Field | Value |
---|---|
Created | 2023.04.22 08:52 |
Machine | s1_win7_x6401 |
Filename | 4493ZRgdFTeXSMAHoJWWJBvXxPsJ.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 59 detected (AIDetect, malware1, Vidar, malicious, high confidence, Steam, GenericKD, GenericRXVL, Vrhz, confidence, 100%, TrojanPSW, ZexaF, Dy0@auv0R9ei, GenusT, DGBW, ABRisk, QSFW, Attribute, HighConfidence, Kryptik, HSTO, score, juvrsl, PWSX, Gencirc, lwryu, Zusy, YXDDTZ, Static AI, Suspicious PE, ai score=86, GenKryptik, Malware@#3ghgyspkmb8a, Arkei, 7WNFK8, Detected, unsafe, Chgt, kRjQ8iIk7J) |
md5 | 2252417dd70ee414c21fc4585940b6fd |
sha256 | c73171952a210537b7d9ef3155ee1df312c2ab1a9d84883db96c44863885625f |
ssdeep | 12288:EP1M+5sUj035Ur2kF23qxwIH6dPrkyguLNPWJTi0or6a:ESesUj+5S2kF2axudPrkIt0or |
imphash | 379ac571aeb3154c809e333b6e5cbb5a |
impfuzzy | 48:Tignc8vBLHapxf4C8Gjmc3Rca93wlzsUzMeqnEe1165:Tignc8vBLHapxf4hmD93wxTzPqnEe11C |
Signature (12cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Network activity contains more than one unique useragent |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts)
Suricata ids
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x411000 GetProcAddress
0x411004 LoadLibraryA
0x411008 VirtualAlloc
0x41100c HeapAlloc
0x411010 WideCharToMultiByte
0x411014 lstrlenA
0x411018 GetModuleFileNameW
0x41101c CreateFileW
0x411020 GetFileSize
0x411024 ReadFile
0x411028 CloseHandle
0x41102c GetModuleHandleW
0x411030 GetModuleHandleExW
0x411034 FreeLibrary
0x411038 ExitProcess
0x41103c Sleep
0x411040 LCIDToLocaleName
0x411044 GetStartupInfoW
0x411048 IsDebuggerPresent
0x41104c InitializeSListHead
0x411050 GetSystemTimeAsFileTime
0x411054 GetCurrentThreadId
0x411058 GetCurrentProcessId
0x41105c QueryPerformanceCounter
0x411060 TerminateProcess
0x411064 GetCurrentProcess
0x411068 SetUnhandledExceptionFilter
0x41106c UnhandledExceptionFilter
0x411070 IsProcessorFeaturePresent
0x411074 LCMapStringEx
0x411078 MultiByteToWideChar
0x41107c DecodePointer
0x411080 EncodePointer
0x411084 GetLocaleInfoEx
0x411088 DeleteCriticalSection
0x41108c InitializeCriticalSectionEx
0x411090 LeaveCriticalSection
0x411094 EnterCriticalSection
msvcrt.dll
0x41109c setvbuf
0x4110a0 ungetc
0x4110a4 realloc
0x4110a8 abort
0x4110ac __strncnt
0x4110b0 tolower
0x4110b4 wcsnlen
0x4110b8 _callnewh
0x4110bc _initterm
0x4110c0 _initterm_e
0x4110c4 fgetpos
0x4110c8 __p__commode
0x4110cc _controlfp_s
0x4110d0 _stricmp
0x4110d4 strcpy_s
0x4110d8 strnlen
0x4110dc strtol
0x4110e0 wctomb_s
0x4110e4 _lock
0x4110e8 _unlock
0x4110ec _iob
0x4110f0 ___lc_handle_func
0x4110f4 _XcptFilter
0x4110f8 __set_app_type
0x4110fc fsetpos
0x411100 _wcmdln
0x411104 ?_set_new_mode@@YAHH@Z
0x411108 _msize
0x41110c ?terminate@@YAXXZ
0x411110 _isatty
0x411114 _fileno
0x411118 _CIlog10
0x41111c ceil
0x411120 _clearfp
0x411124 fgetc
0x411128 fflush
0x41112c fclose
0x411130 islower
0x411134 ___mb_cur_max_func
0x411138 _errno
0x41113c _wcsdup
0x411140 ___lc_codepage_func
0x411144 isupper
0x411148 __pctype_func
0x41114c malloc
0x411150 strcspn
0x411154 puts
0x411158 calloc
0x41115c localeconv
0x411160 free
0x411164 frexp
0x411168 strrchr
0x41116c _amsg_exit
0x411170 _except_handler4_common
0x411174 __uncaught_exception
0x411178 memmove
0x41117c memset
0x411180 memcpy
0x411184 _CxxThrowException
0x411188 __CxxFrameHandler3
0x41118c _fseeki64
0x411190 __wgetmainargs
0x411194 fread
0x411198 _set_fmode
0x41119c strchr
0x4111a0 wcsrchr
0x4111a4 pow
EAT (Export Address Table): none