ScreenShot
Field | Value |
---|---|
Created | 2023.04.11 10:55 |
Machine | s1_win7_x6401 |
Filename | WhaleSetup.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | |
VT API (file) | |
md5 | 1e3722886b68cb4e706bd60e2cc257bd |
sha256 | 55a60ea73703082c346e1fa4f1243fcfa96e5ae7a2ba068b6ea0ddec2e278646 |
ssdeep | 49152:1OuHkUNYObLhcau0fTDE7b2/g8FnCjKwF6qUr1FOgDyWKoB+hEFMfBZKtgSIvZ9l:11HzmkhhumWag8FnCjKwMBFOgWWKe+hh |
imphash | bb065681c127dc3d97b65a4d19f1c421 |
impfuzzy | 24:ED4EO+1ljOMU6dE9StMS1GbJeDc+plmYOovbOMoBURZivJSLk9J+f0h:mOQ+QtMS1G6c+p+3MWJSYj+0h |
Network IP location
Signature (13cnts)
Level | Description |
---|---|
watch | Disables proxy possibly for traffic interception |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (18cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40f000 SetDllDirectoryW
0x40f004 GetProcAddress
0x40f008 GetModuleHandleW
0x40f00c SetSearchPathMode
0x40f010 GetTempPathW
0x40f014 CreateDirectoryW
0x40f018 DeleteFileW
0x40f01c RemoveDirectoryW
0x40f020 FindResourceW
0x40f024 LoadResource
0x40f028 LockResource
0x40f02c SizeofResource
0x40f030 CreateFileW
0x40f034 WriteFile
0x40f038 CloseHandle
0x40f03c WaitForSingleObject
0x40f040 GetExitCodeProcess
0x40f044 WriteConsoleW
0x40f048 SetFilePointerEx
0x40f04c GetConsoleMode
0x40f050 GetConsoleCP
0x40f054 FlushFileBuffers
0x40f058 HeapReAlloc
0x40f05c HeapSize
0x40f060 RaiseException
0x40f064 GetLastError
0x40f068 GetSystemInfo
0x40f06c VirtualProtect
0x40f070 VirtualQuery
0x40f074 FreeLibrary
0x40f078 LoadLibraryExA
0x40f07c UnhandledExceptionFilter
0x40f080 SetUnhandledExceptionFilter
0x40f084 GetCurrentProcess
0x40f088 TerminateProcess
0x40f08c IsProcessorFeaturePresent
0x40f090 QueryPerformanceCounter
0x40f094 GetCurrentProcessId
0x40f098 GetCurrentThreadId
0x40f09c GetSystemTimeAsFileTime
0x40f0a0 InitializeSListHead
0x40f0a4 IsDebuggerPresent
0x40f0a8 GetStartupInfoW
0x40f0ac RtlUnwind
0x40f0b0 SetLastError
0x40f0b4 EncodePointer
0x40f0b8 EnterCriticalSection
0x40f0bc LeaveCriticalSection
0x40f0c0 DeleteCriticalSection
0x40f0c4 InitializeCriticalSectionAndSpinCount
0x40f0c8 TlsAlloc
0x40f0cc TlsGetValue
0x40f0d0 TlsSetValue
0x40f0d4 TlsFree
0x40f0d8 LoadLibraryExW
0x40f0dc GetCommandLineA
0x40f0e0 GetCommandLineW
0x40f0e4 GetStdHandle
0x40f0e8 GetModuleFileNameW
0x40f0ec ExitProcess
0x40f0f0 GetModuleHandleExW
0x40f0f4 HeapAlloc
0x40f0f8 HeapFree
0x40f0fc FindClose
0x40f100 FindFirstFileExW
0x40f104 FindNextFileW
0x40f108 IsValidCodePage
0x40f10c GetACP
0x40f110 GetOEMCP
0x40f114 GetCPInfo
0x40f118 MultiByteToWideChar
0x40f11c WideCharToMultiByte
0x40f120 GetEnvironmentStringsW
0x40f124 FreeEnvironmentStringsW
0x40f128 SetStdHandle
0x40f12c GetFileType
0x40f130 GetStringTypeW
0x40f134 LCMapStringW
0x40f138 GetProcessHeap
0x40f13c DecodePointer
USER32.dll
0x40f14c LoadIconW
0x40f150 LoadStringW
0x40f154 LoadCursorW
0x40f158 RegisterClassExW
SHELL32.dll
0x40f144 ShellExecuteExW
EAT (Export Address Table) is none