Field | Value |
---|---|
Created | 2023.11.13 10:58 |
Machine | s1_win7_x6403 |
Filename | build.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | |
md5 | 90dd1720cb5f0a539358d8895d3fd27a |
sha256 | e69a88b0f9ec61f4acf22f9a3d96f60eb3a04db58a74eb4315700ac465de9e01 |
ssdeep | 3072:6F6GZCIbIXZhMUXjB4xowmDKQ9x4Ua9JKFuo:6F8RZ+Ro5HHSKF |
imphash | bfbdb436476f8fcaaef94d931ea729c9 |
impfuzzy | 24:hDCqTf4NvhDo1ttUalSfjlENY/JlUyer6wxGTO1EkEQh:1Cqr4Nv8tp8fua7wGNC |
Signature (28cnts)
Level | Description |
---|---|
watch | Attempts to create or modify system certificates |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Network activity contains more than one unique useragent |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process build.exe |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (24cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (14cnts)
Suricata ids
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
PE API
IAT (Import Address Table) Library
SHLWAPI.dll
0x4190cc None
msvcrt.dll
0x4190dc strlen
0x4190e0 memcmp
0x4190e4 strcpy_s
0x4190e8 srand
0x4190ec memcpy
0x4190f0 strncpy
0x4190f4 malloc
0x4190f8 _wtoi64
0x4190fc rand
0x419100 memset
0x419104 atexit
0x419108 strchr
0x41910c strtok_s
0x419110 ??_U@YAPAXI@Z
KERNEL32.dll
0x419010 GetStringTypeW
0x419014 MultiByteToWideChar
0x419018 LCMapStringW
0x41901c ExitProcess
0x419020 lstrlenA
0x419024 LocalAlloc
0x419028 VirtualProtect
0x41902c FileTimeToSystemTime
0x419030 GetProcAddress
0x419034 LoadLibraryA
0x419038 IsValidCodePage
0x41903c GetOEMCP
0x419040 GetACP
0x419044 GetCPInfo
0x419048 WideCharToMultiByte
0x41904c HeapAlloc
0x419050 InterlockedDecrement
0x419054 UnhandledExceptionFilter
0x419058 SetUnhandledExceptionFilter
0x41905c IsDebuggerPresent
0x419060 EncodePointer
0x419064 DecodePointer
0x419068 TerminateProcess
0x41906c GetCurrentProcess
0x419070 InitializeCriticalSectionAndSpinCount
0x419074 LeaveCriticalSection
0x419078 EnterCriticalSection
0x41907c GetLastError
0x419080 HeapFree
0x419084 RtlUnwind
0x419088 GetModuleHandleW
0x41908c Sleep
0x419090 WriteFile
0x419094 GetStdHandle
0x419098 GetModuleFileNameW
0x41909c LoadLibraryW
0x4190a0 TlsGetValue
0x4190a4 TlsSetValue
0x4190a8 InterlockedIncrement
0x4190ac SetLastError
0x4190b0 GetCurrentThreadId
USER32.dll
0x4190d4 CharToOemA
ADVAPI32.dll
0x419000 RegGetValueA
0x419004 RegOpenKeyExA
0x419008 GetCurrentHwProfileA
ole32.dll
0x419118 CoCreateInstance
0x41911c CoSetProxyBlanket
0x419120 CoInitializeSecurity
0x419124 CoInitializeEx
OLEAUT32.dll
0x4190b8 SysFreeString
0x4190bc VariantInit
0x4190c0 VariantClear
0x4190c4 SysAllocString
EAT (Export Address Table): none