Report - ss29

Tags: Gen2, Gen1, Generic Malware, UPX, Malicious Library, Malicious Packer, PE64, PE File
Created 2023.04.16 16:44
Machine s1_win7_x6401
Filename ss29
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score Not found
Behavior Score 2.8
ZERO API file : malware
VT API (file) 9 detected (AGen, FileRepMalware, Misc, DownLoader45, Artemis, Fabookie)
md5 1a370e0c814e4444b9f0669ef7e92e3d
sha256 bc4a5e1104914d5167f3fc238047673a5918fa013dd22db812d87f4390a5dd38
ssdeep 6144:DqJiPjw6mMS8YkTIbaH1MHxMrUxKHu/i5uzq46uOh4kcSfWBvgba3V30ytVJfecn:UgMHxMlu//zFXOh4kDYIWEOxUL0uH6N
imphash 2a49d1af9482b46ff85239aac157270c
impfuzzy 192:T5NaTeGlJ2Gs9IkPDQ8D4ZuXTfaaPN+dJmElhHB:Pv0lsekDQ8D4ZuXTfaaPNOJzbHB

Signature (9cnts)

Level Description
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice File has been identified by 9 AntiVirus engines on VirusTotal as malicious
notice Performs some HTTP requests
notice Steals private information from local Internet browsers
info Collects information to fingerprint the system (MachineGuid)
info One or more processes crashed
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (8cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (10cnts)

Request CC ASN Co IP4 Rule ZERO
http://bz.bbbeioaag.com/sts/cimage.jpg HK HK Kwaifong Group Limited 103.100.211.218 clean
http://count.iiagjaggg.com/check/safe HK HK Kwaifong Group Limited 154.221.31.191 clean
https://www.facebook.com/ads/manager/account_settings/account_billing US FACEBOOK 157.240.31.35 clean
https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fmanager%2Faccount_settings%2Faccount_billing US FACEBOOK 157.240.31.35 clean
bz.bbbeioaag.com HK HK Kwaifong Group Limited 103.100.211.218 clean
www.facebook.com US FACEBOOK 157.240.31.35 clean
count.iiagjaggg.com HK HK Kwaifong Group Limited 154.221.31.191 clean
154.221.31.191 HK HK Kwaifong Group Limited 154.221.31.191 clean
103.100.211.218 HK HK Kwaifong Group Limited 103.100.211.218 clean
157.240.31.35 US FACEBOOK 157.240.31.35 clean

