ScreenShot
| Created | 2023.07.12 07:44 | Machine | s1_win7_x6401 |
| Filename | YoDo_Fake.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | |||
| VT API (file) | 32 detected (AIDetectMalware, Coins, malicious, high confidence, Artemis, Save, Attribute, HighConfidence, PWSX, AMADEY, YXDGKZ, Static AI, Suspicious PE, SpywareX, CRDB, Detected, ZexaF, hqW@aG9InDn, BScope, Chgt, Generic@AI, RDML, IMGCJz7UY6UvSH03hyjlYA, Outbreak, PossibleThreat, confidence, 100%) | ||
| md5 | 10adfd55d2fe1b14553f911adc389e89 | ||
| sha256 | a1e9ac36f287a51c929becd38de41a536962e7f1c1ef3e954eeb5da0101bd7a3 | ||
| ssdeep | 3072:ceImo5mf7mNlQw2+IvEuyrAAmU9JpdaNKNezb629Tf6O+BUnfvg0I0IM07V4Qr/c:ceGxMUbdqgw | ||
| imphash | 824637e9faa330dbb88c3aeabc598215 | ||
| impfuzzy | 24:rdvVboGcebnMURBtMS1JbJe1l3eDoLoEOovbOIj4ZHu93v4A5cjAjbRtDBrfRFht:rdV7cUBtMS1J+pXc3g4Arhzht | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x416008 DecodePointer
0x41600c RaiseException
0x416010 GetLastError
0x416014 HeapAlloc
0x416018 GetProcessHeap
0x41601c InitializeCriticalSectionEx
0x416020 DeleteCriticalSection
0x416024 GetTickCount
0x416028 IsDebuggerPresent
0x41602c MultiByteToWideChar
0x416030 FreeConsole
0x416034 OutputDebugStringW
0x416038 EnterCriticalSection
0x41603c LeaveCriticalSection
0x416040 CloseHandle
0x416044 CreateFileW
0x416048 LoadLibraryA
0x41604c GetTempPathA
0x416050 SetFilePointerEx
0x416054 GetConsoleMode
0x416058 GetConsoleOutputCP
0x41605c FlushFileBuffers
0x416060 LCMapStringW
0x416064 CompareStringW
0x416068 UnhandledExceptionFilter
0x41606c SetUnhandledExceptionFilter
0x416070 GetCurrentProcess
0x416074 TerminateProcess
0x416078 IsProcessorFeaturePresent
0x41607c QueryPerformanceCounter
0x416080 GetCurrentProcessId
0x416084 GetCurrentThreadId
0x416088 GetSystemTimeAsFileTime
0x41608c InitializeSListHead
0x416090 GetStartupInfoW
0x416094 GetModuleHandleW
0x416098 RtlUnwind
0x41609c SetLastError
0x4160a0 EncodePointer
0x4160a4 InitializeCriticalSectionAndSpinCount
0x4160a8 TlsAlloc
0x4160ac TlsGetValue
0x4160b0 TlsSetValue
0x4160b4 TlsFree
0x4160b8 FreeLibrary
0x4160bc GetProcAddress
0x4160c0 LoadLibraryExW
0x4160c4 GetStdHandle
0x4160c8 WriteFile
0x4160cc GetModuleFileNameW
0x4160d0 ExitProcess
0x4160d4 GetModuleHandleExW
0x4160d8 GetCommandLineA
0x4160dc GetCommandLineW
0x4160e0 HeapFree
0x4160e4 HeapSize
0x4160e8 HeapReAlloc
0x4160ec FindClose
0x4160f0 FindFirstFileExW
0x4160f4 FindNextFileW
0x4160f8 IsValidCodePage
0x4160fc GetACP
0x416100 GetOEMCP
0x416104 GetCPInfo
0x416108 WideCharToMultiByte
0x41610c GetEnvironmentStringsW
0x416110 FreeEnvironmentStringsW
