ScreenShot
| Created | 2023.04.24 09:03 | Machine | s1_win7_x6403 |
| Filename | installer.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 41 detected (Microleaves, GenericKD, Artemis, ABRisk, NACY, Malicious, score, Proxy, OnlineGuard, jrqmwz, Redcap, eotnr, high, Generic Reputation PUA, Malware@#2se21unwb8xl9, Mamson, Detected, ai score=100, unsafe, R04AH07EI22, CLOUD, susgen, PossibleThreat) | ||
| md5 | fa24733f5a6a6f44d0e65d7d98b84aa6 | ||
| sha256 | da1b144b5f908cb7e811489dfe660e06aa6df9c9158c6972ec9c79c48afacb7e | ||
| ssdeep | 98304:5YoIz3Q2HM5Qp4WzMIaX8/BG6v/gIV0sba5mFkDzLb:5i3QDCpQaJGkDegFwL | ||
| imphash | 7c194251e86188363a60c4bd78b0d506 | ||
| impfuzzy | 48:JOscSpvEdJsQPbRioE9pwUwrkrXa9xvBrbYUrUvZk7O:JrcSpvEdJsQPYvzPwrkrgxv58UrWD | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to create or modify system certificates |
| watch | Deletes executed files from disk |
| watch | Disables proxy possibly for traffic interception |
| watch | One or more of the buffers contains an embedded PE file |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Sends data using the HTTP POST Method |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (18cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (7cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x61c000 CreateFileW
0x61c004 CloseHandle
0x61c008 WriteFile
0x61c00c DeleteFileW
0x61c010 HeapDestroy
0x61c014 HeapSize
0x61c018 HeapReAlloc
0x61c01c HeapFree
0x61c020 HeapAlloc
0x61c024 GetProcessHeap
0x61c028 SizeofResource
0x61c02c LockResource
0x61c030 LoadResource
0x61c034 FindResourceW
0x61c038 FindResourceExW
0x61c03c SetEvent
0x61c040 CreateEventExW
0x61c044 WaitForSingleObject
0x61c048 RemoveDirectoryW
0x61c04c GetTempPathW
0x61c050 GetTempFileNameW
0x61c054 CreateDirectoryW
0x61c058 MoveFileW
0x61c05c GetLastError
0x61c060 EnterCriticalSection
0x61c064 LeaveCriticalSection
0x61c068 GetModuleFileNameW
0x61c06c DeleteCriticalSection
0x61c070 InitializeCriticalSectionAndSpinCount
0x61c074 GetCurrentThreadId
0x61c078 RaiseException
0x61c07c SetLastError
0x61c080 GlobalUnlock
0x61c084 GlobalLock
0x61c088 GlobalAlloc
0x61c08c MulDiv
0x61c090 lstrcmpW
0x61c094 CreateEventW
0x61c098 FindClose
0x61c09c FindFirstFileW
0x61c0a0 GetFullPathNameW
0x61c0a4 InitializeCriticalSection
0x61c0a8 lstrcpynW
0x61c0ac CreateThread
0x61c0b0 GetProcAddress
0x61c0b4 LoadLibraryExW
0x61c0b8 GetCurrentProcess
0x61c0bc Sleep
0x61c0c0 WideCharToMultiByte
0x61c0c4 GetDiskFreeSpaceExW
0x61c0c8 DecodePointer
0x61c0cc GetExitCodeThread
0x61c0d0 GetCurrentProcessId
0x61c0d4 FreeLibrary
0x61c0d8 GetSystemDirectoryW
0x61c0dc lstrlenW
