Field | Value |
---|---|
Created | 2023.06.22 17:39 |
Machine | s1_win7_x6403 |
Filename | photo085.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 29 detected (AIDetectMalware, malicious, high confidence, Save, Attribute, HighConfidence, GenKryptik, GLAP, score, Babar, DropperX, moderate, Static AI, Malicious PE, Redline, CRTE, Detected, ai score=88, unsafe, GdSda, Generic@AI, RDML, 0PnzoQBsPDD8kWBUpj8lKA, TitanStealer, susgen, ZexaF, 2y0@aCysyfmi, confidence, 100%) |
md5 | c3f6bfa5ad67642e7c540b458c375fbf |
sha256 | e76c80fe7d5265c877f1f656e4bd2929a0ae87b7ea45bed551e624db19615d6e |
ssdeep | 24576:KKlkdee6n/9HWuNFjDKJ/QI/4Bx5u79RLm:adee25WWFjGpQIh |
imphash | 5546d5d08c85c9bfc72c6e57a660ba00 |
impfuzzy | 24:WjavDo3cpVWcfS1jtXGhlJBl39LoEOovbO3gv9FZ6GMAkEZHu9J:QcpV5fS1jtXGnpJc3y9FZ+ |
Network IP location
Signature (36cnts)
Level | Description |
---|---|
danger | Disables Windows Security features |
warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
watch | A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic/preparations. |
watch | Attempts to disable Windows Auto Updates |
watch | Attempts to identify installed AV products by installation directory |
watch | Attempts to stop active services |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | Installs itself for autorun at Windows startup |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process rugen.exe |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (16cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | CAB_file_format | CAB archive file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata ids
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x428000 WaitForSingleObject
0x428004 Sleep
0x428008 GetCurrentProcess
0x42800c CreateThread
0x428010 GetVersion
0x428014 VirtualAlloc
0x428018 VirtualProtect
0x42801c GetModuleHandleA
0x428020 GetProcAddress
0x428024 LoadLibraryA
0x428028 lstrlenW
0x42802c FreeConsole
0x428030 CreateFileW
0x428034 WideCharToMultiByte
0x428038 EnterCriticalSection
0x42803c LeaveCriticalSection
0x428040 InitializeCriticalSectionEx
0x428044 DeleteCriticalSection
0x428048 EncodePointer
0x42804c DecodePointer
0x428050 MultiByteToWideChar
0x428054 LCMapStringEx
0x428058 GetStringTypeW
0x42805c GetCPInfo
0x428060 IsProcessorFeaturePresent
0x428064 QueryPerformanceCounter
0x428068 GetCurrentProcessId
0x42806c GetCurrentThreadId
0x428070 GetSystemTimeAsFileTime
0x428074 InitializeSListHead
0x428078 IsDebuggerPresent
0x42807c UnhandledExceptionFilter
0x428080 SetUnhandledExceptionFilter
0x428084 GetStartupInfoW
0x428088 GetModuleHandleW
0x42808c TerminateProcess
0x428090 RaiseException
0x428094 RtlUnwind
0x428098 GetLastError
0x42809c SetLastError
0x4280a0 InitializeCriticalSectionAndSpinCount
0x4280a4 TlsAlloc
0x4280a8 TlsGetValue
0x4280ac TlsSetValue
0x4280b0 TlsFree
0x4280b4 FreeLibrary
0x4280b8 LoadLibraryExW
0x4280bc GetStdHandle
0x4280c0 WriteFile
0x4280c4 GetModuleFileNameW
0x4280c8 ExitProcess
0x4280cc GetModuleHandleExW
0x4280d0 GetCommandLineA
0x4280d4 GetCommandLineW
0x4280d8 HeapAlloc
0x4280dc HeapFree
0x4280e0 GetFileType
0x4280e4 CompareStringW
0x4280e8 LCMapStringW
0x4280ec GetLocaleInfoW
0x4280f0 IsValidLocale
0x4280f4 GetUserDefaultLCID
0x4280f8 EnumSystemLocalesW
0x4280fc CloseHandle
0x428100 FlushFileBuffers
0x428104 GetConsoleOutputCP
0x428108 GetConsoleMode
0x42810c ReadFile
0x428110 GetFileSizeEx
0x428114 SetFilePointerEx
0x428118 ReadConsoleW
0x42811c HeapReAlloc
0x428120 FindClose
0x428124 FindFirstFileExW
0x428128 FindNextFileW
0x42812c IsValidCodePage
0x428130 GetACP
0x428134 GetOEMCP
0x428138 GetEnvironmentStringsW
0x42813c FreeEnvironmentStringsW
0x428140 SetEnvironmentVariableW
0x428144 SetStdHandle
0x428148 GetProcessHeap
0x42814c HeapSize
0x428150 WriteConsoleW
EAT(Export Address Table) is none