ScreenShot
| Created | 2023.10.23 16:52 | Machine | s1_win7_x6401 |
| Filename | nalo.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 24 detected (AIDetectMalware, Smokeloader, Attribute, HighConfidence, malicious, high confidence, GenKryptik, GPIY, score, Injuke, Sabsik, Artemis, unsafe, Genetic, R002H0CJN23, CLASSIC, susgen, Kryptik, HUKQ, confidence) | ||
| md5 | 99187f5197d70ceccc4e0fde10fc7f30 | ||
| sha256 | daf028d78fbf206e389d5fb372480cb9a734a47f9ce55e5340199cbd79d5c644 | ||
| ssdeep | 24576:bLAPendTZihaqftTve/eXDzwi/kgDMAs:3JTZihaqfxseXPwisK | ||
| imphash | 067ff6f0af98324c9e25b1e575727bdd | ||
| impfuzzy | 48:SHdii9GcpVJxYWDoYMXtXqroxFGzPpU63fuFZGVw:oiigcpVJxYWMHXtXQoxFGTpUrb | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | Terminates another process |
| notice | Yara rule detected in process memory |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
PE API
IAT(Import Address Table) Library
USER32.dll
0x4d42a0 LogicalToPhysicalPoint
KERNEL32.dll
0x4d4000 UnhandledExceptionFilter
0x4d4004 CreateFileW
0x4d4008 CloseHandle
0x4d400c WaitForSingleObjectEx
0x4d4010 Sleep
0x4d4014 SwitchToThread
0x4d4018 GetCurrentThreadId
0x4d401c GetExitCodeThread
0x4d4020 GetNativeSystemInfo
0x4d4024 FormatMessageA
0x4d4028 EnterCriticalSection
0x4d402c LeaveCriticalSection
0x4d4030 InitializeCriticalSectionEx
0x4d4034 DeleteCriticalSection
0x4d4038 QueryPerformanceCounter
0x4d403c QueryPerformanceFrequency
0x4d4040 InitializeSRWLock
0x4d4044 ReleaseSRWLockExclusive
0x4d4048 AcquireSRWLockExclusive
0x4d404c TryAcquireSRWLockExclusive
0x4d4050 InitializeConditionVariable
0x4d4054 WakeConditionVariable
0x4d4058 WakeAllConditionVariable
0x4d405c SleepConditionVariableSRW
0x4d4060 LocalFree
0x4d4064 GetLocaleInfoEx
0x4d4068 EncodePointer
0x4d406c DecodePointer
0x4d4070 MultiByteToWideChar
0x4d4074 WideCharToMultiByte
0x4d4078 LCMapStringEx
0x4d407c SetFileInformationByHandle
0x4d4080 GetTempPathW
0x4d4084 FlsAlloc
0x4d4088 FlsGetValue
0x4d408c FlsSetValue
0x4d4090 FlsFree
0x4d4094 InitOnceExecuteOnce
0x4d4098 SleepConditionVariableCS
0x4d409c CreateEventExW
0x4d40a0 CreateSemaphoreExW
0x4d40a4 FlushProcessWriteBuffers
0x4d40a8 GetCurrentProcessorNumber
0x4d40ac GetSystemTimeAsFileTime
0x4d40b0 GetTickCount64
0x4d40b4 FreeLibraryWhenCallbackReturns
0x4d40b8 CreateThreadpoolWork
0x4d40bc SubmitThreadpoolWork
0x4d40c0 CloseThreadpoolWork
0x4d40c4 CreateThreadpoolTimer
0x4d40c8 SetThreadpoolTimer
0x4d40cc WaitForThreadpoolTimerCallbacks
0x4d40d0 CloseThreadpoolTimer
0x4d40d4 CreateThreadpoolWait
0x4d40d8 SetThreadpoolWait
0x4d40dc CloseThreadpoolWait
0x4d40e0 GetModuleHandleW
0x4d40e4 GetProcAddress
0x4d40e8 GetFileInformationByHandleEx
0x4d40ec CreateSymbolicLinkW
