ScreenShot
| Created | 2023.10.06 07:59 | Machine | s1_win7_x6403 |
| Filename | nano.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 501bd8c4a18e386f240b6d77d388cbb3 | ||
| sha256 | 28682b28680d4aca937081f79e939f7a14cdb18ba033c52f4c8f0f63ee0db9cb | ||
| ssdeep | 24576:XFxY5A0vimILMPcVZT6gH/A2Z46a9DhvhTTwFSMHTf:XP0vimILMP4l6SAO46a3v9wYMHTf | ||
| imphash | b092678fc438a3bc6ea71ba0ea4cfa08 | ||
| impfuzzy | 48:sghWBfWDz9vxcpVJxwYyXtXGrmcGtnzba63buFZGzQ:ZWBfWn1xcpVJxwjXtXMmcGtnPa9T | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Yara rule detected in process memory |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
PE API
IAT(Import Address Table) Library
USER32.dll
0x58e2f0 GetClipCursor
ole32.dll
0x58e320 CoGetApartmentType
0x58e324 CoGetObjectContext
ADVAPI32.dll
0x58e000 RegDisablePredefinedCacheEx
KERNEL32.dll
0x58e030 ReadConsoleW
0x58e034 GetProcessHeap
0x58e038 HeapSize
0x58e03c CreateFileW
0x58e040 CreateSymbolicLinkW
0x58e044 FreeConsole
0x58e048 RaiseException
0x58e04c CloseHandle
0x58e050 WaitForSingleObjectEx
0x58e054 Sleep
0x58e058 SwitchToThread
0x58e05c GetCurrentThreadId
0x58e060 GetExitCodeThread
0x58e064 GetNativeSystemInfo
0x58e068 InitializeSRWLock
0x58e06c ReleaseSRWLockExclusive
0x58e070 AcquireSRWLockExclusive
0x58e074 TryAcquireSRWLockExclusive
0x58e078 InitializeConditionVariable
0x58e07c WakeConditionVariable
0x58e080 WakeAllConditionVariable
0x58e084 SleepConditionVariableSRW
0x58e088 FormatMessageA
0x58e08c WideCharToMultiByte
0x58e090 MultiByteToWideChar
0x58e094 GetStringTypeW
0x58e098 InitOnceBeginInitialize
0x58e09c InitOnceComplete
0x58e0a0 GetLastError
0x58e0a4 FreeLibraryWhenCallbackReturns
0x58e0a8 CreateThreadpoolWork
0x58e0ac SubmitThreadpoolWork
0x58e0b0 CloseThreadpoolWork
0x58e0b4 GetModuleHandleExW
0x58e0b8 RtlCaptureStackBackTrace
0x58e0bc IsProcessorFeaturePresent
0x58e0c0 EnterCriticalSection
0x58e0c4 LeaveCriticalSection
0x58e0c8 InitializeCriticalSectionEx
0x58e0cc DeleteCriticalSection
0x58e0d0 QueryPerformanceCounter
0x58e0d4 QueryPerformanceFrequency
0x58e0d8 LocalFree
0x58e0dc GetLocaleInfoEx
0x58e0e0 EncodePointer
0x58e0e4 DecodePointer
0x58e0e8 LCMapStringEx
0x58e0ec SetFileInformationByHandle
0x58e0f0 GetTempPathW
0x58e0f4 FlsAlloc
0x58e0f8 FlsGetValue
0x58e0fc FlsSetValue
0x58e100 FlsFree
0x58e104 InitOnceExecuteOnce
0x58e108 SleepConditionVariableCS
0x58e10c CreateEventExW
0x58e110 CreateSemaphoreExW
0x58e114 FlushProcessWriteBuffers
0x58e118 GetCurrentProcessorNumber
0x58e11c GetSystemTimeAsFileTime
0x58e120 GetTickCount64
0x58e124 CreateThreadpoolTimer
0x58e128 SetThreadpoolTimer
0x58e12c WaitForThreadpoolTimerCallbacks
0x58e130 CloseThreadpoolTimer
0x58e134 CreateThreadpoolWait
0x58e138 SetThreadpoolWait
0x58e13c CloseThreadpoolWait
0x58e140 GetModuleHandleW
0x58e144 GetProcAddress
