ScreenShot
| Created | 2023.10.04 07:42 | Machine | s1_win7_x6401 |
| Filename | Setup.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 24 detected (AIDetectMalware, Lazy, Attribute, HighConfidence, malicious, high confidence, score, Stealerc, SpywareX, ai score=87, Sabsik, Detected, BScope, TrojanPSW, Convagent, Genetic, SmokeLoader, CLASSIC, Krypt) | ||
| md5 | 46a22f0849344f152364d921c3c28435 | ||
| sha256 | 1041ffa7fe11147bca657c7f9b58b76a63fab9bedd01e37726e7a5f9df72aed2 | ||
| ssdeep | 24576:WwzT5gWn2HsJRx/6a9DhvhSCPhwtzZc7m6fgA7:dx/6a3vtqtu7m6 | ||
| imphash | 0019c5cc9dc02122ed11385f5bfdf094 | ||
| impfuzzy | 48:sghfBfWDz99rxHRyXtXFc+p5t8dz2Qo3ruFZGf:ZfBfWnDrxHMXtXFc+p5t8dqQ/c | ||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Terminates another process |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_SMTP_dotNet | Communications smtp | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
USER32.dll
0x5a82e4 GetClipCursor
ole32.dll
0x5a8314 CoGetApartmentType
0x5a8318 CoGetObjectContext
ADVAPI32.dll
0x5a8000 RegDisablePredefinedCacheEx
KERNEL32.dll
0x5a8030 ReadConsoleW
0x5a8034 ReadFile
0x5a8038 CreateFileW
0x5a803c WriteConsoleW
0x5a8040 CreateEventW
0x5a8044 FreeConsole
0x5a8048 RaiseException
0x5a804c CloseHandle
0x5a8050 WaitForSingleObjectEx
0x5a8054 Sleep
0x5a8058 SwitchToThread
0x5a805c GetCurrentThreadId
0x5a8060 GetExitCodeThread
0x5a8064 GetNativeSystemInfo
0x5a8068 InitializeSRWLock
0x5a806c ReleaseSRWLockExclusive
0x5a8070 AcquireSRWLockExclusive
0x5a8074 TryAcquireSRWLockExclusive
0x5a8078 InitializeConditionVariable
0x5a807c WakeConditionVariable
0x5a8080 WakeAllConditionVariable
0x5a8084 SleepConditionVariableSRW
0x5a8088 FormatMessageA
0x5a808c InitOnceBeginInitialize
0x5a8090 InitOnceComplete
0x5a8094 GetLastError
0x5a8098 FreeLibraryWhenCallbackReturns
0x5a809c CreateThreadpoolWork
0x5a80a0 SubmitThreadpoolWork
0x5a80a4 CloseThreadpoolWork
0x5a80a8 GetModuleHandleExW
0x5a80ac RtlCaptureStackBackTrace
0x5a80b0 IsProcessorFeaturePresent
0x5a80b4 QueryPerformanceCounter
0x5a80b8 QueryPerformanceFrequency
0x5a80bc LocalFree
0x5a80c0 GetLocaleInfoEx
0x5a80c4 SetFileInformationByHandle
0x5a80c8 GetTempPathW
0x5a80cc FlsAlloc
0x5a80d0 FlsGetValue
0x5a80d4 FlsSetValue
0x5a80d8 FlsFree
0x5a80dc InitializeCriticalSectionEx
0x5a80e0 InitOnceExecuteOnce
0x5a80e4 SleepConditionVariableCS
0x5a80e8 CreateEventExW
0x5a80ec CreateSemaphoreExW
0x5a80f0 FlushProcessWriteBuffers
0x5a80f4 GetCurrentProcessorNumber
0x5a80f8 GetSystemTimeAsFileTime
0x5a80fc GetTickCount64
0x5a8100 CreateThreadpoolTimer
0x5a8104 SetThreadpoolTimer
0x5a8108 WaitForThreadpoolTimerCallbacks
0x5a810c CloseThreadpoolTimer
0x5a8110 CreateThreadpoolWait
0x5a8114 SetThreadpoolWait
0x5a8118 CloseThreadpoolWait
0x5a811c GetModuleHandleW
0x5a8120 GetProcAddress
0x5a8124 GetFileInformationByHandleEx
