ScreenShot
| Created | 2023.09.14 14:36 | Machine | s1_win7_x6403 |
| Filename | k5.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 12 detected (AIDetectMalware, ZexaF, xuW@amwLjzhi, Attribute, HighConfidence, malicious, high confidence, score, Generic@AI, RDML, dDIpoxiglDXj0hXpLNu+UA, Static AI, Suspicious PE, susgen, confidence, 100%) | ||
| md5 | 87f6774e25128d080fecd3fe5e15daa6 | ||
| sha256 | 4b348a11688dd83bf58edfb6020d5d3f5ea8cd017aaf6ff89592263896f055ca | ||
| ssdeep | 6144:YRQoL09mu6CHH9CZWUQKcSemuu6C3qECHH9CZWUQKcSemuu6C3qQc1:YWokcudCnx6C3fudCnx6C3Rc1 | ||
| imphash | 9dcc2fb8fef0355edecee5c713257e9c | ||
| impfuzzy | 48:XF/KA/XSv09sjKS5zGSY+nB6UyC8YBtMS175c+ppm+X3wU:1N4ptMS175c+ppm+T | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 12 AntiVirus engines on VirusTotal as malicious |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | The process wscript.exe wrote an executable file to disk |
| watch | Wscript.exe initiated network communications indicative of a script based payload download |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | This executable has a PDB path |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to a *.jungleheart .com Domain
ET INFO TLS Handshake Failure
SURICATA Applayer Wrong direction first Data
ET INFO DYNAMIC_DNS Query to a *.jungleheart .com Domain
ET INFO TLS Handshake Failure
SURICATA Applayer Wrong direction first Data
PE API
IAT(Import Address Table) Library
USER32.dll
0x41011c DispatchMessageW
0x410120 GetMessageW
0x410124 DefWindowProcW
0x410128 DestroyWindow
0x41012c CreateWindowExW
0x410130 EndDialog
0x410134 RegisterClassExW
0x410138 LoadAcceleratorsW
0x41013c LoadStringW
0x410140 ShowWindow
0x410144 EndPaint
0x410148 TranslateAcceleratorW
0x41014c TranslateMessage
0x410150 LoadIconW
0x410154 LoadCursorW
0x410158 PostQuitMessage
0x41015c DialogBoxParamW
0x410160 UpdateWindow
0x410164 BeginPaint
KERNEL32.dll
0x410000 GetModuleFileNameW
0x410004 DecodePointer
0x410008 WriteConsoleW
0x41000c CreateFileW
0x410010 SetFilePointerEx
0x410014 GetConsoleMode
0x410018 GetConsoleOutputCP
0x41001c FlushFileBuffers
0x410020 HeapReAlloc
0x410024 HeapSize
0x410028 GetProcessHeap
0x41002c LCMapStringW
0x410030 CompareStringW
0x410034 UnhandledExceptionFilter
0x410038 SetUnhandledExceptionFilter
0x41003c GetCurrentProcess
0x410040 TerminateProcess
0x410044 IsProcessorFeaturePresent
0x410048 QueryPerformanceCounter
0x41004c GetCurrentProcessId
0x410050 GetCurrentThreadId
0x410054 GetSystemTimeAsFileTime
0x410058 InitializeSListHead
0x41005c IsDebuggerPresent
0x410060 GetStartupInfoW
0x410064 GetModuleHandleW
0x410068 RtlUnwind
0x41006c GetLastError
0x410070 SetLastError
0x410074 EnterCriticalSection
0x410078 LeaveCriticalSection
0x41007c DeleteCriticalSection
0x410080 InitializeCriticalSectionAndSpinCount
0x410084 TlsAlloc
0x410088 TlsGetValue
0x41008c TlsSetValue
0x410090 TlsFree
0x410094 FreeLibrary
0x410098 GetProcAddress
0x41009c LoadLibraryExW
0x4100a0 EncodePointer
