Field | Value |
---|---|
Created | 2023.07.31 17:32 |
Machine | s1_win7_x6403 |
Filename | 32123212.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 16 detected (malicious, moderate confidence, Fragtor, ZexaCO, eQW@aKwhob, Attribute, HighConfidence, BitMin, ai score=86, Genetic, confidence) |
md5 | 9bd1cc9b027a4420d6e4f780c50af93c |
sha256 | e65881aa7f6c33636776089b3584dbf8a1c1e7d04de4ed286bb0d5a50aa769f5 |
ssdeep | 49152:a5eNQ7HYLiM2DV9Dy+B5edHCxnaEBgKwNVQ:A1VMyDF5xna |
imphash | b41abaa038d8b27317c2ba6ce503cfa5 |
impfuzzy | 96:NW5W6tiqeV5RnN/bYxyXHOW3b8OhYfPOT3n4I9gXiX18HJGCN7qTAEHO:NW5W6tivV5F+Wp/MWgSFJCNmTAEHO |
Network IP location
Signature (19cnts)
Level | Description |
---|---|
watch | Attempts to create or modify system certificates |
watch | File has been identified by 16 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Executes one or more WMI queries |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Moves the original executable to a new location |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (10cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Obsidium_Zero | Obsidium protector file | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
crypt32.dll
0x606474 CertAddCertificateContextToStore
0x606478 CertCloseStore
0x60647c CertDuplicateCertificateChain
0x606480 CertDuplicateCertificateContext
0x606484 CertDuplicateStore
0x606488 CertEnumCertificatesInStore
0x60648c CertFreeCertificateChain
0x606490 CertFreeCertificateContext
0x606494 CertGetCertificateChain
0x606498 CertOpenStore
0x60649c CertVerifyCertificateChainPolicy
kernel32.dll
0x6064a4 AcquireSRWLockExclusive
0x6064a8 AcquireSRWLockShared
0x6064ac AddVectoredExceptionHandler
0x6064b0 CancelIo
0x6064b4 CloseHandle
0x6064b8 CompareStringOrdinal
0x6064bc CreateEventW
0x6064c0 CreateFileMappingA
0x6064c4 CreateFileW
0x6064c8 CreateIoCompletionPort
0x6064cc CreateMutexA
0x6064d0 CreateNamedPipeW
0x6064d4 CreateProcessW
0x6064d8 CreateThread
0x6064dc CreateToolhelp32Snapshot
0x6064e0 DuplicateHandle
0x6064e4 ExitProcess
0x6064e8 FormatMessageW
0x6064ec FreeEnvironmentStringsW
0x6064f0 FreeLibrary
0x6064f4 GetConsoleMode
0x6064f8 GetCurrentDirectoryW
0x6064fc GetCurrentProcess
0x606500 GetCurrentProcessId
0x606504 GetCurrentThread
0x606508 GetEnvironmentStringsW
0x60650c GetEnvironmentVariableW
0x606510 GetExitCodeProcess
0x606514 GetFileAttributesW
0x606518 GetFileInformationByHandle
0x60651c GetFileInformationByHandleEx
0x606520 GetFinalPathNameByHandleW
0x606524 GetFullPathNameW
0x606528 GetLastError
0x60652c GetModuleFileNameW
0x606530 GetModuleHandleA
0x606534 GetModuleHandleW
0x606538 GetOverlappedResult
0x60653c GetProcAddress
0x606540 GetProcessHeap
0x606544 GetQueuedCompletionStatusEx
0x606548 GetStdHandle
0x60654c GetSystemDirectoryW
0x606550 GetSystemInfo
0x606554 GetTempPathW
0x606558 GetWindowsDirectoryW
0x60655c GlobalAlloc
0x606560 GlobalFree
0x606564 GlobalLock
0x606568 GlobalSize
0x60656c GlobalUnlock
0x606570 HeapAlloc
0x606574 HeapFree
0x606578 HeapReAlloc
0x60657c InitOnceBeginInitialize
0x606580 InitOnceComplete
0x606584 LoadLibraryA
0x606588 MapViewOfFile
0x60658c Module32FirstW
0x606590 Module32NextW
0x606594 MoveFileExW
0x606598 MultiByteToWideChar
0x60659c PostQueuedCompletionStatus
0x6065a0 QueryPerformanceCounter
0x6065a4 QueryPerformanceFrequency
0x6065a8 ReadFile
0x6065ac ReadFileEx
0x6065b0 ReleaseMutex
