Field | Value |
---|---|
Created | 2023.06.16 07:38 |
Machine | s1_win7_x6403 |
Filename | gate_011.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
ZERO API | file : malware |
VT API (file) | 13 detected (malicious, confidence, 100%, Attribute, HighConfidence, high confidence, VMProtect, R suspicious, Badur, Wacatac) |
md5 | dd0891b669fbe6d2f1442f2f28f57fe3 |
sha256 | 29f8caa4248a60f8e6d058fec89fd8679c7a7b695e30c3bb2582450864fc9585 |
ssdeep | 98304:6tx706LdxV9QflRFhPDkNWLA9VPFi6f7zyol7:Ex70cdn9QXPDIfVLtl7 |
imphash | 8bcd8b76fba5e5fd12dd6e198b4c17e6 |
impfuzzy | 96:/mX3QbcGtpxWtv746AJ11tLCWc/cgs5rWFqa:oGYtv7QJzzHa |
Signature (18cnts)
Level | Description |
---|---|
danger | Disables Windows Security features |
watch | Attempts to create or modify system certificates |
watch | Communicates with host for which no DNS query was performed |
watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | Expresses interest in specific running processes |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | Collects information to fingerprint the system (MachineGuid |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (11cnts)
Suricata ids
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET DROP Spamhaus DROP Listed Traffic Inbound group 40
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1404bc000 InitializeCriticalSectionEx
0x1404bc008 lstrlenA
0x1404bc010 lstrcatA
0x1404bc018 GetModuleHandleA
0x1404bc020 SetCurrentDirectoryA
0x1404bc028 Sleep
0x1404bc030 GetModuleHandleExA
0x1404bc038 GetFileAttributesA
0x1404bc040 GetBinaryTypeA
0x1404bc048 QueryFullProcessImageNameA
0x1404bc050 GetSystemDirectoryA
0x1404bc058 GlobalAlloc
0x1404bc060 lstrcpyA
0x1404bc068 SetFileAttributesA
0x1404bc070 VerSetConditionMask
0x1404bc078 WideCharToMultiByte
0x1404bc080 VerifyVersionInfoW
0x1404bc088 GetSystemTimeAsFileTime
0x1404bc090 HeapFree
0x1404bc098 HeapAlloc
0x1404bc0a0 GetProcAddress
0x1404bc0a8 lstrcpynA
0x1404bc0b0 GetProcessHeap
0x1404bc0b8 AreFileApisANSI
0x1404bc0c0 TryEnterCriticalSection
0x1404bc0c8 HeapCreate
0x1404bc0d0 EnterCriticalSection
0x1404bc0d8 GetFullPathNameW
0x1404bc0e0 GetDiskFreeSpaceW
0x1404bc0e8 OutputDebugStringA
0x1404bc0f0 LockFile
0x1404bc0f8 LeaveCriticalSection
0x1404bc100 InitializeCriticalSection
0x1404bc108 GetFullPathNameA
0x1404bc110 SetEndOfFile
0x1404bc118 FindClose
0x1404bc120 GetTempPathW
0x1404bc128 CreateMutexW
0x1404bc130 WaitForSingleObject
0x1404bc138 GetFileAttributesW
0x1404bc140 GetCurrentThreadId
0x1404bc148 UnmapViewOfFile
0x1404bc150 HeapValidate
0x1404bc158 HeapSize
0x1404bc160 MultiByteToWideChar
0x1404bc168 GetTempPathA
0x1404bc170 FormatMessageW
0x1404bc178 GetDiskFreeSpaceA
0x1404bc180 GetFileAttributesExW
0x1404bc188 OutputDebugStringW
0x1404bc190 FlushViewOfFile
0x1404bc198 LoadLibraryA
0x1404bc1a0 WaitForSingleObjectEx
0x1404bc1a8 DeleteFileA
0x1404bc1b0 DeleteFileW
0x1404bc1b8 HeapReAlloc
0x1404bc1c0 GetSystemInfo
0x1404bc1c8 LoadLibraryW
0x1404bc1d0 HeapCompact
0x1404bc1d8 HeapDestroy
0x1404bc1e0 UnlockFile
0x1404bc1e8 LocalFree
0x1404bc1f0 LockFileEx
0x1404bc1f8 GetFileSize