0x4d40f0 GetStringTypeW
0x4d40f4 CompareStringEx
0x4d40f8 GetCPInfo
0x4d40fc IsProcessorFeaturePresent
0x4d4100 GetCurrentProcessId
0x4d4104 InitializeSListHead
0x4d4108 IsDebuggerPresent
0x4d410c WriteConsoleW
0x4d4110 SetUnhandledExceptionFilter
0x4d4114 GetStartupInfoW
0x4d4118 GetCurrentProcess
0x4d411c TerminateProcess
0x4d4120 HeapSize
0x4d4124 RaiseException
0x4d4128 RtlUnwind
0x4d412c InterlockedPushEntrySList
0x4d4130 InterlockedFlushSList
0x4d4134 GetLastError
0x4d4138 SetLastError
0x4d413c InitializeCriticalSectionAndSpinCount
0x4d4140 TlsAlloc
0x4d4144 TlsGetValue
0x4d4148 TlsSetValue
0x4d414c TlsFree
0x4d4150 FreeLibrary
0x4d4154 LoadLibraryExW
0x4d4158 CreateThread
0x4d415c ExitThread
0x4d4160 ResumeThread
0x4d4164 FreeLibraryAndExitThread
0x4d4168 GetModuleHandleExW
0x4d416c GetStdHandle
0x4d4170 WriteFile
0x4d4174 GetModuleFileNameW
0x4d4178 ExitProcess
0x4d417c GetCommandLineA
0x4d4180 GetCommandLineW
0x4d4184 GetCurrentThread
0x4d4188 HeapFree
0x4d418c HeapAlloc
0x4d4190 GetDateFormatW
0x4d4194 GetTimeFormatW
0x4d4198 CompareStringW
0x4d419c LCMapStringW
0x4d41a0 GetLocaleInfoW
0x4d41a4 IsValidLocale
0x4d41a8 GetUserDefaultLCID
0x4d41ac EnumSystemLocalesW
0x4d41b0 GetFileType
0x4d41b4 SetConsoleCtrlHandler
0x4d41b8 FlushFileBuffers
0x4d41bc GetConsoleOutputCP
0x4d41c0 GetConsoleMode
0x4d41c4 ReadFile
0x4d41c8 GetFileSizeEx
0x4d41cc SetFilePointerEx
0x4d41d0 ReadConsoleW
0x4d41d4 HeapReAlloc
0x4d41d8 GetTimeZoneInformation
0x4d41dc OutputDebugStringW
0x4d41e0 FindClose
0x4d41e4 FindFirstFileExW
0x4d41e8 FindNextFileW
0x4d41ec IsValidCodePage
0x4d41f0 GetACP
0x4d41f4 GetOEMCP
0x4d41f8 GetEnvironmentStringsW
0x4d41fc FreeEnvironmentStringsW
0x4d4200 SetEnvironmentVariableW
0x4d4204 SetStdHandle
0x4d4208 GetProcessHeap
EAT(Export Address Table) Library
0x40232e GetYourOpinion
USER32.dll
0x4d42a0 LogicalToPhysicalPoint
KERNEL32.dll
0x4d4000 UnhandledExceptionFilter
0x4d4004 CreateFileW
0x4d4008 CloseHandle
0x4d400c WaitForSingleObjectEx
0x4d4010 Sleep
0x4d4014 SwitchToThread
0x4d4018 GetCurrentThreadId
0x4d401c GetExitCodeThread
0x4d4020 GetNativeSystemInfo
0x4d4024 FormatMessageA
0x4d4028 EnterCriticalSection
0x4d402c LeaveCriticalSection
0x4d4030 InitializeCriticalSectionEx
0x4d4034 DeleteCriticalSection
0x4d4038 QueryPerformanceCounter
0x4d403c QueryPerformanceFrequency
0x4d4040 InitializeSRWLock
0x4d4044 ReleaseSRWLockExclusive
0x4d4048 AcquireSRWLockExclusive
0x4d404c TryAcquireSRWLockExclusive
0x4d4050 InitializeConditionVariable
0x4d4054 WakeConditionVariable
0x4d4058 WakeAllConditionVariable
0x4d405c SleepConditionVariableSRW
0x4d4060 LocalFree
0x4d4064 GetLocaleInfoEx
0x4d4068 EncodePointer
0x4d406c DecodePointer
0x4d4070 MultiByteToWideChar