0x416114 SetEnvironmentVariableW
0x416118 SetStdHandle
0x41611c GetFileType
0x416120 GetStringTypeW
0x416124 WriteConsoleW
USER32.dll
0x41612c CharLowerA
ADVAPI32.dll
0x416000 GetUserNameA
WINHTTP.dll
0x416134 WinHttpOpenRequest
0x416138 WinHttpCloseHandle
0x41613c WinHttpOpen
0x416140 WinHttpReadData
0x416144 WinHttpReceiveResponse
0x416148 WinHttpQueryDataAvailable
0x41614c WinHttpSendRequest
0x416150 WinHttpConnect
EAT(Export Address Table) is none
KERNEL32.dll
0x416008 DecodePointer
0x41600c RaiseException
0x416010 GetLastError
0x416014 HeapAlloc
0x416018 GetProcessHeap
0x41601c InitializeCriticalSectionEx
0x416020 DeleteCriticalSection
0x416024 GetTickCount
0x416028 IsDebuggerPresent
0x41602c MultiByteToWideChar
0x416030 FreeConsole
0x416034 OutputDebugStringW
0x416038 EnterCriticalSection
0x41603c LeaveCriticalSection
0x416040 CloseHandle
0x416044 CreateFileW
0x416048 LoadLibraryA
0x41604c GetTempPathA
0x416050 SetFilePointerEx
0x416054 GetConsoleMode
0x416058 GetConsoleOutputCP
0x41605c FlushFileBuffers
0x416060 LCMapStringW
0x416064 CompareStringW
0x416068 UnhandledExceptionFilter
0x41606c SetUnhandledExceptionFilter
0x416070 GetCurrentProcess
0x416074 TerminateProcess
0x416078 IsProcessorFeaturePresent
0x41607c QueryPerformanceCounter
0x416080 GetCurrentProcessId
0x416084 GetCurrentThreadId
0x416088 GetSystemTimeAsFileTime
0x41608c InitializeSListHead
0x416090 GetStartupInfoW
0x416094 GetModuleHandleW
0x416098 RtlUnwind
0x41609c SetLastError
0x4160a0 EncodePointer
0x4160a4 InitializeCriticalSectionAndSpinCount
0x4160a8 TlsAlloc
0x4160ac TlsGetValue
0x4160b0 TlsSetValue
0x4160b4 TlsFree
0x4160b8 FreeLibrary
0x4160bc GetProcAddress
0x4160c0 LoadLibraryExW
0x4160c4 GetStdHandle
0x4160c8 WriteFile
0x4160cc GetModuleFileNameW
0x4160d0 ExitProcess
0x4160d4 GetModuleHandleExW
0x4160d8 GetCommandLineA
0x4160dc GetCommandLineW
0x4160e0 HeapFree
0x4160e4 HeapSize
0x4160e8 HeapReAlloc
0x4160ec FindClose
0x4160f0 FindFirstFileExW
0x4160f4 FindNextFileW
0x4160f8 IsValidCodePage
0x4160fc GetACP
0x416100 GetOEMCP
0x416104 GetCPInfo
0x416108 WideCharToMultiByte
0x41610c GetEnvironmentStringsW
0x416110 FreeEnvironmentStringsW
0x416114 SetEnvironmentVariableW
0x416118 SetStdHandle
0x41611c GetFileType
0x416120 GetStringTypeW
0x416124 WriteConsoleW
USER32.dll
0x41612c CharLowerA
ADVAPI32.dll
0x416000 GetUserNameA
WINHTTP.dll
0x416134 WinHttpOpenRequest
0x416138 WinHttpCloseHandle
0x41613c WinHttpOpen
0x416140 WinHttpReadData
0x416144 WinHttpReceiveResponse
0x416148 WinHttpQueryDataAvailable
0x41614c WinHttpSendRequest
0x416150 WinHttpConnect
EAT(Export Address Table) is none