ScreenShot
| Created | 2023.09.21 18:14 | Machine | s1_win7_x6401 |
| Filename | exto.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 21 detected (AIDetectMalware, Kryptik, Eldorado, Attribute, HighConfidence, malicious, high confidence, GenKryptik, GOBL, score, Stealerc, PWSX, Inject4, Sabsik, Detected, BScope, Wacatac, Genetic, 2IOPZNDHrYF, HURI) | ||
| md5 | 27e81eda70881f1875c07fb6a9da8a5e | ||
| sha256 | 2eeb6e8d825add69f636c037423584f0fdde89fa08b22f0d86401808166058a6 | ||
| ssdeep | 12288:LoWddPenEp953bXeWJOTfo8o+NFJiJRTTw7KuLpJhz2wxns0m7dsfD5:n/PenEp953bQfo8LnAT87R/ns0m7Y | ||
| imphash | 275c1ac8a0a90e452d90c6b023f705b9 | ||
| impfuzzy | 24:s09scpVxgZCrttlS1wGzplJBl3eDoLoEOovbOZFuFZMvtGMAHTq+lEZHu95:V9scpV6CrttlS1wGzPpXc3fuFZGl0 | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 21 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4d1000 Sleep
0x4d1004 GetConsoleWindow
0x4d1008 FormatMessageA
0x4d100c WideCharToMultiByte
0x4d1010 MultiByteToWideChar
0x4d1014 GetStringTypeW
0x4d1018 EnterCriticalSection
0x4d101c LeaveCriticalSection
0x4d1020 InitializeCriticalSectionEx
0x4d1024 DeleteCriticalSection
0x4d1028 LocalFree
0x4d102c GetLocaleInfoEx
0x4d1030 EncodePointer
0x4d1034 DecodePointer
0x4d1038 LCMapStringEx
0x4d103c CompareStringEx
0x4d1040 GetCPInfo
0x4d1044 IsProcessorFeaturePresent
0x4d1048 UnhandledExceptionFilter
0x4d104c SetUnhandledExceptionFilter
0x4d1050 GetCurrentProcess
0x4d1054 TerminateProcess
0x4d1058 QueryPerformanceCounter
0x4d105c GetCurrentProcessId
0x4d1060 GetCurrentThreadId
0x4d1064 GetSystemTimeAsFileTime
0x4d1068 InitializeSListHead
0x4d106c IsDebuggerPresent
0x4d1070 GetStartupInfoW
0x4d1074 GetModuleHandleW
0x4d1078 CreateFileW
0x4d107c RaiseException
0x4d1080 RtlUnwind
0x4d1084 InterlockedPushEntrySList
0x4d1088 InterlockedFlushSList
0x4d108c GetLastError
0x4d1090 SetLastError
0x4d1094 InitializeCriticalSectionAndSpinCount
0x4d1098 TlsAlloc
0x4d109c TlsGetValue
0x4d10a0 TlsSetValue
0x4d10a4 TlsFree
0x4d10a8 FreeLibrary
0x4d10ac GetProcAddress
0x4d10b0 LoadLibraryExW
0x4d10b4 GetStdHandle
0x4d10b8 WriteFile
0x4d10bc GetModuleFileNameW
0x4d10c0 ExitProcess
0x4d10c4 GetModuleHandleExW
0x4d10c8 GetCommandLineA
0x4d10cc GetCommandLineW
0x4d10d0 GetCurrentThread
0x4d10d4 HeapFree
0x4d10d8 HeapAlloc
0x4d10dc GetDateFormatW
0x4d10e0 GetTimeFormatW
0x4d10e4 CompareStringW
0x4d10e8 LCMapStringW
0x4d10ec GetLocaleInfoW
0x4d10f0 IsValidLocale
0x4d10f4 GetUserDefaultLCID
0x4d10f8 EnumSystemLocalesW
0x4d10fc GetFileType
0x4d1100 GetFileSizeEx
0x4d1104 SetFilePointerEx
0x4d1108 CloseHandle
0x4d110c FlushFileBuffers
0x4d1110 GetConsoleOutputCP
0x4d1114 GetConsoleMode
0x4d1118 ReadFile
0x4d111c HeapReAlloc
0x4d1120 SetConsoleCtrlHandler
0x4d1124 GetTimeZoneInformation
