ScreenShot
Created | 2023.04.24 08:55 | Machine | s1_win7_x6401 |
Filename | foto0171.exe | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | |||
md5 | d5f53a529d7ca25cc9d341990c85db4c | ||
sha256 | ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc | ||
ssdeep | 12288:+y90nMBYiLeqPyzx7Z/KTXuTGktCGIDmBWS3SpI1qzCdlIzmMC3/KbnqvUr:+y0MB/yt7tcXubtrIOnlCUlI6JonHr | ||
imphash | 1efe015ade03f54dd6d9b2ccea28b970 | ||
impfuzzy | 48:mPkNSpUOU4iLz/uM9U08vUL0QaV6x9KEl4LTrzUp5aSvd59E5o+RXpNuAC8tGFmW:ikmUZ4iL7uMq08vUL0QnsVXG6Y |
Network IP location
Signature (22cnts)
Level | Description |
---|---|
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client softwares |
watch | Installs itself for autorun at Windows startup |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates executable files on the filesystem |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (upload) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | CAB_file_format | CAB archive file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x40a000 GetTokenInformation
0x40a004 RegDeleteValueA
0x40a008 RegOpenKeyExA
0x40a00c RegQueryInfoKeyA
0x40a010 FreeSid
0x40a014 OpenProcessToken
0x40a018 RegSetValueExA
0x40a01c RegCreateKeyExA
0x40a020 LookupPrivilegeValueA
0x40a024 AllocateAndInitializeSid
0x40a028 RegQueryValueExA
0x40a02c EqualSid
0x40a030 RegCloseKey
0x40a034 AdjustTokenPrivileges
KERNEL32.dll
0x40a060 _lopen
0x40a064 _llseek
0x40a068 CompareStringA
0x40a06c GetLastError
0x40a070 GetFileAttributesA
0x40a074 GetSystemDirectoryA
0x40a078 LoadLibraryA
0x40a07c DeleteFileA
0x40a080 GlobalAlloc
0x40a084 GlobalFree
0x40a088 CloseHandle
0x40a08c WritePrivateProfileStringA
0x40a090 IsDBCSLeadByte
0x40a094 GetWindowsDirectoryA
0x40a098 SetFileAttributesA
0x40a09c GetProcAddress
0x40a0a0 GlobalLock
0x40a0a4 LocalFree
0x40a0a8 RemoveDirectoryA
0x40a0ac FreeLibrary
0x40a0b0 _lclose
0x40a0b4 CreateDirectoryA
0x40a0b8 GetPrivateProfileIntA
0x40a0bc GetPrivateProfileStringA
0x40a0c0 GlobalUnlock
0x40a0c4 ReadFile
0x40a0c8 SizeofResource
0x40a0cc WriteFile
0x40a0d0 GetDriveTypeA
0x40a0d4 lstrcmpA
0x40a0d8 SetFileTime
0x40a0dc SetFilePointer
0x40a0e0 FindResourceA
0x40a0e4 CreateMutexA
0x40a0e8 GetVolumeInformationA
0x40a0ec WaitForSingleObject
0x40a0f0 FindClose
0x40a0f4 FreeResource
0x40a0f8 GetVersion
0x40a0fc SetCurrentDirectoryA
0x40a100 GetTempPathA
0x40a104 LocalFileTimeToFileTime
0x40a108 CreateFileA
0x40a10c SetEvent
0x40a110 TerminateThread
0x40a114 GetVersionExA
0x40a118 LockResource
0x40a11c GetSystemInfo
0x40a120 CreateThread
0x40a124 ResetEvent
0x40a128 LoadResource
0x40a12c ExitProcess
0x40a130 GetModuleHandleW
0x40a134 CreateProcessA
0x40a138 FormatMessageA
0x40a13c GetTempFileNameA
0x40a140 DosDateTimeToFileTime
0x40a144 CreateEventA
0x40a148 GetExitCodeProcess
0x40a14c GetModuleFileNameA
0x40a150 LocalAlloc
0x40a154 MulDiv
