ScreenShot
| Created | 2023.08.07 08:50 | Machine | s1_win7_x6403 |
| Filename | Documents-EnemyFrauz.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | a490f1848b792df4dc37c9e1b200578d | ||
| sha256 | b61325a676000c0afb169f63048c583bc81cb52e1690a6ccf5642decb7831b5e | ||
| ssdeep | 24576:mDXdMCbh0lhSMXlPFN3RFEuHhra2oQfKhBdY7O8gz/7:mBMPt/G29fKhBdYy8ij | ||
| imphash | 4dc7a7765a97318d45b0210b0d408b04 | ||
| impfuzzy | 24:WWjsSDpVX1FlyobKAWdgBcpVWZIdtpgliE0qtI1UJgF0YgvuZYGMABOovbOPZ8Ih:WmVX1vWdgBcpVeIdtGftI130ruZu3F | ||
Network IP location
Signature (35cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | Generates some ICMP traffic |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates known Dapato Trojan files |
| watch | Creates known Dyreza Banking Trojan files |
| watch | Creates known Hupigon files |
| watch | Creates known Upatre files |
| watch | Detects VirtualBox through the presence of a file |
| watch | Detects VirtualBox through the presence of a registry key |
| watch | Drops a binary and executes it |
| watch | Harvests credentials from local email clients |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process created a hidden window |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (23cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Protocol detection skipped
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Protocol detection skipped
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14002f018 WriteProcessMemory
0x14002f020 WaitForSingleObject
0x14002f028 ResumeThread
0x14002f030 LoadLibraryA
0x14002f038 GetModuleFileNameA
0x14002f040 GetProcAddress
0x14002f048 FreeLibrary
0x14002f050 SetThreadContext
0x14002f058 HeapSize
0x14002f060 VirtualAlloc
0x14002f068 GetThreadContext
0x14002f070 VirtualFree
0x14002f078 SetStdHandle
0x14002f080 WideCharToMultiByte
0x14002f088 GetLastError
0x14002f090 GetModuleHandleExW
0x14002f098 CreateFileW
0x14002f0a0 FindClose
0x14002f0a8 FindFirstFileExW
0x14002f0b0 FindNextFileW
0x14002f0b8 CloseHandle
0x14002f0c0 GetModuleHandleW
0x14002f0c8 MultiByteToWideChar
0x14002f0d0 ReleaseSRWLockExclusive
0x14002f0d8 AcquireSRWLockExclusive
0x14002f0e0 WakeAllConditionVariable
0x14002f0e8 SleepConditionVariableSRW
0x14002f0f0 IsProcessorFeaturePresent
0x14002f0f8 RtlPcToFileHeader
0x14002f100 RaiseException
0x14002f108 EnterCriticalSection
0x14002f110 LeaveCriticalSection
0x14002f118 InitializeCriticalSectionEx
0x14002f120 DeleteCriticalSection
0x14002f128 EncodePointer
0x14002f130 DecodePointer
0x14002f138 LCMapStringEx
0x14002f140 InitializeSRWLock
0x14002f148 TryAcquireSRWLockExclusive
0x14002f150 GetCurrentThreadId
0x14002f158 InitializeConditionVariable
0x14002f160 WakeConditionVariable
0x14002f168 QueryPerformanceCounter
0x14002f170 GetStringTypeW
0x14002f178 FlsAlloc
0x14002f180 FlsGetValue
0x14002f188 FlsSetValue
0x14002f190 FlsFree
0x14002f198 GetSystemTimeAsFileTime
0x14002f1a0 GetCPInfo
0x14002f1a8 InitializeCriticalSectionAndSpinCount
0x14002f1b0 CreateEventW
0x14002f1b8 RtlCaptureContext
0x14002f1c0 RtlLookupFunctionEntry
0x14002f1c8 RtlVirtualUnwind
0x14002f1d0 IsDebuggerPresent
0x14002f1d8 UnhandledExceptionFilter
0x14002f1e0 SetUnhandledExceptionFilter
0x14002f1e8 GetStartupInfoW
0x14002f1f0 GetCurrentProcessId
0x14002f1f8 InitializeSListHead
0x14002f200 GetCurrentProcess
0x14002f208 TerminateProcess
0x14002f210 RtlUnwindEx
0x14002f218 SetLastError
0x14002f220 TlsAlloc
0x14002f228 TlsGetValue
0x14002f230 TlsSetValue
0x14002f238 TlsFree
0x14002f240 LoadLibraryExW
0x14002f248 RtlUnwind
0x14002f250 ExitProcess
0x14002f258 GetModuleFileNameW
0x14002f260 GetStdHandle
0x14002f268 WriteFile
0x14002f270 HeapAlloc
0x14002f278 HeapFree
0x14002f280 GetFileType
0x14002f288 LCMapStringW
