Field | Value |
---|---|
Created | 2023.06.22 10:36 |
Machine | s1_win7_x6401 |
Filename | postmon.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : clean |
VT API (file) | 48 detected (AIDetectMalware, malicious, high confidence, GenericKD, Artemis, Save, confidence, 100%, ABRisk, JHSG, Attribute, HighConfidence, Kryptik, AGen, score, Coins, CrypterX, QQPass, QQRob, Vgil, bxgvi, TMLOADER, YXDFIZ, PUPXTU, high, Static AI, Suspicious PE, Scar, ai score=81, Sabsik, Detected, ZexaF, xC0@am20nIgi, BScope, TrojanPSW, unsafe, Generic@AI, RDML, SyFX+TNVNHWNj5WBLAFzRQ, susgen) |
md5 | f7d6bd06f96439787aa170983ab55c3e |
sha256 | 69a695a22c366f9ccdbcb42e6654834bbecef41cda7f9cd2d81d21912fcd0a1c |
ssdeep | 6144:q0FPy3bQeuMyxK2hGFgAObpOXFVrZLqaZ3A8ihSxfw+o7Rpybm:qV3GdGFgliX5+JUq+eAm |
imphash | 59205d17118cd7f4c84a50e8810865e6 |
impfuzzy | 48:+BKkUBHve4mc+ULtoS1xGoZZG53u/ZRdK+:+A5verc+ULtoS1xGojfZRdK+ |
Signature (28cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Powershell is sending data to a remote host |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | URL downloaded by powershell script |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Powershell script has download & invoke calls |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Uses Windows APIs to generate a cryptographic key |
Rules (18cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
info | PowershellDI | Extract Download/Invoke calls from powershell script | scripts |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (13cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
WININET.dll
0x42318c InternetReadFile
0x423190 InternetCloseHandle
0x423194 InternetCrackUrlW
0x423198 InternetOpenW
0x42319c InternetOpenUrlW
0x4231a0 InternetQueryDataAvailable
SHLWAPI.dll
0x423170 StrStrW
0x423174 wnsprintfW
KERNEL32.dll
0x42301c GetCommandLineW
0x423020 GetCommandLineA
0x423024 GetOEMCP
0x423028 WriteFile
0x42302c GetModuleFileNameW
0x423030 GetEnvironmentVariableW
0x423034 lstrlenA
0x423038 CreateFileW
0x42303c GetFileAttributesW
0x423040 GetSystemWow64DirectoryW
0x423044 GetLastError
0x423048 LoadLibraryA
0x42304c lstrcatW
0x423050 lstrcpyA
0x423054 GetEnvironmentStringsW
0x423058 CloseHandle
0x42305c ExitProcess
0x423060 GetModuleHandleW
0x423064 lstrcpyW
0x423068 GetTempFileNameW
0x42306c HeapFree
0x423070 HeapReAlloc
0x423074 HeapAlloc
0x423078 GetProcessHeap
0x42307c WideCharToMultiByte
0x423080 GetACP
0x423084 IsValidCodePage
0x423088 FindNextFileW
0x42308c FindFirstFileExW
0x423090 FreeEnvironmentStringsW
0x423094 SetStdHandle
0x423098 HeapSize
0x42309c TlsSetValue
0x4230a0 EnterCriticalSection
0x4230a4 LeaveCriticalSection
0x4230a8 DeleteCriticalSection
0x4230ac EncodePointer
0x4230b0 DecodePointer
0x4230b4 MultiByteToWideChar
0x4230b8 SetLastError
0x4230bc InitializeCriticalSectionAndSpinCount
0x4230c0 CreateEventW
0x4230c4 TlsAlloc
0x4230c8 TlsGetValue
0x4230cc WriteConsoleW
0x4230d0 TlsFree
0x4230d4 GetSystemTimeAsFileTime
0x4230d8 GetProcAddress
0x4230dc LCMapStringW
0x4230e0 GetLocaleInfoW
0x4230e4 GetStringTypeW
0x4230e8 GetCPInfo
0x4230ec SetEvent
0x4230f0 ResetEvent
0x4230f4 WaitForSingleObjectEx
0x4230f8 UnhandledExceptionFilter
0x4230fc SetUnhandledExceptionFilter
0x423100 GetCurrentProcess
0x423104 TerminateProcess
0x423108 IsProcessorFeaturePresent
0x42310c IsDebuggerPresent
0x423110 GetStartupInfoW
0x423114 QueryPerformanceCounter
0x423118 GetCurrentProcessId
0x42311c GetCurrentThreadId
0x423120 InitializeSListHead
0x423124 RaiseException
0x423128 RtlUnwind
0x42312c FreeLibrary
0x423130 LoadLibraryExW
0x423134 GetModuleHandleExW
0x423138 GetStdHandle
0x42313c ReadFile
0x423140 GetConsoleMode
0x423144 ReadConsoleW
0x423148 IsValidLocale
0x42314c GetUserDefaultLCID
0x423150 EnumSystemLocalesW
0x423154 GetFileType
0x423158 FlushFileBuffers
0x42315c GetConsoleOutputCP
0x423160 GetFileSizeEx
0x423164 SetFilePointerEx
0x423168 FindClose
USER32.dll
0x42317c wsprintfW
0x423180 MessageBoxA
0x423184 wsprintfA
ADVAPI32.dll
0x423000 GetSidSubAuthorityCount
0x423004 GetSidSubAuthority
0x423008 RegSetValueExW
0x42300c RegOpenKeyExW
0x423010 RegCreateKeyW
0x423014 RegCloseKey
EAT (Export Address Table): none