Field | Value |
---|---|
Created | 2023.11.04 10:53 |
Machine | s1_win7_x6403 |
Filename | TEST32.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 56 detected (AIDetectMalware, Lazy, TrojanPWS, Save, malicious, ZexaF, evW@auZunKki, Attribute, HighConfidence, high confidence, DYZI, TrojanPSW, Bobik, kcmzgg, Gencirc, llsbr, SMOKELOADER, YXDJ3Z, score, Detected, ABRisk, NVSZ, Sabsik, Artemis, ai score=87, unsafe, Chgt, Meduza, q6bwEsZ7J7M, Static AI, Malicious PE, susgen, TrojanX, confidence, 100%) |
md5 | 993c85b5b1c94bfa3b7f45117f567d09 |
sha256 | cb6c640fbc6289b261bca0ee881bfcc8c4df2e89baaab7a4fed4e0e3b0dc9d37 |
ssdeep | 12288:1SCFweWT8xCrC9ihr40AZWUBmEYvWe0kRUj8apA331/ZLGpn2OZ4H3ro:1lFweWT8x/9Ir40O8FvWeEJy3JZY63r |
imphash | 1cae6a1b35a594d33372747b6f84b66d |
impfuzzy | 96:LY4XH2WcpVFX97tkeQR5gWv5iaIVLmhX2:LY435cW6deX2 |
Signature (22cnts)
Level | Description |
---|---|
danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Creates known Dapato Trojan files |
watch | Creates known Dyreza Banking Trojan files |
watch | Creates known Hupigon files |
watch | Creates known Upatre files |
watch | Detects VirtualBox through the presence of a file |
watch | Harvests credentials from local email clients |
watch | Harvests information related to installed instant messenger clients |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Protocol detection skipped
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA Applayer Protocol detection skipped
PE API
IAT(Import Address Table) Library
WS2_32.dll
0x4e128c closesocket
0x4e1290 WSACleanup
0x4e1294 WSAStartup
0x4e1298 socket
0x4e129c send
0x4e12a0 recv
0x4e12a4 htons
0x4e12a8 connect
0x4e12ac inet_pton
CRYPT32.dll
0x4e101c CryptUnprotectData
WININET.dll
0x4e126c InternetReadFile
0x4e1270 InternetOpenA
0x4e1274 InternetOpenUrlA
0x4e1278 InternetCloseHandle
0x4e127c InternetOpenW
0x4e1280 HttpQueryInfoW
0x4e1284 InternetQueryDataAvailable
ntdll.dll
0x4e12e4 NtQuerySystemInformation
0x4e12e8 NtQueryObject
RstrtMgr.DLL
0x4e1224 RmStartSession
0x4e1228 RmEndSession
0x4e122c RmRegisterResources
0x4e1230 RmGetList
KERNEL32.dll
0x4e1048 LocalFree
0x4e104c MultiByteToWideChar
0x4e1050 WideCharToMultiByte
0x4e1054 ResumeThread
0x4e1058 CreateProcessA
0x4e105c GetThreadContext
0x4e1060 SetThreadContext
0x4e1064 VirtualAlloc
0x4e1068 VirtualAllocEx
0x4e106c ReadProcessMemory
0x4e1070 WriteProcessMemory
0x4e1074 GetModuleFileNameA
0x4e1078 ExitProcess
0x4e107c GetFileSize
0x4e1080 GetFinalPathNameByHandleA
0x4e1084 GetLogicalDriveStringsW
0x4e1088 GetVolumeInformationW
0x4e108c ReadFile
0x4e1090 SetFilePointer
0x4e1094 DecodePointer
0x4e1098 CloseHandle
0x4e109c RaiseException
0x4e10a0 GetLastError
0x4e10a4 HeapAlloc
0x4e10a8 HeapReAlloc
0x4e10ac HeapFree
0x4e10b0 HeapSize
0x4e10b4 GetProcessHeap
0x4e10b8 EnterCriticalSection
0x4e10bc LeaveCriticalSection
0x4e10c0 InitializeCriticalSectionEx
0x4e10c4 DeleteCriticalSection
0x4e10c8 GetCurrentProcess
0x4e10cc GetProcessId
0x4e10d0 OpenProcess
0x4e10d4 GlobalMemoryStatusEx
0x4e10d8 GetNativeSystemInfo
0x4e10dc GetProductInfo
0x4e10e0 GetModuleHandleA
0x4e10e4 GetModuleHandleW
0x4e10e8 GetProcAddress
0x4e10ec GetComputerNameW
0x4e10f0 GetTimeZoneInformation
0x4e10f4 GetGeoInfoA
0x4e10f8 GetUserGeoID
0x4e10fc IsDebuggerPresent
0x4e1100 UnhandledExceptionFilter
0x4e1104 SetUnhandledExceptionFilter
0x4e1108 SetLastError
0x4e110c TerminateProcess
0x4e1110 IsProcessorFeaturePresent
0x4e1114 GetSystemTimeAsFileTime
0x4e1118 GetCurrentProcessId
0x4e111c VirtualProtect
0x4e1120 VirtualQuery
0x4e1124 GetCurrentThreadId
0x4e1128 FreeLibrary
0x4e112c GetModuleHandleExW
0x4e1130 InitializeCriticalSectionAndSpinCount
0x4e1134 TlsAlloc
0x4e1138 TlsGetValue
0x4e113c TlsSetValue
0x4e1140 TlsFree
0x4e1144 LoadLibraryExW
0x4e1148 GetDateFormatW
0x4e114c GetTimeFormatW
0x4e1150 CompareStringW
0x4e1154 LCMapStringW
0x4e1158 GetLocaleInfoW
0x4e115c IsValidLocale
0x4e1160 GetUserDefaultLCID
0x4e1164 EnumSystemLocalesW
0x4e1168 GetStdHandle
0x4e116c GetFileType
0x4e1170 GetStartupInfoW
0x4e1174 FlushFileBuffers
0x4e1178 WriteFile
0x4e117c GetConsoleOutputCP
0x4e1180 GetConsoleMode
0x4e1184 GetFileSizeEx
0x4e1188 SetFilePointerEx
0x4e118c ReadConsoleW
0x4e1190 IsValidCodePage
0x4e1194 GetACP
0x4e1198 GetOEMCP
0x4e119c GetCPInfo
0x4e11a0 GetStringTypeW
0x4e11a4 SetStdHandle
0x4e11a8 GetModuleFileNameW
0x4e11ac CreateFileW
0x4e11b0 WriteConsoleW
0x4e11b4 EncodePointer
0x4e11b8 SetEndOfFile
0x4e11bc GetEnvironmentStringsW
0x4e11c0 FreeEnvironmentStringsW
0x4e11c4 SetEnvironmentVariableW
0x4e11c8 ReleaseSRWLockExclusive
0x4e11cc AcquireSRWLockExclusive
0x4e11d0 WakeAllConditionVariable
0x4e11d4 SleepConditionVariableSRW
0x4e11d8 QueryPerformanceCounter
0x4e11dc InitializeSListHead
0x4e11e0 RtlUnwind
0x4e11e4 LCMapStringEx
0x4e11e8 GetCommandLineA
0x4e11ec GetCommandLineW
0x4e11f0 GetSystemInfo
0x4e11f4 OutputDebugStringW
0x4e11f8 GetFileInformationByHandleEx
0x4e11fc AreFileApisANSI
0x4e1200 GetFileAttributesExW
0x4e1204 FormatMessageA
0x4e1208 GetLocaleInfoEx
0x4e120c GetCurrentDirectoryW
0x4e1210 FindClose
0x4e1214 FindFirstFileW
0x4e1218 FindFirstFileExW
0x4e121c FindNextFileW
USER32.dll
0x4e1250 GetDesktopWindow
0x4e1254 GetSystemMetrics
0x4e1258 ReleaseDC
0x4e125c GetWindowRect
0x4e1260 EnumDisplayDevicesW
0x4e1264 GetDC
GDI32.dll
0x4e1024 GetObjectW
0x4e1028 SelectObject
0x4e102c GetDeviceCaps
0x4e1030 DeleteObject
0x4e1034 DeleteDC
0x4e1038 CreateCompatibleDC
0x4e103c CreateCompatibleBitmap
0x4e1040 BitBlt
ADVAPI32.dll
0x4e1000 RegOpenKeyExA
0x4e1004 RegEnumKeyExA
0x4e1008 RegCloseKey
0x4e100c GetCurrentHwProfileW
0x4e1010 GetUserNameW
0x4e1014 RegQueryValueExA
SHELL32.dll
0x4e1238 SHGetKnownFolderPath
ole32.dll
0x4e12f0 CreateStreamOnHGlobal
0x4e12f4 CoTaskMemFree
SHLWAPI.dll
0x4e1240 None
0x4e1244 None
0x4e1248 None
gdiplus.dll
0x4e12b4 GdipGetImageEncoders
0x4e12b8 GdipGetImageEncodersSize
0x4e12bc GdipCreateBitmapFromHBITMAP
0x4e12c0 GdipCreateBitmapFromScan0
0x4e12c4 GdipSaveImageToStream
0x4e12c8 GdipAlloc
0x4e12cc GdipFree
0x4e12d0 GdiplusStartup
0x4e12d4 GdipCloneImage
0x4e12d8 GdiplusShutdown
0x4e12dc GdipDisposeImage
EAT(Export Address Table) is none
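The import table above is the most informative static artifact on this page: the cluster CreateProcessA + GetThreadContext/SetThreadContext + VirtualAllocEx + WriteProcessMemory + ResumeThread is the canonical process-hollowing primitive, CryptUnprotectData is what a stealer needs to decrypt DPAPI-protected browser logins, the Restart Manager imports (RmStartSession/RmRegisterResources/RmGetList) let it find which process holds a locked browser database, the GDI/GDI+ set is a screen capture encoder, and the raw Winsock client with inet_pton (a literal IP, no DNS) lines up with the "Communicates with host for which no DNS query was performed" signature, while InternetOpenUrlA/InternetReadFile lines up with the ipify lookup in the Suricata alerts. The script below is an added example, not part of this report or of the sandbox that produced it: it encodes those clusters as simple import-set rules and runs them over a hand-transcribed subset of the IAT (constructed input, not the full list). The rule names, the CRT_NOISE list and the evidence thresholds are the editor's own heuristics, not a published taxonomy; the point they make is that IsDebuggerPresent on its own is imported by the MSVC CRT startup code and must not be read as anti-debugging without a second check.

```python
"""Capability inference from a PE import table (editor's added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    name: str
    note: str
    all_of: tuple = ()   # every API listed here must be imported
    any_of: tuple = ()   # for each inner tuple, at least one API must be imported


# Heuristic clusters (editor's own, assumption); each one mirrors an observation
# made about the IAT in the report above.
CAPABILITIES = (
    Capability("process_hollowing",
               "suspended child + thread context rewrite + remote write + resume",
               all_of=("GetThreadContext", "SetThreadContext", "VirtualAllocEx",
                       "WriteProcessMemory", "ResumeThread"),
               any_of=(("CreateProcessA", "CreateProcessW"),)),
    Capability("dpapi_decrypt",
               "CryptUnprotectData decrypts DPAPI blobs such as saved browser logins",
               all_of=("CryptUnprotectData",)),
    Capability("screenshot",
               "GDI capture of the desktop, usually encoded to PNG/JPEG via GDI+",
               all_of=("GetDesktopWindow", "CreateCompatibleDC",
                       "CreateCompatibleBitmap", "BitBlt"),
               any_of=(("GetDC", "GetWindowDC"),)),
    Capability("restart_manager",
               "Restart Manager: locate processes holding a file open (locked browser DBs)",
               all_of=("RmStartSession", "RmRegisterResources", "RmGetList")),
    Capability("raw_tcp_client",
               "Winsock connect/send/recv; inet_pton/inet_addr imply a literal IP, "
               "getaddrinfo/gethostbyname imply DNS",
               all_of=("WSAStartup", "socket", "connect", "send", "recv"),
               any_of=(("inet_pton", "inet_addr", "getaddrinfo", "gethostbyname"),)),
    Capability("http_client",
               "WinINet URL fetch; matches the external IP lookup seen on the wire",
               all_of=("InternetOpenUrlA", "InternetReadFile")),
    Capability("handle_enumeration",
               "NtQuerySystemInformation + NtQueryObject: walk the system handle table",
               all_of=("NtQuerySystemInformation", "NtQueryObject")),
    Capability("geo_locale_check",
               "user geo/locale lookup, commonly used to exclude target regions",
               any_of=(("GetUserGeoID", "GetGeoInfoA", "GetGeoInfoW"),)),
    Capability("anti_debug",
               "IsDebuggerPresent alone is CRT noise; require a second, deliberate check",
               all_of=("IsDebuggerPresent",),
               any_of=(("CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
                        "NtSetInformationThread"),)),
)

# APIs the MSVC CRT startup/exception code imports on its own (assumption: a
# plain Visual C++ "hello world" imports all of these); never evidence by themselves.
CRT_NOISE = frozenset({
    "IsDebuggerPresent", "UnhandledExceptionFilter", "SetUnhandledExceptionFilter",
    "GetSystemTimeAsFileTime", "QueryPerformanceCounter", "OutputDebugStringW",
    "IsProcessorFeaturePresent", "GetCurrentProcessId", "GetCurrentThreadId",
    "InitializeSListHead",
})


def flatten(imports):
    """imports: {dll_name: [api_name, ...]} -> set of imported API names."""
    return {api for apis in imports.values() for api in apis}


def infer_capabilities(imports):
    """Return {capability_name: sorted evidence APIs} for every rule fully satisfied."""
    present = flatten(imports)
    found = {}
    for cap in CAPABILITIES:
        if not all(api in present for api in cap.all_of):
            continue
        if not all(any(api in present for api in group) for group in cap.any_of):
            continue
        evidence = set(cap.all_of) | {a for g in cap.any_of for a in g if a in present}
        found[cap.name] = sorted(evidence)
    return found


def crt_noise(imports):
    """Imported APIs that should not be read as deliberate anti-analysis."""
    return sorted(flatten(imports) & CRT_NOISE)


# Constructed input: a subset of the IAT shown above, transcribed by hand.
SAMPLE_IMPORTS = {
    "WS2_32.dll": ["closesocket", "WSACleanup", "WSAStartup", "socket", "send",
                   "recv", "htons", "connect", "inet_pton"],
    "CRYPT32.dll": ["CryptUnprotectData"],
    "WININET.dll": ["InternetReadFile", "InternetOpenA", "InternetOpenUrlA",
                    "InternetCloseHandle"],
    "ntdll.dll": ["NtQuerySystemInformation", "NtQueryObject"],
    "RstrtMgr.DLL": ["RmStartSession", "RmEndSession", "RmRegisterResources", "RmGetList"],
    "KERNEL32.dll": ["ResumeThread", "CreateProcessA", "GetThreadContext",
                     "SetThreadContext", "VirtualAllocEx", "ReadProcessMemory",
                     "WriteProcessMemory", "GetComputerNameW", "GetGeoInfoA",
                     "GetUserGeoID", "IsDebuggerPresent", "UnhandledExceptionFilter",
                     "QueryPerformanceCounter", "OutputDebugStringW"],
    "USER32.dll": ["GetDesktopWindow", "GetSystemMetrics", "ReleaseDC", "GetDC"],
    "GDI32.dll": ["SelectObject", "DeleteDC", "CreateCompatibleDC",
                  "CreateCompatibleBitmap", "BitBlt"],
    "ADVAPI32.dll": ["RegOpenKeyExA", "RegEnumKeyExA", "GetUserNameW", "RegQueryValueExA"],
    "gdiplus.dll": ["GdipCreateBitmapFromHBITMAP", "GdipSaveImageToStream"],
}

if __name__ == "__main__":
    for name, evidence in infer_capabilities(SAMPLE_IMPORTS).items():
        print(f"{name:20s} {', '.join(evidence)}")
    print("CRT noise (ignore):", ", ".join(crt_noise(SAMPLE_IMPORTS)))
```

Run against the transcribed subset, the script reports process_hollowing, dpapi_decrypt, screenshot, restart_manager, raw_tcp_client (with inet_pton as the address source), http_client, handle_enumeration and geo_locale_check, and does not report anti_debug, because the only debugger-related import is the one the CRT adds anyway. To use it on another sample, replace SAMPLE_IMPORTS with the output of a PE parser; the rules are deliberately import-only and will miss anything resolved at runtime through GetProcAddress, which this binary also imports.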