0x5a8128 CreateSymbolicLinkW
0x5a812c EnterCriticalSection
0x5a8130 LeaveCriticalSection
0x5a8134 DeleteCriticalSection
0x5a8138 InitializeCriticalSectionAndSpinCount
0x5a813c SetEvent
0x5a8140 ResetEvent
0x5a8144 DecodePointer
0x5a8148 IsDebuggerPresent
0x5a814c UnhandledExceptionFilter
0x5a8150 SetUnhandledExceptionFilter
0x5a8154 GetStartupInfoW
0x5a8158 GetCurrentProcess
0x5a815c TerminateProcess
0x5a8160 GetCurrentProcessId
0x5a8164 InitializeSListHead
0x5a8168 HeapReAlloc
0x5a816c RtlUnwind
0x5a8170 InterlockedPushEntrySList
0x5a8174 InterlockedFlushSList
0x5a8178 SetLastError
0x5a817c EncodePointer
0x5a8180 TlsAlloc
0x5a8184 TlsGetValue
0x5a8188 TlsSetValue
0x5a818c TlsFree
0x5a8190 FreeLibrary
0x5a8194 LoadLibraryExW
0x5a8198 CreateThread
0x5a819c ExitThread
0x5a81a0 ResumeThread
0x5a81a4 FreeLibraryAndExitThread
0x5a81a8 ExitProcess
0x5a81ac GetModuleFileNameW
0x5a81b0 GetStdHandle
0x5a81b4 WriteFile
0x5a81b8 GetCommandLineA
0x5a81bc GetCommandLineW
0x5a81c0 GetCurrentThread
0x5a81c4 SetConsoleCtrlHandler
0x5a81c8 HeapAlloc
0x5a81cc HeapFree
0x5a81d0 GetDateFormatW
0x5a81d4 GetTimeFormatW
0x5a81d8 CompareStringW
0x5a81dc LCMapStringW
0x5a81e0 GetLocaleInfoW
0x5a81e4 IsValidLocale
0x5a81e8 GetUserDefaultLCID
0x5a81ec EnumSystemLocalesW
0x5a81f0 GetFileType
0x5a81f4 GetFileSizeEx
0x5a81f8 SetFilePointerEx
0x5a81fc FindClose
0x5a8200 FindFirstFileExW
0x5a8204 FindNextFileW
0x5a8208 IsValidCodePage
0x5a820c GetACP
0x5a8210 GetOEMCP
0x5a8214 GetCPInfo
0x5a8218 MultiByteToWideChar
0x5a821c WideCharToMultiByte
0x5a8220 GetEnvironmentStringsW
0x5a8224 FreeEnvironmentStringsW
0x5a8228 SetEnvironmentVariableW
0x5a822c GetProcessHeap
0x5a8230 OutputDebugStringW
0x5a8234 SetStdHandle
0x5a8238 GetStringTypeW
0x5a823c FlushFileBuffers
0x5a8240 GetConsoleOutputCP
0x5a8244 GetConsoleMode
0x5a8248 HeapSize
EAT(Export Address Table) is none
USER32.dll
0x5a82e4 GetClipCursor
ole32.dll
0x5a8314 CoGetApartmentType
0x5a8318 CoGetObjectContext
ADVAPI32.dll
0x5a8000 RegDisablePredefinedCacheEx
KERNEL32.dll
0x5a8030 ReadConsoleW
0x5a8034 ReadFile
0x5a8038 CreateFileW
0x5a803c WriteConsoleW
0x5a8040 CreateEventW
0x5a8044 FreeConsole
0x5a8048 RaiseException
0x5a804c CloseHandle
0x5a8050 WaitForSingleObjectEx
0x5a8054 Sleep
0x5a8058 SwitchToThread
0x5a805c GetCurrentThreadId
0x5a8060 GetExitCodeThread
0x5a8064 GetNativeSystemInfo
0x5a8068 InitializeSRWLock
0x5a806c ReleaseSRWLockExclusive
0x5a8070 AcquireSRWLockExclusive
0x5a8074 TryAcquireSRWLockExclusive
0x5a8078 InitializeConditionVariable
0x5a807c WakeConditionVariable
0x5a8080 WakeAllConditionVariable
0x5a8084 SleepConditionVariableSRW
0x5a8088 FormatMessageA
0x5a808c InitOnceBeginInitialize
0x5a8090 InitOnceComplete
0x5a8094 GetLastError
0x5a8098 FreeLibraryWhenCallbackReturns
0x5a809c CreateThreadpoolWork
0x5a80a0 SubmitThreadpoolWork
