ScreenShot
| Created | 2024.01.29 08:02 | Machine | s1_win7_x6401 |
| Filename | btcgood.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 52457d397f4d5abc4d9de5dc74fd42c5 | ||
| sha256 | 2dfd108136c4763641f3cb14e384f162c6a79d6e992108f10cc145d5d50c5072 | ||
| ssdeep | 24576:xZay5jF27Jgkp9kR2pNCZK5XTatd5vaiXQ8jd5kRa1Friugxc8U:Gy5jF2lzp9kR2UgTatXvzJcugyL | ||
| imphash | 9d444da8b49ab1101a8445f51b82b024 | ||
| impfuzzy | 96:MMgEJEpXzWFDudWOyt9lak+oWv5viAU/FtQYOXt:tJEpDIWAFQBXt | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates known Dapato Trojan files |
| watch | Creates known Dyreza Banking Trojan files |
| watch | Creates known Hupigon files |
| watch | Creates known Upatre files |
| watch | Detects VirtualBox through the presence of a file |
| watch | Harvests credentials from local email clients |
| watch | Harvests information related to installed instant messenger clients |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a shortcut to an executable file |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt
SURICATA Applayer Protocol detection skipped
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt
SURICATA Applayer Protocol detection skipped
PE API
IAT(Import Address Table) Library
WS2_32.dll
0x1400e45e0 closesocket
0x1400e45e8 inet_pton
0x1400e45f0 WSAStartup
0x1400e45f8 send
0x1400e4600 socket
0x1400e4608 connect
0x1400e4610 recv
0x1400e4618 WSACleanup
0x1400e4620 htons
CRYPT32.dll
0x1400e4048 CryptUnprotectData
WININET.dll
0x1400e45a0 InternetQueryDataAvailable
0x1400e45a8 InternetReadFile
0x1400e45b0 InternetCloseHandle
0x1400e45b8 InternetOpenW
0x1400e45c0 InternetOpenUrlA
0x1400e45c8 InternetOpenA
0x1400e45d0 HttpQueryInfoW
ntdll.dll
0x1400e4690 NtQueryInformationProcess
0x1400e4698 NtOpenProcess
0x1400e46a0 NtQueryObject
0x1400e46a8 NtQuerySystemInformation
RstrtMgr.DLL
0x1400e4508 RmGetList
0x1400e4510 RmStartSession
0x1400e4518 RmEndSession
0x1400e4520 RmRegisterResources
KERNEL32.dll
0x1400e40a0 FindFirstFileW
0x1400e40a8 FindNextFileW
0x1400e40b0 FindClose
0x1400e40b8 CreateToolhelp32Snapshot
0x1400e40c0 Process32NextW
0x1400e40c8 LoadLibraryA
0x1400e40d0 Process32FirstW
0x1400e40d8 CloseHandle
0x1400e40e0 GetProcAddress
0x1400e40e8 FreeLibrary
0x1400e40f0 MultiByteToWideChar
0x1400e40f8 LocalFree
0x1400e4100 WideCharToMultiByte
0x1400e4108 GetExitCodeProcess
0x1400e4110 WriteProcessMemory
0x1400e4118 TerminateProcess
0x1400e4120 GetModuleFileNameW
0x1400e4128 WaitForSingleObject
0x1400e4130 ResumeThread
0x1400e4138 GetThreadContext
0x1400e4140 VirtualAllocEx
0x1400e4148 CreateProcessW
0x1400e4150 SetThreadContext
0x1400e4158 ExitProcess
