ScreenShot
| Created | 2023.07.10 18:20 | Machine | s1_win7_x6401 |
| Filename | foto175.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 2415dbdd83d587bd33b25678273cb84a | ||
| sha256 | 589598f28559e972e9cfe2b17798a77c91d90dfc4c6abcbec2ce2f84cd972216 | ||
| ssdeep | 12288:K0U2Oz47NdoGV45u3SeBz/0qgoG0//f1x:B047voGVjpgGf1 | ||
| imphash | d16fc9171842127d5f2d9438e5ae0377 | ||
| impfuzzy | 24:dojMVDo0S1jtubJnc+pl39/CyoEOovbO3URZHu93vB3GMM:jS1jtulc+ppQyc3vBi | ||
Network IP location
Signature (38cnts)
| Level | Description |
|---|---|
| danger | Disables Windows Security features |
| watch | A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. |
| watch | Attempts to disable Windows Auto Updates |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Attempts to stop active services |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | Installs itself for autorun at Windows startup |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process danke.exe |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | CAB_file_format | CAB archive file | binaries (download) |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x410000 GetLastError
0x410004 WaitForSingleObject
0x410008 CreateMutexW
0x41000c Sleep
0x410010 CreateThread
0x410014 VirtualAlloc
0x410018 VirtualProtect
0x41001c GetModuleHandleA
0x410020 GetProcAddress
0x410024 LoadLibraryA
0x410028 lstrlenW
0x41002c FreeConsole
0x410030 WriteConsoleW
0x410034 QueryPerformanceCounter
0x410038 GetCurrentProcessId
0x41003c GetCurrentThreadId
0x410040 GetSystemTimeAsFileTime
0x410044 InitializeSListHead
0x410048 IsDebuggerPresent
0x41004c UnhandledExceptionFilter
0x410050 SetUnhandledExceptionFilter
0x410054 GetStartupInfoW
0x410058 IsProcessorFeaturePresent
0x41005c GetModuleHandleW
0x410060 GetCurrentProcess
0x410064 TerminateProcess
0x410068 RtlUnwind
0x41006c SetLastError
0x410070 EnterCriticalSection
0x410074 LeaveCriticalSection
0x410078 DeleteCriticalSection
0x41007c InitializeCriticalSectionAndSpinCount
0x410080 TlsAlloc
0x410084 TlsGetValue
0x410088 TlsSetValue
0x41008c TlsFree
0x410090 FreeLibrary
0x410094 LoadLibraryExW
0x410098 EncodePointer
0x41009c RaiseException
0x4100a0 GetStdHandle
0x4100a4 WriteFile
0x4100a8 GetModuleFileNameW
0x4100ac ExitProcess
0x4100b0 GetModuleHandleExW
0x4100b4 GetCommandLineA
0x4100b8 GetCommandLineW
0x4100bc HeapAlloc
0x4100c0 HeapFree
0x4100c4 FindClose
0x4100c8 FindFirstFileExW
0x4100cc FindNextFileW
0x4100d0 IsValidCodePage
0x4100d4 GetACP
0x4100d8 GetOEMCP
0x4100dc GetCPInfo
0x4100e0 MultiByteToWideChar
0x4100e4 WideCharToMultiByte
0x4100e8 GetEnvironmentStringsW
0x4100ec FreeEnvironmentStringsW
0x4100f0 SetEnvironmentVariableW
0x4100f4 SetStdHandle
0x4100f8 GetFileType
0x4100fc GetStringTypeW
0x410100 CompareStringW
0x410104 LCMapStringW
0x410108 GetProcessHeap
0x41010c HeapSize
0x410110 HeapReAlloc
0x410114 FlushFileBuffers
0x410118 GetConsoleOutputCP
0x41011c GetConsoleMode
0x410120 SetFilePointerEx
0x410124 CreateFileW
0x410128 CloseHandle
0x41012c DecodePointer
EAT(Export Address Table) is none
KERNEL32.dll
0x410000 GetLastError
0x410004 WaitForSingleObject
0x410008 CreateMutexW
0x41000c Sleep
0x410010 CreateThread
0x410014 VirtualAlloc
0x410018 VirtualProtect
0x41001c GetModuleHandleA
0x410020 GetProcAddress
0x410024 LoadLibraryA
0x410028 lstrlenW
0x41002c FreeConsole
0x410030 WriteConsoleW
0x410034 QueryPerformanceCounter
0x410038 GetCurrentProcessId
0x41003c GetCurrentThreadId
0x410040 GetSystemTimeAsFileTime
0x410044 InitializeSListHead
0x410048 IsDebuggerPresent
0x41004c UnhandledExceptionFilter
0x410050 SetUnhandledExceptionFilter
0x410054 GetStartupInfoW
0x410058 IsProcessorFeaturePresent
0x41005c GetModuleHandleW
0x410060 GetCurrentProcess
0x410064 TerminateProcess
0x410068 RtlUnwind
0x41006c SetLastError
0x410070 EnterCriticalSection
0x410074 LeaveCriticalSection
0x410078 DeleteCriticalSection
0x41007c InitializeCriticalSectionAndSpinCount
0x410080 TlsAlloc
0x410084 TlsGetValue
0x410088 TlsSetValue
0x41008c TlsFree
0x410090 FreeLibrary
0x410094 LoadLibraryExW
0x410098 EncodePointer
0x41009c RaiseException
0x4100a0 GetStdHandle
0x4100a4 WriteFile
0x4100a8 GetModuleFileNameW
0x4100ac ExitProcess
0x4100b0 GetModuleHandleExW
0x4100b4 GetCommandLineA
0x4100b8 GetCommandLineW
0x4100bc HeapAlloc
0x4100c0 HeapFree
0x4100c4 FindClose
0x4100c8 FindFirstFileExW
0x4100cc FindNextFileW
0x4100d0 IsValidCodePage
0x4100d4 GetACP
0x4100d8 GetOEMCP
0x4100dc GetCPInfo
0x4100e0 MultiByteToWideChar
0x4100e4 WideCharToMultiByte
0x4100e8 GetEnvironmentStringsW
0x4100ec FreeEnvironmentStringsW
0x4100f0 SetEnvironmentVariableW
0x4100f4 SetStdHandle
0x4100f8 GetFileType
0x4100fc GetStringTypeW
0x410100 CompareStringW
0x410104 LCMapStringW
0x410108 GetProcessHeap
0x41010c HeapSize
0x410110 HeapReAlloc
0x410114 FlushFileBuffers
0x410118 GetConsoleOutputCP
0x41011c GetConsoleMode
0x410120 SetFilePointerEx
0x410124 CreateFileW
0x410128 CloseHandle
0x41012c DecodePointer
EAT(Export Address Table) is none