Field | Value |
---|---|
Created | 2023.07.08 14:05 |
Machine | s1_win7_x6403 |
Filename | class-wp-image-editors.php |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
VT API (file) | 37 detected (AIDetectMalware, HRY@IjvCzRi, GenKryptik, malicious, Attribute, HighConfidence, moderate confidence, GLKG, score, Strab, BtcMine, STEALC, YXDGHZ, Artemis, ai score=84, Redline, BScope, TrojanPSW, unsafe, Chgt, Kryptik, HiOYjzK79sC, susgen, confidence, 100%) |
md5 | 2796bf32abbebdd11a35603f3453214d |
sha256 | 0edc6dae7ee848bf465be34edfc49377b7da304798445685e4a7d45d4983f166 |
ssdeep | 98304:dK7rmuwY9IEUOJaMpTW0IX0WV2GnusfXd7FlwffC:g3muJ6IIEEt7Fl |
imphash | bed9633b96201805297d3db544466c09 |
impfuzzy | 48:RUHnoWJcpH+PdD99rxQSXtXlcGtfz2a63ruFZGt:2oWJcpH+P5DrxHXtXlcGtfqa9k |

Note the mismatch between the file name, which resembles a WordPress core PHP source file, and the actual content, a 32-bit Windows PE executable. Most of the VirusTotal detection names are generic (Kryptik, GenKryptik, Artemis, TrojanPSW), but several engines name information-stealer families (STEALC, Redline).
Signature (35cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 37 AntiVirus engines on VirusTotal as malicious |
watch | A process attempted to delay the analysis task. |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to create or modify system certificates |
watch | Installs itself for autorun at Windows startup |
watch | Looks for the Windows Idle Time to determine the uptime |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates hidden or system file |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Terminates another process |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
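Read in order, the danger and watch rows above describe one injection chain: the sample started a process, allocated executable memory in it, wrote a buffer into that memory (one of the extracted buffers contained an embedded PE), rewrote a thread context with NtSetContextThread and resumed the suspended thread. The script below is an added example, not part of this report or of the sandbox, showing how to recover that chain from an API-call trace. The event format (one dict per call with pid, api and args), the sample trace and the labels are constructed for illustration; the API names are the documented Win32/Nt names rather than whatever the sandbox's hooks log.

```python
"""Recover the process-injection chain from an API-call trace.

Added example; not part of the sandbox report. Event format (dict with pid,
api, args) and the sample trace are constructed for illustration. API names
are the documented Win32/Nt names, not the sandbox's own hook names.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004
# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXEC_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

# The chain, in the order it has to happen. Each stage: name, APIs that
# satisfy it, predicate over the call's arguments.
STAGES = (
    ("alloc_exec",
     {"VirtualAllocEx", "NtAllocateVirtualMemory", "VirtualProtectEx", "NtProtectVirtualMemory"},
     lambda a: a.get("protect") in EXEC_PROTECTIONS),
    ("write_remote", {"WriteProcessMemory", "NtWriteVirtualMemory"}, lambda a: True),
    ("set_context", {"SetThreadContext", "NtSetContextThread"}, lambda a: True),
    ("resume", {"ResumeThread", "NtResumeThread"}, lambda a: True),
)


def score_trace(events):
    """Return {(caller_pid, target_pid): {"stages": [...], "spawned_suspended": bool}}.

    A stage only counts once every earlier stage has been seen for the same
    caller/target pair, so a stray ResumeThread on its own scores nothing.
    Calls whose target is the caller itself are ignored: RWX allocation in
    one's own process is the self-unpacking pattern, not injection."""
    chains = defaultdict(lambda: {"stages": [], "spawned_suspended": False})
    for ev in events:
        api, args, src = ev["api"], ev["args"], ev["pid"]
        if api in ("CreateProcessA", "CreateProcessW"):
            if args.get("creation_flags", 0) & CREATE_SUSPENDED and "child_pid" in args:
                chains[(src, args["child_pid"])]["spawned_suspended"] = True
            continue
        dst = args.get("target_pid", src)
        if dst == src:
            continue
        chain = chains[(src, dst)]
        done = len(chain["stages"])
        if done < len(STAGES):
            name, apis, ok = STAGES[done]
            if api in apis and ok(args):
                chain["stages"].append(name)
    return dict(chains)


def verdicts(chains):
    """Map each caller/target pair to a label."""
    out = {}
    for key, c in chains.items():
        done = len(c["stages"])
        if done == len(STAGES):
            out[key] = ("injection_into_suspended_child" if c["spawned_suspended"]
                        else "injection_into_existing_process")
        elif done >= 2:
            out[key] = "partial_chain"
        else:
            out[key] = "none"
    return out


# Constructed trace: pid 1000 unpacks itself, spawns pid 2000 suspended and
# hijacks its main thread; pid 3000 only reads from pid 4000 and maps RW memory.
SAMPLE_TRACE = [
    {"pid": 1000, "api": "VirtualAlloc", "args": {"protect": 0x40}},
    {"pid": 1000, "api": "CreateProcessW", "args": {"creation_flags": CREATE_SUSPENDED, "child_pid": 2000}},
    {"pid": 1000, "api": "VirtualAllocEx", "args": {"target_pid": 2000, "protect": 0x40}},
    {"pid": 1000, "api": "WriteProcessMemory", "args": {"target_pid": 2000, "size": 0x2a000}},
    {"pid": 1000, "api": "NtSetContextThread", "args": {"target_pid": 2000}},
    {"pid": 1000, "api": "ResumeThread", "args": {"target_pid": 2000}},
    {"pid": 3000, "api": "ReadProcessMemory", "args": {"target_pid": 4000}},
    {"pid": 3000, "api": "VirtualAllocEx", "args": {"target_pid": 4000, "protect": 0x04}},
]

if __name__ == "__main__":
    for pair, label in verdicts(score_trace(SAMPLE_TRACE)).items():
        print(pair, label)
```

The order constraint is what keeps the check from firing on ordinary programs: debuggers and crash reporters read and write remote memory, and thread pools call ResumeThread, but only the full allocate-write-context-resume sequence against one target is the hijack the sandbox flagged.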
Rules (17cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | schtasks_Zero | task schedule | memory |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | vmdetect_misc | Referenced from AlienVault's Yara rule repository; this rule contains additional process and driver names. | memory |
Network (8cnts)
Suricata IDS
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

A JA3 hash fingerprints the TLS ClientHello, i.e. the TLS library and its configuration, not the program using it, and many unrelated clients share one hash. The SSLBL match therefore labels the fingerprint's family (Tofsee), not this sample, and does not contradict the VirusTotal naming; it needs corroboration from the destinations and the HTTP traffic that the signatures above mention.
PE API
IAT (Import Address Table)

Each address is an IAT slot (4 bytes in this PE32), and the slots of one DLL normally form a run closed by a zero slot. The KERNEL32 run is contiguous from 0x4b7068 to 0x4b7278 (133 slots), but the jumps from 0x4b7000 to 0x4b7030 and from 0x4b7038 to 0x4b7068 mean that entries between the blocks shown are not listed here.
ADVAPI32.dll
0x4b7000 AddAccessAllowedAceEx
COMCTL32.dll
0x4b7030 ImageList_Merge
0x4b7034 None (no name listed; typically an import by ordinal)
0x4b7038 ImageList_SetImageCount
KERNEL32.dll
0x4b7068 GetModuleHandleA
0x4b706c RaiseException
0x4b7070 InitializeSRWLock
0x4b7074 ReleaseSRWLockExclusive
0x4b7078 AcquireSRWLockExclusive
0x4b707c EnterCriticalSection
0x4b7080 LeaveCriticalSection
0x4b7084 InitializeCriticalSectionEx
0x4b7088 TryEnterCriticalSection
0x4b708c DeleteCriticalSection
0x4b7090 GetCurrentThreadId
0x4b7094 InitializeConditionVariable
0x4b7098 WakeConditionVariable
0x4b709c WakeAllConditionVariable
0x4b70a0 SleepConditionVariableCS
0x4b70a4 SleepConditionVariableSRW
0x4b70a8 FormatMessageA
0x4b70ac InitOnceBeginInitialize
0x4b70b0 InitOnceComplete
0x4b70b4 GetLastError
0x4b70b8 FreeLibraryWhenCallbackReturns
0x4b70bc CreateThreadpoolWork
0x4b70c0 SubmitThreadpoolWork
0x4b70c4 CloseThreadpoolWork
0x4b70c8 GetModuleHandleExW
0x4b70cc RtlCaptureStackBackTrace
0x4b70d0 IsProcessorFeaturePresent
0x4b70d4 QueryPerformanceCounter
0x4b70d8 QueryPerformanceFrequency
0x4b70dc SetFileInformationByHandle
0x4b70e0 FlsAlloc
0x4b70e4 FlsGetValue
0x4b70e8 FlsSetValue
0x4b70ec FlsFree
0x4b70f0 InitOnceExecuteOnce
0x4b70f4 CreateEventExW
0x4b70f8 CreateSemaphoreExW
0x4b70fc FlushProcessWriteBuffers
0x4b7100 GetCurrentProcessorNumber
0x4b7104 GetSystemTimeAsFileTime
0x4b7108 GetTickCount64
0x4b710c CreateThreadpoolTimer
0x4b7110 SetThreadpoolTimer
0x4b7114 WaitForThreadpoolTimerCallbacks
0x4b7118 CloseThreadpoolTimer
0x4b711c CreateThreadpoolWait
0x4b7120 SetThreadpoolWait
0x4b7124 CloseThreadpoolWait
0x4b7128 GetModuleHandleW
0x4b712c GetProcAddress
0x4b7130 GetFileInformationByHandleEx
0x4b7134 CreateSymbolicLinkW
0x4b7138 CloseHandle
0x4b713c WaitForSingleObjectEx
0x4b7140 Sleep
0x4b7144 SwitchToThread
0x4b7148 GetExitCodeThread
0x4b714c GetNativeSystemInfo
0x4b7150 LocalFree
0x4b7154 InitializeCriticalSectionAndSpinCount
0x4b7158 SetEvent
0x4b715c ResetEvent
0x4b7160 CreateEventW
0x4b7164 GetCurrentProcessId
0x4b7168 InitializeSListHead
0x4b716c IsDebuggerPresent
0x4b7170 UnhandledExceptionFilter
0x4b7174 SetUnhandledExceptionFilter
0x4b7178 GetStartupInfoW
0x4b717c GetCurrentProcess
0x4b7180 TerminateProcess
0x4b7184 WriteConsoleW
0x4b7188 RtlUnwind
0x4b718c InterlockedPushEntrySList
0x4b7190 InterlockedFlushSList
0x4b7194 SetLastError
0x4b7198 EncodePointer
0x4b719c TlsAlloc
0x4b71a0 TlsGetValue
0x4b71a4 TlsSetValue
0x4b71a8 TlsFree
0x4b71ac FreeLibrary
0x4b71b0 LoadLibraryExW
0x4b71b4 CreateThread
0x4b71b8 ExitThread
0x4b71bc ResumeThread
0x4b71c0 FreeLibraryAndExitThread
0x4b71c4 GetStdHandle
0x4b71c8 WriteFile
0x4b71cc GetModuleFileNameW
0x4b71d0 ExitProcess
0x4b71d4 GetCommandLineA
0x4b71d8 GetCommandLineW
0x4b71dc GetCurrentThread
0x4b71e0 SetConsoleCtrlHandler
0x4b71e4 HeapAlloc
0x4b71e8 HeapFree
0x4b71ec GetDateFormatW
0x4b71f0 GetTimeFormatW
0x4b71f4 CompareStringW
0x4b71f8 LCMapStringW
0x4b71fc GetLocaleInfoW
0x4b7200 IsValidLocale
0x4b7204 GetUserDefaultLCID
0x4b7208 EnumSystemLocalesW
0x4b720c GetFileType
0x4b7210 GetFileSizeEx
0x4b7214 SetFilePointerEx
0x4b7218 OutputDebugStringW
0x4b721c FindClose
0x4b7220 FindFirstFileExW
0x4b7224 FindNextFileW
0x4b7228 IsValidCodePage
0x4b722c GetACP
0x4b7230 GetOEMCP
0x4b7234 GetCPInfo
0x4b7238 MultiByteToWideChar
0x4b723c WideCharToMultiByte
0x4b7240 GetEnvironmentStringsW
0x4b7244 FreeEnvironmentStringsW
0x4b7248 SetEnvironmentVariableW
0x4b724c SetStdHandle
0x4b7250 GetStringTypeW
0x4b7254 GetProcessHeap
0x4b7258 FlushFileBuffers
0x4b725c GetConsoleOutputCP
0x4b7260 GetConsoleMode
0x4b7264 HeapSize
0x4b7268 HeapReAlloc
0x4b726c ReadFile
0x4b7270 ReadConsoleW
0x4b7274 CreateFileW
0x4b7278 DecodePointer
EAT (Export Address Table): none