Field | Value |
---|---|
Created | 2023.07.03 18:06 |
Machine | s1_win7_x6401 |
Filename | Dhepj.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 65 detected (MakyJonteH, Windows, AveMaria, Marte, Remcos, GenericRXNI, Save, malicious, ZexaF, juW@aC, YjWh, Genus, Eldorado, Warzone, score, htnucw, XPACK, Gen2, Packed2, YXDF4Z, high, Mocrt, Agentb, AntiAV, VA@81mmki, Detected, R373692, ai score=85, unsafe, Genetic, CLASSIC, Static AI, Malicious PE, susgen, confidence, 100%) |
md5 | 66552aa98285ba1c58a90ae8eee06c7a |
sha256 | 8880dce3daf97e67a978a171305d7fd8f487fc74793ec760580bdd19197d77fd |
ssdeep | 3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF |
imphash | b9494f92817e4dfbe294ad842e8f1988 |
impfuzzy | 96:eP7y38R4UE3nsr+zGeweMCDIp2yjBmqqKncGKaNM2c9/I1K:enE3nweMCDIp2DnRWmgK |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
danger | File has been identified by 65 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Harvests credentials from local email clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | One or more potentially interesting buffers were extracted |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Ave_Maria_Zero | Remote Access Trojan that is also called WARZONE RAT | binaries (upload) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Network_Downloader | File Downloader | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
crypt.dll
0x41734c BCryptGenerateSymmetricKey
0x417350 BCryptDecrypt
0x417354 BCryptSetProperty
0x417358 BCryptOpenAlgorithmProvider
ntdll.dll
0x417360 NtQueryInformationProcess
0x417364 RtlInitUnicodeString
0x417368 RtlEqualUnicodeString
KERNEL32.dll
0x417090 GetModuleHandleA
0x417094 GetCommandLineA
0x417098 GetStartupInfoA
0x41709c HeapFree
0x4170a0 VirtualAlloc
0x4170a4 HeapReAlloc
0x4170a8 VirtualQuery
0x4170ac TerminateThread
0x4170b0 CreateThread
0x4170b4 WriteProcessMemory
0x4170b8 GetCurrentProcess
0x4170bc OpenProcess
0x4170c0 GetWindowsDirectoryA
0x4170c4 VirtualProtectEx
0x4170c8 VirtualAllocEx
0x4170cc CreateRemoteThread
0x4170d0 CreateProcessA
0x4170d4 WriteFile
0x4170d8 CreateFileW
0x4170dc LoadLibraryW
0x4170e0 GetLocalTime
0x4170e4 GetCurrentThreadId
0x4170e8 GetCurrentProcessId
0x4170ec ReadFile
0x4170f0 FindFirstFileA
0x4170f4 GetBinaryTypeW
0x4170f8 FindNextFileA
0x4170fc GetFullPathNameA
0x417100 GetTempPathW
0x417104 GetPrivateProfileStringW
0x417108 CreateFileA
0x41710c GlobalAlloc
0x417110 GetCurrentDirectoryW
0x417114 SetCurrentDirectoryW
0x417118 GetFileSize
0x41711c FreeLibrary
0x417120 SetDllDirectoryW
0x417124 GetFileSizeEx
0x417128 LocalAlloc
0x41712c lstrcmpW
0x417130 WaitForSingleObject
0x417134 CreateProcessW
0x417138 VirtualProtect
0x41713c SetFilePointer
0x417140 ReadProcessMemory
0x417144 VirtualQueryEx
0x417148 GetModuleHandleW
0x41714c IsWow64Process
0x417150 WaitForMultipleObjects
0x417154 CreatePipe
0x417158 PeekNamedPipe
0x41715c DuplicateHandle
0x417160 SetEvent
0x417164 ExitProcess
0x417168 GetModuleFileNameW
0x41716c LoadResource
0x417170 FindResourceW
0x417174 GetComputerNameW
0x417178 GlobalMemoryStatusEx
0x41717c LoadLibraryExW
0x417180 FindFirstFileW
0x417184 FindNextFileW
0x417188 GetLogicalDriveStringsW
0x41718c DeleteFileW
0x417190 CopyFileW
0x417194 GetDriveTypeW
0x417198 EnterCriticalSection
0x41719c GetTickCount
0x4171a0 InitializeCriticalSection
0x4171a4 DeleteCriticalSection
0x4171a8 CreateMutexA
0x4171ac ReleaseMutex
0x4171b0 TerminateProcess