0x5a80a4 CloseThreadpoolWork
0x5a80a8 GetModuleHandleExW
0x5a80ac RtlCaptureStackBackTrace
0x5a80b0 IsProcessorFeaturePresent
0x5a80b4 QueryPerformanceCounter
0x5a80b8 QueryPerformanceFrequency
0x5a80bc LocalFree
0x5a80c0 GetLocaleInfoEx
0x5a80c4 SetFileInformationByHandle
0x5a80c8 GetTempPathW
0x5a80cc FlsAlloc
0x5a80d0 FlsGetValue
0x5a80d4 FlsSetValue
0x5a80d8 FlsFree
0x5a80dc InitializeCriticalSectionEx
0x5a80e0 InitOnceExecuteOnce
0x5a80e4 SleepConditionVariableCS
0x5a80e8 CreateEventExW
0x5a80ec CreateSemaphoreExW
0x5a80f0 FlushProcessWriteBuffers
0x5a80f4 GetCurrentProcessorNumber
0x5a80f8 GetSystemTimeAsFileTime
0x5a80fc GetTickCount64
0x5a8100 CreateThreadpoolTimer
0x5a8104 SetThreadpoolTimer
0x5a8108 WaitForThreadpoolTimerCallbacks
0x5a810c CloseThreadpoolTimer
0x5a8110 CreateThreadpoolWait
0x5a8114 SetThreadpoolWait
0x5a8118 CloseThreadpoolWait
0x5a811c GetModuleHandleW
0x5a8120 GetProcAddress
0x5a8124 GetFileInformationByHandleEx
0x5a8128 CreateSymbolicLinkW
0x5a812c EnterCriticalSection
0x5a8130 LeaveCriticalSection
0x5a8134 DeleteCriticalSection
0x5a8138 InitializeCriticalSectionAndSpinCount
0x5a813c SetEvent
0x5a8140 ResetEvent
0x5a8144 DecodePointer
0x5a8148 IsDebuggerPresent
0x5a814c UnhandledExceptionFilter
0x5a8150 SetUnhandledExceptionFilter
0x5a8154 GetStartupInfoW
0x5a8158 GetCurrentProcess
0x5a815c TerminateProcess
0x5a8160 GetCurrentProcessId
0x5a8164 InitializeSListHead
0x5a8168 HeapReAlloc
0x5a816c RtlUnwind
0x5a8170 InterlockedPushEntrySList
0x5a8174 InterlockedFlushSList
0x5a8178 SetLastError
0x5a817c EncodePointer
0x5a8180 TlsAlloc
0x5a8184 TlsGetValue
0x5a8188 TlsSetValue
0x5a818c TlsFree
0x5a8190 FreeLibrary
0x5a8194 LoadLibraryExW
0x5a8198 CreateThread
0x5a819c ExitThread
0x5a81a0 ResumeThread
0x5a81a4 FreeLibraryAndExitThread
0x5a81a8 ExitProcess
0x5a81ac GetModuleFileNameW
0x5a81b0 GetStdHandle
0x5a81b4 WriteFile
0x5a81b8 GetCommandLineA
0x5a81bc GetCommandLineW
0x5a81c0 GetCurrentThread
0x5a81c4 SetConsoleCtrlHandler
0x5a81c8 HeapAlloc
0x5a81cc HeapFree
0x5a81d0 GetDateFormatW
0x5a81d4 GetTimeFormatW
0x5a81d8 CompareStringW
0x5a81dc LCMapStringW
0x5a81e0 GetLocaleInfoW
0x5a81e4 IsValidLocale
0x5a81e8 GetUserDefaultLCID
0x5a81ec EnumSystemLocalesW
0x5a81f0 GetFileType
0x5a81f4 GetFileSizeEx
0x5a81f8 SetFilePointerEx
0x5a81fc FindClose
0x5a8200 FindFirstFileExW
0x5a8204 FindNextFileW
0x5a8208 IsValidCodePage
0x5a820c GetACP
0x5a8210 GetOEMCP
0x5a8214 GetCPInfo
0x5a8218 MultiByteToWideChar
0x5a821c WideCharToMultiByte
0x5a8220 GetEnvironmentStringsW
0x5a8224 FreeEnvironmentStringsW
0x5a8228 SetEnvironmentVariableW
0x5a822c GetProcessHeap
0x5a8230 OutputDebugStringW
0x5a8234 SetStdHandle
0x5a8238 GetStringTypeW
0x5a823c FlushFileBuffers
0x5a8240 GetConsoleOutputCP
0x5a8244 GetConsoleMode
0x5a8248 HeapSize
EAT(Export Address Table) is none