ScreenShot
| Created | 2023.11.07 07:56 | Machine | s1_win7_x6401 |
| Filename | Protected.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | a22595ce0f38b327951c42e18ad3eaaf | ||
| sha256 | 7a20db5d819b030f6b5a73104a5519d58743282a54aacfc444adf459ad5168bd | ||
| ssdeep | 12288:NusT4cgRdrEAzvHG4zhsT4cgRdrEAzvHG4zj4Btw2YPRKOu7b6WF:NusGRdrEAbm4zhsGRdrEAbm4zj4BGTu1 | ||
| imphash | f582161b9c9fbd36bdec6ac13c3d7dd6 | ||
| impfuzzy | 48:P9z/1xQwzQZwggwegkRxW3Yl39pxxgLxoT+yrmFNiWc4lhHw+8xmHIkSMwZDrlxD:P9z/1xQGQZfgZgkRxWuNpxxgLxQ+yrmE | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Yara rule detected in process memory |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Raccoon_Stealer_1_Zero | Raccoon Stealer | binaries (upload) |
| danger | Win_Trojan_Formbook_m_Zero | Used Formbook[m] | memory |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (10cnts) ?
Suricata ids
ET MALWARE FormBook CnC Checkin (GET)
ET INFO Namecheap URL Forward
ET INFO Namecheap URL Forward
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x4b5000 GetProcAddress
0x4b5004 GetModuleHandleW
MSVBVM60.DLL
0x4b500c __vbaVarTstGt
0x4b5010 None
0x4b5014 __vbaStrI2
0x4b5018 _CIcos
0x4b501c _adj_fptan
0x4b5020 __vbaVarMove
0x4b5024 __vbaVarVargNofree
0x4b5028 __vbaAryMove
0x4b502c __vbaFreeVar
0x4b5030 __vbaStrVarMove
0x4b5034 __vbaLenBstr
0x4b5038 __vbaFreeVarList
0x4b503c None
0x4b5040 _adj_fdiv_m64
0x4b5044 None
0x4b5048 __vbaFreeObjList
0x4b504c _adj_fprem1
0x4b5050 __vbaStrCat
0x4b5054 __vbaSetSystemError
0x4b5058 __vbaHresultCheckObj
0x4b505c _adj_fdiv_m32
0x4b5060 __vbaAryDestruct
0x4b5064 None
0x4b5068 None
0x4b506c __vbaObjSet
0x4b5070 None
0x4b5074 _adj_fdiv_m16i
0x4b5078 __vbaObjSetAddref
0x4b507c _adj_fdivr_m16i
0x4b5080 __vbaRefVarAry
0x4b5084 _CIsin
0x4b5088 __vbaChkstk
0x4b508c EVENT_SINK_AddRef
0x4b5090 __vbaAryConstruct2
0x4b5094 __vbaVarTstEq
0x4b5098 None
0x4b509c DllFunctionCall
0x4b50a0 _adj_fpatan
0x4b50a4 __vbaRedim
0x4b50a8 EVENT_SINK_Release
0x4b50ac __vbaNew
0x4b50b0 _CIsqrt
0x4b50b4 EVENT_SINK_QueryInterface
0x4b50b8 __vbaStr2Vec
0x4b50bc __vbaExceptHandler
0x4b50c0 __vbaStrToUnicode
0x4b50c4 None
0x4b50c8 _adj_fprem
0x4b50cc _adj_fdivr_m64
0x4b50d0 None
0x4b50d4 __vbaFPException
0x4b50d8 GetMem4
0x4b50dc __vbaStrVarVal
0x4b50e0 __vbaUbound
0x4b50e4 __vbaVarCat
0x4b50e8 None
0x4b50ec _CIlog
0x4b50f0 __vbaNew2
0x4b50f4 _adj_fdiv_m32i
0x4b50f8 _adj_fdivr_m32i
0x4b50fc __vbaStrCopy