0x4171b4 CreateToolhelp32Snapshot
0x4171b8 Process32NextW
0x4171bc Process32FirstW
0x4171c0 WinExec
0x4171c4 Wow64DisableWow64FsRedirection
0x4171c8 GetSystemDirectoryW
0x4171cc Wow64RevertWow64FsRedirection
0x4171d0 Process32First
0x4171d4 Process32Next
0x4171d8 SizeofResource
0x4171dc GetTempPathA
0x4171e0 LockResource
0x4171e4 lstrcpyW
0x4171e8 WideCharToMultiByte
0x4171ec lstrcpyA
0x4171f0 Sleep
0x4171f4 MultiByteToWideChar
0x4171f8 lstrcatA
0x4171fc lstrcmpA
0x417200 lstrlenA
0x417204 ExpandEnvironmentStringsW
0x417208 lstrlenW
0x41720c CloseHandle
0x417210 lstrcatW
0x417214 GetLastError
0x417218 VirtualFree
0x41721c SetLastError
0x417220 GetModuleFileNameA
0x417224 CreateDirectoryW
0x417228 GetProcAddress
0x41722c LoadLibraryA
0x417230 GetProcessHeap
0x417234 CreateEventA
0x417238 HeapAlloc
0x41723c LocalFree
0x417240 LeaveCriticalSection
USER32.dll
0x4172ac CreateDesktopW
0x4172b0 CharLowerW
0x4172b4 GetKeyState
0x4172b8 GetMessageA
0x4172bc DispatchMessageA
0x4172c0 CreateWindowExW
0x4172c4 CallNextHookEx
0x4172c8 GetAsyncKeyState
0x4172cc RegisterClassW
0x4172d0 GetRawInputData
0x4172d4 MapVirtualKeyA
0x4172d8 DefWindowProcA
0x4172dc RegisterRawInputDevices
0x4172e0 TranslateMessage
0x4172e4 wsprintfA
0x4172e8 GetKeyNameTextW
0x4172ec PostQuitMessage
0x4172f0 MessageBoxA
0x4172f4 GetLastInputInfo
0x4172f8 GetForegroundWindow
0x4172fc GetWindowTextW
0x417300 ToUnicode
0x417304 wsprintfW
ADVAPI32.dll
0x417000 LookupPrivilegeValueW
0x417004 AdjustTokenPrivileges
0x417008 AllocateAndInitializeSid
0x41700c OpenProcessToken
0x417010 FreeSid
0x417014 LookupAccountSidW
0x417018 GetTokenInformation
0x41701c QueryServiceStatusEx
0x417020 InitializeSecurityDescriptor
0x417024 RegDeleteKeyA
0x417028 SetSecurityDescriptorDacl
0x41702c RegCreateKeyExW
0x417030 RegSetValueExA
0x417034 RegDeleteValueW
0x417038 RegQueryValueExW
0x41703c RegOpenKeyExW
0x417040 RegOpenKeyExA
0x417044 RegEnumKeyExW
0x417048 RegQueryValueExA
0x41704c RegQueryInfoKeyW
0x417050 RegCloseKey
0x417054 OpenServiceW
0x417058 ChangeServiceConfigW
0x41705c QueryServiceConfigW
0x417060 EnumServicesStatusExW
0x417064 StartServiceW
0x417068 RegSetValueExW
0x41706c RegCreateKeyExA
0x417070 OpenSCManagerW
0x417074 CloseServiceHandle
0x417078 RegDeleteKeyW
SHELL32.dll
0x417264 SHFileOperationW
0x417268 ShellExecuteExW
0x41726c SHGetSpecialFolderPathW
0x417270 SHCreateDirectoryExW
0x417274 ShellExecuteW
0x417278 SHGetKnownFolderPath
0x41727c ShellExecuteExA
0x417280 SHGetFolderPathW
urlmon.dll
0x417388 URLDownloadToFileW
WS2_32.dll
0x41730c getaddrinfo
0x417310 setsockopt
0x417314 freeaddrinfo
0x417318 htons
0x41731c recv
0x417320 connect
0x417324 socket
0x417328 send
0x41732c WSAStartup
0x417330 shutdown
0x417334 closesocket
0x417338 WSACleanup
0x41733c InetNtopW
0x417340 gethostbyname
0x417344 inet_addr
ole32.dll
0x417370 CoInitialize
0x417374 CoUninitialize
0x417378 CoCreateInstance
0x41737c CoInitializeSecurity
0x417380 CoTaskMemFree
SHLWAPI.dll
0x417288 PathFileExistsW
0x41728c PathFindExtensionW
0x417290 StrStrW
0x417294 PathRemoveFileSpecA
0x417298 StrStrA
0x41729c PathCombineA
0x4172a0 PathFindFileNameW
0x4172a4 AssocQueryStringW
NETAPI32.dll
0x417248 NetLocalGroupAddMembers
0x41724c NetUserAdd
OLEAUT32.dll
0x417254 VariantInit
CRYPT32.dll
0x417080 CryptUnprotectData
0x417084 CryptStringToBinaryA
0x417088 CryptStringToBinaryW
PSAPI.DLL
0x41725c GetModuleFileNameExW
EAT(Export Address Table) is none