| Field | Value |
|---|---|
| Created | 2023.07.07 07:45 |
| Machine | s1_win7_x6401 |
| Filename | qlmfckzvtoso.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | |
| VT API (file) | |
| md5 | 107c04590864856c6d7c4fbc9f9a3da9 |
| sha256 | 759edeee6e9ca27b5945680ba5ed35e3b8fc64542ab6ea52527480de4d5e7ba8 |
| ssdeep | 12288:GhG0jFMyLIYEKP/DN4yR2nFcXgHbqtVvAE:OGuG3KP/DunFYC8IE |
| imphash | 4187815841bc2ea783999b0bc5d86771 |
| impfuzzy | 24:qCYhzJcDo/NOqpDcjtRkKuHRnlyv9JT4CmIjMA:qpwqBcjtDWK9JcfA |
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
watch | Communicates with host for which no DNS query was performed |
watch | Network activity contains more than one unique useragent |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Steals private information from local Internet browsers |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (8cnts)
Suricata ids
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x496000 GetCurrentProcess
0x496004 VirtualAlloc
0x496008 GetNativeSystemInfo
0x49600c FreeLibrary
0x496010 HeapAlloc
0x496014 HeapFree
0x496018 VirtualFree
0x49601c GetProcessHeap
0x496020 IsBadReadPtr
0x496024 SetLastError
0x496028 GetProcAddress
0x49602c LoadLibraryA
0x496030 VirtualProtect
0x496034 GetLastError
0x496038 HeapReAlloc
0x49603c GetCommandLineW
0x496040 HeapSetInformation
0x496044 GetStartupInfoW
0x496048 HeapCreate
0x49604c GetModuleHandleW
0x496050 ExitProcess
0x496054 DecodePointer
0x496058 WriteFile
0x49605c GetStdHandle
0x496060 GetModuleFileNameW
0x496064 EncodePointer
0x496068 EnterCriticalSection
0x49606c LeaveCriticalSection
0x496070 UnhandledExceptionFilter
0x496074 SetUnhandledExceptionFilter
0x496078 IsDebuggerPresent
0x49607c TerminateProcess
0x496080 GetCPInfo
0x496084 InterlockedIncrement
0x496088 InterlockedDecrement
0x49608c GetACP
0x496090 GetOEMCP
0x496094 IsValidCodePage
0x496098 TlsAlloc
0x49609c TlsGetValue
0x4960a0 TlsSetValue
0x4960a4 TlsFree
0x4960a8 GetCurrentThreadId
0x4960ac GetStringTypeW
0x4960b0 FreeEnvironmentStringsW
0x4960b4 GetEnvironmentStringsW
0x4960b8 SetHandleCount
0x4960bc InitializeCriticalSectionAndSpinCount
0x4960c0 GetFileType
0x4960c4 DeleteCriticalSection
0x4960c8 QueryPerformanceCounter
0x4960cc GetTickCount
0x4960d0 GetCurrentProcessId
0x4960d4 GetSystemTimeAsFileTime
0x4960d8 LoadLibraryW
0x4960dc Sleep
0x4960e0 MultiByteToWideChar
0x4960e4 RtlUnwind
0x4960e8 WideCharToMultiByte
0x4960ec LCMapStringW
0x4960f0 HeapSize
0x4960f4 GetConsoleCP
0x4960f8 GetConsoleMode
0x4960fc FlushFileBuffers
0x496100 IsProcessorFeaturePresent
0x496104 SetFilePointer
0x496108 CloseHandle
0x49610c WriteConsoleW
0x496110 SetStdHandle
0x496114 CreateFileW
EAT(Export Address Table) Library
0x401570 Test