ScreenShot
| Created | 2023.05.31 09:18 | Machine | s1_win7_x6401 |
| Filename | tg.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 39 detected (AIDetectMalware, Stealerc, malicious, high confidence, Save, TrojanPSW, confidence, 100%, Attribute, HighConfidence, Kryptik, HSNW, score, Lazy, PWSX, QQPass, QQRob, Rgil, AGEN, R014C0DEU23, high, Steal, RedLine, 6N6W4Q, Detected, Artemis, unsafe, Chgt, kqXc7BNj1qJ, Static AI, Malicious PE, ZexaF, kEW@aOEsQ6oi) | ||
| md5 | da5b8144aed2113cdd7df3f3c164fb0b | ||
| sha256 | 3e0614367a4306ad0692212eb5704af5982995ca52c80f3aacef74a9883b6536 | ||
| ssdeep | 12288:x4ZO2poYvtcyrdxyfz/FLIMyhWkpDsW8wkpnabzIA+N:yZhp0yhxyftOWEzYpaz | ||
| imphash | 65d9c1a9ed29f52599b050c6a36bebe6 | ||
| impfuzzy | 24:Q8jTcpVWZjeD1th4GhlJBl39WuPLOovbO3kFZMv5GMA+EZHu95:Q0cpVejeth4Gnpn630FZGf | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41f000 VirtualProtect
0x41f004 FreeConsole
0x41f008 MultiByteToWideChar
0x41f00c GetStringTypeW
0x41f010 WideCharToMultiByte
0x41f014 GetCurrentThreadId
0x41f018 CloseHandle
0x41f01c WaitForSingleObjectEx
0x41f020 GetExitCodeThread
0x41f024 EnterCriticalSection
0x41f028 LeaveCriticalSection
0x41f02c InitializeCriticalSectionEx
0x41f030 DeleteCriticalSection
0x41f034 EncodePointer
0x41f038 DecodePointer
0x41f03c LCMapStringEx
0x41f040 QueryPerformanceCounter
0x41f044 GetSystemTimeAsFileTime
0x41f048 GetModuleHandleW
0x41f04c GetProcAddress
0x41f050 GetCPInfo
0x41f054 UnhandledExceptionFilter
0x41f058 SetUnhandledExceptionFilter
0x41f05c GetCurrentProcess
0x41f060 TerminateProcess
0x41f064 IsProcessorFeaturePresent
0x41f068 GetCurrentProcessId
0x41f06c InitializeSListHead
0x41f070 IsDebuggerPresent
0x41f074 GetStartupInfoW
0x41f078 CreateFileW
0x41f07c RaiseException
0x41f080 RtlUnwind
0x41f084 GetLastError
0x41f088 SetLastError
0x41f08c InitializeCriticalSectionAndSpinCount
0x41f090 TlsAlloc
0x41f094 TlsGetValue
0x41f098 TlsSetValue
0x41f09c TlsFree
0x41f0a0 FreeLibrary
0x41f0a4 LoadLibraryExW
0x41f0a8 CreateThread
0x41f0ac ExitThread
0x41f0b0 FreeLibraryAndExitThread
0x41f0b4 GetModuleHandleExW
0x41f0b8 GetStdHandle
0x41f0bc WriteFile
0x41f0c0 GetModuleFileNameW
0x41f0c4 ExitProcess
0x41f0c8 GetCommandLineA
0x41f0cc GetCommandLineW
0x41f0d0 HeapAlloc
0x41f0d4 HeapFree
0x41f0d8 CompareStringW
0x41f0dc LCMapStringW
0x41f0e0 GetLocaleInfoW
0x41f0e4 IsValidLocale
0x41f0e8 GetUserDefaultLCID
0x41f0ec EnumSystemLocalesW
0x41f0f0 GetFileType
0x41f0f4 GetFileSizeEx
0x41f0f8 SetFilePointerEx
0x41f0fc FlushFileBuffers
0x41f100 GetConsoleOutputCP