Suricata IDS

PE API

IAT (Import Address Table) Library

ADVAPI32.dll
 0x100001000 AllocateAndInitializeSid
 0x100001008 CheckTokenMembership
 0x100001010 FreeSid
 0x100001018 GetSecurityDescriptorSacl
 0x100001020 GetSecurityDescriptorDacl
 0x100001028 GetSecurityDescriptorGroup
 0x100001030 GetSecurityDescriptorOwner
 0x100001038 GetSecurityDescriptorControl
 0x100001040 MakeSelfRelativeSD
 0x100001048 GetSecurityDescriptorLength
 0x100001050 RegOpenKeyExW
 0x100001058 OpenProcessToken
 0x100001060 AdjustTokenPrivileges
 0x100001068 LookupPrivilegeValueW
 0x100001070 RegLoadKeyW
 0x100001078 RegQueryValueExW
 0x100001080 RegCloseKey
 0x100001088 ConvertSidToStringSidW
 0x100001090 CryptAcquireContextW
 0x100001098 CryptGenRandom
 0x1000010a0 CryptReleaseContext
 0x1000010a8 RegCreateKeyExW
 0x1000010b0 RegSetValueExW
 0x1000010b8 RegDeleteValueW
 0x1000010c0 RegFlushKey
 0x1000010c8 InitiateShutdownW
 0x1000010d0 LookupAccountNameW
 0x1000010d8 GetLengthSid
 0x1000010e0 CopySid
 0x1000010e8 IsValidSid
 0x1000010f0 GetSidSubAuthority
 0x1000010f8 InitializeSid
 0x100001100 GetSidLengthRequired
 0x100001108 SetSecurityDescriptorDacl
 0x100001110 AddAce
 0x100001118 InitializeAcl
 0x100001120 GetAclInformation
 0x100001128 InitializeSecurityDescriptor
 0x100001130 MakeAbsoluteSD
 0x100001138 SetSecurityDescriptorOwner
 0x100001140 SetSecurityDescriptorControl
 0x100001148 OpenSCManagerW
 0x100001150 EnumServicesStatusW
 0x100001158 CloseServiceHandle
 0x100001160 OpenServiceW
 0x100001168 QueryServiceConfigW
 0x100001170 EventRegister
 0x100001178 EventUnregister
 0x100001180 EventWrite
KERNEL32.dll
 0x1000011c0 GetExitCodeProcess
 0x1000011c8 IsWow64Process
 0x1000011d0 GetCurrentProcess
 0x1000011d8 GetNativeSystemInfo
 0x1000011e0 ReleaseMutex
 0x1000011e8 GetWindowsDirectoryW
 0x1000011f0 GetFileAttributesW
 0x1000011f8 GetUILanguageInfo
 0x100001200 GetVersionExW
 0x100001208 GetProductInfo
 0x100001210 EnumUILanguagesW
 0x100001218 DeviceIoControl
 0x100001220 GetDiskFreeSpaceW
 0x100001228 GetDiskFreeSpaceExW
 0x100001230 LocalAlloc
 0x100001238 LocalFree
 0x100001240 WaitForSingleObject
 0x100001248 Sleep
 0x100001250 CreateEventW
 0x100001258 SetEvent
 0x100001260 MultiByteToWideChar
 0x100001268 CreateThread
 0x100001270 GetFileMUIPath
 0x100001278 GetSystemPowerStatus
 0x100001280 GetSystemTime
 0x100001288 SystemTimeToFileTime
 0x100001290 CreateDirectoryW
 0x100001298 GetFileSizeEx
 0x1000012a0 FindFirstFileW
 0x1000012a8 FindNextFileW
 0x1000012b0 FindClose
 0x1000012b8 GetModuleFileNameW
 0x1000012c0 GetSystemWindowsDirectoryW
 0x1000012c8 GetModuleHandleW
 0x1000012d0 GetFullPathNameW
 0x1000012d8 FormatMessageW
 0x1000012e0 lstrlenW
 0x1000012e8 GetFileSize
 0x1000012f0 ReadFile
 0x1000012f8 HeapAlloc
 0x100001300 GetProcessHeap
 0x100001308 HeapReAlloc
 0x100001310 HeapFree
 0x100001318 GlobalFree
 0x100001320 WideCharToMultiByte
 0x100001328 SetFilePointer
 0x100001330 SetEndOfFile
 0x100001338 WriteFile
 0x100001340 OutputDebugStringA
 0x100001348 SearchPathW
 0x100001350 GetEnvironmentVariableW
 0x100001358 HeapSize
 0x100001360 HeapDestroy
 0x100001368 CreateProcessW
 0x100001370 FindResourceExW
 0x100001378 FindResourceW
 0x100001380 LoadResource
 0x100001388 LockResource
 0x100001390 SizeofResource
 0x100001398 GetProcAddress
 0x1000013a0 CreateFileW
 0x1000013a8 EnterCriticalSection
 0x1000013b0 LeaveCriticalSection
 0x1000013b8 InitializeCriticalSection
 0x1000013c0 DeleteCriticalSection
 0x1000013c8 GetVersionExA
 0x1000013d0 SetUnhandledExceptionFilter
 0x1000013d8 RaiseException
 0x1000013e0 QueryPerformanceCounter
 0x1000013e8 GetTickCount
 0x1000013f0 GetCurrentThreadId
 0x1000013f8 GetCurrentProcessId
 0x100001400 GetSystemTimeAsFileTime
 0x100001408 TerminateProcess
 0x100001410 UnhandledExceptionFilter
 0x100001418 MoveFileExW
 0x100001420 CompareFileTime
 0x100001428 SetFileTime
 0x100001430 DeleteFileW
 0x100001438 CloseHandle
