Field | Value |
---|---|
Created | 2023.04.18 09:40 |
Machine | s1_win7_x6403 |
Filename | Output.exe |
Type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 26 detected (AIDetect, malware2, malicious, confidence, ZexaF, KD2@ayWYl3ii, Attribute, HighConfidence, high confidence, GenKryptik, GITK, score, Stealerc, PWSX, QQPass, QQRob, Ytjl, Stealc, paocz, YXDDQZ, Artemis, Vidar, XG50VH, CLOUD) |
md5 | 453776b8b812727c5a905d4db70c1935 |
sha256 | 7beb3f5dd622520c95241c27a48c3728ff3e77178870271f620e9c217850d4d2 |
ssdeep | 49152:Vuq1EdbCepGInnddwoGP2Ja4nRQMiDIIfU:6deSJa4RQMisN |
imphash | 860c88364b21c7ea32d1cf74eeb74e93 |
impfuzzy | 48:ZNO4IqCXGrQUeRWjZl1xE4zZ6M/a8SvKzDyoZDRV63bitrILtQNJkIK4Seui/n6d:Zk4Iqf3Ln3Oh |
Network IP location
Signature (25cnts)
Level | Description |
---|---|
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Harvests credentials from local email clients |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process output.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (19cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (9cnts)
Suricata ids
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x5541a4 CloseHandle
0x5541a8 CreateFileA
0x5541ac CreateWaitableTimerW
0x5541b0 FreeConsole
0x5541b4 GetProcessHeap
0x5541b8 GetStdHandle
0x5541bc GetSystemInfo
0x5541c0 HeapAlloc
0x5541c4 SetFileAttributesA
0x5541c8 SetFilePointer
0x5541cc SetWaitableTimer
0x5541d0 WaitForSingleObject
0x5541d4 WriteFile
msvcrt.dll
0x5541dc malloc
0x5541e0 memset
USER32.dll
0x5541e8 AppendMenuA
0x5541ec CallWindowProcA
0x5541f0 CharLowerBuffA
0x5541f4 CharUpperA
0x5541f8 CheckDlgButton
0x5541fc CheckMenuItem
0x554200 CheckMenuRadioItem
0x554204 ChildWindowFromPoint
0x554208 ClientToScreen
0x55420c CloseClipboard
0x554210 CreateDialogParamA
0x554214 CreatePopupMenu
0x554218 DefDlgProcA
0x55421c DestroyCursor
0x554220 DestroyIcon
0x554224 DestroyMenu
0x554228 DestroyWindow
0x55422c EmptyClipboard
0x554230 EnableMenuItem
0x554234 EndDialog
0x554238 EnumClipboardFormats
0x55423c GetActiveWindow
0x554240 GetClassInfoA
0x554244 GetClientRect
0x554248 GetClipboardData
0x55424c GetCursorPos
0x554250 GetDlgItem
0x554254 GetDlgItemTextA
0x554258 GetMenu
0x55425c GetMessageA
0x554260 GetSubMenu
0x554264 GetSysColor
0x554268 GetSystemMenu
0x55426c GetWindowPlacement
0x554270 GetWindowRect
0x554274 InsertMenuItemA
0x554278 InvalidateRect
0x55427c IsDialogMessageA
0x554280 IsDlgButtonChecked
0x554284 IsMenu
0x554288 KillTimer
0x55428c LoadAcceleratorsA
0x554290 LoadCursorA
0x554294 LoadIconA
0x554298 MessageBoxA
0x55429c MoveWindow
0x5542a0 OpenClipboard
0x5542a4 PostMessageA
0x5542a8 PostQuitMessage
0x5542ac RegisterClassA
0x5542b0 RemoveMenu
0x5542b4 SendDlgItemMessageA
0x5542b8 SendMessageA
0x5542bc SetActiveWindow
0x5542c0 SetClipboardData
0x5542c4 SetDlgItemInt
0x5542c8 SetDlgItemTextA
0x5542cc SetFocus
0x5542d0 SetMenuItemInfoA
0x5542d4 SetTimer
0x5542d8 SetWindowLongA
0x5542dc SetWindowPlacement
0x5542e0 SetWindowTextA
0x5542e4 TrackPopupMenu
0x5542e8 TranslateAcceleratorA
0x5542ec TranslateMessage
0x5542f0 wsprintfA
EAT(Export Address Table) is none