0x1400e4160 ReadFile
0x1400e4168 GetModuleFileNameA
0x1400e4170 GetVolumeInformationW
0x1400e4178 GetGeoInfoA
0x1400e4180 HeapFree
0x1400e4188 EnterCriticalSection
0x1400e4190 GetCurrentProcess
0x1400e4198 GetProcessId
0x1400e41a0 GetProductInfo
0x1400e41a8 LeaveCriticalSection
0x1400e41b0 SetFilePointer
0x1400e41b8 InitializeCriticalSectionEx
0x1400e41c0 FreeEnvironmentStringsW
0x1400e41c8 GetModuleHandleA
0x1400e41d0 OpenProcess
0x1400e41d8 HeapSize
0x1400e41e0 GetLogicalDriveStringsW
0x1400e41e8 GetFinalPathNameByHandleA
0x1400e41f0 GetTimeZoneInformation
0x1400e41f8 GetLastError
0x1400e4200 HeapReAlloc
0x1400e4208 GetNativeSystemInfo
0x1400e4210 HeapAlloc
0x1400e4218 GetUserGeoID
0x1400e4220 DecodePointer
0x1400e4228 GetFileSize
0x1400e4230 DeleteCriticalSection
0x1400e4238 GetComputerNameW
0x1400e4240 GetProcessHeap
0x1400e4248 GlobalMemoryStatusEx
0x1400e4250 GetModuleHandleW
0x1400e4258 GetEnvironmentStringsW
0x1400e4260 RtlCaptureContext
0x1400e4268 RtlLookupFunctionEntry
0x1400e4270 RtlVirtualUnwind
0x1400e4278 IsDebuggerPresent
0x1400e4280 UnhandledExceptionFilter
0x1400e4288 SetUnhandledExceptionFilter
0x1400e4290 SetLastError
0x1400e4298 IsProcessorFeaturePresent
0x1400e42a0 GetCurrentProcessId
0x1400e42a8 GetSystemInfo
0x1400e42b0 VirtualAlloc
0x1400e42b8 VirtualProtect
0x1400e42c0 VirtualQuery
0x1400e42c8 GetCurrentThreadId
0x1400e42d0 FlsAlloc
0x1400e42d8 FlsGetValue
0x1400e42e0 FlsSetValue
0x1400e42e8 FlsFree
0x1400e42f0 InitializeCriticalSectionAndSpinCount
0x1400e42f8 LoadLibraryExW
0x1400e4300 GetDateFormatW
0x1400e4308 GetTimeFormatW
0x1400e4310 CompareStringW
0x1400e4318 LCMapStringW
0x1400e4320 GetLocaleInfoW
0x1400e4328 IsValidLocale
0x1400e4330 GetUserDefaultLCID
0x1400e4338 EnumSystemLocalesW
0x1400e4340 GetStdHandle
0x1400e4348 GetFileType
0x1400e4350 GetStartupInfoW
0x1400e4358 GetFileSizeEx
0x1400e4360 SetFilePointerEx
0x1400e4368 FlushFileBuffers
0x1400e4370 WriteFile
0x1400e4378 GetConsoleOutputCP
0x1400e4380 GetConsoleMode
0x1400e4388 RaiseException
0x1400e4390 ReadConsoleW
0x1400e4398 IsValidCodePage
0x1400e43a0 GetACP
0x1400e43a8 GetOEMCP
0x1400e43b0 GetCPInfo
0x1400e43b8 GetStringTypeW
0x1400e43c0 SetStdHandle
0x1400e43c8 SetEndOfFile
0x1400e43d0 WriteConsoleW
0x1400e43d8 OutputDebugStringW
0x1400e43e0 SetEnvironmentVariableW
0x1400e43e8 ReleaseSRWLockExclusive
0x1400e43f0 AcquireSRWLockExclusive
0x1400e43f8 WakeAllConditionVariable
0x1400e4400 SleepConditionVariableSRW
0x1400e4408 QueryPerformanceCounter
0x1400e4410 InitializeSListHead
0x1400e4418 RtlUnwindEx
0x1400e4420 RtlUnwind
0x1400e4428 RtlPcToFileHeader
0x1400e4430 EncodePointer
