Field | Value |
---|---|
Created | 2023.08.08 18:47 |
Machine | s1_win7_x6403 |
Filename | Alligator_Gamers.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 43 detected (AIDetectMalware, malicious, high confidence, Jaik, Save, GenKryptik, Kryptik, Eldorado, Attribute, HighConfidence, GHTO, score, CrypterX, Azlw, XPACK, Gen5, VIDAR, YXDHHZ, high, Static AI, Malicious PE, ai score=89, RedLineStealer, Detected, Artemis, unsafe, Genetic, iHaF5L8XsUE, ZexaF, Hq0@aeXczMei, confidence, 100%) |
md5 | 5c3d28d428bb30d59eb8ff498540a5d8 |
sha256 | c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55 |
ssdeep | 12288:o+Gj+NagcanPVUynnIe26AL560FgkMKqWST1XH/KtBY:otjzjanP2+o0BpDRKf |
imphash | 035152f08fc01104c539a9694e78d939 |
impfuzzy | 24:WjlNDoryn8ABxvbOovnKQFQ8RyvDh/J3ISlRT47mfpl/qH+A:nKqEK3Djhc7mfp5qHt |
Network IP location
Signature (23cnts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to create or modify system certificates |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Network activity contains more than one unique useragent |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts)
Suricata IDs
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Dotted Quad Host ZIP Request
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40e008 WaitForSingleObject
0x40e00c CreateThread
0x40e010 lstrlenW
0x40e014 VirtualProtect
0x40e018 GetProcAddress
0x40e01c LoadLibraryA
0x40e020 VirtualAlloc
0x40e024 LockResource
0x40e028 LoadResource
0x40e02c SizeofResource
0x40e030 Sleep
0x40e034 GetModuleHandleW
0x40e038 GetLastError
0x40e03c CreateMutexA
0x40e040 GetModuleHandleA
0x40e044 SetCurrentDirectoryW
0x40e048 MoveFileW
0x40e04c GetConsoleWindow
0x40e050 FindResourceW
0x40e054 OpenFileMappingA
0x40e058 GetCommandLineA
0x40e05c SetUnhandledExceptionFilter
0x40e060 ExitProcess
0x40e064 WriteFile
0x40e068 GetStdHandle
0x40e06c GetModuleFileNameA
0x40e070 FreeEnvironmentStringsA
0x40e074 GetEnvironmentStrings
0x40e078 FreeEnvironmentStringsW
0x40e07c WideCharToMultiByte
0x40e080 GetEnvironmentStringsW
0x40e084 SetHandleCount
0x40e088 GetFileType
0x40e08c GetStartupInfoA
0x40e090 DeleteCriticalSection
0x40e094 TlsGetValue
0x40e098 TlsAlloc
0x40e09c TlsSetValue
0x40e0a0 TlsFree
0x40e0a4 InterlockedIncrement
0x40e0a8 SetLastError
0x40e0ac GetCurrentThreadId
0x40e0b0 InterlockedDecrement
0x40e0b4 HeapCreate
0x40e0b8 VirtualFree
0x40e0bc HeapFree
0x40e0c0 QueryPerformanceCounter
0x40e0c4 GetTickCount
0x40e0c8 GetCurrentProcessId
0x40e0cc GetSystemTimeAsFileTime
0x40e0d0 GetCPInfo
0x40e0d4 GetACP
0x40e0d8 GetOEMCP
0x40e0dc IsValidCodePage
0x40e0e0 TerminateProcess
0x40e0e4 GetCurrentProcess
0x40e0e8 UnhandledExceptionFilter
0x40e0ec IsDebuggerPresent
0x40e0f0 LeaveCriticalSection
0x40e0f4 EnterCriticalSection
0x40e0f8 InitializeCriticalSectionAndSpinCount
0x40e0fc HeapAlloc
0x40e100 HeapReAlloc
0x40e104 RtlUnwind
0x40e108 LCMapStringA
0x40e10c MultiByteToWideChar
0x40e110 LCMapStringW
0x40e114 GetStringTypeA
0x40e118 GetStringTypeW
0x40e11c GetLocaleInfoA
0x40e120 HeapSize
USER32.dll
0x40e128 ShowWindow
ADVAPI32.dll
0x40e000 RegDeleteKeyA
EAT (Export Address Table): none