0x40a158 GetDiskFreeSpaceA
0x40a15c EnumResourceLanguagesA
0x40a160 GetTickCount
0x40a164 GetSystemTimeAsFileTime
0x40a168 GetCurrentThreadId
0x40a16c GetCurrentProcessId
0x40a170 QueryPerformanceCounter
0x40a174 GetModuleHandleA
0x40a178 TerminateProcess
0x40a17c SetUnhandledExceptionFilter
0x40a180 UnhandledExceptionFilter
0x40a184 GetStartupInfoA
0x40a188 Sleep
0x40a18c ExpandEnvironmentStringsA
0x40a190 FindNextFileA
0x40a194 GetCurrentProcess
0x40a198 GetCurrentDirectoryA
0x40a19c FindFirstFileA
0x40a1a0 GetShortPathNameA
0x40a1a4 LoadLibraryExA
GDI32.dll
0x40a058 GetDeviceCaps
USER32.dll
0x40a1ac GetDlgItemTextA
0x40a1b0 DialogBoxIndirectParamA
0x40a1b4 ShowWindow
0x40a1b8 MsgWaitForMultipleObjects
0x40a1bc SetWindowPos
0x40a1c0 GetDC
0x40a1c4 GetWindowRect
0x40a1c8 DispatchMessageA
0x40a1cc GetDesktopWindow
0x40a1d0 CharUpperA
0x40a1d4 SetDlgItemTextA
0x40a1d8 ExitWindowsEx
0x40a1dc MessageBeep
0x40a1e0 EndDialog
0x40a1e4 CharPrevA
0x40a1e8 LoadStringA
0x40a1ec CharNextA
0x40a1f0 EnableWindow
0x40a1f4 ReleaseDC
0x40a1f8 SetForegroundWindow
0x40a1fc PeekMessageA
0x40a200 GetDlgItem
0x40a204 SendMessageA
0x40a208 SendDlgItemMessageA
0x40a20c MessageBoxA
0x40a210 SetWindowTextA
0x40a214 GetWindowLongA
0x40a218 CallWindowProcA
0x40a21c GetSystemMetrics
0x40a220 SetWindowLongA
msvcrt.dll
0x40a238 ?terminate@@YAXXZ
0x40a23c _acmdln
0x40a240 _controlfp
0x40a244 _except_handler4_common
0x40a248 _initterm
0x40a24c __setusermatherr
0x40a250 _ismbblead
0x40a254 __p__fmode
0x40a258 _cexit
0x40a25c _exit
0x40a260 exit
0x40a264 __set_app_type
0x40a268 __getmainargs
0x40a26c _amsg_exit
0x40a270 __p__commode
0x40a274 _XcptFilter
0x40a278 memcpy_s
0x40a27c _vsnprintf
0x40a280 memcpy
0x40a284 memset
COMCTL32.dll
0x40a03c None
Cabinet.dll
0x40a044 None
0x40a048 None
0x40a04c None
0x40a050 None
VERSION.dll
0x40a228 VerQueryValueA
0x40a22c GetFileVersionInfoSizeA
0x40a230 GetFileVersionInfoA
EAT(Export Address Table) is none
ADVAPI32.dll
0x40a000 GetTokenInformation
0x40a004 RegDeleteValueA
0x40a008 RegOpenKeyExA
0x40a00c RegQueryInfoKeyA
0x40a010 FreeSid
0x40a014 OpenProcessToken
0x40a018 RegSetValueExA
0x40a01c RegCreateKeyExA
0x40a020 LookupPrivilegeValueA
0x40a024 AllocateAndInitializeSid
0x40a028 RegQueryValueExA
0x40a02c EqualSid
0x40a030 RegCloseKey
0x40a034 AdjustTokenPrivileges
KERNEL32.dll
0x40a060 _lopen
0x40a064 _llseek
0x40a068 CompareStringA
0x40a06c GetLastError
0x40a070 GetFileAttributesA
0x40a074 GetSystemDirectoryA
0x40a078 LoadLibraryA
0x40a07c DeleteFileA
0x40a080 GlobalAlloc
0x40a084 GlobalFree
0x40a088 CloseHandle
0x40a08c WritePrivateProfileStringA
0x40a090 IsDBCSLeadByte
0x40a094 GetWindowsDirectoryA
0x40a098 SetFileAttributesA
0x40a09c GetProcAddress
0x40a0a0 GlobalLock
0x40a0a4 LocalFree
0x40a0a8 RemoveDirectoryA
0x40a0ac FreeLibrary
0x40a0b0 _lclose
0x40a0b4 CreateDirectoryA
0x40a0b8 GetPrivateProfileIntA
