ScreenShot
| Created | 2023.12.07 11:47 | Machine | s1_win7_x6403 |
| Filename | Application.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 35 detected (AIDetectMalware, ruW@bSJZebei, AdwareLinkury, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, score, FileRepMalware, AGEN, R06CC0XL623, Static AI, Suspicious PE, ai score=82, Wacatac, BScope, unsafe, Generic@AI, RDML, ViMpBtJGzyRg1BpQ, susgen) | ||
| md5 | 3ba788943ce69ebe9bbd218606fd8547 | ||
| sha256 | 13f53967b03017371c9385a4266b5f3169afe48e933a5cbbf95f24843c05f376 | ||
| ssdeep | 6144:xOsvv2XehpGU3HufTii8q0xH9h6edHyQYQFRkVli17iJiy8BNg2AOxT4hR:9BHL6edHytQEiy8BNg2khR | ||
| imphash | b6dba263daca1c4e70a9fb4873536e29 | ||
| impfuzzy | 24:hyO4rpM8zBdu9QHZ2cpVWcstwX7M3JBl3eDoro0OovbOxv1GM+HFZxNM1wudVSTT:4PpMwWcpV5stwX7MPpX+3RaFZij+gHK | ||
Network IP location
Signature (28cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Checks the version of Bios |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Installs itself for autorun at Windows startup |
| watch | Network activity contains more than one unique useragent |
| watch | One or more of the buffers contains an embedded PE file |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process gfsvc.exe |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Terminates another process |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (8cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET POLICY curl User-Agent Outbound
ET INFO Executable Download from dotted-quad Host
ET HUNTING curl User-Agent to Dotted Quad
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Executable Download from dotted-quad Host
ET HUNTING curl User-Agent to Dotted Quad
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x435018 GetModuleFileNameA
0x43501c CreateMutexA
0x435020 CopyFileA
0x435024 GetLastError
0x435028 GetCurrentProcessId
0x43502c GetCurrentProcess
0x435030 Sleep
0x435034 GetComputerNameA
0x435038 CheckRemoteDebuggerPresent
0x43503c WriteConsoleW
0x435040 K32EnumProcesses
0x435044 CloseHandle
0x435048 K32GetModuleFileNameExA
0x43504c OpenProcess
0x435050 CreateDirectoryA
0x435054 TerminateProcess
0x435058 HeapSize
0x43505c CreateFileW
0x435060 GetProcessHeap
0x435064 SetStdHandle
0x435068 SetEnvironmentVariableW
0x43506c FreeEnvironmentStringsW
0x435070 GetEnvironmentStringsW
0x435074 GetOEMCP
0x435078 GetACP
0x43507c IsValidCodePage
0x435080 FindNextFileW
0x435084 FindFirstFileExW
0x435088 FindClose
0x43508c HeapReAlloc
0x435090 ReadConsoleW
0x435094 WideCharToMultiByte
0x435098 EnterCriticalSection
0x43509c LeaveCriticalSection
0x4350a0 InitializeCriticalSectionEx
0x4350a4 DeleteCriticalSection
0x4350a8 EncodePointer
0x4350ac DecodePointer
0x4350b0 MultiByteToWideChar
0x4350b4 LCMapStringEx
0x4350b8 GetStringTypeW
0x4350bc GetCPInfo
0x4350c0 UnhandledExceptionFilter
0x4350c4 SetUnhandledExceptionFilter
0x4350c8 IsProcessorFeaturePresent
0x4350cc QueryPerformanceCounter
0x4350d0 GetCurrentThreadId
0x4350d4 GetSystemTimeAsFileTime
0x4350d8 InitializeSListHead
0x4350dc IsDebuggerPresent
0x4350e0 GetStartupInfoW
0x4350e4 GetModuleHandleW
0x4350e8 RtlUnwind
0x4350ec RaiseException
0x4350f0 SetLastError
0x4350f4 InitializeCriticalSectionAndSpinCount
0x4350f8 TlsAlloc
0x4350fc TlsGetValue
0x435100 TlsSetValue
0x435104 TlsFree
0x435108 FreeLibrary
0x43510c GetProcAddress
0x435110 LoadLibraryExW
0x435114 ExitProcess
0x435118 GetModuleHandleExW
0x43511c GetStdHandle
0x435120 WriteFile
0x435124 GetModuleFileNameW
0x435128 GetCommandLineA
0x43512c GetCommandLineW
0x435130 GetFileSizeEx
0x435134 SetFilePointerEx
0x435138 GetFileType