0x61c0e0 VerifyVersionInfoW
0x61c0e4 VerSetConditionMask
0x61c0e8 lstrcmpiW
0x61c0ec GetModuleHandleW
0x61c0f0 LoadLibraryW
0x61c0f4 GetDriveTypeW
0x61c0f8 CompareStringW
0x61c0fc FindNextFileW
0x61c100 GetLogicalDriveStringsW
0x61c104 GetFileSize
0x61c108 GetFileAttributesW
0x61c10c GetShortPathNameW
0x61c110 SetFileAttributesW
0x61c114 GetFileTime
0x61c118 CopyFileW
0x61c11c ReadFile
0x61c120 SetFilePointer
0x61c124 SystemTimeToFileTime
0x61c128 MultiByteToWideChar
0x61c12c GetSystemInfo
0x61c130 WaitForMultipleObjects
0x61c134 VirtualProtect
0x61c138 VirtualQuery
0x61c13c LoadLibraryExA
0x61c140 GetStringTypeW
0x61c144 SetUnhandledExceptionFilter
0x61c148 FileTimeToSystemTime
0x61c14c GetEnvironmentVariableW
0x61c150 GetSystemTime
0x61c154 GetDateFormatW
0x61c158 GetTimeFormatW
0x61c15c GetLocaleInfoW
0x61c160 CreateProcessW
0x61c164 GetExitCodeProcess
0x61c168 GetWindowsDirectoryW
0x61c16c CreateToolhelp32Snapshot
0x61c170 Process32FirstW
0x61c174 Process32NextW
0x61c178 FormatMessageW
0x61c17c GetEnvironmentStringsW
0x61c180 LocalFree
0x61c184 InitializeCriticalSectionEx
0x61c188 LoadLibraryA
0x61c18c GetModuleFileNameA
0x61c190 GetCurrentThread
0x61c194 GetConsoleOutputCP
0x61c198 FlushFileBuffers
0x61c19c Wow64DisableWow64FsRedirection
0x61c1a0 Wow64RevertWow64FsRedirection
0x61c1a4 IsWow64Process
0x61c1a8 SetConsoleTextAttribute
0x61c1ac GetStdHandle
0x61c1b0 GetConsoleScreenBufferInfo
0x61c1b4 OutputDebugStringW
0x61c1b8 GetTickCount
0x61c1bc GetCommandLineW
0x61c1c0 SetCurrentDirectoryW
0x61c1c4 SetEndOfFile
0x61c1c8 EnumResourceLanguagesW
0x61c1cc GetSystemDefaultLangID
0x61c1d0 GetUserDefaultLangID
0x61c1d4 GetLocalTime
0x61c1d8 ResetEvent
0x61c1dc GlobalFree
0x61c1e0 GetPrivateProfileStringW
0x61c1e4 GetPrivateProfileSectionNamesW
0x61c1e8 WritePrivateProfileStringW
0x61c1ec CreateNamedPipeW
0x61c1f0 ConnectNamedPipe
0x61c1f4 TerminateThread
0x61c1f8 LocalAlloc
0x61c1fc CompareFileTime
0x61c200 CopyFileExW
0x61c204 OpenEventW
0x61c208 PeekNamedPipe
0x61c20c WaitForSingleObjectEx
0x61c210 QueryPerformanceCounter
0x61c214 QueryPerformanceFrequency
0x61c218 EncodePointer
0x61c21c LCMapStringEx
0x61c220 GetSystemTimeAsFileTime
0x61c224 CompareStringEx
0x61c228 GetCPInfo
0x61c22c IsDebuggerPresent
0x61c230 InitializeSListHead
0x61c234 InterlockedPopEntrySList
0x61c238 InterlockedPushEntrySList
0x61c23c FlushInstructionCache
0x61c240 IsProcessorFeaturePresent
0x61c244 VirtualAlloc
0x61c248 VirtualFree
0x61c24c UnhandledExceptionFilter
0x61c250 TerminateProcess
0x61c254 GetStartupInfoW
0x61c258 RtlUnwind
0x61c25c TlsAlloc
0x61c260 TlsGetValue
