ScreenShot
| Created | 2023.09.15 17:34 | Machine | s1_win7_x6401 |
| Filename | expo.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 38 detected (AIDetectMalware, GGRT, Artemis, PasswordStealer, V0st, Kryptik, Eldorado, Attribute, HighConfidence, malicious, high confidence, ETFD, score, Exploitx, KillProc2, SMOKELOADER, YXDIOZ, Outbreak, Znyonm, Sabsik, Detected, ai score=80, unsafe, Genetic, CeppGcuQMQO, susgen, confidence, 100%) | ||
| md5 | f94bf3a0e3733958d4973ef664f78927 | ||
| sha256 | 7a266b1d528127259dc89f9d9410b19c5ab55247034db6e4ec8f37c1b51bee79 | ||
| ssdeep | 24576:DMdQ1KOpYU/hsYVNQnb3iUBDqd6a9Dhvh9wj78ptl:31F/hsYVNQ+UI6a3vHwj78pv | ||
| imphash | 62020f417898af4db9f3ac5ebd561fe6 | ||
| impfuzzy | 48:ooWfdz9vxcpVJxnYyXtXOr8bt8XzbQo3buFZGzA:ooWfV1xcpVJxnjXtXU8bt8XPQPb | ||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Yara rule detected in process memory |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
PE API
IAT(Import Address Table) Library
ole32.dll
0x5c02c0 CoGetObjectContext
0x5c02c4 CoGetApartmentType
KERNEL32.dll
0x5c0000 GetCPInfo
0x5c0004 CreateFileW
0x5c0008 HeapSize
0x5c000c FreeConsole
0x5c0010 RaiseException
0x5c0014 InitializeSRWLock
0x5c0018 ReleaseSRWLockExclusive
0x5c001c AcquireSRWLockExclusive
0x5c0020 TryAcquireSRWLockExclusive
0x5c0024 GetCurrentThreadId
0x5c0028 InitializeConditionVariable
0x5c002c WakeConditionVariable
0x5c0030 WakeAllConditionVariable
0x5c0034 SleepConditionVariableSRW
0x5c0038 FormatMessageA
0x5c003c WideCharToMultiByte
0x5c0040 MultiByteToWideChar
0x5c0044 GetStringTypeW
0x5c0048 InitOnceBeginInitialize
0x5c004c InitOnceComplete
0x5c0050 GetLastError
0x5c0054 FreeLibraryWhenCallbackReturns
0x5c0058 CreateThreadpoolWork
0x5c005c SubmitThreadpoolWork
0x5c0060 CloseThreadpoolWork
0x5c0064 GetModuleHandleExW
0x5c0068 RtlCaptureStackBackTrace
0x5c006c IsProcessorFeaturePresent
0x5c0070 EnterCriticalSection
0x5c0074 LeaveCriticalSection
0x5c0078 InitializeCriticalSectionEx
0x5c007c DeleteCriticalSection
0x5c0080 QueryPerformanceCounter
0x5c0084 QueryPerformanceFrequency
0x5c0088 CloseHandle
0x5c008c WaitForSingleObjectEx
0x5c0090 Sleep
0x5c0094 SwitchToThread
0x5c0098 GetExitCodeThread
0x5c009c GetNativeSystemInfo
0x5c00a0 LocalFree
0x5c00a4 GetLocaleInfoEx
0x5c00a8 EncodePointer
0x5c00ac DecodePointer
0x5c00b0 LCMapStringEx
0x5c00b4 SetFileInformationByHandle
0x5c00b8 GetTempPathW
0x5c00bc FlsAlloc
0x5c00c0 FlsGetValue
0x5c00c4 FlsSetValue
0x5c00c8 FlsFree
0x5c00cc InitOnceExecuteOnce
0x5c00d0 SleepConditionVariableCS
0x5c00d4 CreateEventExW
0x5c00d8 CreateSemaphoreExW
0x5c00dc FlushProcessWriteBuffers
0x5c00e0 GetCurrentProcessorNumber
0x5c00e4 GetSystemTimeAsFileTime
0x5c00e8 GetTickCount64
0x5c00ec CreateThreadpoolTimer
0x5c00f0 SetThreadpoolTimer
0x5c00f4 WaitForThreadpoolTimerCallbacks
0x5c00f8 CloseThreadpoolTimer
