ScreenShot
| Created | 2023.09.16 14:17 | Machine | s1_win7_x6403_us |
| Filename | Project7.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 48 detected (AIDetectMalware, GenericKD, Artemis, Kryptik, Vtmt, malicious, confidence, 100%, TrojanPSW, Stealerc, ZexaF, QL0@aiW1@dmk, ABRisk, ZRNS, Attribute, HighConfidence, moderate confidence, GenKryptik, GNPJ, score, PWSX, Gencirc, thqee, Sality, moderate, Static AI, Suspicious PE, ai score=80, Sabsik, Detected, unsafe, Chgt, R002H0DIA23, Generic@AI, RDML, fig71e9Jd0X, iDeMQWy+jw, Krypt, susgen) | ||
| md5 | a7e4e478fbf4a1ff9a1be70ee8afd190 | ||
| sha256 | 9bdb51905b1eac04722007ffcc4a86f1bd84b618ca2610580e01acd21b98cdcb | ||
| ssdeep | 24576:+yZ64ndor0y8cvUfoPch+t62fXWbRTfZOwgh:1M8cxt6xNa | ||
| imphash | 91f6eb56df945aba8e2cf7fe16f491e4 | ||
| impfuzzy | 24:ccDoU9JcpVxgcmriJt3bSYEouzhyJBlaT7ov7rTQuFZ6GMAEWpOovbOPZHu9m:B9JcpVVmriJt3bSGuzA8/6UuFZol3H | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | infoStealer_browser_b_Zero | browser info stealer | binaries (download) |
| watch | ASPack_Zero | ASPack packed file | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x637000 VirtualAlloc
0x637004 VirtualFree
0x637008 GetProcAddress
0x63700c LoadLibraryA
0x637010 SetStdHandle
0x637014 FormatMessageA
0x637018 WideCharToMultiByte
0x63701c EnterCriticalSection
0x637020 LeaveCriticalSection
0x637024 InitializeCriticalSectionEx
0x637028 DeleteCriticalSection
0x63702c LocalFree
0x637030 GetLocaleInfoEx
0x637034 EncodePointer
0x637038 DecodePointer
0x63703c MultiByteToWideChar
0x637040 LCMapStringEx
0x637044 GetStringTypeW
0x637048 CompareStringEx
0x63704c GetCPInfo
0x637050 GetCurrentThreadId
0x637054 UnhandledExceptionFilter
0x637058 SetUnhandledExceptionFilter
0x63705c GetCurrentProcess
0x637060 TerminateProcess
0x637064 IsProcessorFeaturePresent
0x637068 IsDebuggerPresent
0x63706c RaiseException
0x637070 QueryPerformanceCounter
0x637074 GetCurrentProcessId
0x637078 GetSystemTimeAsFileTime
0x63707c InitializeSListHead
0x637080 GetStartupInfoW
0x637084 GetModuleHandleW
0x637088 GetLastError
0x63708c HeapAlloc
0x637090 HeapFree
0x637094 GetProcessHeap
0x637098 VirtualQuery
0x63709c FreeLibrary
0x6370a0 RtlUnwind
0x6370a4 InterlockedPushEntrySList
0x6370a8 InterlockedFlushSList
0x6370ac GetModuleFileNameW
0x6370b0 LoadLibraryExW
0x6370b4 SetLastError
0x6370b8 InitializeCriticalSectionAndSpinCount
0x6370bc TlsAlloc
0x6370c0 TlsGetValue
0x6370c4 TlsSetValue
0x6370c8 TlsFree
0x6370cc HeapValidate
0x6370d0 GetSystemInfo
0x6370d4 GetModuleHandleExW
0x6370d8 GetStdHandle
0x6370dc WriteFile
0x6370e0 ExitProcess
0x6370e4 GetCurrentThread
0x6370e8 HeapReAlloc
0x6370ec HeapSize
0x6370f0 HeapQueryInformation
0x6370f4 GetFileType
0x6370f8 OutputDebugStringW
0x6370fc WriteConsoleW
0x637100 SetConsoleCtrlHandler
0x637104 GetTempPathW
0x637108 GetDateFormatW
0x63710c GetTimeFormatW
0x637110 CompareStringW
0x637114 LCMapStringW
0x637118 GetLocaleInfoW
0x63711c IsValidLocale
0x637120 GetUserDefaultLCID
0x637124 EnumSystemLocalesW