0x40a0bc GetPrivateProfileStringA
0x40a0c0 GlobalUnlock
0x40a0c4 ReadFile
0x40a0c8 SizeofResource
0x40a0cc WriteFile
0x40a0d0 GetDriveTypeA
0x40a0d4 lstrcmpA
0x40a0d8 SetFileTime
0x40a0dc SetFilePointer
0x40a0e0 FindResourceA
0x40a0e4 CreateMutexA
0x40a0e8 GetVolumeInformationA
0x40a0ec WaitForSingleObject
0x40a0f0 FindClose
0x40a0f4 FreeResource
0x40a0f8 GetVersion
0x40a0fc SetCurrentDirectoryA
0x40a100 GetTempPathA
0x40a104 LocalFileTimeToFileTime
0x40a108 CreateFileA
0x40a10c SetEvent
0x40a110 TerminateThread
0x40a114 GetVersionExA
0x40a118 LockResource
0x40a11c GetSystemInfo
0x40a120 CreateThread
0x40a124 ResetEvent
0x40a128 LoadResource
0x40a12c ExitProcess
0x40a130 GetModuleHandleW
0x40a134 CreateProcessA
0x40a138 FormatMessageA
0x40a13c GetTempFileNameA
0x40a140 DosDateTimeToFileTime
0x40a144 CreateEventA
0x40a148 GetExitCodeProcess
0x40a14c GetModuleFileNameA
0x40a150 LocalAlloc
0x40a154 MulDiv
0x40a158 GetDiskFreeSpaceA
0x40a15c EnumResourceLanguagesA
0x40a160 GetTickCount
0x40a164 GetSystemTimeAsFileTime
0x40a168 GetCurrentThreadId
0x40a16c GetCurrentProcessId
0x40a170 QueryPerformanceCounter
0x40a174 GetModuleHandleA
0x40a178 TerminateProcess
0x40a17c SetUnhandledExceptionFilter
0x40a180 UnhandledExceptionFilter
0x40a184 GetStartupInfoA
0x40a188 Sleep
0x40a18c ExpandEnvironmentStringsA
0x40a190 FindNextFileA
0x40a194 GetCurrentProcess
0x40a198 GetCurrentDirectoryA
0x40a19c FindFirstFileA
0x40a1a0 GetShortPathNameA
0x40a1a4 LoadLibraryExA
GDI32.dll
0x40a058 GetDeviceCaps
USER32.dll
0x40a1ac GetDlgItemTextA
0x40a1b0 DialogBoxIndirectParamA
0x40a1b4 ShowWindow
0x40a1b8 MsgWaitForMultipleObjects
0x40a1bc SetWindowPos
0x40a1c0 GetDC
0x40a1c4 GetWindowRect
0x40a1c8 DispatchMessageA
0x40a1cc GetDesktopWindow
0x40a1d0 CharUpperA
0x40a1d4 SetDlgItemTextA
0x40a1d8 ExitWindowsEx
0x40a1dc MessageBeep
0x40a1e0 EndDialog
0x40a1e4 CharPrevA
0x40a1e8 LoadStringA
0x40a1ec CharNextA
0x40a1f0 EnableWindow
0x40a1f4 ReleaseDC
0x40a1f8 SetForegroundWindow
0x40a1fc PeekMessageA
0x40a200 GetDlgItem
0x40a204 SendMessageA
0x40a208 SendDlgItemMessageA
0x40a20c MessageBoxA
0x40a210 SetWindowTextA
0x40a214 GetWindowLongA
0x40a218 CallWindowProcA
0x40a21c GetSystemMetrics
0x40a220 SetWindowLongA
msvcrt.dll
0x40a238 ?terminate@@YAXXZ
0x40a23c _acmdln
0x40a240 _controlfp
0x40a244 _except_handler4_common
0x40a248 _initterm
0x40a24c __setusermatherr
0x40a250 _ismbblead
0x40a254 __p__fmode
0x40a258 _cexit
0x40a25c _exit
0x40a260 exit
0x40a264 __set_app_type
0x40a268 __getmainargs
0x40a26c _amsg_exit
0x40a270 __p__commode
0x40a274 _XcptFilter
0x40a278 memcpy_s
0x40a27c _vsnprintf
0x40a280 memcpy
0x40a284 memset
COMCTL32.dll
0x40a03c None
Cabinet.dll
0x40a044 None
0x40a048 None
0x40a04c None
0x40a050 None
VERSION.dll
0x40a228 VerQueryValueA
0x40a22c GetFileVersionInfoSizeA
0x40a230 GetFileVersionInfoA
EAT(Export Address Table) is none