0x5c00fc CreateThreadpoolWait
0x5c0100 SetThreadpoolWait
0x5c0104 CloseThreadpoolWait
0x5c0108 GetModuleHandleW
0x5c010c GetProcAddress
0x5c0110 GetFileInformationByHandleEx
0x5c0114 CreateSymbolicLinkW
0x5c0118 CompareStringEx
0x5c011c WriteConsoleW
0x5c0120 InitializeCriticalSectionAndSpinCount
0x5c0124 SetEvent
0x5c0128 ResetEvent
0x5c012c CreateEventW
0x5c0130 IsDebuggerPresent
0x5c0134 UnhandledExceptionFilter
0x5c0138 SetUnhandledExceptionFilter
0x5c013c GetStartupInfoW
0x5c0140 GetCurrentProcess
0x5c0144 TerminateProcess
0x5c0148 GetCurrentProcessId
0x5c014c InitializeSListHead
0x5c0150 ReadConsoleW
0x5c0154 RtlUnwind
0x5c0158 InterlockedPushEntrySList
0x5c015c InterlockedFlushSList
0x5c0160 SetLastError
0x5c0164 TlsAlloc
0x5c0168 TlsGetValue
0x5c016c TlsSetValue
0x5c0170 TlsFree
0x5c0174 FreeLibrary
0x5c0178 LoadLibraryExW
0x5c017c CreateThread
0x5c0180 ExitThread
0x5c0184 ResumeThread
0x5c0188 FreeLibraryAndExitThread
0x5c018c ExitProcess
0x5c0190 GetModuleFileNameW
0x5c0194 GetStdHandle
0x5c0198 WriteFile
0x5c019c GetCommandLineA
0x5c01a0 GetCommandLineW
0x5c01a4 GetCurrentThread
0x5c01a8 HeapFree
0x5c01ac SetConsoleCtrlHandler
0x5c01b0 HeapAlloc
0x5c01b4 GetDateFormatW
0x5c01b8 GetTimeFormatW
0x5c01bc CompareStringW
0x5c01c0 LCMapStringW
0x5c01c4 GetLocaleInfoW
0x5c01c8 IsValidLocale
0x5c01cc GetUserDefaultLCID
0x5c01d0 EnumSystemLocalesW
0x5c01d4 GetFileType
0x5c01d8 GetFileSizeEx
0x5c01dc SetFilePointerEx
0x5c01e0 FlushFileBuffers
0x5c01e4 GetConsoleOutputCP
0x5c01e8 GetConsoleMode
0x5c01ec ReadFile
0x5c01f0 HeapReAlloc
0x5c01f4 GetTimeZoneInformation
0x5c01f8 FindClose
0x5c01fc FindFirstFileExW
0x5c0200 FindNextFileW
0x5c0204 IsValidCodePage
0x5c0208 GetACP
0x5c020c GetOEMCP
0x5c0210 GetEnvironmentStringsW
0x5c0214 FreeEnvironmentStringsW
0x5c0218 SetEnvironmentVariableW
0x5c021c GetProcessHeap
0x5c0220 OutputDebugStringW
0x5c0224 SetStdHandle
EAT(Export Address Table) is none
ole32.dll
0x5c02c0 CoGetObjectContext
0x5c02c4 CoGetApartmentType
KERNEL32.dll
0x5c0000 GetCPInfo
0x5c0004 CreateFileW
0x5c0008 HeapSize
0x5c000c FreeConsole
0x5c0010 RaiseException
0x5c0014 InitializeSRWLock
0x5c0018 ReleaseSRWLockExclusive
0x5c001c AcquireSRWLockExclusive
0x5c0020 TryAcquireSRWLockExclusive
0x5c0024 GetCurrentThreadId
0x5c0028 InitializeConditionVariable
0x5c002c WakeConditionVariable
0x5c0030 WakeAllConditionVariable
0x5c0034 SleepConditionVariableSRW
0x5c0038 FormatMessageA
0x5c003c WideCharToMultiByte
0x5c0040 MultiByteToWideChar
0x5c0044 GetStringTypeW
0x5c0048 InitOnceBeginInitialize
0x5c004c InitOnceComplete
0x5c0050 GetLastError
0x5c0054 FreeLibraryWhenCallbackReturns
0x5c0058 CreateThreadpoolWork
0x5c005c SubmitThreadpoolWork
0x5c0060 CloseThreadpoolWork
0x5c0064 GetModuleHandleExW
0x5c0068 RtlCaptureStackBackTrace
0x5c006c IsProcessorFeaturePresent
0x5c0070 EnterCriticalSection
