Field | Value |
---|---|
Created | 2023.12.14 19:32 |
Machine | s1_win7_x6401 |
Filename | statem_pdf.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malicious |
VT API (file) | 38 detected (AIDetectMalware, malicious, high confidence, score, Havokiz, Marte, unsafe, Havoc, Vq4k, AGen, Nsisx, Muj2LsPTQQM, Detected, ai score=80, Kcnw, Static AI, Malicious SFX, confidence) |
md5 | 55461180284dcdf6ad0f3edaf8d68307 |
sha256 | f28d1d2b068f4f4fb7de609d663c0be15102928624cc7c56ca0e146d9b47e616 |
ssdeep | 6144:DE+yclwQKjdn+WPtYVJIoBf/fwWvs5++1Hzs5i:DBdlwHRn+WlYV+ufwW0E+BGi |
imphash | 75e9596d74d063246ba6f3ac7c5369a0 |
impfuzzy | 48:J9jOXRgLy1XFjsX1Pfc++6W3CYpZGtWXCuniLFH:JdcgLy1XFgX1Pfc++V/7GtWXCuniLFH |
Network IP location
Signature (23cnts)
Level | Description |
---|---|
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
watch | One or more non-whitelisted processes were created |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates (office) documents on the filesystem |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Steals private information from local Internet browsers |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
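The "Found URLs in memory pointing to an IP address rather than a domain" signature above is a simple string check that an analyst can rerun by hand over the `strings` output of a memory dump. The following is an added example, not code from the sandbox or from this report: it scans a list of strings for URLs whose host is an IPv4 literal, rejects malformed quads (such as an octet above 255) and tags loopback/link-local targets, which are usually less interesting than a remote host hard-coded in the binary. The sample strings are constructed for illustration (RFC 5737 documentation addresses) and do not come from this sample's memory.

```python
"""Find URLs whose host is an IPv4 literal instead of a domain name.

Added example, not code from the sandbox page: it implements the idea behind
the "URLs in memory pointing to an IP address rather than a domain" signature
as a stand-alone check over a list of strings, e.g. the output of `strings`
on a process memory dump. The sample strings are constructed for illustration
and are not taken from this report.
"""
import ipaddress
import re

# scheme://host[:port][path]; the host stops at '/', ':', '?', '#',
# quotes, angle brackets or whitespace.
URL_RE = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>[^\s/:?#\"'<>]+)"
    r"(?::(?P<port>\d{1,5}))?(?P<path>[^\s\"'<>]*)",
    re.IGNORECASE,
)


def ipv4_literal(host):
    """Return an IPv4Address when host is a valid dotted quad, else None.

    ipaddress rejects hostnames, IPv6 text and quads with an octet > 255,
    so a string like 999.1.1.1 is not reported as an IP-literal URL.
    """
    try:
        return ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return None


def ip_literal_urls(strings):
    """Return one dict per URL whose host is an IPv4 literal.

    'local' marks loopback and link-local targets; those are usually
    debugging or proxy leftovers rather than command-and-control hosts.
    """
    hits = []
    for text in strings:
        for m in URL_RE.finditer(text):
            ip = ipv4_literal(m.group("host"))
            if ip is None:
                continue  # domain name, IPv6, or a malformed quad
            hits.append({
                "url": m.group(0),
                "ip": str(ip),
                "port": int(m.group("port")) if m.group("port") else None,
                "local": ip.is_loopback or ip.is_link_local,
            })
    return hits


# Constructed sample "memory strings" (not from this report).
SAMPLE_STRINGS = [
    "POST http://203.0.113.45:8080/gate.php HTTP/1.1",
    "https://www.example.com/update/check",
    "ftp://198.51.100.7/upload",
    "http://999.1.1.1/not-a-valid-quad",
    "proxy at http://127.0.0.1:8888/ for testing",
    "Mozilla/5.0 (Windows NT 6.1; WOW64)",
]

if __name__ == "__main__":
    for hit in ip_literal_urls(SAMPLE_STRINGS):
        print(hit)
```

On the constructed input the scan returns the two remote IP-literal URLs and the loopback proxy URL (flagged `local`), and skips the domain-based URL and the malformed quad. For triage, prioritise non-local hits, and treat RFC 1918 addresses separately if the sample was run in an internal lab network.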
Rules (48cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer | memory |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | infoStealer_browser_Zero | browser info stealer | memory |
watch | Chrome_User_Data_Check_Zero | Google Chrome User Data Check | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (upload) |
watch | Win32_WinRAR_SFX_Zero | Win32 WinRAR SFX | binaries (upload) |
notice | BitCoin | Perform crypto currency mining | memory |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | PDF_Format_Z | PDF Format | binaries (download) |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Virtual_currency_Zero | Virtual currency | memory |
info | vmdetect | Possibly employs anti-virtualization techniques | memory |
info | win_hook | Affect hook table | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x436000 GetLastError
0x436004 SetLastError
0x436008 FormatMessageW
0x43600c GetCurrentProcess
0x436010 DeviceIoControl
0x436014 SetFileTime
0x436018 CloseHandle
0x43601c CreateDirectoryW
0x436020 RemoveDirectoryW
0x436024 CreateFileW
0x436028 DeleteFileW
0x43602c CreateHardLinkW
0x436030 GetShortPathNameW
0x436034 GetLongPathNameW
0x436038 MoveFileW
0x43603c GetFileType
0x436040 GetStdHandle
0x436044 WriteFile
0x436048 ReadFile
0x43604c FlushFileBuffers
0x436050 SetEndOfFile
0x436054 SetFilePointer
0x436058 GetCurrentProcessId
0x43605c SetFileAttributesW
0x436060 GetFileAttributesW
0x436064 FindClose
0x436068 FindFirstFileW
0x43606c FindNextFileW
0x436070 InterlockedDecrement
0x436074 GetVersionExW
0x436078 GetCurrentDirectoryW
0x43607c GetFullPathNameW
0x436080 FoldStringW
0x436084 GetModuleFileNameW
0x436088 GetModuleHandleW
0x43608c FindResourceW
0x436090 FreeLibrary
0x436094 GetProcAddress
0x436098 ExitProcess
0x43609c SetThreadExecutionState
0x4360a0 Sleep
0x4360a4 LoadLibraryW
0x4360a8 GetSystemDirectoryW
0x4360ac CompareStringW
0x4360b0 AllocConsole
0x4360b4 FreeConsole
0x4360b8 AttachConsole
0x4360bc WriteConsoleW
0x4360c0 GetProcessAffinityMask
0x4360c4 CreateThread
0x4360c8 SetThreadPriority
0x4360cc InitializeCriticalSection
0x4360d0 EnterCriticalSection
0x4360d4 LeaveCriticalSection
0x4360d8 DeleteCriticalSection
0x4360dc SetEvent
0x4360e0 ResetEvent
0x4360e4 ReleaseSemaphore
0x4360e8 WaitForSingleObject
0x4360ec CreateEventW
0x4360f0 CreateSemaphoreW
0x4360f4 GetSystemTime
0x4360f8 SystemTimeToTzSpecificLocalTime
0x4360fc TzSpecificLocalTimeToSystemTime
0x436100 SystemTimeToFileTime
0x436104 FileTimeToLocalFileTime
0x436108 LocalFileTimeToFileTime
0x43610c FileTimeToSystemTime
0x436110 GetCPInfo
0x436114 IsDBCSLeadByte
0x436118 MultiByteToWideChar
0x43611c WideCharToMultiByte
0x436120 GlobalAlloc
0x436124 LockResource
0x436128 GlobalLock
0x43612c GlobalUnlock
0x436130 GlobalFree
0x436134 LoadResource
0x436138 SizeofResource
0x43613c SetCurrentDirectoryW
0x436140 GetTimeFormatW
0x436144 GetDateFormatW
0x436148 LocalFree
0x43614c GetExitCodeProcess
0x436150 GetLocalTime
0x436154 GetTickCount
0x436158 MapViewOfFile
0x43615c UnmapViewOfFile
0x436160 CreateFileMappingW
0x436164 OpenFileMappingW
0x436168 GetCommandLineW
0x43616c SetEnvironmentVariableW
0x436170 ExpandEnvironmentStringsW
0x436174 GetTempPathW
0x436178 MoveFileExW
0x43617c GetLocaleInfoW
0x436180 GetNumberFormatW
0x436184 DecodePointer
0x436188 SetFilePointerEx
0x43618c GetConsoleMode
0x436190 GetConsoleCP
0x436194 HeapSize
0x436198 SetStdHandle
0x43619c GetProcessHeap
0x4361a0 FreeEnvironmentStringsW
0x4361a4 GetEnvironmentStringsW
0x4361a8 GetCommandLineA
0x4361ac GetOEMCP
0x4361b0 RaiseException
0x4361b4 GetSystemInfo
0x4361b8 VirtualProtect
0x4361bc VirtualQuery
0x4361c0 LoadLibraryExA
0x4361c4 UnhandledExceptionFilter
0x4361c8 SetUnhandledExceptionFilter
0x4361cc TerminateProcess
0x4361d0 IsProcessorFeaturePresent
0x4361d4 IsDebuggerPresent
0x4361d8 GetStartupInfoW
0x4361dc QueryPerformanceCounter
0x4361e0 GetCurrentThreadId
0x4361e4 GetSystemTimeAsFileTime
0x4361e8 InitializeSListHead
0x4361ec RtlUnwind
0x4361f0 EncodePointer
0x4361f4 InitializeCriticalSectionAndSpinCount
0x4361f8 TlsAlloc
0x4361fc TlsGetValue
0x436200 TlsSetValue
0x436204 TlsFree
0x436208 LoadLibraryExW
0x43620c QueryPerformanceFrequency
0x436210 GetModuleHandleExW
0x436214 GetModuleFileNameA
0x436218 GetACP
0x43621c HeapFree
0x436220 HeapReAlloc
0x436224 HeapAlloc
0x436228 GetStringTypeW
0x43622c LCMapStringW
0x436230 FindFirstFileExA
0x436234 FindNextFileA
0x436238 IsValidCodePage
OLEAUT32.dll
0x436240 SysAllocString
0x436244 SysFreeString
0x436248 VariantClear
gdiplus.dll
0x436250 GdipAlloc
0x436254 GdipDisposeImage
0x436258 GdipCloneImage
0x43625c GdipCreateBitmapFromStream
0x436260 GdipCreateBitmapFromStreamICM
0x436264 GdipCreateHBITMAPFromBitmap
0x436268 GdiplusStartup
0x43626c GdiplusShutdown
0x436270 GdipFree
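The imphash shown in the header table is derived from exactly this import list: the pefile algorithm lower-cases each `library.function` pair (dropping a `.dll`, `.ocx` or `.sys` extension), joins the pairs with commas in import-table order and takes the MD5. The block below is an added example, not code from the sandbox or this report; it transcribes the IAT listed above and recomputes the value so an analyst can confirm the listing is complete and in on-disk order. The assumption is that the report prints the imports in import-table order with no ordinal-only entries; if the recomputed hash differs from the reported `75e9596d74d063246ba6f3ac7c5369a0`, the script says so instead of assuming a match.

```python
"""Recompute the imphash of statem_pdf.exe from the IAT printed in the report.

Added example (not code from the sandbox page). The import names below are
transcribed from the report's IAT section in the order it prints them. The
hash follows pefile.PE.get_imphash(): "lib.func" pairs lower-cased, library
extension stripped for .dll/.ocx/.sys, comma-joined, MD5. Order matters, so a
truncated or reordered listing will not reproduce the reported value.
"""
import hashlib

# Assumption: the report lists every import in import-table order and none
# of them is imported by ordinal only.
REPORT_IAT = {
    "KERNEL32.dll": """
        GetLastError SetLastError FormatMessageW GetCurrentProcess DeviceIoControl
        SetFileTime CloseHandle CreateDirectoryW RemoveDirectoryW CreateFileW
        DeleteFileW CreateHardLinkW GetShortPathNameW GetLongPathNameW MoveFileW
        GetFileType GetStdHandle WriteFile ReadFile FlushFileBuffers SetEndOfFile
        SetFilePointer GetCurrentProcessId SetFileAttributesW GetFileAttributesW
        FindClose FindFirstFileW FindNextFileW InterlockedDecrement GetVersionExW
        GetCurrentDirectoryW GetFullPathNameW FoldStringW GetModuleFileNameW
        GetModuleHandleW FindResourceW FreeLibrary GetProcAddress ExitProcess
        SetThreadExecutionState Sleep LoadLibraryW GetSystemDirectoryW
        CompareStringW AllocConsole FreeConsole AttachConsole WriteConsoleW
        GetProcessAffinityMask CreateThread SetThreadPriority
        InitializeCriticalSection EnterCriticalSection LeaveCriticalSection
        DeleteCriticalSection SetEvent ResetEvent ReleaseSemaphore
        WaitForSingleObject CreateEventW CreateSemaphoreW GetSystemTime
        SystemTimeToTzSpecificLocalTime TzSpecificLocalTimeToSystemTime
        SystemTimeToFileTime FileTimeToLocalFileTime LocalFileTimeToFileTime
        FileTimeToSystemTime GetCPInfo IsDBCSLeadByte MultiByteToWideChar
        WideCharToMultiByte GlobalAlloc LockResource GlobalLock GlobalUnlock
        GlobalFree LoadResource SizeofResource SetCurrentDirectoryW
        GetTimeFormatW GetDateFormatW LocalFree GetExitCodeProcess GetLocalTime
        GetTickCount MapViewOfFile UnmapViewOfFile CreateFileMappingW
        OpenFileMappingW GetCommandLineW SetEnvironmentVariableW
        ExpandEnvironmentStringsW GetTempPathW MoveFileExW GetLocaleInfoW
        GetNumberFormatW DecodePointer SetFilePointerEx GetConsoleMode
        GetConsoleCP HeapSize SetStdHandle GetProcessHeap
        FreeEnvironmentStringsW GetEnvironmentStringsW GetCommandLineA GetOEMCP
        RaiseException GetSystemInfo VirtualProtect VirtualQuery LoadLibraryExA
        UnhandledExceptionFilter SetUnhandledExceptionFilter TerminateProcess
        IsProcessorFeaturePresent IsDebuggerPresent GetStartupInfoW
        QueryPerformanceCounter GetCurrentThreadId GetSystemTimeAsFileTime
        InitializeSListHead RtlUnwind EncodePointer
        InitializeCriticalSectionAndSpinCount TlsAlloc TlsGetValue TlsSetValue
        TlsFree LoadLibraryExW QueryPerformanceFrequency GetModuleHandleExW
        GetModuleFileNameA GetACP HeapFree HeapReAlloc HeapAlloc GetStringTypeW
        LCMapStringW FindFirstFileExA FindNextFileA IsValidCodePage
    """.split(),
    "OLEAUT32.dll": "SysAllocString SysFreeString VariantClear".split(),
    "gdiplus.dll": """
        GdipAlloc GdipDisposeImage GdipCloneImage GdipCreateBitmapFromStream
        GdipCreateBitmapFromStreamICM GdipCreateHBITMAPFromBitmap
        GdiplusStartup GdiplusShutdown GdipFree
    """.split(),
}

# Value printed on the report's imphash line.
REPORTED_IMPHASH = "75e9596d74d063246ba6f3ac7c5369a0"


def import_string(iat):
    """Build the canonical "lib.func,lib.func,..." string that pefile hashes."""
    parts = []
    for dll, funcs in iat.items():  # dict order == import-table order
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(iat):
    """MD5 over the canonical import string, as pefile.get_imphash() does."""
    return hashlib.md5(import_string(iat).encode()).hexdigest()


def check_against_report(iat, reported=REPORTED_IMPHASH):
    """Return (computed_imphash, matches_reported_value)."""
    computed = imphash(iat)
    return computed, computed == reported


if __name__ == "__main__":
    computed, ok = check_against_report(REPORT_IAT)
    print("imports :", len(import_string(REPORT_IAT).split(",")))
    print("computed:", computed)
    print("reported:", REPORTED_IMPHASH)
    print("match" if ok else
          "mismatch: listing incomplete/reordered, or ordinal imports present")
```

A mismatch is a useful signal in itself: it usually means the sandbox truncated the listing, merged descriptors, or the binary imports some functions by ordinal, and in that case the reported imphash should be recomputed from the file with pefile before it is used for pivoting.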
EAT(Export Address Table) Library