0x637128 CloseHandle
0x63712c FlushFileBuffers
0x637130 GetConsoleOutputCP
0x637134 GetConsoleMode
0x637138 ReadFile
0x63713c GetFileSizeEx
0x637140 SetFilePointerEx
0x637144 ReadConsoleW
0x637148 GetTimeZoneInformation
0x63714c FindClose
0x637150 FindFirstFileExW
0x637154 FindNextFileW
0x637158 IsValidCodePage
0x63715c GetACP
0x637160 GetOEMCP
0x637164 GetCommandLineA
0x637168 GetCommandLineW
0x63716c GetEnvironmentStringsW
0x637170 FreeEnvironmentStringsW
0x637174 SetEnvironmentVariableW
0x637178 CreateFileW
EAT(Export Address Table) is none
KERNEL32.dll
0x637000 VirtualAlloc
0x637004 VirtualFree
0x637008 GetProcAddress
0x63700c LoadLibraryA
0x637010 SetStdHandle
0x637014 FormatMessageA
0x637018 WideCharToMultiByte
0x63701c EnterCriticalSection
0x637020 LeaveCriticalSection
0x637024 InitializeCriticalSectionEx
0x637028 DeleteCriticalSection
0x63702c LocalFree
0x637030 GetLocaleInfoEx
0x637034 EncodePointer
0x637038 DecodePointer
0x63703c MultiByteToWideChar
0x637040 LCMapStringEx
0x637044 GetStringTypeW
0x637048 CompareStringEx
0x63704c GetCPInfo
0x637050 GetCurrentThreadId
0x637054 UnhandledExceptionFilter
0x637058 SetUnhandledExceptionFilter
0x63705c GetCurrentProcess
0x637060 TerminateProcess
0x637064 IsProcessorFeaturePresent
0x637068 IsDebuggerPresent
0x63706c RaiseException
0x637070 QueryPerformanceCounter
0x637074 GetCurrentProcessId
0x637078 GetSystemTimeAsFileTime
0x63707c InitializeSListHead
0x637080 GetStartupInfoW
0x637084 GetModuleHandleW
0x637088 GetLastError
0x63708c HeapAlloc
0x637090 HeapFree
0x637094 GetProcessHeap
0x637098 VirtualQuery
0x63709c FreeLibrary
0x6370a0 RtlUnwind
0x6370a4 InterlockedPushEntrySList
0x6370a8 InterlockedFlushSList
0x6370ac GetModuleFileNameW
0x6370b0 LoadLibraryExW
0x6370b4 SetLastError
0x6370b8 InitializeCriticalSectionAndSpinCount
0x6370bc TlsAlloc
0x6370c0 TlsGetValue
0x6370c4 TlsSetValue
0x6370c8 TlsFree
0x6370cc HeapValidate
0x6370d0 GetSystemInfo
0x6370d4 GetModuleHandleExW
0x6370d8 GetStdHandle
0x6370dc WriteFile
0x6370e0 ExitProcess
0x6370e4 GetCurrentThread
0x6370e8 HeapReAlloc
0x6370ec HeapSize
0x6370f0 HeapQueryInformation
0x6370f4 GetFileType
0x6370f8 OutputDebugStringW
0x6370fc WriteConsoleW
0x637100 SetConsoleCtrlHandler
0x637104 GetTempPathW
0x637108 GetDateFormatW
0x63710c GetTimeFormatW
0x637110 CompareStringW
0x637114 LCMapStringW
0x637118 GetLocaleInfoW
0x63711c IsValidLocale
0x637120 GetUserDefaultLCID
0x637124 EnumSystemLocalesW
0x637128 CloseHandle
0x63712c FlushFileBuffers
0x637130 GetConsoleOutputCP
0x637134 GetConsoleMode
0x637138 ReadFile
0x63713c GetFileSizeEx
0x637140 SetFilePointerEx
0x637144 ReadConsoleW
0x637148 GetTimeZoneInformation
0x63714c FindClose
0x637150 FindFirstFileExW
0x637154 FindNextFileW
0x637158 IsValidCodePage
0x63715c GetACP
0x637160 GetOEMCP
0x637164 GetCommandLineA
0x637168 GetCommandLineW
0x63716c GetEnvironmentStringsW
0x637170 FreeEnvironmentStringsW
0x637174 SetEnvironmentVariableW
0x637178 CreateFileW
EAT(Export Address Table) is none