Field | Value |
---|---|
Created | 2023.05.25 17:40 |
Machine | s1_win7_x6401 |
Filename | Setup_x32_x64.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 34 detected (AIDetectMalware, Stealerc, malicious, high confidence, GenericKD, Save, TrojanPSW, Attribute, HighConfidence, VMProtect, AU suspicious, score, FileRepMalware, QQPass, QQRob, Hajl, Artemis, high, Static AI, Suspicious PE, M1LGBB, Cryware, Detected, ai score=82, BScope, Coins, unsafe, Chgt, CLOUD, susgen, ZexaF, @J2@aOdwaYpi, confidence) |
md5 | c51e82e2c7a0f3b68d02fc988f764f8f |
sha256 | 5cbcbf21e72a2a382039f92862cf3fd8364e0fcccda137c0eb1a57c6c3fc46e2 |
ssdeep | 98304:s2Ck1pncPKXnRwJgPRVPh1g09XjV4AIvLEazhyf6Dqo:vvncP6nRwJoVngwXjVLQ0Q |
imphash | ee126499edcdda4d19e739d00cbb1b09 |
impfuzzy | 96:YZrZ+fcDGhtb1Jc6QF1AXJ+Zcp+qjwSttLyuua:0UQ0Z+Ra |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Network activity contains more than one unique useragent |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts)
Suricata IDs
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO Dotted Quad Host ZIP Request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO Dotted Quad Host ZIP Request
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x6e9000 Sleep
0x6e9004 GlobalMemoryStatusEx
0x6e9008 GetSystemInfo
0x6e900c VirtualProtect
0x6e9010 HeapAlloc
0x6e9014 GetProcessHeap
0x6e9018 GetProcAddress
0x6e901c LoadLibraryA
0x6e9020 GetLogicalProcessorInformationEx
0x6e9024 VirtualAlloc
0x6e9028 Process32Next
0x6e902c Process32First
0x6e9030 CreateToolhelp32Snapshot
0x6e9034 FindNextFileW
0x6e9038 FindFirstFileW
0x6e903c VirtualAllocExNuma
0x6e9040 SetEndOfFile
0x6e9044 VirtualFree
0x6e9048 CloseHandle
0x6e904c GetCurrentProcess
0x6e9050 CreateFileW
0x6e9054 CreateFileA
0x6e9058 SetStdHandle
0x6e905c WriteConsoleW
0x6e9060 LoadLibraryW
0x6e9064 IsValidLocale
0x6e9068 EnumSystemLocalesA
0x6e906c GetLocaleInfoA
0x6e9070 GetUserDefaultLCID
0x6e9074 HeapReAlloc
0x6e9078 GetLocaleInfoW
0x6e907c ExitProcess
0x6e9080 InterlockedIncrement
0x6e9084 InterlockedDecrement
0x6e9088 WideCharToMultiByte
0x6e908c InterlockedExchange
0x6e9090 InitializeCriticalSection
0x6e9094 DeleteCriticalSection
0x6e9098 EnterCriticalSection
0x6e909c LeaveCriticalSection
0x6e90a0 EncodePointer
0x6e90a4 DecodePointer
0x6e90a8 MultiByteToWideChar
0x6e90ac GetLastError
0x6e90b0 HeapFree
0x6e90b4 RaiseException
0x6e90b8 RtlUnwind
0x6e90bc GetSystemTimeAsFileTime
0x6e90c0 GetCommandLineA
0x6e90c4 HeapSetInformation
0x6e90c8 GetStartupInfoW
0x6e90cc LCMapStringW
0x6e90d0 GetCPInfo
0x6e90d4 IsProcessorFeaturePresent
0x6e90d8 TerminateProcess
0x6e90dc UnhandledExceptionFilter
0x6e90e0 SetUnhandledExceptionFilter
0x6e90e4 IsDebuggerPresent
0x6e90e8 GetModuleHandleW
0x6e90ec WriteFile
0x6e90f0 GetStdHandle
0x6e90f4 GetModuleFileNameW
0x6e90f8 HeapCreate
0x6e90fc TlsAlloc
0x6e9100 TlsGetValue
0x6e9104 TlsSetValue
0x6e9108 TlsFree
0x6e910c SetLastError
0x6e9110 GetCurrentThreadId
0x6e9114 GetACP
0x6e9118 GetOEMCP
0x6e911c IsValidCodePage
0x6e9120 HeapSize
0x6e9124 SetHandleCount
0x6e9128 InitializeCriticalSectionAndSpinCount
0x6e912c GetFileType
0x6e9130 GetConsoleCP
0x6e9134 GetConsoleMode
0x6e9138 FlushFileBuffers
0x6e913c ReadFile
0x6e9140 SetFilePointer
0x6e9144 GetModuleFileNameA
0x6e9148 FreeEnvironmentStringsW