0x4d4074 WideCharToMultiByte
0x4d4078 LCMapStringEx
0x4d407c SetFileInformationByHandle
0x4d4080 GetTempPathW
0x4d4084 FlsAlloc
0x4d4088 FlsGetValue
0x4d408c FlsSetValue
0x4d4090 FlsFree
0x4d4094 InitOnceExecuteOnce
0x4d4098 SleepConditionVariableCS
0x4d409c CreateEventExW
0x4d40a0 CreateSemaphoreExW
0x4d40a4 FlushProcessWriteBuffers
0x4d40a8 GetCurrentProcessorNumber
0x4d40ac GetSystemTimeAsFileTime
0x4d40b0 GetTickCount64
0x4d40b4 FreeLibraryWhenCallbackReturns
0x4d40b8 CreateThreadpoolWork
0x4d40bc SubmitThreadpoolWork
0x4d40c0 CloseThreadpoolWork
0x4d40c4 CreateThreadpoolTimer
0x4d40c8 SetThreadpoolTimer
0x4d40cc WaitForThreadpoolTimerCallbacks
0x4d40d0 CloseThreadpoolTimer
0x4d40d4 CreateThreadpoolWait
0x4d40d8 SetThreadpoolWait
0x4d40dc CloseThreadpoolWait
0x4d40e0 GetModuleHandleW
0x4d40e4 GetProcAddress
0x4d40e8 GetFileInformationByHandleEx
0x4d40ec CreateSymbolicLinkW
0x4d40f0 GetStringTypeW
0x4d40f4 CompareStringEx
0x4d40f8 GetCPInfo
0x4d40fc IsProcessorFeaturePresent
0x4d4100 GetCurrentProcessId
0x4d4104 InitializeSListHead
0x4d4108 IsDebuggerPresent
0x4d410c WriteConsoleW
0x4d4110 SetUnhandledExceptionFilter
0x4d4114 GetStartupInfoW
0x4d4118 GetCurrentProcess
0x4d411c TerminateProcess
0x4d4120 HeapSize
0x4d4124 RaiseException
0x4d4128 RtlUnwind
0x4d412c InterlockedPushEntrySList
0x4d4130 InterlockedFlushSList
0x4d4134 GetLastError
0x4d4138 SetLastError
0x4d413c InitializeCriticalSectionAndSpinCount
0x4d4140 TlsAlloc
0x4d4144 TlsGetValue
0x4d4148 TlsSetValue
0x4d414c TlsFree
0x4d4150 FreeLibrary
0x4d4154 LoadLibraryExW
0x4d4158 CreateThread
0x4d415c ExitThread
0x4d4160 ResumeThread
0x4d4164 FreeLibraryAndExitThread
0x4d4168 GetModuleHandleExW
0x4d416c GetStdHandle
0x4d4170 WriteFile
0x4d4174 GetModuleFileNameW
0x4d4178 ExitProcess
0x4d417c GetCommandLineA
0x4d4180 GetCommandLineW
0x4d4184 GetCurrentThread
0x4d4188 HeapFree
0x4d418c HeapAlloc
0x4d4190 GetDateFormatW
0x4d4194 GetTimeFormatW
0x4d4198 CompareStringW
0x4d419c LCMapStringW
0x4d41a0 GetLocaleInfoW
0x4d41a4 IsValidLocale
0x4d41a8 GetUserDefaultLCID
0x4d41ac EnumSystemLocalesW
0x4d41b0 GetFileType
0x4d41b4 SetConsoleCtrlHandler
0x4d41b8 FlushFileBuffers
0x4d41bc GetConsoleOutputCP
0x4d41c0 GetConsoleMode
0x4d41c4 ReadFile
0x4d41c8 GetFileSizeEx
0x4d41cc SetFilePointerEx
0x4d41d0 ReadConsoleW
0x4d41d4 HeapReAlloc
0x4d41d8 GetTimeZoneInformation
0x4d41dc OutputDebugStringW
0x4d41e0 FindClose
0x4d41e4 FindFirstFileExW
0x4d41e8 FindNextFileW
0x4d41ec IsValidCodePage
0x4d41f0 GetACP
0x4d41f4 GetOEMCP
0x4d41f8 GetEnvironmentStringsW
0x4d41fc FreeEnvironmentStringsW
0x4d4200 SetEnvironmentVariableW
0x4d4204 SetStdHandle
0x4d4208 GetProcessHeap
EAT(Export Address Table) Library
0x40232e GetYourOpinion