0x58e148 GetFileInformationByHandleEx
0x58e14c WriteConsoleW
0x58e150 CompareStringEx
0x58e154 GetCPInfo
0x58e158 InitializeCriticalSectionAndSpinCount
0x58e15c SetEvent
0x58e160 ResetEvent
0x58e164 CreateEventW
0x58e168 GetCurrentProcessId
0x58e16c InitializeSListHead
0x58e170 IsDebuggerPresent
0x58e174 UnhandledExceptionFilter
0x58e178 SetUnhandledExceptionFilter
0x58e17c GetStartupInfoW
0x58e180 GetCurrentProcess
0x58e184 TerminateProcess
0x58e188 SetStdHandle
0x58e18c RtlUnwind
0x58e190 InterlockedPushEntrySList
0x58e194 InterlockedFlushSList
0x58e198 SetLastError
0x58e19c TlsAlloc
0x58e1a0 TlsGetValue
0x58e1a4 TlsSetValue
0x58e1a8 TlsFree
0x58e1ac FreeLibrary
0x58e1b0 LoadLibraryExW
0x58e1b4 CreateThread
0x58e1b8 ExitThread
0x58e1bc ResumeThread
0x58e1c0 FreeLibraryAndExitThread
0x58e1c4 GetStdHandle
0x58e1c8 WriteFile
0x58e1cc GetModuleFileNameW
0x58e1d0 ExitProcess
0x58e1d4 GetCommandLineA
0x58e1d8 GetCommandLineW
0x58e1dc GetCurrentThread
0x58e1e0 HeapFree
0x58e1e4 SetConsoleCtrlHandler
0x58e1e8 HeapAlloc
0x58e1ec GetDateFormatW
0x58e1f0 GetTimeFormatW
0x58e1f4 CompareStringW
0x58e1f8 LCMapStringW
0x58e1fc GetLocaleInfoW
0x58e200 IsValidLocale
0x58e204 GetUserDefaultLCID
0x58e208 EnumSystemLocalesW
0x58e20c GetFileType
0x58e210 GetFileSizeEx
0x58e214 SetFilePointerEx
0x58e218 FlushFileBuffers
0x58e21c GetConsoleOutputCP
0x58e220 GetConsoleMode
0x58e224 ReadFile
0x58e228 HeapReAlloc
0x58e22c GetTimeZoneInformation
0x58e230 OutputDebugStringW
0x58e234 FindClose
0x58e238 FindFirstFileExW
0x58e23c FindNextFileW
0x58e240 IsValidCodePage
0x58e244 GetACP
0x58e248 GetOEMCP
0x58e24c GetEnvironmentStringsW
0x58e250 FreeEnvironmentStringsW
0x58e254 SetEnvironmentVariableW
EAT(Export Address Table) is none
USER32.dll
0x58e2f0 GetClipCursor
ole32.dll
0x58e320 CoGetApartmentType
0x58e324 CoGetObjectContext
ADVAPI32.dll
0x58e000 RegDisablePredefinedCacheEx
KERNEL32.dll
0x58e030 ReadConsoleW
0x58e034 GetProcessHeap
0x58e038 HeapSize
0x58e03c CreateFileW
0x58e040 CreateSymbolicLinkW
0x58e044 FreeConsole
0x58e048 RaiseException
0x58e04c CloseHandle
0x58e050 WaitForSingleObjectEx
0x58e054 Sleep
0x58e058 SwitchToThread
0x58e05c GetCurrentThreadId
0x58e060 GetExitCodeThread
0x58e064 GetNativeSystemInfo
0x58e068 InitializeSRWLock
0x58e06c ReleaseSRWLockExclusive
0x58e070 AcquireSRWLockExclusive
0x58e074 TryAcquireSRWLockExclusive
0x58e078 InitializeConditionVariable
0x58e07c WakeConditionVariable
0x58e080 WakeAllConditionVariable
0x58e084 SleepConditionVariableSRW
0x58e088 FormatMessageA
0x58e08c WideCharToMultiByte
0x58e090 MultiByteToWideChar
0x58e094 GetStringTypeW
0x58e098 InitOnceBeginInitialize
0x58e09c InitOnceComplete
0x58e0a0 GetLastError
0x58e0a4 FreeLibraryWhenCallbackReturns
0x58e0a8 CreateThreadpoolWork
0x58e0ac SubmitThreadpoolWork