0x6e914c GetEnvironmentStringsW
0x6e9150 QueryPerformanceCounter
0x6e9154 GetTickCount
0x6e9158 GetCurrentProcessId
0x6e915c GetStringTypeW
USER32.dll
0x6e9164 ReleaseDC
GDI32.dll
0x6e916c GetDeviceCaps
0x6e9170 CreateDCA
ole32.dll
0x6e9178 CoCreateInstance
0x6e917c CoInitializeSecurity
0x6e9180 CoInitializeEx
0x6e9184 CoSetProxyBlanket
OLEAUT32.dll
0x6e918c SysFreeString
0x6e9190 VariantClear
0x6e9194 VariantInit
0x6e9198 SysAllocString
CRYPT32.dll
0x6e91a0 CryptStringToBinaryA
KERNEL32.dll
0x6e91a8 GetSystemTimeAsFileTime
0x6e91ac GetModuleHandleA
0x6e91b0 CreateEventA
0x6e91b4 GetModuleFileNameW
0x6e91b8 TerminateProcess
0x6e91bc GetCurrentProcess
0x6e91c0 CreateToolhelp32Snapshot
0x6e91c4 Thread32First
0x6e91c8 GetCurrentProcessId
0x6e91cc GetCurrentThreadId
0x6e91d0 OpenThread
0x6e91d4 Thread32Next
0x6e91d8 CloseHandle
0x6e91dc SuspendThread
0x6e91e0 ResumeThread
0x6e91e4 WriteProcessMemory
0x6e91e8 GetSystemInfo
0x6e91ec VirtualAlloc
0x6e91f0 VirtualProtect
0x6e91f4 VirtualFree
0x6e91f8 GetProcessAffinityMask
0x6e91fc SetProcessAffinityMask
0x6e9200 GetCurrentThread
0x6e9204 SetThreadAffinityMask
0x6e9208 Sleep
0x6e920c LoadLibraryA
0x6e9210 FreeLibrary
0x6e9214 GetTickCount
0x6e9218 SystemTimeToFileTime
0x6e921c FileTimeToSystemTime
0x6e9220 GlobalFree
0x6e9224 LocalAlloc
0x6e9228 LocalFree
0x6e922c GetProcAddress
0x6e9230 ExitProcess
0x6e9234 EnterCriticalSection
0x6e9238 LeaveCriticalSection
0x6e923c InitializeCriticalSection
0x6e9240 DeleteCriticalSection
0x6e9244 GetModuleHandleW
0x6e9248 LoadResource
0x6e924c MultiByteToWideChar
0x6e9250 FindResourceExW
0x6e9254 FindResourceExA
0x6e9258 WideCharToMultiByte
0x6e925c GetThreadLocale
0x6e9260 GetUserDefaultLCID
0x6e9264 GetSystemDefaultLCID
0x6e9268 EnumResourceNamesA
0x6e926c EnumResourceNamesW
0x6e9270 EnumResourceLanguagesA
0x6e9274 EnumResourceLanguagesW
0x6e9278 EnumResourceTypesA
0x6e927c EnumResourceTypesW
0x6e9280 CreateFileW
0x6e9284 LoadLibraryW
0x6e9288 GetLastError
0x6e928c FlushFileBuffers
0x6e9290 WriteConsoleW
0x6e9294 SetStdHandle
0x6e9298 IsProcessorFeaturePresent
0x6e929c DecodePointer
0x6e92a0 GetCommandLineA
0x6e92a4 RaiseException
0x6e92a8 HeapFree
0x6e92ac GetCPInfo
0x6e92b0 InterlockedIncrement
0x6e92b4 InterlockedDecrement
0x6e92b8 GetACP
0x6e92bc GetOEMCP
0x6e92c0 IsValidCodePage
0x6e92c4 EncodePointer
0x6e92c8 TlsAlloc
0x6e92cc TlsGetValue
0x6e92d0 TlsSetValue
0x6e92d4 TlsFree
0x6e92d8 SetLastError
0x6e92dc UnhandledExceptionFilter
0x6e92e0 SetUnhandledExceptionFilter
0x6e92e4 IsDebuggerPresent
0x6e92e8 HeapAlloc
0x6e92ec LCMapStringW
0x6e92f0 GetStringTypeW
0x6e92f4 SetHandleCount
0x6e92f8 GetStdHandle
0x6e92fc InitializeCriticalSectionAndSpinCount
0x6e9300 GetFileType
0x6e9304 GetStartupInfoW
0x6e9308 GetModuleFileNameA
0x6e930c FreeEnvironmentStringsW
0x6e9310 GetEnvironmentStringsW
0x6e9314 HeapCreate
0x6e9318 HeapDestroy
0x6e931c QueryPerformanceCounter
0x6e9320 HeapSize
0x6e9324 WriteFile
0x6e9328 RtlUnwind
0x6e932c SetFilePointer
0x6e9330 GetConsoleCP
0x6e9334 GetConsoleMode
0x6e9338 HeapReAlloc
0x6e933c VirtualQuery
USER32.dll
0x6e9344 CharUpperBuffW
KERNEL32.dll
0x6e934c LocalAlloc
0x6e9350 LocalFree
0x6e9354 GetModuleFileNameW
0x6e9358 ExitProcess
0x6e935c LoadLibraryA
0x6e9360 GetModuleHandleA
0x6e9364 GetProcAddress
EAT (Export Address Table): none