0x41f104 GetConsoleMode
0x41f108 ReadFile
0x41f10c HeapReAlloc
0x41f110 FindClose
0x41f114 FindFirstFileExW
0x41f118 FindNextFileW
0x41f11c IsValidCodePage
0x41f120 GetACP
0x41f124 GetOEMCP
0x41f128 GetEnvironmentStringsW
0x41f12c FreeEnvironmentStringsW
0x41f130 SetEnvironmentVariableW
0x41f134 SetStdHandle
0x41f138 GetProcessHeap
0x41f13c ReadConsoleW
0x41f140 HeapSize
0x41f144 WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x41f000 VirtualProtect
0x41f004 FreeConsole
0x41f008 MultiByteToWideChar
0x41f00c GetStringTypeW
0x41f010 WideCharToMultiByte
0x41f014 GetCurrentThreadId
0x41f018 CloseHandle
0x41f01c WaitForSingleObjectEx
0x41f020 GetExitCodeThread
0x41f024 EnterCriticalSection
0x41f028 LeaveCriticalSection
0x41f02c InitializeCriticalSectionEx
0x41f030 DeleteCriticalSection
0x41f034 EncodePointer
0x41f038 DecodePointer
0x41f03c LCMapStringEx
0x41f040 QueryPerformanceCounter
0x41f044 GetSystemTimeAsFileTime
0x41f048 GetModuleHandleW
0x41f04c GetProcAddress
0x41f050 GetCPInfo
0x41f054 UnhandledExceptionFilter
0x41f058 SetUnhandledExceptionFilter
0x41f05c GetCurrentProcess
0x41f060 TerminateProcess
0x41f064 IsProcessorFeaturePresent
0x41f068 GetCurrentProcessId
0x41f06c InitializeSListHead
0x41f070 IsDebuggerPresent
0x41f074 GetStartupInfoW
0x41f078 CreateFileW
0x41f07c RaiseException
0x41f080 RtlUnwind
0x41f084 GetLastError
0x41f088 SetLastError
0x41f08c InitializeCriticalSectionAndSpinCount
0x41f090 TlsAlloc
0x41f094 TlsGetValue
0x41f098 TlsSetValue
0x41f09c TlsFree
0x41f0a0 FreeLibrary
0x41f0a4 LoadLibraryExW
0x41f0a8 CreateThread
0x41f0ac ExitThread
0x41f0b0 FreeLibraryAndExitThread
0x41f0b4 GetModuleHandleExW
0x41f0b8 GetStdHandle
0x41f0bc WriteFile
0x41f0c0 GetModuleFileNameW
0x41f0c4 ExitProcess
0x41f0c8 GetCommandLineA
0x41f0cc GetCommandLineW
0x41f0d0 HeapAlloc
0x41f0d4 HeapFree
0x41f0d8 CompareStringW
0x41f0dc LCMapStringW
0x41f0e0 GetLocaleInfoW
0x41f0e4 IsValidLocale
0x41f0e8 GetUserDefaultLCID
0x41f0ec EnumSystemLocalesW
0x41f0f0 GetFileType
0x41f0f4 GetFileSizeEx
0x41f0f8 SetFilePointerEx
0x41f0fc FlushFileBuffers
0x41f100 GetConsoleOutputCP
0x41f104 GetConsoleMode
0x41f108 ReadFile
0x41f10c HeapReAlloc
0x41f110 FindClose
0x41f114 FindFirstFileExW
0x41f118 FindNextFileW
0x41f11c IsValidCodePage
0x41f120 GetACP
0x41f124 GetOEMCP
0x41f128 GetEnvironmentStringsW
0x41f12c FreeEnvironmentStringsW
0x41f130 SetEnvironmentVariableW
0x41f134 SetStdHandle
0x41f138 GetProcessHeap
0x41f13c ReadConsoleW
0x41f140 HeapSize
0x41f144 WriteConsoleW
EAT(Export Address Table) is none