0x61c264 TlsSetValue
0x61c268 TlsFree
0x61c26c ExitThread
0x61c270 FreeLibraryAndExitThread
0x61c274 GetModuleHandleExW
0x61c278 ExitProcess
0x61c27c GetFileType
0x61c280 LCMapStringW
0x61c284 IsValidLocale
0x61c288 GetUserDefaultLCID
0x61c28c EnumSystemLocalesW
0x61c290 GetTimeZoneInformation
0x61c294 GetConsoleMode
0x61c298 GetFileSizeEx
0x61c29c SetFilePointerEx
0x61c2a0 FindFirstFileExW
0x61c2a4 IsValidCodePage
0x61c2a8 GetACP
0x61c2ac GetOEMCP
0x61c2b0 GetCommandLineA
0x61c2b4 FreeEnvironmentStringsW
0x61c2b8 SetEnvironmentVariableW
0x61c2bc SetStdHandle
0x61c2c0 ReadConsoleW
0x61c2c4 WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x61c000 CreateFileW
0x61c004 CloseHandle
0x61c008 WriteFile
0x61c00c DeleteFileW
0x61c010 HeapDestroy
0x61c014 HeapSize
0x61c018 HeapReAlloc
0x61c01c HeapFree
0x61c020 HeapAlloc
0x61c024 GetProcessHeap
0x61c028 SizeofResource
0x61c02c LockResource
0x61c030 LoadResource
0x61c034 FindResourceW
0x61c038 FindResourceExW
0x61c03c SetEvent
0x61c040 CreateEventExW
0x61c044 WaitForSingleObject
0x61c048 RemoveDirectoryW
0x61c04c GetTempPathW
0x61c050 GetTempFileNameW
0x61c054 CreateDirectoryW
0x61c058 MoveFileW
0x61c05c GetLastError
0x61c060 EnterCriticalSection
0x61c064 LeaveCriticalSection
0x61c068 GetModuleFileNameW
0x61c06c DeleteCriticalSection
0x61c070 InitializeCriticalSectionAndSpinCount
0x61c074 GetCurrentThreadId
0x61c078 RaiseException
0x61c07c SetLastError
0x61c080 GlobalUnlock
0x61c084 GlobalLock
0x61c088 GlobalAlloc
0x61c08c MulDiv
0x61c090 lstrcmpW
0x61c094 CreateEventW
0x61c098 FindClose
0x61c09c FindFirstFileW
0x61c0a0 GetFullPathNameW
0x61c0a4 InitializeCriticalSection
0x61c0a8 lstrcpynW
0x61c0ac CreateThread
0x61c0b0 GetProcAddress
0x61c0b4 LoadLibraryExW
0x61c0b8 GetCurrentProcess
0x61c0bc Sleep
0x61c0c0 WideCharToMultiByte
0x61c0c4 GetDiskFreeSpaceExW
0x61c0c8 DecodePointer
0x61c0cc GetExitCodeThread
0x61c0d0 GetCurrentProcessId
0x61c0d4 FreeLibrary
0x61c0d8 GetSystemDirectoryW
0x61c0dc lstrlenW
0x61c0e0 VerifyVersionInfoW
0x61c0e4 VerSetConditionMask
0x61c0e8 lstrcmpiW
0x61c0ec GetModuleHandleW
0x61c0f0 LoadLibraryW
0x61c0f4 GetDriveTypeW
0x61c0f8 CompareStringW
0x61c0fc FindNextFileW
0x61c100 GetLogicalDriveStringsW
0x61c104 GetFileSize
0x61c108 GetFileAttributesW
0x61c10c GetShortPathNameW
0x61c110 SetFileAttributesW
0x61c114 GetFileTime
0x61c118 CopyFileW
0x61c11c ReadFile
0x61c120 SetFilePointer
0x61c124 SystemTimeToFileTime
0x61c128 MultiByteToWideChar
0x61c12c GetSystemInfo
0x61c130 WaitForMultipleObjects
0x61c134 VirtualProtect
0x61c138 VirtualQuery
0x61c13c LoadLibraryExA
0x61c140 GetStringTypeW