0x43513c FlushFileBuffers
0x435140 GetConsoleOutputCP
0x435144 GetConsoleMode
0x435148 HeapFree
0x43514c HeapAlloc
0x435150 CompareStringW
0x435154 LCMapStringW
0x435158 GetLocaleInfoW
0x43515c IsValidLocale
0x435160 GetUserDefaultLCID
0x435164 EnumSystemLocalesW
0x435168 ReadFile
0x43516c SetEndOfFile
ADVAPI32.dll
0x435000 RegCloseKey
0x435004 RegQueryValueExA
0x435008 RegSetValueExA
0x43500c RegOpenKeyExA
0x435010 GetUserNameA
SHELL32.dll
0x435188 ShellExecuteA
ole32.dll
0x4351a4 CoUninitialize
0x4351a8 CoSetProxyBlanket
0x4351ac CoInitializeSecurity
0x4351b0 CoInitializeEx
0x4351b4 CoCreateInstance
OLEAUT32.dll
0x435174 VariantClear
0x435178 SysAllocString
0x43517c SysFreeString
0x435180 VariantInit
WININET.dll
0x435190 InternetCloseHandle
0x435194 InternetReadFile
0x435198 InternetOpenW
0x43519c InternetOpenUrlA
EAT(Export Address Table) is none
KERNEL32.dll
0x435018 GetModuleFileNameA
0x43501c CreateMutexA
0x435020 CopyFileA
0x435024 GetLastError
0x435028 GetCurrentProcessId
0x43502c GetCurrentProcess
0x435030 Sleep
0x435034 GetComputerNameA
0x435038 CheckRemoteDebuggerPresent
0x43503c WriteConsoleW
0x435040 K32EnumProcesses
0x435044 CloseHandle
0x435048 K32GetModuleFileNameExA
0x43504c OpenProcess
0x435050 CreateDirectoryA
0x435054 TerminateProcess
0x435058 HeapSize
0x43505c CreateFileW
0x435060 GetProcessHeap
0x435064 SetStdHandle
0x435068 SetEnvironmentVariableW
0x43506c FreeEnvironmentStringsW
0x435070 GetEnvironmentStringsW
0x435074 GetOEMCP
0x435078 GetACP
0x43507c IsValidCodePage
0x435080 FindNextFileW
0x435084 FindFirstFileExW
0x435088 FindClose
0x43508c HeapReAlloc
0x435090 ReadConsoleW
0x435094 WideCharToMultiByte
0x435098 EnterCriticalSection
0x43509c LeaveCriticalSection
0x4350a0 InitializeCriticalSectionEx
0x4350a4 DeleteCriticalSection
0x4350a8 EncodePointer
0x4350ac DecodePointer
0x4350b0 MultiByteToWideChar
0x4350b4 LCMapStringEx
0x4350b8 GetStringTypeW
0x4350bc GetCPInfo
0x4350c0 UnhandledExceptionFilter
0x4350c4 SetUnhandledExceptionFilter
0x4350c8 IsProcessorFeaturePresent
0x4350cc QueryPerformanceCounter
0x4350d0 GetCurrentThreadId
0x4350d4 GetSystemTimeAsFileTime
0x4350d8 InitializeSListHead
0x4350dc IsDebuggerPresent
0x4350e0 GetStartupInfoW
0x4350e4 GetModuleHandleW
0x4350e8 RtlUnwind
0x4350ec RaiseException
0x4350f0 SetLastError
0x4350f4 InitializeCriticalSectionAndSpinCount
0x4350f8 TlsAlloc
0x4350fc TlsGetValue
0x435100 TlsSetValue
0x435104 TlsFree
0x435108 FreeLibrary
0x43510c GetProcAddress
0x435110 LoadLibraryExW
0x435114 ExitProcess
0x435118 GetModuleHandleExW
0x43511c GetStdHandle
0x435120 WriteFile
0x435124 GetModuleFileNameW
0x435128 GetCommandLineA
0x43512c GetCommandLineW
0x435130 GetFileSizeEx
0x435134 SetFilePointerEx
0x435138 GetFileType
0x43513c FlushFileBuffers
0x435140 GetConsoleOutputCP
0x435144 GetConsoleMode
0x435148 HeapFree
0x43514c HeapAlloc
0x435150 CompareStringW
0x435154 LCMapStringW
0x435158 GetLocaleInfoW
0x43515c IsValidLocale
0x435160 GetUserDefaultLCID
0x435164 EnumSystemLocalesW
0x435168 ReadFile
0x43516c SetEndOfFile
ADVAPI32.dll
0x435000 RegCloseKey
0x435004 RegQueryValueExA
0x435008 RegSetValueExA
0x43500c RegOpenKeyExA
0x435010 GetUserNameA
SHELL32.dll
0x435188 ShellExecuteA
ole32.dll
0x4351a4 CoUninitialize
0x4351a8 CoSetProxyBlanket
0x4351ac CoInitializeSecurity
0x4351b0 CoInitializeEx
0x4351b4 CoCreateInstance
OLEAUT32.dll
0x435174 VariantClear
0x435178 SysAllocString
0x43517c SysFreeString
0x435180 VariantInit
WININET.dll
0x435190 InternetCloseHandle
0x435194 InternetReadFile
0x435198 InternetOpenW
0x43519c InternetOpenUrlA
EAT(Export Address Table) is none