Field | Value |
---|---|
Created | 2023.08.10 09:49 |
Machine | s1_win7_x6402 |
Filename | Allergy List pdf.scr |
Type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows |
ZERO API | file : clean |
VT API (file) | 8 detected (AIDetectMalware, Attribute, HighConfidence, malicious, high confidence, GenKryptik, GMQG, ZexaE, @NW@aK, gePdi) |
md5 | 5a5268db3190beda118dfc8a2b0cdd56 |
sha256 | 9da7e50d62b17a31deb55a55095d3e75853928529950c1b2d441f596a206bbcb |
ssdeep | 49152:4vMYFzEf3VDViYBiSOETicHIntWws1TsVUQ6:YWRiYBi8TicHIntWwZV |
imphash | 645d33b4ca0ca3c7aef403c11cfcf78f |
impfuzzy | 48:1fCCalUVdLkO0vXlNFJlGvm/GcaqN7BGN6XM:1fCCAU3QO0fltlA2aqN7BVc |
Network IP location
Signature (18cnts)
Level | Description |
---|---|
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process allergy list pdf.scr |
notice | Creates executable files on the filesystem |
notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (10cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts)
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x89823c CloseHandle
0x898240 CreateSemaphoreW
0x898244 DeleteCriticalSection
0x898248 EnterCriticalSection
0x89824c ExitProcess
0x898250 FindClose
0x898254 FindFirstFileA
0x898258 FindNextFileA
0x89825c FreeLibrary
0x898260 GetCommandLineA
0x898264 GetConsoleWindow
0x898268 GetCurrentThreadId
0x89826c GetLastError
0x898270 GetModuleHandleA
0x898274 GetProcAddress
0x898278 GetTempPathA
0x89827c GetTickCount
0x898280 InitializeCriticalSection
0x898284 InterlockedDecrement
0x898288 InterlockedExchange
0x89828c InterlockedIncrement
0x898290 IsDBCSLeadByteEx
0x898294 LeaveCriticalSection
0x898298 LoadLibraryA
0x89829c MultiByteToWideChar
0x8982a0 OutputDebugStringA
0x8982a4 ReleaseSemaphore
0x8982a8 SetLastError
0x8982ac SetUnhandledExceptionFilter
0x8982b0 Sleep
0x8982b4 TlsAlloc
0x8982b8 TlsFree
0x8982bc TlsGetValue
0x8982c0 TlsSetValue
0x8982c4 VirtualAlloc
0x8982c8 VirtualProtect
0x8982cc VirtualQuery
0x8982d0 WaitForSingleObject
0x8982d4 WideCharToMultiByte
msvcrt.dll
0x8982dc _fdopen
0x8982e0 _fstat
0x8982e4 _lseek
0x8982e8 _read
0x8982ec _strdup
0x8982f0 _stricoll
0x8982f4 _write
msvcrt.dll
0x8982fc __getmainargs
0x898300 __mb_cur_max
0x898304 __p__environ
0x898308 __p__fmode
0x89830c __set_app_type
0x898310 _cexit
0x898314 _errno
0x898318 _filbuf
0x89831c _flsbuf
0x898320 _fpreset
0x898324 _fullpath
0x898328 _iob
0x89832c _isctype
0x898330 _onexit
0x898334 _pctype
0x898338 _setmode
0x89833c abort
0x898340 atexit
0x898344 atoi
0x898348 calloc
0x89834c fclose
0x898350 fflush
0x898354 fopen
0x898358 fputc
0x89835c fputs
0x898360 fread
0x898364 free
0x898368 fseek
0x89836c ftell
0x898370 fwrite
0x898374 getenv
0x898378 getwc
0x89837c iswctype
0x898380 localeconv
0x898384 malloc
0x898388 mbstowcs
0x89838c memchr
0x898390 memcmp
0x898394 memcpy
0x898398 memmove
0x89839c memset
0x8983a0 putwc
0x8983a4 realloc
0x8983a8 setlocale
0x8983ac setvbuf
0x8983b0 signal
0x8983b4 sprintf
0x8983b8 strchr
0x8983bc strcmp
0x8983c0 strcoll
0x8983c4 strerror
0x8983c8 strftime
0x8983cc strlen
0x8983d0 strtod
0x8983d4 strtoul
0x8983d8 strxfrm
0x8983dc tolower
0x8983e0 towlower
0x8983e4 towupper
0x8983e8 ungetc
0x8983ec ungetwc
0x8983f0 vfprintf
0x8983f4 wcscoll
0x8983f8 wcsftime
0x8983fc wcslen
0x898400 wcstombs
0x898404 wcsxfrm
USER32.dll
0x89840c ShowWindow
EAT (Export Address Table) is none