0x1400e4438 TlsAlloc
0x1400e4440 TlsGetValue
0x1400e4448 TlsSetValue
0x1400e4450 TlsFree
0x1400e4458 VirtualQueryEx
0x1400e4460 ReadProcessMemory
0x1400e4468 VirtualFree
0x1400e4470 CreateFileMappingW
0x1400e4478 MapViewOfFile
0x1400e4480 UnmapViewOfFile
0x1400e4488 InitializeCriticalSection
0x1400e4490 LCMapStringEx
0x1400e4498 TryAcquireSRWLockExclusive
0x1400e44a0 GetFileInformationByHandleEx
0x1400e44a8 GetModuleHandleExW
0x1400e44b0 GetCommandLineA
0x1400e44b8 GetCommandLineW
0x1400e44c0 GetSystemTimeAsFileTime
0x1400e44c8 CreateFileW
0x1400e44d0 AreFileApisANSI
0x1400e44d8 GetFileAttributesExW
0x1400e44e0 FindFirstFileExW
0x1400e44e8 GetCurrentDirectoryW
0x1400e44f0 GetLocaleInfoEx
0x1400e44f8 FormatMessageA
USER32.dll
0x1400e4568 EnumDisplayDevicesW
0x1400e4570 GetDC
0x1400e4578 GetSystemMetrics
0x1400e4580 GetWindowRect
0x1400e4588 GetDesktopWindow
0x1400e4590 ReleaseDC
GDI32.dll
0x1400e4058 CreateCompatibleBitmap
0x1400e4060 SelectObject
0x1400e4068 CreateCompatibleDC
0x1400e4070 BitBlt
0x1400e4078 DeleteDC
0x1400e4080 GetObjectW
0x1400e4088 DeleteObject
0x1400e4090 GetDeviceCaps
ADVAPI32.dll
0x1400e4000 GetCurrentHwProfileW
0x1400e4008 RegCloseKey
0x1400e4010 RegQueryValueExA
0x1400e4018 RegOpenKeyExA
0x1400e4020 GetUserNameW
0x1400e4028 RegEnumKeyExA
0x1400e4030 CredEnumerateA
0x1400e4038 CredFree
SHELL32.dll
0x1400e4530 ShellExecuteW
0x1400e4538 SHGetKnownFolderPath
ole32.dll
0x1400e46b8 CoTaskMemFree
0x1400e46c0 CreateStreamOnHGlobal
SHLWAPI.dll
0x1400e4548 None
0x1400e4550 None
0x1400e4558 None
gdiplus.dll
0x1400e4630 GdiplusStartup
0x1400e4638 GdiplusShutdown
0x1400e4640 GdipGetImageEncoders
0x1400e4648 GdipCloneImage
0x1400e4650 GdipAlloc
0x1400e4658 GdipCreateBitmapFromHBITMAP
0x1400e4660 GdipDisposeImage
0x1400e4668 GdipCreateBitmapFromScan0
0x1400e4670 GdipSaveImageToStream
0x1400e4678 GdipGetImageEncodersSize
0x1400e4680 GdipFree
EAT(Export Address Table) is none
WS2_32.dll
0x1400e45e0 closesocket
0x1400e45e8 inet_pton
0x1400e45f0 WSAStartup
0x1400e45f8 send
0x1400e4600 socket
0x1400e4608 connect
0x1400e4610 recv
0x1400e4618 WSACleanup
0x1400e4620 htons
CRYPT32.dll
0x1400e4048 CryptUnprotectData
WININET.dll
0x1400e45a0 InternetQueryDataAvailable
0x1400e45a8 InternetReadFile
0x1400e45b0 InternetCloseHandle
0x1400e45b8 InternetOpenW
0x1400e45c0 InternetOpenUrlA
0x1400e45c8 InternetOpenA
0x1400e45d0 HttpQueryInfoW
ntdll.dll
0x1400e4690 NtQueryInformationProcess
0x1400e4698 NtOpenProcess
0x1400e46a0 NtQueryObject
0x1400e46a8 NtQuerySystemInformation
RstrtMgr.DLL
0x1400e4508 RmGetList
0x1400e4510 RmStartSession
0x1400e4518 RmEndSession