0x61c144 SetUnhandledExceptionFilter
0x61c148 FileTimeToSystemTime
0x61c14c GetEnvironmentVariableW
0x61c150 GetSystemTime
0x61c154 GetDateFormatW
0x61c158 GetTimeFormatW
0x61c15c GetLocaleInfoW
0x61c160 CreateProcessW
0x61c164 GetExitCodeProcess
0x61c168 GetWindowsDirectoryW
0x61c16c CreateToolhelp32Snapshot
0x61c170 Process32FirstW
0x61c174 Process32NextW
0x61c178 FormatMessageW
0x61c17c GetEnvironmentStringsW
0x61c180 LocalFree
0x61c184 InitializeCriticalSectionEx
0x61c188 LoadLibraryA
0x61c18c GetModuleFileNameA
0x61c190 GetCurrentThread
0x61c194 GetConsoleOutputCP
0x61c198 FlushFileBuffers
0x61c19c Wow64DisableWow64FsRedirection
0x61c1a0 Wow64RevertWow64FsRedirection
0x61c1a4 IsWow64Process
0x61c1a8 SetConsoleTextAttribute
0x61c1ac GetStdHandle
0x61c1b0 GetConsoleScreenBufferInfo
0x61c1b4 OutputDebugStringW
0x61c1b8 GetTickCount
0x61c1bc GetCommandLineW
0x61c1c0 SetCurrentDirectoryW
0x61c1c4 SetEndOfFile
0x61c1c8 EnumResourceLanguagesW
0x61c1cc GetSystemDefaultLangID
0x61c1d0 GetUserDefaultLangID
0x61c1d4 GetLocalTime
0x61c1d8 ResetEvent
0x61c1dc GlobalFree
0x61c1e0 GetPrivateProfileStringW
0x61c1e4 GetPrivateProfileSectionNamesW
0x61c1e8 WritePrivateProfileStringW
0x61c1ec CreateNamedPipeW
0x61c1f0 ConnectNamedPipe
0x61c1f4 TerminateThread
0x61c1f8 LocalAlloc
0x61c1fc CompareFileTime
0x61c200 CopyFileExW
0x61c204 OpenEventW
0x61c208 PeekNamedPipe
0x61c20c WaitForSingleObjectEx
0x61c210 QueryPerformanceCounter
0x61c214 QueryPerformanceFrequency
0x61c218 EncodePointer
0x61c21c LCMapStringEx
0x61c220 GetSystemTimeAsFileTime
0x61c224 CompareStringEx
0x61c228 GetCPInfo
0x61c22c IsDebuggerPresent
0x61c230 InitializeSListHead
0x61c234 InterlockedPopEntrySList
0x61c238 InterlockedPushEntrySList
0x61c23c FlushInstructionCache
0x61c240 IsProcessorFeaturePresent
0x61c244 VirtualAlloc
0x61c248 VirtualFree
0x61c24c UnhandledExceptionFilter
0x61c250 TerminateProcess
0x61c254 GetStartupInfoW
0x61c258 RtlUnwind
0x61c25c TlsAlloc
0x61c260 TlsGetValue
0x61c264 TlsSetValue
0x61c268 TlsFree
0x61c26c ExitThread
0x61c270 FreeLibraryAndExitThread
0x61c274 GetModuleHandleExW
0x61c278 ExitProcess
0x61c27c GetFileType
0x61c280 LCMapStringW
0x61c284 IsValidLocale
0x61c288 GetUserDefaultLCID
0x61c28c EnumSystemLocalesW
0x61c290 GetTimeZoneInformation
0x61c294 GetConsoleMode
0x61c298 GetFileSizeEx
0x61c29c SetFilePointerEx
0x61c2a0 FindFirstFileExW
0x61c2a4 IsValidCodePage
0x61c2a8 GetACP
0x61c2ac GetOEMCP
0x61c2b0 GetCommandLineA
0x61c2b4 FreeEnvironmentStringsW
0x61c2b8 SetEnvironmentVariableW
0x61c2bc SetStdHandle
0x61c2c0 ReadConsoleW
0x61c2c4 WriteConsoleW
EAT(Export Address Table) is none