0x6065b4 ReleaseSRWLockExclusive
0x6065b8 ReleaseSRWLockShared
0x6065bc SetFileCompletionNotificationModes
0x6065c0 SetHandleInformation
0x6065c4 SetLastError
0x6065c8 SetThreadStackGuarantee
0x6065cc SetUnhandledExceptionFilter
0x6065d0 Sleep
0x6065d4 SleepEx
0x6065d8 SwitchToThread
0x6065dc TlsAlloc
0x6065e0 TlsFree
0x6065e4 TlsGetValue
0x6065e8 TlsSetValue
0x6065ec TryAcquireSRWLockExclusive
0x6065f0 UnmapViewOfFile
0x6065f4 WaitForMultipleObjects
0x6065f8 WaitForSingleObject
0x6065fc WaitForSingleObjectEx
0x606600 WriteConsoleW
0x606604 WriteFileEx
secur32.dll
0x60660c AcceptSecurityContext
0x606610 AcquireCredentialsHandleA
0x606614 ApplyControlToken
0x606618 DecryptMessage
0x60661c DeleteSecurityContext
0x606620 EncryptMessage
0x606624 FreeContextBuffer
0x606628 FreeCredentialsHandle
0x60662c InitializeSecurityContextW
0x606630 QueryContextAttributesW
user32.dll
0x606638 CloseClipboard
0x60663c EmptyClipboard
0x606640 GetClipboardData
0x606644 OpenClipboard
0x606648 SetClipboardData
ws2_32.dll
0x606650 WSACleanup
0x606654 WSAGetLastError
0x606658 WSAIoctl
0x60665c WSASend
0x606660 WSASocketW
0x606664 WSAStartup
0x606668 ind
0x60666c closesocket
0x606670 connect
0x606674 freeaddrinfo
0x606678 getaddrinfo
0x60667c getpeername
0x606680 getsockname
0x606684 getsockopt
0x606688 ioctlsocket
0x60668c recv
0x606690 send
0x606694 setsockopt
0x606698 shutdown
ADVAPI32.dll
0x6066a0 GetTokenInformation
0x6066a4 OpenProcessToken
0x6066a8 RegCloseKey
0x6066ac RegOpenKeyExW
0x6066b0 RegQueryValueExW
0x6066b4 SystemFunction036
crypt.dll
0x6066bc BCryptGenRandom
KERNEL32.dll
0x6066c4 CreateEventA
0x6066c8 CreateSemaphoreA
0x6066cc DeleteCriticalSection
0x6066d0 EnterCriticalSection
0x6066d4 GetCurrentThreadId
0x6066d8 GetHandleInformation
0x6066dc GetProcessAffinityMask
0x6066e0 GetSystemTimeAsFileTime
0x6066e4 GetThreadContext
0x6066e8 GetThreadPriority
0x6066ec GetTickCount64
0x6066f0 InitializeCriticalSection
0x6066f4 IsDebuggerPresent
0x6066f8 IsProcessorFeaturePresent
0x6066fc LeaveCriticalSection
0x606700 LoadLibraryW
0x606704 OpenProcess
0x606708 OutputDebugStringA
0x60670c RaiseException
0x606710 ReleaseSemaphore
0x606714 RemoveVectoredExceptionHandler
0x606718 ResetEvent
0x60671c ResumeThread
0x606720 SetEvent
0x606724 SetProcessAffinityMask
0x606728 SetThreadContext
0x60672c SetThreadPriority
0x606730 SuspendThread
0x606734 TerminateProcess
0x606738 TryEnterCriticalSection
0x60673c VirtualProtect
0x606740 VirtualQuery
msvcrt.dll
0x606748 __getmainargs
0x60674c __initenv
0x606750 __p__commode
0x606754 __p__fmode
0x606758 __set_app_type
0x60675c __setusermatherr
0x606760 _amsg_exit
0x606764 _beginthreadex
0x606768 _cexit
0x60676c _commode
0x606770 _endthreadex
0x606774 _errno
0x606778 _fmode
0x60677c _fpreset
0x606780 _initterm
0x606784 _iob
0x606788 _onexit
0x60678c _setjmp3
0x606790 _strdup
0x606794 _ultoa
0x606798 _write
0x60679c abort
0x6067a0 calloc
0x6067a4 exit
0x6067a8 fprintf
0x6067ac free
0x6067b0 fwrite
0x6067b4 longjmp
0x6067b8 malloc
0x6067bc memcpy
0x6067c0 memmove
0x6067c4 memset
0x6067c8 memcmp
0x6067cc pow
0x6067d0 printf
0x6067d4 realloc
0x6067d8 signal
0x6067dc strlen
0x6067e0 strncmp
0x6067e4 vfprintf
ntdll.dll
0x6067ec NtCancelIoFileEx
0x6067f0 NtCreateFile
0x6067f4 NtDeviceIoControlFile
0x6067f8 NtReadFile
0x6067fc NtWriteFile
0x606800 RtlCaptureContext
0x606804 RtlNtStatusToDosError
EAT(Export Address Table) is none