ScreenShot
| Created | 2023.06.01 18:49 | Machine | s1_win7_x6403 |
| Filename | postmon.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 55 detected (AIDetectMalware, Malicious, score, Selfdel, GenericRXVW, Save, ABRisk, UFTG, Attribute, HighConfidence, high confidence, Kryptik, AGen, jwghec, PWSX, Gencirc, FileFinder, Gen7, Siggen20, R002C0PE723, NetLoader, Generic Reputation PUA, Bandra, Sabsik, Casdet, UN14F8, Detected, PowershellDownloader, R575694, ZexaF, pCW@aGKkZ@hi, ai score=67, BScope, TrojanPSW, Coins, unsafe, qlDhpU51GmN, susgen, HROL, confidence, 100%) | ||
| md5 | 3661cbaa14b2974e5f1c228da71b3375 | ||
| sha256 | ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f | ||
| ssdeep | 3072:/jw74LtbRIpVtSxq3hJSaj0CqWuvSNImaZhljVLl7r8qi41j2m2FtHJjgBvFGhC4:M6hJVL5nt2FvUJFGhCWUyAOkgqk7 | ||
| imphash | 8ad88ac708ddb8f8b13f36cf34d63196 | ||
| impfuzzy | 48:+BKkUBHve4xc+ULtoS1xGoZZGK3/ZRdK+:+A5veoc+ULtoS1xGojBZRdK+ | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Drops an executable to the user AppData folder |
| notice | Poweshell is sending data to a remote host |
| notice | URL downloaded by powershell script |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Powershell script has download & invoke calls |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
| info | PowershellDI | Extract Download/Invoke calls from powershell script | scripts |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO TLS Handshake Failure
PE API
IAT(Import Address Table) Library
WININET.dll
0x42c188 InternetReadFile
0x42c18c InternetCloseHandle
0x42c190 InternetCrackUrlW
0x42c194 InternetOpenW
0x42c198 InternetOpenUrlW
0x42c19c InternetQueryDataAvailable
SHLWAPI.dll
0x42c170 StrStrW
0x42c174 wnsprintfW
KERNEL32.dll
0x42c01c GetCommandLineW
0x42c020 GetCommandLineA
0x42c024 GetOEMCP
0x42c028 WriteFile
0x42c02c GetModuleFileNameW
0x42c030 GetEnvironmentVariableW
0x42c034 lstrlenA
0x42c038 CreateFileW
0x42c03c GetFileAttributesW
0x42c040 GetSystemWow64DirectoryW
0x42c044 GetLastError
0x42c048 LoadLibraryA
0x42c04c lstrcatW
0x42c050 lstrcpyA
0x42c054 GetEnvironmentStringsW
0x42c058 CloseHandle
0x42c05c ExitProcess
0x42c060 GetModuleHandleW
0x42c064 lstrcpyW
0x42c068 GetTempFileNameW
0x42c06c HeapFree
0x42c070 HeapReAlloc
0x42c074 HeapAlloc
0x42c078 GetProcessHeap
0x42c07c WideCharToMultiByte
0x42c080 GetACP
0x42c084 IsValidCodePage
0x42c088 FindNextFileW
0x42c08c FreeEnvironmentStringsW
0x42c090 SetStdHandle
0x42c094 HeapSize
0x42c098 TlsSetValue
0x42c09c EnterCriticalSection
0x42c0a0 LeaveCriticalSection
0x42c0a4 DeleteCriticalSection
0x42c0a8 EncodePointer
0x42c0ac DecodePointer
0x42c0b0 MultiByteToWideChar
0x42c0b4 SetLastError
0x42c0b8 InitializeCriticalSectionAndSpinCount
0x42c0bc CreateEventW
0x42c0c0 TlsAlloc
0x42c0c4 TlsGetValue
0x42c0c8 WriteConsoleW
0x42c0cc TlsFree
0x42c0d0 GetSystemTimeAsFileTime
0x42c0d4 GetProcAddress
0x42c0d8 LCMapStringW
0x42c0dc GetLocaleInfoW
0x42c0e0 GetStringTypeW
0x42c0e4 GetCPInfo
0x42c0e8 SetEvent
0x42c0ec ResetEvent
0x42c0f0 WaitForSingleObjectEx
0x42c0f4 UnhandledExceptionFilter
0x42c0f8 SetUnhandledExceptionFilter
0x42c0fc GetCurrentProcess
0x42c100 TerminateProcess
0x42c104 IsProcessorFeaturePresent
0x42c108 IsDebuggerPresent
0x42c10c GetStartupInfoW
0x42c110 QueryPerformanceCounter
0x42c114 GetCurrentProcessId