0x1404bc200 DeleteCriticalSection
0x1404bc208 GetCurrentProcessId
0x1404bc210 SystemTimeToFileTime
0x1404bc218 FreeLibrary
0x1404bc220 GetSystemTime
0x1404bc228 FormatMessageA
0x1404bc230 CreateFileMappingW
0x1404bc238 MapViewOfFile
0x1404bc240 QueryPerformanceCounter
0x1404bc248 GetTickCount
0x1404bc250 FlushFileBuffers
0x1404bc258 WriteConsoleW
0x1404bc260 CloseHandle
0x1404bc268 CreateFileA
0x1404bc270 GetLastError
0x1404bc278 CreateFileW
0x1404bc280 SetFilePointer
0x1404bc288 WriteFile
0x1404bc290 UnlockFileEx
0x1404bc298 ReadFile
0x1404bc2a0 SetEnvironmentVariableW
0x1404bc2a8 FreeEnvironmentStringsW
0x1404bc2b0 GetEnvironmentStringsW
0x1404bc2b8 GetCommandLineW
0x1404bc2c0 GetCommandLineA
0x1404bc2c8 GetOEMCP
0x1404bc2d0 RtlCaptureContext
0x1404bc2d8 RtlLookupFunctionEntry
0x1404bc2e0 RtlVirtualUnwind
0x1404bc2e8 UnhandledExceptionFilter
0x1404bc2f0 SetUnhandledExceptionFilter
0x1404bc2f8 GetCurrentProcess
0x1404bc300 TerminateProcess
0x1404bc308 IsProcessorFeaturePresent
0x1404bc310 InitializeSListHead
0x1404bc318 InitializeCriticalSectionAndSpinCount
0x1404bc320 SetEvent
0x1404bc328 ResetEvent
0x1404bc330 CreateEventW
0x1404bc338 GetModuleHandleW
0x1404bc340 IsDebuggerPresent
0x1404bc348 GetStartupInfoW
0x1404bc350 CreateDirectoryW
0x1404bc358 FindFirstFileExW
0x1404bc360 FindNextFileW
0x1404bc368 SetFilePointerEx
0x1404bc370 GetFileInformationByHandleEx
0x1404bc378 QueryPerformanceFrequency
0x1404bc380 LCMapStringEx
0x1404bc388 EncodePointer
0x1404bc390 DecodePointer
0x1404bc398 GetCPInfo
0x1404bc3a0 GetStringTypeW
0x1404bc3a8 SetLastError
0x1404bc3b0 GetCurrentThread
0x1404bc3b8 GetThreadTimes
0x1404bc3c0 RtlUnwindEx
0x1404bc3c8 InterlockedPushEntrySList
0x1404bc3d0 RtlPcToFileHeader
0x1404bc3d8 RaiseException
0x1404bc3e0 TlsAlloc
0x1404bc3e8 TlsGetValue
0x1404bc3f0 TlsSetValue
0x1404bc3f8 TlsFree
0x1404bc400 LoadLibraryExW
0x1404bc408 GetFileType
0x1404bc410 ExitProcess
0x1404bc418 GetModuleHandleExW
0x1404bc420 CreateThread
0x1404bc428 ExitThread
0x1404bc430 FreeLibraryAndExitThread
0x1404bc438 GetModuleFileNameW
0x1404bc440 GetStdHandle
0x1404bc448 GetConsoleMode
0x1404bc450 ReadConsoleW
0x1404bc458 GetConsoleOutputCP
0x1404bc460 SetStdHandle
0x1404bc468 CompareStringW
0x1404bc470 LCMapStringW
0x1404bc478 GetLocaleInfoW
0x1404bc480 IsValidLocale
0x1404bc488 GetUserDefaultLCID
0x1404bc490 EnumSystemLocalesW
0x1404bc498 GetFileSizeEx
0x1404bc4a0 GetTimeZoneInformation
0x1404bc4a8 IsValidCodePage
0x1404bc4b0 GetACP
0x1404bc4b8 RtlUnwind
USER32.dll
0x1404bc4c8 CharNextA
ADVAPI32.dll
0x1404bc4d8 RegCloseKey
0x1404bc4e0 RegCreateKeyExA
0x1404bc4e8 RegSetValueExA
0x1404bc4f0 OpenProcessToken
0x1404bc4f8 RegOpenKeyExA
0x1404bc500 GetTokenInformation
0x1404bc508 CryptReleaseContext
SHELL32.dll
0x1404bc518 ShellExecuteA
ole32.dll
0x1404bc528 CoCreateInstance
0x1404bc530 CoInitializeEx
0x1404bc538 CoUninitialize
KERNEL32.dll
0x1404bc548 LocalAlloc
0x1404bc550 LocalFree
0x1404bc558 GetModuleFileNameW
0x1404bc560 ExitProcess
0x1404bc568 LoadLibraryA
0x1404bc570 GetModuleHandleA
0x1404bc578 GetProcAddress
EAT(Export Address Table) is none