268 DeleteFileA
0x52c26c DeleteFileW
0x52c270 HeapReAlloc
0x52c274 GetSystemInfo
0x52c278 HeapCompact
0x52c27c HeapDestroy
0x52c280 UnlockFile
0x52c284 LockFileEx
0x52c288 GetFileSize
0x52c28c DeleteCriticalSection
0x52c290 GetSystemTimeAsFileTime
0x52c294 GetSystemTime
0x52c298 FormatMessageA
ADVAPI32.dll
0x52c000 LookupPrivilegeValueW
0x52c004 AdjustTokenPrivileges
0x52c008 LookupAccountNameW
0x52c00c SetSecurityDescriptorOwner
0x52c010 SetSecurityDescriptorGroup
0x52c014 SetSecurityDescriptorDacl
0x52c018 IsValidSecurityDescriptor
0x52c01c InitializeSecurityDescriptor
0x52c020 InitializeAcl
0x52c024 GetTokenInformation
0x52c028 GetLengthSid
0x52c02c FreeSid
0x52c030 EqualSid
0x52c034 DuplicateToken
0x52c038 AllocateAndInitializeSid
0x52c03c AddAccessAllowedAce
0x52c040 AccessCheck
0x52c044 OpenThreadToken
0x52c048 OpenProcessToken
SHELL32.dll
0x52c2a8 ShellExecuteExA
ole32.dll
0x52c2fc CoInitializeEx
0x52c300 CoGetObject
0x52c304 CoUninitialize
WININET.dll
0x52c2b0 InternetGetCookieExA
NETAPI32.dll
0x52c2a0 Netbios
ntdll.dll
0x52c2b8 RtlInitUnicodeString
0x52c2bc NtFreeVirtualMemory
0x52c2c0 LdrEnumerateLoadedModules
0x52c2c4 RtlEqualUnicodeString
0x52c2c8 RtlAcquirePebLock
0x52c2cc NtAllocateVirtualMemory
0x52c2d0 RtlReleasePebLock
0x52c2d4 RtlNtStatusToDosError
0x52c2d8 RtlCreateHeap
0x52c2dc RtlDestroyHeap
0x52c2e0 RtlAllocateHeap
0x52c2e4 RtlFreeHeap
0x52c2e8 NtClose
0x52c2ec NtOpenKey
0x52c2f0 NtEnumerateValueKey
0x52c2f4 NtQueryValueKey
EAT(Export Address Table) is none
KERNEL32.dll
0x52c050 GetComputerNameW
0x52c054 GetModuleFileNameA
0x52c058 GetCurrentProcessId
0x52c05c OpenProcess
0x52c060 GetModuleFileNameW
0x52c064 SetLastError
0x52c068 WaitForSingleObject
0x52c06c CreateEventW
0x52c070 FreeLibrary
0x52c074 WinExec
0x52c078 GetPrivateProfileStringW
0x52c07c CopyFileW
0x52c080 SetStdHandle
0x52c084 SetEnvironmentVariableW
0x52c088 FreeEnvironmentStringsW
0x52c08c GetEnvironmentStringsW
0x52c090 GetOEMCP
0x52c094 LocalFree
0x52c098 LocalAlloc
0x52c09c LoadResource
0x52c0a0 FindResourceW
0x52c0a4 SizeofResource
0x52c0a8 LockResource
0x52c0ac GetTickCount
0x52c0b0 GetCurrentThread
0x52c0b4 Sleep
0x52c0b8 GetProcessHeap
0x52c0bc HeapAlloc
0x52c0c0 GetLastError
0x52c0c4 GetTempPathA
0x52c0c8 SetCurrentDirectoryW
0x52c0cc GetShortPathNameA
0x52c0d0 LoadLibraryW
0x52c0d4 GetProcAddress
0x52c0d8 WideCharToMultiByte
0x52c0dc MultiByteToWideChar
0x52c0e0 SystemTimeToFileTime
0x52c0e4 DosDateTimeToFileTime
0x52c0e8 GetCurrentProcess
0x52c0ec DuplicateHandle
0x52c0f0 CloseHandle
0x52c0f4 WriteFile
0x52c0f8 SetFileTime
0x52c0fc SetFilePointer
0x52c100 ReadFile
0x52c104 GetFileType
0x52c108 CreateFileW
0x52c10c CreateDirectoryW
0x52c110 TerminateProcess
0x52c114 GetCurrentDirectoryW
0x52c118 GetACP
0x52c11c IsValidCodePage
0x52c120 FindNextFileW
0x52c124 FindFirstFileExW
0x52c128 FindClose
0x52c12c GetTimeZoneInformation
0x52c130 GetFileSizeEx
0x52c134 GetConsoleOutputCP
0x52c138 SetFilePointerEx
0x52c13c ReadConsoleW
0x52c140 GetConsoleMode
0x52c144 EnumSystemLocalesW
0x52c148 GetUserDefaultLCID
0x52c14c IsValidLocale
0x52c150 GetLocaleInfoW
0x52c154 LCMapStringW
0x52c158 CompareStringW
0x52c15c GetCommandLineW