 0x100001440 CreateMutexW
 0x100001448 FreeLibrary
 0x100001450 GetLastError
 0x100001458 LoadLibraryW
 0x100001460 SetLastError
 0x100001468 GetFileAttributesExW
USER32.dll
 0x100001500 MessageBoxW
 0x100001508 UnregisterClassA
msvcrt.dll
 0x1000015c0 ?terminate@@YAXXZ
 0x1000015c8 __CxxFrameHandler3
 0x1000015d0 iswspace
 0x1000015d8 vsprintf_s
 0x1000015e0 _vscprintf
 0x1000015e8 _wtoi
 0x1000015f0 iswdigit
 0x1000015f8 wcstoul
 0x100001600 _CxxThrowException
 0x100001608 _vsnwprintf
 0x100001610 _vsnprintf
 0x100001618 wcsstr
 0x100001620 _wtol
 0x100001628 isdigit
 0x100001630 _wcsnicmp
 0x100001638 _purecall
 0x100001640 wcschr
 0x100001648 _wcslwr_s
 0x100001650 towupper
 0x100001658 wcscspn
 0x100001660 _resetstkoflw
 0x100001668 wcsrchr
 0x100001670 vswprintf_s
 0x100001678 _vscwprintf
 0x100001680 ??_V@YAXPEAX@Z
 0x100001688 ??_U@YAPEAX_K@Z
 0x100001690 ??2@YAPEAX_K@Z
 0x100001698 malloc
 0x1000016a0 memset
 0x1000016a8 __C_specific_handler
 0x1000016b0 _wcsicmp
 0x1000016b8 memmove_s
 0x1000016c0 free
 0x1000016c8 memcpy_s
 0x1000016d0 ??3@YAXPEAX@Z
 0x1000016d8 _onexit
 0x1000016e0 __wgetmainargs
 0x1000016e8 _XcptFilter
 0x1000016f0 _exit
 0x1000016f8 _cexit
 0x100001700 exit
 0x100001708 wcsncmp
 0x100001710 _lock
 0x100001718 __dllonexit
 0x100001720 _unlock
 0x100001728 ??1type_info@@UEAA@XZ
 0x100001730 __set_app_type
 0x100001738 _fmode
 0x100001740 _commode
 0x100001748 __setusermatherr
 0x100001750 _amsg_exit
 0x100001758 _initterm
 0x100001760 calloc
 0x100001768 memcpy
SHELL32.dll
 0x1000014a8 SHFileOperationW
 0x1000014b0 SHCreateItemFromParsingName
 0x1000014b8 CommandLineToArgvW
ole32.dll
 0x1000017c0 CoSetProxyBlanket
 0x1000017c8 StringFromGUID2
 0x1000017d0 CoGetMalloc
 0x1000017d8 CoUninitialize
 0x1000017e0 CoInitializeSecurity
 0x1000017e8 CoInitializeEx
 0x1000017f0 CoCreateInstance
OLEAUT32.dll
 0x100001478 VariantChangeType
 0x100001480 VariantInit
 0x100001488 VariantClear
 0x100001490 SysAllocStringLen
 0x100001498 SysFreeString
VERSION.dll
 0x100001528 VerQueryValueW
 0x100001530 GetFileVersionInfoW
 0x100001538 GetFileVersionInfoSizeW
ntdll.dll
 0x100001778 RtlCaptureContext
 0x100001780 RtlLookupFunctionEntry
 0x100001788 RtlVirtualUnwind
 0x100001790 RtlNumberOfClearBits
 0x100001798 RtlInitializeBitMap
 0x1000017a0 RtlSetBits
 0x1000017a8 RtlAreBitsSet
 0x1000017b0 RtlAreBitsClear
WTSAPI32.dll
 0x100001598 WTSQuerySessionInformationW
 0x1000015a0 WTSFreeMemory
SHLWAPI.dll
 0x1000014c8 PathFileExistsW
 0x1000014d0 PathCombineW
 0x1000014d8 SHCreateStreamOnFileW
 0x1000014e0 PathIsURLW
 0x1000014e8 PathRemoveFileSpecW
 0x1000014f0 PathFindFileNameW
XmlLite.dll
 0x1000015b0 CreateXmlReader
CRYPT32.dll
 0x100001190 CertFreeCertificateContext
 0x100001198 CertAddCertificateContextToStore
 0x1000011a0 CertCreateCertificateContext
 0x1000011a8 CertCloseStore
 0x1000011b0 CertOpenStore
USERENV.dll
 0x100001518 UnloadUserProfile
sqmapi.dll
 0x100001800 SqmSetAppId
 0x100001808 SqmSetEnabled
 0x100001810 SqmGetSession
 0x100001818 SqmIsWindowsOptedIn
 0x100001820 SqmEndSession
 0x100001828 SqmWaitForUploadComplete
 0x100001830 SqmAddToStreamV
 0x100001838 SqmSet
 0x100001840 SqmReadSharedMachineId
 0x100001848 SqmCreateNewId
 0x100001850 SqmWriteSharedMachineId
 0x100001858 SqmSetMachineId
 0x100001860 SqmSetBits
 0x100001868 SqmSetString
 0x100001870 SqmStartUpload
WINBRAND.dll
 0x100001548 BrandingFormatString
wer.dll
 0x100001880 WerpSetCallBack
 0x100001888 WerReportSetParameter
 0x100001890 WerReportSetUIOption
 0x100001898 WerReportSubmit
 0x1000018a0 WerReportCloseHandle
 0x1000018a8 WerReportCreate
WINTRUST.dll
 0x100001558 CryptCATAdminCalcHashFromFileHandle
 0x100001560 WinVerifyTrust
 0x100001568 CryptCATCatalogInfoFromContext
 0x100001570 CryptCATAdminReleaseCatalogContext
 0x100001578 CryptCATAdminEnumCatalogFromHash
 0x100001580 CryptCATAdminReleaseContext
 0x100001588 CryptCATAdminAcquireContext

EAT (Export Address Table): none
