ScreenShot
Field | Value |
---|---|
Created | 2023.06.11 23:21 |
Machine | s1_win7_x6403 |
Filename | minuscrypt_crypted.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 39 detected (AIDetectMalware, Fragtor, Artemis, unsafe, Kryptik, Vhm0, Attribute, HighConfidence, malicious, high confidence, HTTO, score, TrojanX, CLOUD, moderate, ai score=89, Wacatac, Detected, ZexaF, 4yX@ay6ssA, BScope, GenKryptik, Chgt, GHTO, confidence) |
md5 | 3a68a2cbeb827588f3749568b121a79b |
sha256 | 2ab209c8b13fc820c0f2cd15de422053e94e2ca02b939ff97eeb2abceb5bb810 |
ssdeep | 12288:x7Gmaojeh4hLyhLk9el5ih7XrIqEMbs0qFvPrVc8Ml1T5J4rNl99uF04r4hZZ1v6:MTMYP2tP4CKdKh |
imphash | 836daea6dc0c0e58deaab2b0e9ca3107 |
impfuzzy | 48:INtLS1jt5G5c+ppic30BWoIJ4+jjAcwkJ1:INtLS1jt5G5c+ppiGndJ1 |
Signature (28cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
watch | A process attempted to delay the analysis task. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | schtasks_Zero | task schedule | memory |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | ScreenShot | Take ScreenShot | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (9cnts)
Suricata IDs
ET MALWARE DCRAT Activity (GET)
ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
PE API
IAT (Import Address Table) Library
COMDLG32.dll
0x410000 GetSaveFileNameA
0x410004 ChooseColorW
0x410008 GetOpenFileNameA
KERNEL32.dll
0x410010 GetModuleHandleA
0x410014 GetProcAddress
0x410018 MultiByteToWideChar
0x41001c QueryPerformanceFrequency
0x410020 QueryPerformanceCounter
0x410024 GetCurrentProcessId
0x410028 GetCurrentThreadId
0x41002c GetSystemTimeAsFileTime
0x410030 InitializeSListHead
0x410034 IsDebuggerPresent
0x410038 UnhandledExceptionFilter
0x41003c SetUnhandledExceptionFilter
0x410040 GetStartupInfoW
0x410044 IsProcessorFeaturePresent
0x410048 GetModuleHandleW
0x41004c GetCurrentProcess
0x410050 TerminateProcess
0x410054 WriteConsoleW
0x410058 RaiseException
0x41005c RtlUnwind
0x410060 GetLastError
0x410064 SetLastError
0x410068 EnterCriticalSection
0x41006c LeaveCriticalSection
0x410070 DeleteCriticalSection
0x410074 InitializeCriticalSectionAndSpinCount
0x410078 TlsAlloc
0x41007c TlsGetValue
0x410080 TlsSetValue
0x410084 TlsFree
0x410088 FreeLibrary
0x41008c LoadLibraryExW
0x410090 EncodePointer
0x410094 GetStdHandle
0x410098 WriteFile
0x41009c GetModuleFileNameW
0x4100a0 ExitProcess
0x4100a4 GetModuleHandleExW
0x4100a8 GetCommandLineA
0x4100ac GetCommandLineW
0x4100b0 HeapAlloc
0x4100b4 HeapFree
0x4100b8 FindClose
0x4100bc FindFirstFileExW
0x4100c0 FindNextFileW
0x4100c4 IsValidCodePage
0x4100c8 GetACP
0x4100cc GetOEMCP
0x4100d0 GetCPInfo
0x4100d4 WideCharToMultiByte
0x4100d8 GetEnvironmentStringsW
0x4100dc FreeEnvironmentStringsW
0x4100e0 SetEnvironmentVariableW
0x4100e4 SetStdHandle
0x4100e8 GetFileType
0x4100ec GetStringTypeW
0x4100f0 CompareStringW
0x4100f4 LCMapStringW
0x4100f8 GetProcessHeap
0x4100fc HeapSize
0x410100 HeapReAlloc
0x410104 FlushFileBuffers
0x410108 GetConsoleOutputCP
0x41010c GetConsoleMode
0x410110 SetFilePointerEx
0x410114 CreateFileW
0x410118 CloseHandle
0x41011c DecodePointer
kernel32.dll
0x4e26c4 DestroyClass
0x4e26c8 GetStyle
0x4e26cc GetProcess
0x4e26d0 TerminateThread
0x4e26d4 TerminateCursor
0x4e26d8 InitializeMemory
0x4e26dc AllocateClass
0x4e26e0 QueryBitmap
0x4e26e4 DeleteClass
user32.dll
0x4e26ec AllocateEvent
0x4e26f0 GetTimer
0x4e26f4 DeleteBrush
0x4e26f8 SetFont
0x4e26fc OpenMessage
advapi32.dll
0x4e2704 OpenFont
0x4e2708 TerminateStyle
0x4e270c UnregisterCursor
EAT (Export Address Table): none