Field | Value
---|---
Created | 2023.11.16 19:02
Machine | s1_win7_x6403
Filename | Morning.exe
Type | PE32 executable (console) Intel 80386, for MS Windows
ZERO API | file : malware
md5 | 34b8f4812ef8821f651d1f74618d54a2
sha256 | bdcb0564911bdb1f151d4f58f82bce75a8c861ee251ea7273487a34fec865654
ssdeep | 12288:QqybYkkT2QnftLyH61+/SwNpo7crbhla7HVoPcItnbuc7ySwvSyKrg7:G/kT2QftLyH6OzdA7HVstnvESyKrg7
imphash | 0f2421503cbb5d49fe417b88d0084470
impfuzzy | 48:hcpe0tSS1w9iYWDND8tXlX/rGGz/Zi3ruFZzk5:hcpe0tSS1wAYW5D0XlXDGGbZxI
Signature (27cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process applaunch.exe |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
Rules (26cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (10cnts)
Suricata ids
ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING Possible Generic Stealer Sending System Information
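The Suricata alerts above are the network side of this run: a check-in to a C2 reached by bare IP address (no DNS query, which is what the "Dotted Quad Host DLL Request" alert and the "Communicates with host for which no DNS query was performed" signature describe), followed by GET requests for nss3.dll, mozglue.dll, freebl3.dll, softokn3.dll, sqlite3.dll and vcruntime140.dll from that same host. That is how RecordBreaker (the Emerging Threats name for Raccoon Stealer v2) obtains the Mozilla NSS and SQLite libraries it needs to read saved browser logins on a victim that may not have them installed, so the cluster of fetches, not any single DLL, is the signal worth alerting on. The Python below is an added example, not part of the sandbox report, that applies that cluster logic to proxy-style HTTP logs. The log line format, the client and host addresses and the timestamps are constructed for the example, and msvcp140.dll is added to the DLL list as an assumption (the page does not list it).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Library names an infostealer fetches from its C2 so it can open browser credential
# stores (nss3/mozglue/freebl3/softokn3 for Firefox, sqlite3 for the login databases).
# They correspond to the ET HUNTING "HTTP GET Request for <dll>" alerts on this page;
# msvcp140.dll is an assumption added for the example.
STEALER_DLLS = {
    "nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll",
    "sqlite3.dll", "vcruntime140.dll", "msvcp140.dll",
}

# Host header that is a bare IPv4 literal (optionally with a port): fetching from such
# a host needs no DNS lookup, matching the "Dotted Quad Host" alert.
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# Hypothetical proxy-log layout used here: "<ISO-8601 time> <client> <method> <host> <path>".
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "path": path}


def detect_stealer_dll_pulls(lines, min_dlls=3, window=timedelta(minutes=10)):
    """Return {client: {host: [dlls]}} for every client that fetched at least
    `min_dlls` distinct names from STEALER_DLLS, from one IP-literal host, within
    `window`. A single DLL is only a hunting lead; the cluster is the detection."""
    per_pair = defaultdict(list)  # (client, host) -> [(timestamp, dll)]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "GET" or not IPV4_HOST.match(ev["host"]):
            continue
        name = ev["path"].rsplit("/", 1)[-1].lower()
        if name in STEALER_DLLS:
            per_pair[(ev["client"], ev["host"])].append((ev["ts"], name))

    hits = defaultdict(dict)
    for (client, host), events in per_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over the fetches
            seen = {dll for t, dll in events[i:] if t - t0 <= window}
            if len(seen) >= min_dlls:
                hits[client][host] = sorted(seen)
                break
    return dict(hits)


# Constructed sample traffic (not taken from the sandbox run). 10.0.0.5 reproduces the
# DLL sequence the alerts describe; 10.0.0.9 pulls one runtime DLL from a named host
# and one from an IP literal, which stays below the threshold.
SAMPLE_LOG = [
    "2023-11-16T19:02:10 10.0.0.5 POST 203.0.113.7 /",
    "2023-11-16T19:02:11 10.0.0.5 GET 203.0.113.7 /libs/nss3.dll",
    "2023-11-16T19:02:12 10.0.0.5 GET 203.0.113.7 /libs/vcruntime140.dll",
    "2023-11-16T19:02:13 10.0.0.5 GET 203.0.113.7 /libs/mozglue.dll",
    "2023-11-16T19:02:14 10.0.0.5 GET 203.0.113.7 /libs/freebl3.dll",
    "2023-11-16T19:02:15 10.0.0.5 GET 203.0.113.7 /libs/softokn3.dll",
    "2023-11-16T19:02:16 10.0.0.5 GET 203.0.113.7 /libs/sqlite3.dll",
    "2023-11-16T19:02:20 10.0.0.5 POST 203.0.113.7 /",
    "2023-11-16T19:05:00 10.0.0.9 GET dl.example.com /runtime/vcruntime140.dll",
    "2023-11-16T19:06:00 10.0.0.9 GET 198.51.100.4 /sqlite3.dll",
]

if __name__ == "__main__":
    for client, hosts in detect_stealer_dll_pulls(SAMPLE_LOG).items():
        for host, dlls in hosts.items():
            print(f"{client} pulled {len(dlls)} stealer DLLs from {host}: {', '.join(dlls)}")
```

The threshold and window are tunable: vcruntime140.dll alone is fetched by plenty of legitimate installers, which is why the ET rules for it are HUNTING rather than MALWARE, but three or more of these names from one IP-literal host inside ten minutes has no benign explanation the authors of this page's alerts would accept. The POST lines are deliberately ignored here; the check-in body is what the "Possible Generic Stealer Sending System Information" rule inspects and it needs payload access, not just the request line.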
PE API
IAT(Import Address Table) Library
USER32.dll
0x4dc2dc ValidateRgn
ADVAPI32.dll
0x4dc000 SetServiceStatus
KERNEL32.dll
0x4dc030 CreateFileW
0x4dc034 WaitForThreadpoolTimerCallbacks
0x4dc038 CloseHandle
0x4dc03c EnterCriticalSection
0x4dc040 LeaveCriticalSection
0x4dc044 InitializeCriticalSectionAndSpinCount
0x4dc048 DeleteCriticalSection
0x4dc04c SetEvent
0x4dc050 ResetEvent
0x4dc054 WaitForSingleObjectEx
0x4dc058 CreateEventW
0x4dc05c GetModuleHandleW
0x4dc060 GetProcAddress
0x4dc064 IsDebuggerPresent
0x4dc068 UnhandledExceptionFilter
0x4dc06c SetUnhandledExceptionFilter
0x4dc070 GetStartupInfoW
0x4dc074 IsProcessorFeaturePresent
0x4dc078 QueryPerformanceCounter
0x4dc07c GetCurrentProcessId
0x4dc080 GetCurrentThreadId
0x4dc084 GetSystemTimeAsFileTime
0x4dc088 InitializeSListHead
0x4dc08c GetCurrentProcess
0x4dc090 TerminateProcess
0x4dc094 Sleep
0x4dc098 SwitchToThread
0x4dc09c GetExitCodeThread
0x4dc0a0 GetNativeSystemInfo
0x4dc0a4 GetStringTypeW
0x4dc0a8 WideCharToMultiByte
0x4dc0ac MultiByteToWideChar
0x4dc0b0 FormatMessageA
0x4dc0b4 EncodePointer
0x4dc0b8 DecodePointer
0x4dc0bc QueryPerformanceFrequency
0x4dc0c0 InitializeSRWLock
0x4dc0c4 ReleaseSRWLockExclusive
0x4dc0c8 AcquireSRWLockExclusive
0x4dc0cc TryAcquireSRWLockExclusive
0x4dc0d0 InitializeConditionVariable
0x4dc0d4 WakeConditionVariable
0x4dc0d8 WakeAllConditionVariable
0x4dc0dc SleepConditionVariableSRW
0x4dc0e0 InitializeCriticalSectionEx
0x4dc0e4 LCMapStringEx
0x4dc0e8 LocalFree
0x4dc0ec GetLocaleInfoEx
0x4dc0f0 SetFileInformationByHandle
0x4dc0f4 GetTempPathW
0x4dc0f8 FlsAlloc
0x4dc0fc FlsGetValue
0x4dc100 FlsSetValue
0x4dc104 FlsFree
0x4dc108 InitOnceExecuteOnce
0x4dc10c SleepConditionVariableCS
0x4dc110 CreateEventExW
0x4dc114 CreateSemaphoreExW
0x4dc118 FlushProcessWriteBuffers
0x4dc11c GetCurrentProcessorNumber
0x4dc120 GetTickCount64
0x4dc124 FreeLibraryWhenCallbackReturns
0x4dc128 CreateThreadpoolWork
0x4dc12c SubmitThreadpoolWork
0x4dc130 CloseThreadpoolWork
0x4dc134 CreateThreadpoolTimer
0x4dc138 SetThreadpoolTimer
0x4dc13c WriteConsoleW
0x4dc140 CloseThreadpoolTimer
0x4dc144 CreateThreadpoolWait
0x4dc148 SetThreadpoolWait
0x4dc14c CloseThreadpoolWait
0x4dc150 GetFileInformationByHandleEx
0x4dc154 CreateSymbolicLinkW
0x4dc158 CompareStringEx
0x4dc15c GetCPInfo
0x4dc160 HeapSize
0x4dc164 RaiseException
0x4dc168 RtlUnwind
0x4dc16c InterlockedPushEntrySList
0x4dc170 InterlockedFlushSList
0x4dc174 GetLastError
0x4dc178 SetLastError
0x4dc17c TlsAlloc
0x4dc180 TlsGetValue
0x4dc184 TlsSetValue
0x4dc188 TlsFree
0x4dc18c FreeLibrary
0x4dc190 LoadLibraryExW
0x4dc194 ExitProcess
0x4dc198 GetModuleHandleExW
0x4dc19c GetModuleFileNameW
0x4dc1a0 GetStdHandle
0x4dc1a4 WriteFile
0x4dc1a8 GetCommandLineA
0x4dc1ac GetCommandLineW
0x4dc1b0 CreateThread
0x4dc1b4 ExitThread
0x4dc1b8 ResumeThread
0x4dc1bc FreeLibraryAndExitThread
0x4dc1c0 GetCurrentThread
0x4dc1c4 HeapFree
0x4dc1c8 HeapAlloc
0x4dc1cc FindClose
0x4dc1d0 FindFirstFileExW
0x4dc1d4 FindNextFileW
0x4dc1d8 IsValidCodePage
0x4dc1dc GetACP
0x4dc1e0 GetOEMCP
0x4dc1e4 GetEnvironmentStringsW
0x4dc1e8 FreeEnvironmentStringsW
0x4dc1ec SetEnvironmentVariableW
0x4dc1f0 GetDateFormatW
0x4dc1f4 GetTimeFormatW
0x4dc1f8 CompareStringW
0x4dc1fc LCMapStringW
0x4dc200 GetLocaleInfoW
0x4dc204 IsValidLocale
0x4dc208 GetUserDefaultLCID
0x4dc20c EnumSystemLocalesW
0x4dc210 GetProcessHeap
0x4dc214 GetFileType
0x4dc218 SetConsoleCtrlHandler
0x4dc21c OutputDebugStringW
0x4dc220 SetStdHandle
0x4dc224 GetFileSizeEx
0x4dc228 SetFilePointerEx
0x4dc22c FlushFileBuffers
0x4dc230 GetConsoleOutputCP
0x4dc234 GetConsoleMode
0x4dc238 ReadFile
0x4dc23c ReadConsoleW
0x4dc240 HeapReAlloc
0x4dc244 GetTimeZoneInformation
EAT(Export Address Table) Library
0x405abf _GetPhysicalSize@12
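The import table above is almost entirely what the MSVC runtime start-up code pulls in on its own, plus GetProcAddress and LoadLibraryExW. None of the APIs behind the injection the sandbox reported (NtSetContextThread, writing and allocating executable memory in another process) is imported statically; of the usual injection set only ResumeThread is present, and USER32 and ADVAPI32 each contribute a single unrelated function. Read together with the packer rules (UPX_Zero and Malicious_Packer_Zero on the uploaded binary, "unknown PE section names") this says the real payload resolves its imports at run time and import-based triage has to be repeated on an unpacked dump. The Python below is an added example, not part of the report, that encodes that reasoning over the import and export lists exactly as they appear on this page. The API groupings, the "fewer than three injection APIs" threshold and the single-import-DLL heuristic are choices made for the example, not a published taxonomy.

```python
# Import/export tables of Morning.exe as listed in the PE API section of this page.
IAT = {
    "USER32.dll": ["ValidateRgn"],
    "ADVAPI32.dll": ["SetServiceStatus"],
    "KERNEL32.dll": """
        CreateFileW WaitForThreadpoolTimerCallbacks CloseHandle EnterCriticalSection
        LeaveCriticalSection InitializeCriticalSectionAndSpinCount DeleteCriticalSection
        SetEvent ResetEvent WaitForSingleObjectEx CreateEventW GetModuleHandleW GetProcAddress
        IsDebuggerPresent UnhandledExceptionFilter SetUnhandledExceptionFilter GetStartupInfoW
        IsProcessorFeaturePresent QueryPerformanceCounter GetCurrentProcessId GetCurrentThreadId
        GetSystemTimeAsFileTime InitializeSListHead GetCurrentProcess TerminateProcess Sleep
        SwitchToThread GetExitCodeThread GetNativeSystemInfo GetStringTypeW WideCharToMultiByte
        MultiByteToWideChar FormatMessageA EncodePointer DecodePointer QueryPerformanceFrequency
        InitializeSRWLock ReleaseSRWLockExclusive AcquireSRWLockExclusive TryAcquireSRWLockExclusive
        InitializeConditionVariable WakeConditionVariable WakeAllConditionVariable
        SleepConditionVariableSRW InitializeCriticalSectionEx LCMapStringEx LocalFree GetLocaleInfoEx
        SetFileInformationByHandle GetTempPathW FlsAlloc FlsGetValue FlsSetValue FlsFree
        InitOnceExecuteOnce SleepConditionVariableCS CreateEventExW CreateSemaphoreExW
        FlushProcessWriteBuffers GetCurrentProcessorNumber GetTickCount64 FreeLibraryWhenCallbackReturns
        CreateThreadpoolWork SubmitThreadpoolWork CloseThreadpoolWork CreateThreadpoolTimer
        SetThreadpoolTimer WriteConsoleW CloseThreadpoolTimer CreateThreadpoolWait SetThreadpoolWait
        CloseThreadpoolWait GetFileInformationByHandleEx CreateSymbolicLinkW CompareStringEx GetCPInfo
        HeapSize RaiseException RtlUnwind InterlockedPushEntrySList InterlockedFlushSList GetLastError
        SetLastError TlsAlloc TlsGetValue TlsSetValue TlsFree FreeLibrary LoadLibraryExW ExitProcess
        GetModuleHandleExW GetModuleFileNameW GetStdHandle WriteFile GetCommandLineA GetCommandLineW
        CreateThread ExitThread ResumeThread FreeLibraryAndExitThread GetCurrentThread HeapFree
        HeapAlloc FindClose FindFirstFileExW FindNextFileW IsValidCodePage GetACP GetOEMCP
        GetEnvironmentStringsW FreeEnvironmentStringsW SetEnvironmentVariableW GetDateFormatW
        GetTimeFormatW CompareStringW LCMapStringW GetLocaleInfoW IsValidLocale GetUserDefaultLCID
        EnumSystemLocalesW GetProcessHeap GetFileType SetConsoleCtrlHandler OutputDebugStringW
        SetStdHandle GetFileSizeEx SetFilePointerEx FlushFileBuffers GetConsoleOutputCP GetConsoleMode
        ReadFile ReadConsoleW HeapReAlloc GetTimeZoneInformation
    """.split(),
}
EAT = ["_GetPhysicalSize@12"]

# Capability groupings chosen for this example (heuristics, not a published taxonomy).
INJECTION_APIS = {
    "CreateProcessA", "CreateProcessW", "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
    "NtWriteVirtualMemory", "NtUnmapViewOfSection", "GetThreadContext", "SetThreadContext",
    "NtSetContextThread", "ResumeThread", "NtResumeThread", "CreateRemoteThread",
    "NtCreateThreadEx", "QueueUserAPC",
}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "OutputDebugStringA", "OutputDebugStringW"}
FILE_ENUM_APIS = {"FindFirstFileW", "FindFirstFileExW", "FindNextFileW"}


def triage_imports(iat, eat, reported_injection, is_dll=False):
    """Compare a static import table with the behaviour the sandbox reported.
    `reported_injection` is True when the dynamic run showed code injection, as it
    did here (NtSetContextThread, remote memory writes, a resumed remote thread)."""
    names = {n for funcs in iat.values() for n in funcs}
    has_loadlib = any(n.startswith("LoadLibrary") for n in names)
    report = {
        "import_count": sum(len(f) for f in iat.values()),
        # GetProcAddress plus any LoadLibrary* is all an unpacking stub needs to resolve
        # every other API at run time; the rest of the IAT then describes the stub, not
        # the payload.
        "dynamic_resolution": "GetProcAddress" in names and has_loadlib,
        "injection_present": sorted(names & INJECTION_APIS),
        "injection_missing": sorted(INJECTION_APIS - names),
        "anti_debug": sorted(names & ANTI_DEBUG_APIS),
        "file_enum": sorted(names & FILE_ENUM_APIS),
        # A DLL contributing exactly one import is a common sign of padding added to look
        # legitimate or to perturb the imphash (heuristic).
        "single_import_dlls": sorted(d for d, f in iat.items() if len(f) == 1),
        # A console EXE that exports a symbol is unusual and worth a look (low confidence).
        "exe_with_exports": bool(eat) and not is_dll,
    }
    # Injection seen at run time that the static imports cannot produce means the
    # payload is resolved or unpacked later: re-run import triage on a memory dump.
    report["needs_unpacking"] = (
        reported_injection and report["dynamic_resolution"]
        and len(report["injection_present"]) < 3
    )
    return report


def summarise(report):
    """Render the report as short analyst notes."""
    notes = [f"{report['import_count']} static imports",
             f"injection APIs present: {', '.join(report['injection_present']) or 'none'}",
             f"anti-debug imports: {', '.join(report['anti_debug']) or 'none'}",
             f"single-import DLLs: {', '.join(report['single_import_dlls']) or 'none'}"]
    if report["needs_unpacking"]:
        notes.append("reported injection is not backed by static imports; "
                     "unpack or dump the process before relying on the IAT")
    return "\n".join(notes)


if __name__ == "__main__":
    print(summarise(triage_imports(IAT, EAT, reported_injection=True)))
```

Two of the groupings line up with rules that fired on this page: IsDebuggerPresent and OutputDebugStringW are what the anti_dbg and DebuggerCheck rules key on, and FindFirstFileExW/FindNextFileW are the file enumeration a stealer uses when it "tries to locate where the browsers are installed". The missing-API list is the practical output: NtSetContextThread, WriteProcessMemory and VirtualAllocEx are what to set breakpoints on in the unpacked stage, since that is where they will first appear.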