0x5c0074 LeaveCriticalSection
0x5c0078 InitializeCriticalSectionEx
0x5c007c DeleteCriticalSection
0x5c0080 QueryPerformanceCounter
0x5c0084 QueryPerformanceFrequency
0x5c0088 CloseHandle
0x5c008c WaitForSingleObjectEx
0x5c0090 Sleep
0x5c0094 SwitchToThread
0x5c0098 GetExitCodeThread
0x5c009c GetNativeSystemInfo
0x5c00a0 LocalFree
0x5c00a4 GetLocaleInfoEx
0x5c00a8 EncodePointer
0x5c00ac DecodePointer
0x5c00b0 LCMapStringEx
0x5c00b4 SetFileInformationByHandle
0x5c00b8 GetTempPathW
0x5c00bc FlsAlloc
0x5c00c0 FlsGetValue
0x5c00c4 FlsSetValue
0x5c00c8 FlsFree
0x5c00cc InitOnceExecuteOnce
0x5c00d0 SleepConditionVariableCS
0x5c00d4 CreateEventExW
0x5c00d8 CreateSemaphoreExW
0x5c00dc FlushProcessWriteBuffers
0x5c00e0 GetCurrentProcessorNumber
0x5c00e4 GetSystemTimeAsFileTime
0x5c00e8 GetTickCount64
0x5c00ec CreateThreadpoolTimer
0x5c00f0 SetThreadpoolTimer
0x5c00f4 WaitForThreadpoolTimerCallbacks
0x5c00f8 CloseThreadpoolTimer
0x5c00fc CreateThreadpoolWait
0x5c0100 SetThreadpoolWait
0x5c0104 CloseThreadpoolWait
0x5c0108 GetModuleHandleW
0x5c010c GetProcAddress
0x5c0110 GetFileInformationByHandleEx
0x5c0114 CreateSymbolicLinkW
0x5c0118 CompareStringEx
0x5c011c WriteConsoleW
0x5c0120 InitializeCriticalSectionAndSpinCount
0x5c0124 SetEvent
0x5c0128 ResetEvent
0x5c012c CreateEventW
0x5c0130 IsDebuggerPresent
0x5c0134 UnhandledExceptionFilter
0x5c0138 SetUnhandledExceptionFilter
0x5c013c GetStartupInfoW
0x5c0140 GetCurrentProcess
0x5c0144 TerminateProcess
0x5c0148 GetCurrentProcessId
0x5c014c InitializeSListHead
0x5c0150 ReadConsoleW
0x5c0154 RtlUnwind
0x5c0158 InterlockedPushEntrySList
0x5c015c InterlockedFlushSList
0x5c0160 SetLastError
0x5c0164 TlsAlloc
0x5c0168 TlsGetValue
0x5c016c TlsSetValue
0x5c0170 TlsFree
0x5c0174 FreeLibrary
0x5c0178 LoadLibraryExW
0x5c017c CreateThread
0x5c0180 ExitThread
0x5c0184 ResumeThread
0x5c0188 FreeLibraryAndExitThread
0x5c018c ExitProcess
0x5c0190 GetModuleFileNameW
0x5c0194 GetStdHandle
0x5c0198 WriteFile
0x5c019c GetCommandLineA
0x5c01a0 GetCommandLineW
0x5c01a4 GetCurrentThread
0x5c01a8 HeapFree
0x5c01ac SetConsoleCtrlHandler
0x5c01b0 HeapAlloc
0x5c01b4 GetDateFormatW
0x5c01b8 GetTimeFormatW
0x5c01bc CompareStringW
0x5c01c0 LCMapStringW
0x5c01c4 GetLocaleInfoW
0x5c01c8 IsValidLocale
0x5c01cc GetUserDefaultLCID
0x5c01d0 EnumSystemLocalesW
0x5c01d4 GetFileType
0x5c01d8 GetFileSizeEx
0x5c01dc SetFilePointerEx
0x5c01e0 FlushFileBuffers
0x5c01e4 GetConsoleOutputCP
0x5c01e8 GetConsoleMode
0x5c01ec ReadFile
0x5c01f0 HeapReAlloc
0x5c01f4 GetTimeZoneInformation
0x5c01f8 FindClose
0x5c01fc FindFirstFileExW
0x5c0200 FindNextFileW
0x5c0204 IsValidCodePage
0x5c0208 GetACP
0x5c020c GetOEMCP
0x5c0210 GetEnvironmentStringsW
0x5c0214 FreeEnvironmentStringsW
0x5c0218 SetEnvironmentVariableW
0x5c021c GetProcessHeap
0x5c0220 OutputDebugStringW
0x5c0224 SetStdHandle
EAT(Export Address Table) is none