ScreenShot
| Created | 2023.12.22 08:13 | Machine | s1_win7_x6403 |
| Filename | build2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 58 detected (AIDetectMalware, Stealerc, malicious, high confidence, score, Stop, Lockbit, unsafe, GenericKD, Save, Attribute, HighConfidence, Kryptik, HVRN, Artemis, DropperX, kfrems, SmokeLoader, CLASSIC, jfpko, Siggen22, VIDAR, YXDLUZ, high, Krypt, Azorult, Detected, ai score=88, Sabsik, JGPNNI, Eldorado, R628292, ZexaF, sq0@amdLxQlG, BScope, Convagent, Genetic, Obfuscated, Static AI, Malicious PE, susgen, GenKryptik, ERHN, confidence, 100%) | ||
| md5 | e23c839edb489081120befe1e44b04db | ||
| sha256 | f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7 | ||
| ssdeep | 6144:ZjLaN58Awvxfc4Y5YC/j8o74UhOfu8HV/7:tGN5xqtc4Yp/j8o1hUuOF | ||
| imphash | 24a8ecd73626ea109270e4a29851c3b1 | ||
| impfuzzy | 24:ptkrkztCFqZbXduulJcD6Uv0KgdTM6AtO4btoGAl5mfHuOZyvDkRT4RfplWHQOz2:0ITduLJP9toGA3iuDgcRfpIwQa | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to create or modify system certificates |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Network activity contains more than one unique useragent |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (21cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer | memory |
| danger | Win32_PWS_Loki_m_Zero | Win32 PWS Loki | memory |
| warning | infoStealer_ftpClients_Zero | ftp clients info stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (6cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x428008 CreateFileA
0x42800c GetNativeSystemInfo
0x428010 FindFirstChangeNotificationW
0x428014 EnumCalendarInfoA
0x428018 GetConsoleAliasesLengthW
0x42801c EndUpdateResourceW
0x428020 InterlockedIncrement
0x428024 GetCurrentProcess
0x428028 SetComputerNameW
0x42802c GetComputerNameW
0x428030 BackupSeek
0x428034 GetProcessHeap
0x428038 GetWindowsDirectoryA
0x42803c LoadLibraryW
0x428040 SizeofResource
0x428044 Beep
0x428048 EnumResourceLanguagesA
0x42804c InterlockedExchange
0x428050 OpenMutexW
0x428054 GetLastError
0x428058 SetLastError
0x42805c GetProcAddress
0x428060 GetFullPathNameA
0x428064 LoadLibraryA
0x428068 CreateFileMappingA
0x42806c LocalAlloc
0x428070 FindFirstVolumeMountPointW
0x428074 BeginUpdateResourceA
0x428078 FindAtomA
0x42807c DeviceIoControl
0x428080 GlobalFindAtomW
0x428084 CreateIoCompletionPort
0x428088 GetModuleHandleA
0x42808c VirtualProtect
0x428090 SetCalendarInfoA
0x428094 OpenSemaphoreW
0x428098 GetVersionExA
0x42809c TerminateJobObject
0x4280a0 GlobalAddAtomW
0x4280a4 TlsFree
0x4280a8 LCMapStringW
0x4280ac lstrcpyA
0x4280b0 VirtualAlloc
0x4280b4 GetComputerNameA
0x4280b8 UnhandledExceptionFilter
0x4280bc SetUnhandledExceptionFilter
0x4280c0 GetStartupInfoW
0x4280c4 RaiseException
0x4280c8 RtlUnwind
0x4280cc GetModuleHandleW
0x4280d0 Sleep
0x4280d4 ExitProcess
0x4280d8 WriteFile
0x4280dc GetStdHandle
0x4280e0 GetModuleFileNameA
0x4280e4 GetCPInfo
0x4280e8 InterlockedDecrement
0x4280ec GetACP
0x4280f0 GetOEMCP
0x4280f4 IsValidCodePage
0x4280f8 TlsGetValue
0x4280fc TlsAlloc
0x428100 TlsSetValue
0x428104 GetCurrentThreadId
0x428108 TerminateProcess
0x42810c IsDebuggerPresent
0x428110 HeapAlloc
0x428114 HeapFree
0x428118 HeapSize
0x42811c GetModuleFileNameW
0x428120 FreeEnvironmentStringsW
