ScreenShot
| Created | 2023.09.07 19:06 | Machine | s1_win7_x6403 |
| Filename | no230.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 14 detected (AIDetectMalware, malicious, high confidence, Attribute, HighConfidence, score, Phonzy, PWSX, Generic@AI, RDML, Jd11O, BRPU4FaytIufHEEA, susgen, ZexaF, qyW@a4l0Vkmi, confidence) | ||
| md5 | 79aeea7e2cae474eba241c822e5f99e8 | ||
| sha256 | 5fa9d9b71791483ca380f09e1fc946b0ba7d68cfb73147bf80aa472b72497ef3 | ||
| ssdeep | 6144:BypnplhoSByJCTT8rxblMDcUWO7jD4wcGB:ByppboSByqAlliPD1B | ||
| imphash | caa8d22a27bdeecfeb10143eed185335 | ||
| impfuzzy | 24:OSLCECipOmtMS1BGhlJeDc+pl3eDoLoEOovFkPvRRZHu9oGM3:OSeECpmtMS1BGOc+ppXcpnT | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | File has been identified by 14 AntiVirus engines on VirusTotal as malicious |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Terminates another process |
| notice | Yara rule detected in process memory |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
PE API
IAT(Import Address Table) Library
USER32.dll
0x416110 GetIconInfo
0x416114 LoadIconA
0x416118 GetWindowTextA
0x41611c GetForegroundWindow
KERNEL32.dll
0x416000 GetCommandLineW
0x416004 WriteConsoleW
0x416008 CreateFileW
0x41600c UnhandledExceptionFilter
0x416010 SetUnhandledExceptionFilter
0x416014 GetCurrentProcess
0x416018 TerminateProcess
0x41601c IsProcessorFeaturePresent
0x416020 QueryPerformanceCounter
0x416024 GetCurrentProcessId
0x416028 GetCurrentThreadId
0x41602c GetSystemTimeAsFileTime
0x416030 InitializeSListHead
0x416034 IsDebuggerPresent
0x416038 GetStartupInfoW
0x41603c GetModuleHandleW
0x416040 CloseHandle
0x416044 RaiseException
0x416048 RtlUnwind
0x41604c GetLastError
0x416050 SetLastError
0x416054 EncodePointer
0x416058 EnterCriticalSection
0x41605c LeaveCriticalSection
0x416060 DeleteCriticalSection
0x416064 InitializeCriticalSectionAndSpinCount
0x416068 TlsAlloc
0x41606c TlsGetValue
0x416070 TlsSetValue
0x416074 TlsFree
0x416078 FreeLibrary
0x41607c GetProcAddress
0x416080 LoadLibraryExW
0x416084 GetStdHandle
0x416088 WriteFile
0x41608c GetModuleFileNameW
0x416090 ExitProcess
0x416094 GetModuleHandleExW
0x416098 GetCommandLineA
0x41609c DecodePointer
0x4160a0 HeapAlloc
0x4160a4 HeapFree
0x4160a8 CompareStringW
0x4160ac LCMapStringW
0x4160b0 GetFileType
0x4160b4 FindClose
0x4160b8 FindFirstFileExW
0x4160bc FindNextFileW
0x4160c0 IsValidCodePage
0x4160c4 GetACP
0x4160c8 GetOEMCP
0x4160cc GetCPInfo
0x4160d0 MultiByteToWideChar
0x4160d4 WideCharToMultiByte
0x4160d8 GetEnvironmentStringsW
0x4160dc FreeEnvironmentStringsW
0x4160e0 SetEnvironmentVariableW
0x4160e4 SetStdHandle
0x4160e8 GetStringTypeW
0x4160ec GetProcessHeap
0x4160f0 FlushFileBuffers
0x4160f4 GetConsoleOutputCP
0x4160f8 GetConsoleMode
0x4160fc GetFileSizeEx
0x416100 SetFilePointerEx
0x416104 HeapSize
0x416108 HeapReAlloc
EAT(Export Address Table) is none
USER32.dll
0x416110 GetIconInfo
0x416114 LoadIconA
0x416118 GetWindowTextA
0x41611c GetForegroundWindow
KERNEL32.dll
0x416000 GetCommandLineW
0x416004 WriteConsoleW
0x416008 CreateFileW
0x41600c UnhandledExceptionFilter
0x416010 SetUnhandledExceptionFilter
0x416014 GetCurrentProcess
0x416018 TerminateProcess
0x41601c IsProcessorFeaturePresent
0x416020 QueryPerformanceCounter
0x416024 GetCurrentProcessId
0x416028 GetCurrentThreadId
0x41602c GetSystemTimeAsFileTime
0x416030 InitializeSListHead
0x416034 IsDebuggerPresent
0x416038 GetStartupInfoW
0x41603c GetModuleHandleW
0x416040 CloseHandle
0x416044 RaiseException
0x416048 RtlUnwind
0x41604c GetLastError
0x416050 SetLastError
0x416054 EncodePointer
0x416058 EnterCriticalSection
0x41605c LeaveCriticalSection
0x416060 DeleteCriticalSection
0x416064 InitializeCriticalSectionAndSpinCount
0x416068 TlsAlloc
0x41606c TlsGetValue
0x416070 TlsSetValue
0x416074 TlsFree
0x416078 FreeLibrary
0x41607c GetProcAddress
0x416080 LoadLibraryExW
0x416084 GetStdHandle
0x416088 WriteFile
0x41608c GetModuleFileNameW
0x416090 ExitProcess
0x416094 GetModuleHandleExW
0x416098 GetCommandLineA
0x41609c DecodePointer
0x4160a0 HeapAlloc
0x4160a4 HeapFree
0x4160a8 CompareStringW
0x4160ac LCMapStringW
0x4160b0 GetFileType
0x4160b4 FindClose
0x4160b8 FindFirstFileExW
0x4160bc FindNextFileW
0x4160c0 IsValidCodePage
0x4160c4 GetACP
0x4160c8 GetOEMCP
0x4160cc GetCPInfo
0x4160d0 MultiByteToWideChar
0x4160d4 WideCharToMultiByte
0x4160d8 GetEnvironmentStringsW
0x4160dc FreeEnvironmentStringsW
0x4160e0 SetEnvironmentVariableW
0x4160e4 SetStdHandle
0x4160e8 GetStringTypeW
0x4160ec GetProcessHeap
0x4160f0 FlushFileBuffers
0x4160f4 GetConsoleOutputCP
0x4160f8 GetConsoleMode
0x4160fc GetFileSizeEx
0x416100 SetFilePointerEx
0x416104 HeapSize
0x416108 HeapReAlloc
EAT(Export Address Table) is none