0x58e0b0 CloseThreadpoolWork
0x58e0b4 GetModuleHandleExW
0x58e0b8 RtlCaptureStackBackTrace
0x58e0bc IsProcessorFeaturePresent
0x58e0c0 EnterCriticalSection
0x58e0c4 LeaveCriticalSection
0x58e0c8 InitializeCriticalSectionEx
0x58e0cc DeleteCriticalSection
0x58e0d0 QueryPerformanceCounter
0x58e0d4 QueryPerformanceFrequency
0x58e0d8 LocalFree
0x58e0dc GetLocaleInfoEx
0x58e0e0 EncodePointer
0x58e0e4 DecodePointer
0x58e0e8 LCMapStringEx
0x58e0ec SetFileInformationByHandle
0x58e0f0 GetTempPathW
0x58e0f4 FlsAlloc
0x58e0f8 FlsGetValue
0x58e0fc FlsSetValue
0x58e100 FlsFree
0x58e104 InitOnceExecuteOnce
0x58e108 SleepConditionVariableCS
0x58e10c CreateEventExW
0x58e110 CreateSemaphoreExW
0x58e114 FlushProcessWriteBuffers
0x58e118 GetCurrentProcessorNumber
0x58e11c GetSystemTimeAsFileTime
0x58e120 GetTickCount64
0x58e124 CreateThreadpoolTimer
0x58e128 SetThreadpoolTimer
0x58e12c WaitForThreadpoolTimerCallbacks
0x58e130 CloseThreadpoolTimer
0x58e134 CreateThreadpoolWait
0x58e138 SetThreadpoolWait
0x58e13c CloseThreadpoolWait
0x58e140 GetModuleHandleW
0x58e144 GetProcAddress
0x58e148 GetFileInformationByHandleEx
0x58e14c WriteConsoleW
0x58e150 CompareStringEx
0x58e154 GetCPInfo
0x58e158 InitializeCriticalSectionAndSpinCount
0x58e15c SetEvent
0x58e160 ResetEvent
0x58e164 CreateEventW
0x58e168 GetCurrentProcessId
0x58e16c InitializeSListHead
0x58e170 IsDebuggerPresent
0x58e174 UnhandledExceptionFilter
0x58e178 SetUnhandledExceptionFilter
0x58e17c GetStartupInfoW
0x58e180 GetCurrentProcess
0x58e184 TerminateProcess
0x58e188 SetStdHandle
0x58e18c RtlUnwind
0x58e190 InterlockedPushEntrySList
0x58e194 InterlockedFlushSList
0x58e198 SetLastError
0x58e19c TlsAlloc
0x58e1a0 TlsGetValue
0x58e1a4 TlsSetValue
0x58e1a8 TlsFree
0x58e1ac FreeLibrary
0x58e1b0 LoadLibraryExW
0x58e1b4 CreateThread
0x58e1b8 ExitThread
0x58e1bc ResumeThread
0x58e1c0 FreeLibraryAndExitThread
0x58e1c4 GetStdHandle
0x58e1c8 WriteFile
0x58e1cc GetModuleFileNameW
0x58e1d0 ExitProcess
0x58e1d4 GetCommandLineA
0x58e1d8 GetCommandLineW
0x58e1dc GetCurrentThread
0x58e1e0 HeapFree
0x58e1e4 SetConsoleCtrlHandler
0x58e1e8 HeapAlloc
0x58e1ec GetDateFormatW
0x58e1f0 GetTimeFormatW
0x58e1f4 CompareStringW
0x58e1f8 LCMapStringW
0x58e1fc GetLocaleInfoW
0x58e200 IsValidLocale
0x58e204 GetUserDefaultLCID
0x58e208 EnumSystemLocalesW
0x58e20c GetFileType
0x58e210 GetFileSizeEx
0x58e214 SetFilePointerEx
0x58e218 FlushFileBuffers
0x58e21c GetConsoleOutputCP
0x58e220 GetConsoleMode
0x58e224 ReadFile
0x58e228 HeapReAlloc
0x58e22c GetTimeZoneInformation
0x58e230 OutputDebugStringW
0x58e234 FindClose
0x58e238 FindFirstFileExW
0x58e23c FindNextFileW
0x58e240 IsValidCodePage
0x58e244 GetACP
0x58e248 GetOEMCP
0x58e24c GetEnvironmentStringsW
0x58e250 FreeEnvironmentStringsW
0x58e254 SetEnvironmentVariableW
EAT(Export Address Table) is none