0x1400e4520 RmRegisterResources
KERNEL32.dll
0x1400e40a0 FindFirstFileW
0x1400e40a8 FindNextFileW
0x1400e40b0 FindClose
0x1400e40b8 CreateToolhelp32Snapshot
0x1400e40c0 Process32NextW
0x1400e40c8 LoadLibraryA
0x1400e40d0 Process32FirstW
0x1400e40d8 CloseHandle
0x1400e40e0 GetProcAddress
0x1400e40e8 FreeLibrary
0x1400e40f0 MultiByteToWideChar
0x1400e40f8 LocalFree
0x1400e4100 WideCharToMultiByte
0x1400e4108 GetExitCodeProcess
0x1400e4110 WriteProcessMemory
0x1400e4118 TerminateProcess
0x1400e4120 GetModuleFileNameW
0x1400e4128 WaitForSingleObject
0x1400e4130 ResumeThread
0x1400e4138 GetThreadContext
0x1400e4140 VirtualAllocEx
0x1400e4148 CreateProcessW
0x1400e4150 SetThreadContext
0x1400e4158 ExitProcess
0x1400e4160 ReadFile
0x1400e4168 GetModuleFileNameA
0x1400e4170 GetVolumeInformationW
0x1400e4178 GetGeoInfoA
0x1400e4180 HeapFree
0x1400e4188 EnterCriticalSection
0x1400e4190 GetCurrentProcess
0x1400e4198 GetProcessId
0x1400e41a0 GetProductInfo
0x1400e41a8 LeaveCriticalSection
0x1400e41b0 SetFilePointer
0x1400e41b8 InitializeCriticalSectionEx
0x1400e41c0 FreeEnvironmentStringsW
0x1400e41c8 GetModuleHandleA
0x1400e41d0 OpenProcess
0x1400e41d8 HeapSize
0x1400e41e0 GetLogicalDriveStringsW
0x1400e41e8 GetFinalPathNameByHandleA
0x1400e41f0 GetTimeZoneInformation
0x1400e41f8 GetLastError
0x1400e4200 HeapReAlloc
0x1400e4208 GetNativeSystemInfo
0x1400e4210 HeapAlloc
0x1400e4218 GetUserGeoID
0x1400e4220 DecodePointer
0x1400e4228 GetFileSize
0x1400e4230 DeleteCriticalSection
0x1400e4238 GetComputerNameW
0x1400e4240 GetProcessHeap
0x1400e4248 GlobalMemoryStatusEx
0x1400e4250 GetModuleHandleW
0x1400e4258 GetEnvironmentStringsW
0x1400e4260 RtlCaptureContext
0x1400e4268 RtlLookupFunctionEntry
0x1400e4270 RtlVirtualUnwind
0x1400e4278 IsDebuggerPresent
0x1400e4280 UnhandledExceptionFilter
0x1400e4288 SetUnhandledExceptionFilter
0x1400e4290 SetLastError
0x1400e4298 IsProcessorFeaturePresent
0x1400e42a0 GetCurrentProcessId
0x1400e42a8 GetSystemInfo
0x1400e42b0 VirtualAlloc
0x1400e42b8 VirtualProtect
0x1400e42c0 VirtualQuery
0x1400e42c8 GetCurrentThreadId
0x1400e42d0 FlsAlloc
0x1400e42d8 FlsGetValue
0x1400e42e0 FlsSetValue
0x1400e42e8 FlsFree
0x1400e42f0 InitializeCriticalSectionAndSpinCount
0x1400e42f8 LoadLibraryExW
0x1400e4300 GetDateFormatW
0x1400e4308 GetTimeFormatW
0x1400e4310 CompareStringW
0x1400e4318 LCMapStringW
0x1400e4320 GetLocaleInfoW
0x1400e4328 IsValidLocale
0x1400e4330 GetUserDefaultLCID
0x1400e4338 EnumSystemLocalesW
0x1400e4340 GetStdHandle
0x1400e4348 GetFileType
0x1400e4350 GetStartupInfoW
0x1400e4358 GetFileSizeEx
0x1400e4360 SetFilePointerEx
0x1400e4368 FlushFileBuffers