0x52c160 GetCommandLineA
0x52c164 GetStdHandle
0x52c168 ExitProcess
0x52c16c GetModuleHandleExW
0x52c170 FreeLibraryAndExitThread
0x52c174 ExitThread
0x52c178 CreateThread
0x52c17c LoadLibraryExW
0x52c180 TlsFree
0x52c184 TlsSetValue
0x52c188 TlsGetValue
0x52c18c TlsAlloc
0x52c190 RtlUnwind
0x52c194 RaiseException
0x52c198 GetStringTypeW
0x52c19c GetCPInfo
0x52c1a0 WriteConsoleW
0x52c1a4 CompareStringEx
0x52c1a8 LCMapStringEx
0x52c1ac DecodePointer
0x52c1b0 EncodePointer
0x52c1b4 InitializeCriticalSectionEx
0x52c1b8 InitializeSListHead
0x52c1bc GetStartupInfoW
0x52c1c0 IsDebuggerPresent
0x52c1c4 GetModuleHandleW
0x52c1c8 ResetEvent
0x52c1cc SetEvent
0x52c1d0 InitializeCriticalSectionAndSpinCount
0x52c1d4 IsProcessorFeaturePresent
0x52c1d8 SetUnhandledExceptionFilter
0x52c1dc UnhandledExceptionFilter
0x52c1e0 FlushFileBuffers
0x52c1e4 QueryPerformanceCounter
0x52c1e8 MapViewOfFile
0x52c1ec CreateFileMappingW
0x52c1f0 AreFileApisANSI
0x52c1f4 TryEnterCriticalSection
0x52c1f8 HeapCreate
0x52c1fc HeapFree
0x52c200 EnterCriticalSection
0x52c204 GetFullPathNameW
0x52c208 GetDiskFreeSpaceW
0x52c20c OutputDebugStringA
0x52c210 LockFile
0x52c214 LeaveCriticalSection
0x52c218 InitializeCriticalSection
0x52c21c GetFullPathNameA
0x52c220 SetEndOfFile
0x52c224 UnlockFileEx
0x52c228 GetTempPathW
0x52c22c CreateMutexW
0x52c230 GetFileAttributesW
0x52c234 GetCurrentThreadId
0x52c238 UnmapViewOfFile
0x52c23c HeapValidate
0x52c240 HeapSize
0x52c244 FormatMessageW
0x52c248 GetDiskFreeSpaceA
0x52c24c GetFileAttributesA
0x52c250 GetFileAttributesExW
0x52c254 OutputDebugStringW
0x52c258 FlushViewOfFile
0x52c25c CreateFileA
0x52c260 LoadLibraryA
0x52c264 WaitForSingleObjectEx
0x52c268 DeleteFileA
0x52c26c DeleteFileW
0x52c270 HeapReAlloc
0x52c274 GetSystemInfo
0x52c278 HeapCompact
0x52c27c HeapDestroy
0x52c280 UnlockFile
0x52c284 LockFileEx
0x52c288 GetFileSize
0x52c28c DeleteCriticalSection
0x52c290 GetSystemTimeAsFileTime
0x52c294 GetSystemTime
0x52c298 FormatMessageA
ADVAPI32.dll
0x52c000 LookupPrivilegeValueW
0x52c004 AdjustTokenPrivileges
0x52c008 LookupAccountNameW
0x52c00c SetSecurityDescriptorOwner
0x52c010 SetSecurityDescriptorGroup
0x52c014 SetSecurityDescriptorDacl
0x52c018 IsValidSecurityDescriptor
0x52c01c InitializeSecurityDescriptor
0x52c020 InitializeAcl
0x52c024 GetTokenInformation
0x52c028 GetLengthSid
0x52c02c FreeSid
0x52c030 EqualSid
0x52c034 DuplicateToken
0x52c038 AllocateAndInitializeSid
0x52c03c AddAccessAllowedAce
0x52c040 AccessCheck
0x52c044 OpenThreadToken
0x52c048 OpenProcessToken
SHELL32.dll
0x52c2a8 ShellExecuteExA
ole32.dll
0x52c2fc CoInitializeEx
0x52c300 CoGetObject
0x52c304 CoUninitialize
WININET.dll
0x52c2b0 InternetGetCookieExA
NETAPI32.dll
0x52c2a0 Netbios
ntdll.dll
0x52c2b8 RtlInitUnicodeString
0x52c2bc NtFreeVirtualMemory
0x52c2c0 LdrEnumerateLoadedModules
0x52c2c4 RtlEqualUnicodeString
0x52c2c8 RtlAcquirePebLock
0x52c2cc NtAllocateVirtualMemory
0x52c2d0 RtlReleasePebLock
0x52c2d4 RtlNtStatusToDosError
0x52c2d8 RtlCreateHeap
0x52c2dc RtlDestroyHeap
0x52c2e0 RtlAllocateHeap
0x52c2e4 RtlFreeHeap
0x52c2e8 NtClose
0x52c2ec NtOpenKey
0x52c2f0 NtEnumerateValueKey
0x52c2f4 NtQueryValueKey
EAT(Export Address Table) is none