0x4100a4 RaiseException
0x4100a8 GetStdHandle
0x4100ac WriteFile
0x4100b0 ExitProcess
0x4100b4 GetModuleHandleExW
0x4100b8 HeapFree
0x4100bc CloseHandle
0x4100c0 WaitForSingleObject
0x4100c4 GetExitCodeProcess
0x4100c8 CreateProcessW
0x4100cc GetFileAttributesExW
0x4100d0 HeapAlloc
0x4100d4 FindClose
0x4100d8 FindFirstFileExW
0x4100dc FindNextFileW
0x4100e0 IsValidCodePage
0x4100e4 GetACP
0x4100e8 GetOEMCP
0x4100ec GetCPInfo
0x4100f0 GetCommandLineA
0x4100f4 GetCommandLineW
0x4100f8 MultiByteToWideChar
0x4100fc WideCharToMultiByte
0x410100 GetEnvironmentStringsW
0x410104 FreeEnvironmentStringsW
0x410108 SetEnvironmentVariableW
0x41010c SetStdHandle
0x410110 GetFileType
0x410114 GetStringTypeW
EAT(Export Address Table) is none
USER32.dll
0x41011c DispatchMessageW
0x410120 GetMessageW
0x410124 DefWindowProcW
0x410128 DestroyWindow
0x41012c CreateWindowExW
0x410130 EndDialog
0x410134 RegisterClassExW
0x410138 LoadAcceleratorsW
0x41013c LoadStringW
0x410140 ShowWindow
0x410144 EndPaint
0x410148 TranslateAcceleratorW
0x41014c TranslateMessage
0x410150 LoadIconW
0x410154 LoadCursorW
0x410158 PostQuitMessage
0x41015c DialogBoxParamW
0x410160 UpdateWindow
0x410164 BeginPaint
KERNEL32.dll
0x410000 GetModuleFileNameW
0x410004 DecodePointer
0x410008 WriteConsoleW
0x41000c CreateFileW
0x410010 SetFilePointerEx
0x410014 GetConsoleMode
0x410018 GetConsoleOutputCP
0x41001c FlushFileBuffers
0x410020 HeapReAlloc
0x410024 HeapSize
0x410028 GetProcessHeap
0x41002c LCMapStringW
0x410030 CompareStringW
0x410034 UnhandledExceptionFilter
0x410038 SetUnhandledExceptionFilter
0x41003c GetCurrentProcess
0x410040 TerminateProcess
0x410044 IsProcessorFeaturePresent
0x410048 QueryPerformanceCounter
0x41004c GetCurrentProcessId
0x410050 GetCurrentThreadId
0x410054 GetSystemTimeAsFileTime
0x410058 InitializeSListHead
0x41005c IsDebuggerPresent
0x410060 GetStartupInfoW
0x410064 GetModuleHandleW
0x410068 RtlUnwind
0x41006c GetLastError
0x410070 SetLastError
0x410074 EnterCriticalSection
0x410078 LeaveCriticalSection
0x41007c DeleteCriticalSection
0x410080 InitializeCriticalSectionAndSpinCount
0x410084 TlsAlloc
0x410088 TlsGetValue
0x41008c TlsSetValue
0x410090 TlsFree
0x410094 FreeLibrary
0x410098 GetProcAddress
0x41009c LoadLibraryExW
0x4100a0 EncodePointer
0x4100a4 RaiseException
0x4100a8 GetStdHandle
0x4100ac WriteFile
0x4100b0 ExitProcess
0x4100b4 GetModuleHandleExW
0x4100b8 HeapFree
0x4100bc CloseHandle
0x4100c0 WaitForSingleObject
0x4100c4 GetExitCodeProcess
0x4100c8 CreateProcessW
0x4100cc GetFileAttributesExW
0x4100d0 HeapAlloc
0x4100d4 FindClose
0x4100d8 FindFirstFileExW
0x4100dc FindNextFileW
0x4100e0 IsValidCodePage
0x4100e4 GetACP
0x4100e8 GetOEMCP
0x4100ec GetCPInfo
0x4100f0 GetCommandLineA
0x4100f4 GetCommandLineW
0x4100f8 MultiByteToWideChar
0x4100fc WideCharToMultiByte
0x410100 GetEnvironmentStringsW
0x410104 FreeEnvironmentStringsW
0x410108 SetEnvironmentVariableW
0x41010c SetStdHandle
0x410110 GetFileType
0x410114 GetStringTypeW
EAT(Export Address Table) is none