0x4d1128 OutputDebugStringW
0x4d112c FindClose
0x4d1130 FindFirstFileExW
0x4d1134 FindNextFileW
0x4d1138 IsValidCodePage
0x4d113c GetACP
0x4d1140 GetOEMCP
0x4d1144 GetEnvironmentStringsW
0x4d1148 FreeEnvironmentStringsW
0x4d114c SetEnvironmentVariableW
0x4d1150 SetStdHandle
0x4d1154 GetProcessHeap
0x4d1158 ReadConsoleW
0x4d115c HeapSize
0x4d1160 WriteConsoleW
EAT(Export Address Table) Library
0x402176 ReloadData
KERNEL32.dll
0x4d1000 Sleep
0x4d1004 GetConsoleWindow
0x4d1008 FormatMessageA
0x4d100c WideCharToMultiByte
0x4d1010 MultiByteToWideChar
0x4d1014 GetStringTypeW
0x4d1018 EnterCriticalSection
0x4d101c LeaveCriticalSection
0x4d1020 InitializeCriticalSectionEx
0x4d1024 DeleteCriticalSection
0x4d1028 LocalFree
0x4d102c GetLocaleInfoEx
0x4d1030 EncodePointer
0x4d1034 DecodePointer
0x4d1038 LCMapStringEx
0x4d103c CompareStringEx
0x4d1040 GetCPInfo
0x4d1044 IsProcessorFeaturePresent
0x4d1048 UnhandledExceptionFilter
0x4d104c SetUnhandledExceptionFilter
0x4d1050 GetCurrentProcess
0x4d1054 TerminateProcess
0x4d1058 QueryPerformanceCounter
0x4d105c GetCurrentProcessId
0x4d1060 GetCurrentThreadId
0x4d1064 GetSystemTimeAsFileTime
0x4d1068 InitializeSListHead
0x4d106c IsDebuggerPresent
0x4d1070 GetStartupInfoW
0x4d1074 GetModuleHandleW
0x4d1078 CreateFileW
0x4d107c RaiseException
0x4d1080 RtlUnwind
0x4d1084 InterlockedPushEntrySList
0x4d1088 InterlockedFlushSList
0x4d108c GetLastError
0x4d1090 SetLastError
0x4d1094 InitializeCriticalSectionAndSpinCount
0x4d1098 TlsAlloc
0x4d109c TlsGetValue
0x4d10a0 TlsSetValue
0x4d10a4 TlsFree
0x4d10a8 FreeLibrary
0x4d10ac GetProcAddress
0x4d10b0 LoadLibraryExW
0x4d10b4 GetStdHandle
0x4d10b8 WriteFile
0x4d10bc GetModuleFileNameW
0x4d10c0 ExitProcess
0x4d10c4 GetModuleHandleExW
0x4d10c8 GetCommandLineA
0x4d10cc GetCommandLineW
0x4d10d0 GetCurrentThread
0x4d10d4 HeapFree
0x4d10d8 HeapAlloc
0x4d10dc GetDateFormatW
0x4d10e0 GetTimeFormatW
0x4d10e4 CompareStringW
0x4d10e8 LCMapStringW
0x4d10ec GetLocaleInfoW
0x4d10f0 IsValidLocale
0x4d10f4 GetUserDefaultLCID
0x4d10f8 EnumSystemLocalesW
0x4d10fc GetFileType
0x4d1100 GetFileSizeEx
0x4d1104 SetFilePointerEx
0x4d1108 CloseHandle
0x4d110c FlushFileBuffers
0x4d1110 GetConsoleOutputCP
0x4d1114 GetConsoleMode
0x4d1118 ReadFile
0x4d111c HeapReAlloc
0x4d1120 SetConsoleCtrlHandler
0x4d1124 GetTimeZoneInformation
0x4d1128 OutputDebugStringW
0x4d112c FindClose
0x4d1130 FindFirstFileExW
0x4d1134 FindNextFileW
0x4d1138 IsValidCodePage
0x4d113c GetACP
0x4d1140 GetOEMCP
0x4d1144 GetEnvironmentStringsW
0x4d1148 FreeEnvironmentStringsW
0x4d114c SetEnvironmentVariableW
0x4d1150 SetStdHandle
0x4d1154 GetProcessHeap
0x4d1158 ReadConsoleW
0x4d115c HeapSize
0x4d1160 WriteConsoleW
EAT(Export Address Table) Library
0x402176 ReloadData