0x14002f290 GetLocaleInfoW
0x14002f298 IsValidLocale
0x14002f2a0 GetUserDefaultLCID
0x14002f2a8 EnumSystemLocalesW
0x14002f2b0 FlushFileBuffers
0x14002f2b8 GetConsoleOutputCP
0x14002f2c0 GetConsoleMode
0x14002f2c8 ReadFile
0x14002f2d0 GetFileSizeEx
0x14002f2d8 SetFilePointerEx
0x14002f2e0 ReadConsoleW
0x14002f2e8 HeapReAlloc
0x14002f2f0 IsValidCodePage
0x14002f2f8 GetACP
0x14002f300 GetOEMCP
0x14002f308 GetCommandLineA
0x14002f310 GetCommandLineW
0x14002f318 GetEnvironmentStringsW
0x14002f320 FreeEnvironmentStringsW
0x14002f328 GetProcessHeap
0x14002f330 WriteConsoleW
ADVAPI32.dll
0x14002f000 RegOpenKeyExW
0x14002f008 RegCloseKey
WININET.dll
0x14002f340 InternetGetConnectedState
EAT(Export Address Table) is none
KERNEL32.dll
0x14002f018 WriteProcessMemory
0x14002f020 WaitForSingleObject
0x14002f028 ResumeThread
0x14002f030 LoadLibraryA
0x14002f038 GetModuleFileNameA
0x14002f040 GetProcAddress
0x14002f048 FreeLibrary
0x14002f050 SetThreadContext
0x14002f058 HeapSize
0x14002f060 VirtualAlloc
0x14002f068 GetThreadContext
0x14002f070 VirtualFree
0x14002f078 SetStdHandle
0x14002f080 WideCharToMultiByte
0x14002f088 GetLastError
0x14002f090 GetModuleHandleExW
0x14002f098 CreateFileW
0x14002f0a0 FindClose
0x14002f0a8 FindFirstFileExW
0x14002f0b0 FindNextFileW
0x14002f0b8 CloseHandle
0x14002f0c0 GetModuleHandleW
0x14002f0c8 MultiByteToWideChar
0x14002f0d0 ReleaseSRWLockExclusive
0x14002f0d8 AcquireSRWLockExclusive
0x14002f0e0 WakeAllConditionVariable
0x14002f0e8 SleepConditionVariableSRW
0x14002f0f0 IsProcessorFeaturePresent
0x14002f0f8 RtlPcToFileHeader
0x14002f100 RaiseException
0x14002f108 EnterCriticalSection
0x14002f110 LeaveCriticalSection
0x14002f118 InitializeCriticalSectionEx
0x14002f120 DeleteCriticalSection
0x14002f128 EncodePointer
0x14002f130 DecodePointer
0x14002f138 LCMapStringEx
0x14002f140 InitializeSRWLock
0x14002f148 TryAcquireSRWLockExclusive
0x14002f150 GetCurrentThreadId
0x14002f158 InitializeConditionVariable
0x14002f160 WakeConditionVariable
0x14002f168 QueryPerformanceCounter
0x14002f170 GetStringTypeW
0x14002f178 FlsAlloc
0x14002f180 FlsGetValue
0x14002f188 FlsSetValue
0x14002f190 FlsFree
0x14002f198 GetSystemTimeAsFileTime
0x14002f1a0 GetCPInfo
0x14002f1a8 InitializeCriticalSectionAndSpinCount
0x14002f1b0 CreateEventW
0x14002f1b8 RtlCaptureContext
0x14002f1c0 RtlLookupFunctionEntry
0x14002f1c8 RtlVirtualUnwind
0x14002f1d0 IsDebuggerPresent
0x14002f1d8 UnhandledExceptionFilter
0x14002f1e0 SetUnhandledExceptionFilter
0x14002f1e8 GetStartupInfoW
0x14002f1f0 GetCurrentProcessId
0x14002f1f8 InitializeSListHead
0x14002f200 GetCurrentProcess
0x14002f208 TerminateProcess
0x14002f210 RtlUnwindEx
0x14002f218 SetLastError
0x14002f220 TlsAlloc
0x14002f228 TlsGetValue
0x14002f230 TlsSetValue
0x14002f238 TlsFree
0x14002f240 LoadLibraryExW
0x14002f248 RtlUnwind
0x14002f250 ExitProcess
0x14002f258 GetModuleFileNameW
0x14002f260 GetStdHandle
0x14002f268 WriteFile
0x14002f270 HeapAlloc
0x14002f278 HeapFree
0x14002f280 GetFileType
0x14002f288 LCMapStringW
0x14002f290 GetLocaleInfoW
0x14002f298 IsValidLocale
0x14002f2a0 GetUserDefaultLCID
0x14002f2a8 EnumSystemLocalesW
0x14002f2b0 FlushFileBuffers
0x14002f2b8 GetConsoleOutputCP
0x14002f2c0 GetConsoleMode
0x14002f2c8 ReadFile
0x14002f2d0 GetFileSizeEx
0x14002f2d8 SetFilePointerEx
0x14002f2e0 ReadConsoleW
0x14002f2e8 HeapReAlloc
0x14002f2f0 IsValidCodePage
0x14002f2f8 GetACP
0x14002f300 GetOEMCP
0x14002f308 GetCommandLineA
0x14002f310 GetCommandLineW
0x14002f318 GetEnvironmentStringsW
0x14002f320 FreeEnvironmentStringsW
0x14002f328 GetProcessHeap
0x14002f330 WriteConsoleW
ADVAPI32.dll
0x14002f000 RegOpenKeyExW
0x14002f008 RegCloseKey
WININET.dll
0x14002f340 InternetGetConnectedState
EAT(Export Address Table) is none