Field | Value |
---|---|
Created | 2023.12.20 07:59 |
Machine | s1_win7_x6403 |
Filename | helper.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
md5 | 07bf5c0cec29332eaee4559712044afa |
sha256 | 0081ec4836a7ecf5b428ba410dc9a86d679cb0d6ef8bb52dc7c8721efc3a4b3d |
ssdeep | 3072:rmLd2f5yZBRE34J8Quhn0o2lGPetr2MVbc1ugYSpGd9Prw2HvrKe2NphPK:y5EOb38QS2/Zbc1ugYSpG3THeNp |
imphash | e1ed1b87d365b2ea75670bba09649dc7 |
impfuzzy | 24:+JDRcpuMUKteS1GMdlJeDc+pl39xuXSOovbO9ZivR:+cp3teS1GMic+ppu3AR |
Network IP location
Signature (17cnts)
Level | Description |
---|---|
watch | Communicates with host for which no DNS query was performed |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Reads the system's User Agent and subsequently performs requests |
notice | Sends data using the HTTP POST Method |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x410000 VirtualProtect
0x410004 VirtualFree
0x410008 GetCurrentProcess
0x41000c VirtualAlloc
0x410010 GetModuleHandleA
0x410014 GetProcAddress
0x410018 ExitProcess
0x41001c GetModuleHandleW
0x410020 BuildCommDCBAndTimeoutsA
0x410024 WriteConsoleW
0x410028 CloseHandle
0x41002c CreateFileW
0x410030 SetFilePointerEx
0x410034 GetConsoleMode
0x410038 GetConsoleOutputCP
0x41003c FlushFileBuffers
0x410040 HeapReAlloc
0x410044 HeapSize
0x410048 UnhandledExceptionFilter
0x41004c SetUnhandledExceptionFilter
0x410050 TerminateProcess
0x410054 IsProcessorFeaturePresent
0x410058 QueryPerformanceCounter
0x41005c GetCurrentProcessId
0x410060 GetCurrentThreadId
0x410064 GetSystemTimeAsFileTime
0x410068 InitializeSListHead
0x41006c IsDebuggerPresent
0x410070 GetStartupInfoW
0x410074 RtlUnwind
0x410078 RaiseException
0x41007c GetLastError
0x410080 SetLastError
0x410084 EncodePointer
0x410088 EnterCriticalSection
0x41008c LeaveCriticalSection
0x410090 DeleteCriticalSection
0x410094 InitializeCriticalSectionAndSpinCount
0x410098 TlsAlloc
0x41009c TlsGetValue
0x4100a0 TlsSetValue
0x4100a4 TlsFree
0x4100a8 FreeLibrary
0x4100ac LoadLibraryExW
0x4100b0 GetStdHandle
0x4100b4 WriteFile
0x4100b8 GetModuleFileNameW
0x4100bc GetModuleHandleExW
0x4100c0 HeapFree
0x4100c4 HeapAlloc
0x4100c8 FindClose
0x4100cc FindFirstFileExW
0x4100d0 FindNextFileW
0x4100d4 IsValidCodePage
0x4100d8 GetACP
0x4100dc GetOEMCP
0x4100e0 GetCPInfo
0x4100e4 GetCommandLineA
0x4100e8 GetCommandLineW
0x4100ec MultiByteToWideChar
0x4100f0 WideCharToMultiByte
0x4100f4 GetEnvironmentStringsW
0x4100f8 FreeEnvironmentStringsW
0x4100fc SetStdHandle
0x410100 GetFileType
0x410104 GetStringTypeW
0x410108 LCMapStringW
0x41010c GetProcessHeap
0x410110 DecodePointer
EAT (Export Address Table): none