0x4b5100 __vbaI4Str
0x4b5104 __vbaFreeStrList
0x4b5108 _adj_fdivr_m32
0x4b510c _adj_fdiv_r
0x4b5110 None
0x4b5114 __vbaI4Var
0x4b5118 None
0x4b511c __vbaAryLock
0x4b5120 __vbaVarAdd
0x4b5124 __vbaStrToAnsi
0x4b5128 __vbaVarDup
0x4b512c __vbaVarCopy
0x4b5130 None
0x4b5134 _CIatan
0x4b5138 __vbaStrMove
0x4b513c __vbaCastObj
0x4b5140 __vbaR8IntI4
0x4b5144 _allmul
0x4b5148 _CItan
0x4b514c None
0x4b5150 __vbaAryUnlock
0x4b5154 _CIexp
0x4b5158 __vbaFreeStr
0x4b515c __vbaFreeObj
EAT(Export Address Table) is none
KERNEL32.DLL
0x4b5000 GetProcAddress
0x4b5004 GetModuleHandleW
MSVBVM60.DLL
0x4b500c __vbaVarTstGt
0x4b5010 None
0x4b5014 __vbaStrI2
0x4b5018 _CIcos
0x4b501c _adj_fptan
0x4b5020 __vbaVarMove
0x4b5024 __vbaVarVargNofree
0x4b5028 __vbaAryMove
0x4b502c __vbaFreeVar
0x4b5030 __vbaStrVarMove
0x4b5034 __vbaLenBstr
0x4b5038 __vbaFreeVarList
0x4b503c None
0x4b5040 _adj_fdiv_m64
0x4b5044 None
0x4b5048 __vbaFreeObjList
0x4b504c _adj_fprem1
0x4b5050 __vbaStrCat
0x4b5054 __vbaSetSystemError
0x4b5058 __vbaHresultCheckObj
0x4b505c _adj_fdiv_m32
0x4b5060 __vbaAryDestruct
0x4b5064 None
0x4b5068 None
0x4b506c __vbaObjSet
0x4b5070 None
0x4b5074 _adj_fdiv_m16i
0x4b5078 __vbaObjSetAddref
0x4b507c _adj_fdivr_m16i
0x4b5080 __vbaRefVarAry
0x4b5084 _CIsin
0x4b5088 __vbaChkstk
0x4b508c EVENT_SINK_AddRef
0x4b5090 __vbaAryConstruct2
0x4b5094 __vbaVarTstEq
0x4b5098 None
0x4b509c DllFunctionCall
0x4b50a0 _adj_fpatan
0x4b50a4 __vbaRedim
0x4b50a8 EVENT_SINK_Release
0x4b50ac __vbaNew
0x4b50b0 _CIsqrt
0x4b50b4 EVENT_SINK_QueryInterface
0x4b50b8 __vbaStr2Vec
0x4b50bc __vbaExceptHandler
0x4b50c0 __vbaStrToUnicode
0x4b50c4 None
0x4b50c8 _adj_fprem
0x4b50cc _adj_fdivr_m64
0x4b50d0 None
0x4b50d4 __vbaFPException
0x4b50d8 GetMem4
0x4b50dc __vbaStrVarVal
0x4b50e0 __vbaUbound
0x4b50e4 __vbaVarCat
0x4b50e8 None
0x4b50ec _CIlog
0x4b50f0 __vbaNew2
0x4b50f4 _adj_fdiv_m32i
0x4b50f8 _adj_fdivr_m32i
0x4b50fc __vbaStrCopy
0x4b5100 __vbaI4Str
0x4b5104 __vbaFreeStrList
0x4b5108 _adj_fdivr_m32
0x4b510c _adj_fdiv_r
0x4b5110 None
0x4b5114 __vbaI4Var
0x4b5118 None
0x4b511c __vbaAryLock
0x4b5120 __vbaVarAdd
0x4b5124 __vbaStrToAnsi
0x4b5128 __vbaVarDup
0x4b512c __vbaVarCopy
0x4b5130 None
0x4b5134 _CIatan
0x4b5138 __vbaStrMove
0x4b513c __vbaCastObj
0x4b5140 __vbaR8IntI4
0x4b5144 _allmul
0x4b5148 _CItan
0x4b514c None
0x4b5150 __vbaAryUnlock
0x4b5154 _CIexp
0x4b5158 __vbaFreeStr
0x4b515c __vbaFreeObj
EAT(Export Address Table) is none