Field | Value |
---|---|
Created | 2023.06.07 07:41 |
Machine | s1_win7_x6401 |
Filename | ceshi.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 58 detected (AIDetectMalware, Cycler, tobt, malicious, high confidence, score, Farli, S673162, Save, Farfli, QYHJ, Attribute, HighConfidence, amco, ekovmh, 7kjdrStSW2Q, AGEN, PcClient, ZEGOST, SM33, GenericRXAW, fkra, ai score=87, CK@709g8g, Detected, unsafe, Gencirc, GenAsa, tdeUKaifYeg, susgen, ZexaF, jmW@ayUVhai, confidence, 100%) |
md5 | 25214ee067e1480fa57f0ffd143ebb03 |
sha256 | 523461b6e1b7beb0ea5596ecf7e4455c3b5930e4280db607cc19a73c88a11a58 |
ssdeep | 1536:BwL42hI3IetDA3F39dOPD4IyuKUc7H8LiYHOv3YHV2m9zrPW4B5:BwL4mOIet+uPNyOLiQC3YE0zrPLB5 |
imphash | 4eac46eb01c65a7e209bb87f15f9e46d |
impfuzzy | 24:G9aNDotFMdNOovK/J3I+tQcxOaCjFQ8Ryv0T4FNTqdhNZA9IKpCwu6:ZaM6BhtQcvC60cFcdhNZ8IKpC0 |
Network IP location
Signature (13cnts)
Level | Description |
---|---|
danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a service |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
info | This executable has a PDB path |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Dotted Quad Host DLL Request
ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))
ET HUNTING Rejetto HTTP File Sever Response
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41d000 Sleep
0x41d004 HeapFree
0x41d008 GetProcessHeap
0x41d00c VirtualFree
0x41d010 FreeLibrary
0x41d014 HeapAlloc
0x41d018 VirtualAlloc
0x41d01c VirtualProtect
0x41d020 GetProcAddress
0x41d024 LoadLibraryA
0x41d028 CloseHandle
0x41d02c CreateFileA
0x41d030 WriteFile
0x41d034 ReadFile
0x41d038 GetFileSize
0x41d03c RtlUnwind
0x41d040 RaiseException
0x41d044 GetLastError
0x41d048 HeapReAlloc
0x41d04c GetCommandLineA
0x41d050 GetVersionExA
0x41d054 GetStartupInfoA
0x41d058 GetModuleHandleA
0x41d05c TlsGetValue
0x41d060 TlsAlloc
0x41d064 TlsSetValue
0x41d068 TlsFree
0x41d06c InterlockedIncrement
0x41d070 SetLastError
0x41d074 GetCurrentThreadId
0x41d078 InterlockedDecrement
0x41d07c GetCurrentThread
0x41d080 TerminateProcess
0x41d084 GetCurrentProcess
0x41d088 UnhandledExceptionFilter
0x41d08c SetUnhandledExceptionFilter
0x41d090 IsDebuggerPresent
0x41d094 HeapDestroy
0x41d098 HeapCreate
0x41d09c DeleteCriticalSection
0x41d0a0 LeaveCriticalSection
0x41d0a4 FatalAppExitA
0x41d0a8 EnterCriticalSection
0x41d0ac ExitProcess
0x41d0b0 GetStdHandle
0x41d0b4 GetModuleFileNameA
0x41d0b8 FreeEnvironmentStringsA
0x41d0bc GetEnvironmentStrings
0x41d0c0 FreeEnvironmentStringsW
0x41d0c4 WideCharToMultiByte
0x41d0c8 GetEnvironmentStringsW
0x41d0cc SetHandleCount
0x41d0d0 GetFileType
0x41d0d4 QueryPerformanceCounter
0x41d0d8 GetTickCount
0x41d0dc GetCurrentProcessId
0x41d0e0 GetSystemTimeAsFileTime
0x41d0e4 GetCPInfo
0x41d0e8 GetACP
0x41d0ec GetOEMCP
0x41d0f0 InitializeCriticalSection
0x41d0f4 SetConsoleCtrlHandler
0x41d0f8 InterlockedExchange
0x41d0fc HeapSize
0x41d100 GetTimeFormatA
0x41d104 GetDateFormatA
0x41d108 GetUserDefaultLCID
0x41d10c GetLocaleInfoA
0x41d110 EnumSystemLocalesA
0x41d114 IsValidLocale
0x41d118 IsValidCodePage
0x41d11c GetStringTypeA
0x41d120 MultiByteToWideChar
0x41d124 GetStringTypeW
0x41d128 LCMapStringA
0x41d12c LCMapStringW
0x41d130 GetLocaleInfoW
0x41d134 GetTimeZoneInformation
0x41d138 CompareStringA
0x41d13c CompareStringW
0x41d140 SetEnvironmentVariableA
0x41d144 LocalAlloc
0x41d148 LocalFree
EAT(Export Address Table) is none