Field | Value |
---|---|
Created | 2023.04.21 18:02 |
Machine | s1_win7_x6401 |
Filename | build2.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 54 detected (ChaikoBonwX, Injuke, malicious, high confidence, GenericKDZ, Stop, Artemis, Save, confidence, 100%, GenusB, DGBG, Eldorado, Kryptik, HTIW, score, BootkitX, VIDAR, YXDDRZ, Lockbit, moderate, Static AI, Suspicious PE, Malware@#2xut7z8jjl6t5, StopCrypt, Detected, R572924, ai score=89, unsafe, Chgt, Generic@AI, RDML, UQLe61GtHbWxS4Lpe5iFsA, susgen, HTJK) |
md5 | d0eb40fe08f409805aed3f5312bfb5b8 |
sha256 | 2689a2c221cb723b4f35e912efa5c1f6df415d9f656b44c1c9cbbccf248ad1c6 |
ssdeep | 6144:Z16f9MWbC0l7fKduveCMI9VqzpxICGwZKlC21AHNdOEs27iM+:OfjpKSXVizIZRlCpUR27 |
imphash | 5f5dc2f801dd0386bbc0b0641bbaff5b |
impfuzzy | 24:b5/lgUmyj6tX/mcD7u9jEdQBY4abG2bv8HikliOov7keJ3ttmuHQFQ8Ryv9f4Bze:b5tgfyUXLdKdXCtt1H39gBzf+90Q91p |
Signature (22cnts)
Level | Description |
---|---|
danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | Network activity contains more than one unique useragent |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_PWS_Loki_Zero | Win32 PWS Loki | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (8cnts)
Suricata ids
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40100c QueryPerformanceCounter
0x401010 UnlockFile
0x401014 GetLogicalDrives
0x401018 BackupSeek
0x40101c GetModuleHandleW
0x401020 VirtualFree
0x401024 ConvertFiberToThread
0x401028 ReadConsoleW
0x40102c GetWindowsDirectoryA
0x401030 EnumTimeFormatsA
0x401034 EnumTimeFormatsW
0x401038 EnumResourceTypesA
0x40103c LoadLibraryW
0x401040 GetFileAttributesA
0x401044 GetShortPathNameA
0x401048 EnumSystemLocalesA
0x40104c SetThreadLocale
0x401050 GetCPInfoExW
0x401054 GetLastError
0x401058 GetProcAddress
0x40105c ScrollConsoleScreenBufferW
0x401060 HeapUnlock
0x401064 GetFirmwareEnvironmentVariableW
0x401068 LoadLibraryA
0x40106c InterlockedExchangeAdd
0x401070 LocalAlloc
0x401074 RemoveDirectoryW
0x401078 BeginUpdateResourceA
0x40107c PostQueuedCompletionStatus
0x401080 WriteProfileSectionW
0x401084 GetDefaultCommConfigA
0x401088 VirtualProtect
0x40108c OpenEventW
0x401090 ScrollConsoleScreenBufferA
0x401094 AddConsoleAliasA
0x401098 DebugBreak
0x40109c EnumCalendarInfoExA
0x4010a0 VirtualAlloc
0x4010a4 FindFirstChangeNotificationW
0x4010a8 HeapSize
0x4010ac InitializeCriticalSectionAndSpinCount
0x4010b0 MultiByteToWideChar
0x4010b4 GetCommandLineA
0x4010b8 GetStartupInfoA
0x4010bc GetCPInfo
0x4010c0 InterlockedIncrement
0x4010c4 InterlockedDecrement
0x4010c8 GetACP
0x4010cc GetOEMCP
0x4010d0 IsValidCodePage
0x4010d4 TlsGetValue
0x4010d8 TlsAlloc
0x4010dc TlsSetValue
0x4010e0 TlsFree
0x4010e4 SetLastError
0x4010e8 GetCurrentThreadId
0x4010ec TerminateProcess
0x4010f0 GetCurrentProcess
0x4010f4 UnhandledExceptionFilter
0x4010f8 SetUnhandledExceptionFilter
0x4010fc IsDebuggerPresent
0x401100 HeapAlloc
0x401104 HeapFree
0x401108 RaiseException
0x40110c Sleep
0x401110 ExitProcess
0x401114 WriteFile
0x401118 GetStdHandle
0x40111c GetModuleFileNameA
0x401120 FreeEnvironmentStringsA
0x401124 GetEnvironmentStrings
0x401128 FreeEnvironmentStringsW
0x40112c WideCharToMultiByte
0x401130 GetEnvironmentStringsW
0x401134 SetHandleCount
0x401138 GetFileType
0x40113c DeleteCriticalSection
0x401140 HeapCreate
0x401144 GetTickCount
0x401148 GetCurrentProcessId
0x40114c GetSystemTimeAsFileTime
0x401150 LCMapStringA
0x401154 LCMapStringW
0x401158 GetStringTypeA
0x40115c GetStringTypeW
0x401160 LeaveCriticalSection
0x401164 EnterCriticalSection
0x401168 GetLocaleInfoA
0x40116c HeapReAlloc
0x401170 GetModuleHandleA
0x401174 RtlUnwind
USER32.dll
0x40117c RegisterClassA
0x401180 CharLowerBuffW
GDI32.dll
0x401000 GetCharWidthI
0x401004 GetCharWidthW
ole32.dll
0x401190 CoGetPSClsid
WINHTTP.dll
0x401188 WinHttpOpen
EAT (Export Address Table): none