0x428124 GetEnvironmentStringsW
0x428128 GetCommandLineW
0x42812c SetHandleCount
0x428130 GetFileType
0x428134 GetStartupInfoA
0x428138 DeleteCriticalSection
0x42813c HeapCreate
0x428140 VirtualFree
0x428144 QueryPerformanceCounter
0x428148 GetTickCount
0x42814c GetCurrentProcessId
0x428150 GetSystemTimeAsFileTime
0x428154 LeaveCriticalSection
0x428158 EnterCriticalSection
0x42815c InitializeCriticalSectionAndSpinCount
0x428160 LCMapStringA
0x428164 WideCharToMultiByte
0x428168 MultiByteToWideChar
0x42816c GetStringTypeA
0x428170 GetStringTypeW
0x428174 GetLocaleInfoA
0x428178 HeapReAlloc
USER32.dll
0x428180 IsWindowEnabled
GDI32.dll
0x428000 GetDeviceGammaRamp
WINHTTP.dll
0x428188 WinHttpCheckPlatform
EAT(Export Address Table) is none
KERNEL32.dll
0x428008 CreateFileA
0x42800c GetNativeSystemInfo
0x428010 FindFirstChangeNotificationW
0x428014 EnumCalendarInfoA
0x428018 GetConsoleAliasesLengthW
0x42801c EndUpdateResourceW
0x428020 InterlockedIncrement
0x428024 GetCurrentProcess
0x428028 SetComputerNameW
0x42802c GetComputerNameW
0x428030 BackupSeek
0x428034 GetProcessHeap
0x428038 GetWindowsDirectoryA
0x42803c LoadLibraryW
0x428040 SizeofResource
0x428044 Beep
0x428048 EnumResourceLanguagesA
0x42804c InterlockedExchange
0x428050 OpenMutexW
0x428054 GetLastError
0x428058 SetLastError
0x42805c GetProcAddress
0x428060 GetFullPathNameA
0x428064 LoadLibraryA
0x428068 CreateFileMappingA
0x42806c LocalAlloc
0x428070 FindFirstVolumeMountPointW
0x428074 BeginUpdateResourceA
0x428078 FindAtomA
0x42807c DeviceIoControl
0x428080 GlobalFindAtomW
0x428084 CreateIoCompletionPort
0x428088 GetModuleHandleA
0x42808c VirtualProtect
0x428090 SetCalendarInfoA
0x428094 OpenSemaphoreW
0x428098 GetVersionExA
0x42809c TerminateJobObject
0x4280a0 GlobalAddAtomW
0x4280a4 TlsFree
0x4280a8 LCMapStringW
0x4280ac lstrcpyA
0x4280b0 VirtualAlloc
0x4280b4 GetComputerNameA
0x4280b8 UnhandledExceptionFilter
0x4280bc SetUnhandledExceptionFilter
0x4280c0 GetStartupInfoW
0x4280c4 RaiseException
0x4280c8 RtlUnwind
0x4280cc GetModuleHandleW
0x4280d0 Sleep
0x4280d4 ExitProcess
0x4280d8 WriteFile
0x4280dc GetStdHandle
0x4280e0 GetModuleFileNameA
0x4280e4 GetCPInfo
0x4280e8 InterlockedDecrement
0x4280ec GetACP
0x4280f0 GetOEMCP
0x4280f4 IsValidCodePage
0x4280f8 TlsGetValue
0x4280fc TlsAlloc
0x428100 TlsSetValue
0x428104 GetCurrentThreadId
0x428108 TerminateProcess
0x42810c IsDebuggerPresent
0x428110 HeapAlloc
0x428114 HeapFree
0x428118 HeapSize
0x42811c GetModuleFileNameW
0x428120 FreeEnvironmentStringsW
0x428124 GetEnvironmentStringsW
0x428128 GetCommandLineW
0x42812c SetHandleCount
0x428130 GetFileType
0x428134 GetStartupInfoA
0x428138 DeleteCriticalSection
0x42813c HeapCreate
0x428140 VirtualFree
0x428144 QueryPerformanceCounter
0x428148 GetTickCount
0x42814c GetCurrentProcessId
0x428150 GetSystemTimeAsFileTime
0x428154 LeaveCriticalSection
0x428158 EnterCriticalSection
0x42815c InitializeCriticalSectionAndSpinCount
0x428160 LCMapStringA
0x428164 WideCharToMultiByte
0x428168 MultiByteToWideChar
0x42816c GetStringTypeA
0x428170 GetStringTypeW
0x428174 GetLocaleInfoA
0x428178 HeapReAlloc
USER32.dll
0x428180 IsWindowEnabled
GDI32.dll
0x428000 GetDeviceGammaRamp
WINHTTP.dll
0x428188 WinHttpCheckPlatform
EAT(Export Address Table) is none