Field | Value
---|---
Created | 2023.04.17 15:06
Machine | s1_win7_x6401
Filename | InstallerFilex_64.exe
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : clean
VT API (file) | 51 detected (Coins, Jaik, Aurora, Artemis, unsafe, Vnhi, TrojanPSW, ABRisk, QPZI, Attribute, HighConfidence, malicious, high confidence, a variant of WinGo, score, afhg, jvhmor, QQPass, QQRob, Ltgl, AuroraStealer, YXDDGZ, high, TitanStealer, Redcap, ptgyn, Malware@#35m7i3gpxpwqa, Casdet, Detected, R568851, BScope, Nacra, ai score=84, CLASSIC, susgen, GoAgent)
md5 | 78462baf56c10c4a1aee9dd38eb37bdc
sha256 | 29339458f4a33ee922f25d36b83f19797a15a279634e9c44ebd3816866a541cb
ssdeep | 49152:k2vK4D+psO1DSBvHSmL1Xdf5k6N21D5Mgwp1haASvh6k1S80:kotD4sKYvSmRVSQ80
imphash | 9cbefe68f395e67356e2a5d8d1b285c0
impfuzzy | 24:UbVjhNwO+VuT2oLtXOr6kwmDruMztxdEr6tP:KwO+VAXOmGx0oP
Network IP location
Signature (23cnts)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
watch | Appends a known multi-family ransomware file extension to files that have been encrypted |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to identify installed AV products by installation directory |
watch | Collects information on the system (ipconfig |
watch | Communicates with host for which no DNS query was performed |
watch | Detects the presence of Wine emulator |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (10cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | aurora_stealer | detect Aurora stealer | binaries (upload) |
danger | NPKI_Zero | File included NPKI | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
kernel32.dll
0x6bc260 WriteFile
0x6bc264 WriteConsoleW
0x6bc268 WaitForMultipleObjects
0x6bc26c WaitForSingleObject
0x6bc270 VirtualQuery
0x6bc274 VirtualFree
0x6bc278 VirtualAlloc
0x6bc27c SwitchToThread
0x6bc280 SuspendThread
0x6bc284 SetWaitableTimer
0x6bc288 SetUnhandledExceptionFilter
0x6bc28c SetProcessPriorityBoost
0x6bc290 SetEvent
0x6bc294 SetErrorMode
0x6bc298 SetConsoleCtrlHandler
0x6bc29c ResumeThread
0x6bc2a0 PostQueuedCompletionStatus
0x6bc2a4 LoadLibraryA
0x6bc2a8 LoadLibraryW
0x6bc2ac SetThreadContext
0x6bc2b0 GetThreadContext
0x6bc2b4 GetSystemInfo
0x6bc2b8 GetSystemDirectoryA
0x6bc2bc GetStdHandle
0x6bc2c0 GetQueuedCompletionStatusEx
0x6bc2c4 GetProcessAffinityMask
0x6bc2c8 GetProcAddress
0x6bc2cc GetEnvironmentStringsW
0x6bc2d0 GetConsoleMode
0x6bc2d4 FreeEnvironmentStringsW
0x6bc2d8 ExitProcess
0x6bc2dc DuplicateHandle
0x6bc2e0 CreateWaitableTimerExW
0x6bc2e4 CreateThread
0x6bc2e8 CreateIoCompletionPort
0x6bc2ec CreateFileA
0x6bc2f0 CreateEventA
0x6bc2f4 CloseHandle
0x6bc2f8 AddVectoredExceptionHandler
EAT (Export Address Table): none
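The imphash field in the header is derived from exactly the import table listed above, so the two can be cross-checked. The script below is an added example, not part of the sandbox report: it reimplements the imphash algorithm as pefile defines it (lowercase `lib.func` tokens, library extension stripped, joined with commas in IAT order, MD5 of the result) using only the standard library, with the report's kernel32.dll list transcribed as input. `REPORT_IMPORTS` and `REPORT_IMPHASH` are transcriptions from this page; `normalize_import`, `imphash` and `matches_report` are names chosen for the example. If the computed value equals the report's imphash, the listing above is complete and in order; a mismatch means the transcription is truncated or reordered, or the report's value came from a tool with a different convention.

```python
"""Recompute a PE imphash from a transcribed import table (added example,
not code from the sandbox report). Uses only the standard library."""
import hashlib

# Transcribed from the IAT section of the report: kernel32.dll only, in IAT order.
REPORT_IMPORTS = [
    ("kernel32.dll", name) for name in (
        "WriteFile", "WriteConsoleW", "WaitForMultipleObjects",
        "WaitForSingleObject", "VirtualQuery", "VirtualFree", "VirtualAlloc",
        "SwitchToThread", "SuspendThread", "SetWaitableTimer",
        "SetUnhandledExceptionFilter", "SetProcessPriorityBoost", "SetEvent",
        "SetErrorMode", "SetConsoleCtrlHandler", "ResumeThread",
        "PostQueuedCompletionStatus", "LoadLibraryA", "LoadLibraryW",
        "SetThreadContext", "GetThreadContext", "GetSystemInfo",
        "GetSystemDirectoryA", "GetStdHandle", "GetQueuedCompletionStatusEx",
        "GetProcessAffinityMask", "GetProcAddress", "GetEnvironmentStringsW",
        "GetConsoleMode", "FreeEnvironmentStringsW", "ExitProcess",
        "DuplicateHandle", "CreateWaitableTimerExW", "CreateThread",
        "CreateIoCompletionPort", "CreateFileA", "CreateEventA",
        "CloseHandle", "AddVectoredExceptionHandler",
    )
]

# Transcribed from the report's imphash field.
REPORT_IMPHASH = "9cbefe68f395e67356e2a5d8d1b285c0"


def normalize_import(dll, func):
    """Build one 'lib.func' token the way the imphash algorithm (pefile) does:
    library name lowercased with a trailing .dll/.ocx/.sys removed, function
    name lowercased. An ordinal-only import (int) is rendered as 'ord<N>'."""
    lib = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    if isinstance(func, int):
        func = f"ord{func}"
    return f"{lib}.{func.lower()}"


def imphash(imports):
    """imphash = MD5 over the comma-joined tokens, in import-table order.
    Order matters: the same functions in a different order hash differently."""
    joined = ",".join(normalize_import(dll, func) for dll, func in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def matches_report(imports, expected=REPORT_IMPHASH):
    """True when the transcribed table reproduces the report's imphash."""
    return imphash(imports) == expected


if __name__ == "__main__":
    computed = imphash(REPORT_IMPORTS)
    print(f"computed imphash : {computed}")
    print(f"report imphash   : {REPORT_IMPHASH}")
    print(f"match            : {matches_report(REPORT_IMPORTS)}")
```

A caveat when pivoting on this value: the import table above is the Go runtime's own kernel32 set (the VT names "WinGo" and "GoAgent" point the same way), and Go binaries resolve everything else at run time through LoadLibrary/GetProcAddress. Many unrelated Go-compiled executables therefore share an imphash, so it identifies the toolchain far more than the family; the sha256, ssdeep and the behavioural signatures are the stronger pivots on this page.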