Field | Value |
---|---|
Created | 2023.08.04 10:25 |
Machine | s1_win7_x6403 |
Filename | buildntai1.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 58 detected (AIDetectMalware, Emotet, GenericKD, Trojanpws, Stealerc, Fragtor, unsafe, Save, TrojanPSW, malicious, ZexaF, DqW@ayD5Sqc, Genus, Eldorado, Windows, Vidar, score, jxxmgm, PWSX, Gencirc, GenSteal, rkvci, YXDHBZ, CoinMiner, moderate, Static AI, Malicious PE, Malware@#1kaw4zjufl6w9, Detected, Artemis, ai score=85, BScope, Genetic, 2AsqLo0QfwC, susgen, confidence, 100%) |
md5 | df0c22316b7b50ee84b60b201fb837ae |
sha256 | 05e67c0721526e7dd9b6ef6cdc391d656399d9346b0e9e7e563c160fd0c4fa79 |
ssdeep | 12288:7MqFYULoWzniwtgGbl6mw/YAMOtwhF5fBqylCnwe+:7MqFbniCgGZ6T/DMO25fzonwd |
imphash | eb946a5d419bb360e395b3426711b797 |
impfuzzy | 24:2+Do24DW1x/UHTP+ZFkNdZ+fcW0LluGIOovIt/J3OnlyvCOcjMZboHOT4MultwAR:x1xM6Z0dZ+fcqGHnthKK3NcFNyQJ |
Signature (22 cnts)
Level | Description |
---|---|
danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to create or modify system certificates |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
watch | Network activity contains more than one unique useragent |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid ...) |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (14 cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9 cnts)
Suricata IDs
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host ZIP Request
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host ZIP Request
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x45b00c VirtualFree
0x45b010 VirtualAlloc
0x45b014 Sleep
0x45b018 GlobalMemoryStatusEx
0x45b01c GetSystemInfo
0x45b020 LocalAlloc
0x45b024 lstrlenW
0x45b028 lstrcatW
0x45b02c GetProcAddress
0x45b030 LoadLibraryA
0x45b034 VirtualProtect
0x45b038 GetCurrentProcess
0x45b03c GetLogicalProcessorInformationEx
0x45b040 CloseHandle
0x45b044 Process32Next
0x45b048 Process32First
0x45b04c CreateToolhelp32Snapshot
0x45b050 FindNextFileW
0x45b054 FindFirstFileW
0x45b058 lstrcpynA
0x45b05c CompareStringW
0x45b060 GetProcessHeap
0x45b064 VirtualAllocExNuma
0x45b068 TerminateProcess
0x45b06c ExitProcess
0x45b070 SetEndOfFile
0x45b074 CreateFileW
0x45b078 CreateFileA
0x45b07c SetStdHandle
0x45b080 WriteConsoleW
0x45b084 LoadLibraryW
0x45b088 FreeLibrary
0x45b08c SetConsoleCtrlHandler
0x45b090 IsValidLocale
0x45b094 EnumSystemLocalesA
0x45b098 GetLocaleInfoA
0x45b09c GetUserDefaultLCID
0x45b0a0 GetLocaleInfoW
0x45b0a4 InterlockedIncrement
0x45b0a8 InterlockedDecrement
0x45b0ac WideCharToMultiByte
0x45b0b0 InterlockedExchange
0x45b0b4 InitializeCriticalSection
0x45b0b8 DeleteCriticalSection
0x45b0bc EnterCriticalSection
0x45b0c0 LeaveCriticalSection
0x45b0c4 EncodePointer
0x45b0c8 DecodePointer
0x45b0cc InterlockedCompareExchange
0x45b0d0 MultiByteToWideChar
0x45b0d4 HeapAlloc
0x45b0d8 GetLastError
0x45b0dc HeapFree
0x45b0e0 RaiseException
0x45b0e4 RtlUnwind
0x45b0e8 HeapReAlloc
0x45b0ec GetSystemTimeAsFileTime
0x45b0f0 GetCommandLineA
0x45b0f4 HeapSetInformation
0x45b0f8 GetStartupInfoW
0x45b0fc LCMapStringW
0x45b100 GetCPInfo
0x45b104 IsProcessorFeaturePresent
0x45b108 UnhandledExceptionFilter
0x45b10c SetUnhandledExceptionFilter
0x45b110 IsDebuggerPresent
0x45b114 GetModuleHandleW
0x45b118 WriteFile
0x45b11c GetStdHandle
0x45b120 GetModuleFileNameW
0x45b124 HeapCreate
0x45b128 HeapDestroy
0x45b12c TlsAlloc
0x45b130 TlsGetValue
0x45b134 TlsSetValue
0x45b138 TlsFree
0x45b13c SetLastError
0x45b140 GetCurrentThreadId
0x45b144 GetCurrentThread
0x45b148 GetACP
0x45b14c GetOEMCP
0x45b150 IsValidCodePage
0x45b154 HeapSize
0x45b158 SetHandleCount
0x45b15c InitializeCriticalSectionAndSpinCount
0x45b160 GetFileType
0x45b164 FatalAppExitA
0x45b168 GetConsoleCP
0x45b16c GetConsoleMode
0x45b170 FlushFileBuffers
0x45b174 ReadFile
0x45b178 SetFilePointer
0x45b17c GetTimeZoneInformation
0x45b180 GetModuleFileNameA
0x45b184 FreeEnvironmentStringsW
0x45b188 GetEnvironmentStringsW
0x45b18c QueryPerformanceCounter
0x45b190 GetTickCount
0x45b194 GetCurrentProcessId
0x45b198 GetStringTypeW
0x45b19c SetEnvironmentVariableA
USER32.dll
0x45b1c4 ReleaseDC
GDI32.dll
0x45b000 GetDeviceCaps
0x45b004 CreateDCA
ole32.dll
0x45b1cc CoCreateInstance
0x45b1d0 CoInitializeSecurity
0x45b1d4 CoInitializeEx
0x45b1d8 CoSetProxyBlanket
OLEAUT32.dll
0x45b1b0 SysFreeString
0x45b1b4 VariantClear
0x45b1b8 VariantInit
0x45b1bc SysAllocString
NETAPI32.dll
0x45b1a4 NetWkstaGetInfo
0x45b1a8 NetApiBufferFree
EAT (Export Address Table): none