0x42c118 GetCurrentThreadId
0x42c11c InitializeSListHead
0x42c120 RaiseException
0x42c124 RtlUnwind
0x42c128 FreeLibrary
0x42c12c LoadLibraryExW
0x42c130 GetModuleHandleExW
0x42c134 GetStdHandle
0x42c138 ReadFile
0x42c13c GetConsoleMode
0x42c140 ReadConsoleW
0x42c144 IsValidLocale
0x42c148 GetUserDefaultLCID
0x42c14c EnumSystemLocalesW
0x42c150 GetFileType
0x42c154 FlushFileBuffers
0x42c158 GetConsoleOutputCP
0x42c15c GetFileSizeEx
0x42c160 SetFilePointerEx
0x42c164 FindClose
0x42c168 FindFirstFileExW
USER32.dll
0x42c17c wsprintfW
0x42c180 wsprintfA
ADVAPI32.dll
0x42c000 GetSidSubAuthorityCount
0x42c004 GetSidSubAuthority
0x42c008 RegSetValueExW
0x42c00c RegOpenKeyExW
0x42c010 RegCreateKeyW
0x42c014 RegCloseKey
EAT(Export Address Table) is none
WININET.dll
0x42c188 InternetReadFile
0x42c18c InternetCloseHandle
0x42c190 InternetCrackUrlW
0x42c194 InternetOpenW
0x42c198 InternetOpenUrlW
0x42c19c InternetQueryDataAvailable
SHLWAPI.dll
0x42c170 StrStrW
0x42c174 wnsprintfW
KERNEL32.dll
0x42c01c GetCommandLineW
0x42c020 GetCommandLineA
0x42c024 GetOEMCP
0x42c028 WriteFile
0x42c02c GetModuleFileNameW
0x42c030 GetEnvironmentVariableW
0x42c034 lstrlenA
0x42c038 CreateFileW
0x42c03c GetFileAttributesW
0x42c040 GetSystemWow64DirectoryW
0x42c044 GetLastError
0x42c048 LoadLibraryA
0x42c04c lstrcatW
0x42c050 lstrcpyA
0x42c054 GetEnvironmentStringsW
0x42c058 CloseHandle
0x42c05c ExitProcess
0x42c060 GetModuleHandleW
0x42c064 lstrcpyW
0x42c068 GetTempFileNameW
0x42c06c HeapFree
0x42c070 HeapReAlloc
0x42c074 HeapAlloc
0x42c078 GetProcessHeap
0x42c07c WideCharToMultiByte
0x42c080 GetACP
0x42c084 IsValidCodePage
0x42c088 FindNextFileW
0x42c08c FreeEnvironmentStringsW
0x42c090 SetStdHandle
0x42c094 HeapSize
0x42c098 TlsSetValue
0x42c09c EnterCriticalSection
0x42c0a0 LeaveCriticalSection
0x42c0a4 DeleteCriticalSection
0x42c0a8 EncodePointer
0x42c0ac DecodePointer
0x42c0b0 MultiByteToWideChar
0x42c0b4 SetLastError
0x42c0b8 InitializeCriticalSectionAndSpinCount
0x42c0bc CreateEventW
0x42c0c0 TlsAlloc
0x42c0c4 TlsGetValue
0x42c0c8 WriteConsoleW
0x42c0cc TlsFree
0x42c0d0 GetSystemTimeAsFileTime
0x42c0d4 GetProcAddress
0x42c0d8 LCMapStringW
0x42c0dc GetLocaleInfoW
0x42c0e0 GetStringTypeW
0x42c0e4 GetCPInfo
0x42c0e8 SetEvent
0x42c0ec ResetEvent
0x42c0f0 WaitForSingleObjectEx
0x42c0f4 UnhandledExceptionFilter
0x42c0f8 SetUnhandledExceptionFilter
0x42c0fc GetCurrentProcess
0x42c100 TerminateProcess
0x42c104 IsProcessorFeaturePresent
0x42c108 IsDebuggerPresent
0x42c10c GetStartupInfoW
0x42c110 QueryPerformanceCounter
0x42c114 GetCurrentProcessId
0x42c118 GetCurrentThreadId
0x42c11c InitializeSListHead
0x42c120 RaiseException
0x42c124 RtlUnwind
0x42c128 FreeLibrary
0x42c12c LoadLibraryExW
0x42c130 GetModuleHandleExW
0x42c134 GetStdHandle
0x42c138 ReadFile
0x42c13c GetConsoleMode
0x42c140 ReadConsoleW
0x42c144 IsValidLocale
0x42c148 GetUserDefaultLCID
0x42c14c EnumSystemLocalesW
0x42c150 GetFileType
0x42c154 FlushFileBuffers
0x42c158 GetConsoleOutputCP
0x42c15c GetFileSizeEx
0x42c160 SetFilePointerEx
0x42c164 FindClose
0x42c168 FindFirstFileExW
USER32.dll
0x42c17c wsprintfW
0x42c180 wsprintfA
ADVAPI32.dll
0x42c000 GetSidSubAuthorityCount
0x42c004 GetSidSubAuthority
0x42c008 RegSetValueExW
0x42c00c RegOpenKeyExW
0x42c010 RegCreateKeyW
0x42c014 RegCloseKey
EAT(Export Address Table) is none