0x1400e4370 WriteFile
0x1400e4378 GetConsoleOutputCP
0x1400e4380 GetConsoleMode
0x1400e4388 RaiseException
0x1400e4390 ReadConsoleW
0x1400e4398 IsValidCodePage
0x1400e43a0 GetACP
0x1400e43a8 GetOEMCP
0x1400e43b0 GetCPInfo
0x1400e43b8 GetStringTypeW
0x1400e43c0 SetStdHandle
0x1400e43c8 SetEndOfFile
0x1400e43d0 WriteConsoleW
0x1400e43d8 OutputDebugStringW
0x1400e43e0 SetEnvironmentVariableW
0x1400e43e8 ReleaseSRWLockExclusive
0x1400e43f0 AcquireSRWLockExclusive
0x1400e43f8 WakeAllConditionVariable
0x1400e4400 SleepConditionVariableSRW
0x1400e4408 QueryPerformanceCounter
0x1400e4410 InitializeSListHead
0x1400e4418 RtlUnwindEx
0x1400e4420 RtlUnwind
0x1400e4428 RtlPcToFileHeader
0x1400e4430 EncodePointer
0x1400e4438 TlsAlloc
0x1400e4440 TlsGetValue
0x1400e4448 TlsSetValue
0x1400e4450 TlsFree
0x1400e4458 VirtualQueryEx
0x1400e4460 ReadProcessMemory
0x1400e4468 VirtualFree
0x1400e4470 CreateFileMappingW
0x1400e4478 MapViewOfFile
0x1400e4480 UnmapViewOfFile
0x1400e4488 InitializeCriticalSection
0x1400e4490 LCMapStringEx
0x1400e4498 TryAcquireSRWLockExclusive
0x1400e44a0 GetFileInformationByHandleEx
0x1400e44a8 GetModuleHandleExW
0x1400e44b0 GetCommandLineA
0x1400e44b8 GetCommandLineW
0x1400e44c0 GetSystemTimeAsFileTime
0x1400e44c8 CreateFileW
0x1400e44d0 AreFileApisANSI
0x1400e44d8 GetFileAttributesExW
0x1400e44e0 FindFirstFileExW
0x1400e44e8 GetCurrentDirectoryW
0x1400e44f0 GetLocaleInfoEx
0x1400e44f8 FormatMessageA
USER32.dll
0x1400e4568 EnumDisplayDevicesW
0x1400e4570 GetDC
0x1400e4578 GetSystemMetrics
0x1400e4580 GetWindowRect
0x1400e4588 GetDesktopWindow
0x1400e4590 ReleaseDC
GDI32.dll
0x1400e4058 CreateCompatibleBitmap
0x1400e4060 SelectObject
0x1400e4068 CreateCompatibleDC
0x1400e4070 BitBlt
0x1400e4078 DeleteDC
0x1400e4080 GetObjectW
0x1400e4088 DeleteObject
0x1400e4090 GetDeviceCaps
ADVAPI32.dll
0x1400e4000 GetCurrentHwProfileW
0x1400e4008 RegCloseKey
0x1400e4010 RegQueryValueExA
0x1400e4018 RegOpenKeyExA
0x1400e4020 GetUserNameW
0x1400e4028 RegEnumKeyExA
0x1400e4030 CredEnumerateA
0x1400e4038 CredFree
SHELL32.dll
0x1400e4530 ShellExecuteW
0x1400e4538 SHGetKnownFolderPath
ole32.dll
0x1400e46b8 CoTaskMemFree
0x1400e46c0 CreateStreamOnHGlobal
SHLWAPI.dll
0x1400e4548 None
0x1400e4550 None
0x1400e4558 None
gdiplus.dll
0x1400e4630 GdiplusStartup
0x1400e4638 GdiplusShutdown
0x1400e4640 GdipGetImageEncoders
0x1400e4648 GdipCloneImage
0x1400e4650 GdipAlloc
0x1400e4658 GdipCreateBitmapFromHBITMAP
0x1400e4660 GdipDisposeImage
0x1400e4668 GdipCreateBitmapFromScan0
0x1400e4670 GdipSaveImageToStream
0x1400e4678 GdipGetImageEncodersSize
0x1400e4680 GdipFree
EAT(Export Address Table) is none