Report - Update.exe

Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check
Created 2024.02.08 17:59 Machine s1_win7_x6403
Filename Update.exe
Type PE32+ executable (console) x86-64, for MS Windows
AI Score Not found Behavior Score
1.8
ZERO API file : malware
VT API (file)
md5 db25dde66c6101eb5c357a1fecb34925
sha256 59f21e4329cbd8850b396247ca86b79a465dc78d97e00deca22b8682a6f23532
ssdeep 49152:mY3ovEXrxYMJID2qHRTGEWEd7VMfh3lkKM/QbaclDEHyi:mY4vhKF3VOMDEHP
imphash 2f0dd4ae651a4e78f4f7dc3368ed9781
impfuzzy 96:BEnWMWhorXBQn6xPx7zdW119H/LiN49FnJjrjz:BSWMWird7BWVHzLNJjrjz
  Network IP location

Signature (5cnts)

Level Description
watch Attempts to create or modify system certificates
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Performs some HTTP requests
info Collects information to fingerprint the system (MachineGuid)
info Command line console output was observed

Rules (7cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c US Akamai International B.V. 23.67.53.27 clean (rated clean; this root-certificate download is consistent with the sample's crypt32/secur32 TLS chain validation rather than a command channel — the malware-rated entries are the two below)
anonhost.in IR Visparad Web Hosting Service LLC 103.215.221.168 malware
103.215.221.168 IR Visparad Web Hosting Service LLC 103.215.221.168 malware
182.162.106.144 KR LG DACOM Corporation 182.162.106.144 clean

Suricata ids

PE API

IAT(Import Address Table) Library

crypt.dll
 0x1401bd168 BCryptGenRandom
ADVAPI32.dll
 0x1401bd000 SystemFunction036
 0x1401bd008 RegOpenKeyExW
 0x1401bd010 RegQueryValueExW
 0x1401bd018 RegCloseKey
kernel32.dll
 0x1401bd1d8 SetHandleInformation
 0x1401bd1e0 GetSystemInfo
 0x1401bd1e8 SleepConditionVariableSRW
 0x1401bd1f0 CreateIoCompletionPort
 0x1401bd1f8 GetQueuedCompletionStatusEx
 0x1401bd200 PostQueuedCompletionStatus
 0x1401bd208 TryAcquireSRWLockExclusive
 0x1401bd210 AcquireSRWLockShared
 0x1401bd218 ReleaseSRWLockShared
 0x1401bd220 ReleaseSRWLockExclusive
 0x1401bd228 SetFileCompletionNotificationModes
 0x1401bd230 AcquireSRWLockExclusive
 0x1401bd238 GetCurrentThreadId
 0x1401bd240 InitializeSListHead
 0x1401bd248 FreeEnvironmentStringsW
 0x1401bd250 DeleteProcThreadAttributeList
 0x1401bd258 CompareStringOrdinal
 0x1401bd260 GetLastError
 0x1401bd268 AddVectoredExceptionHandler
 0x1401bd270 SetThreadStackGuarantee
 0x1401bd278 SwitchToThread
 0x1401bd280 WaitForSingleObject
 0x1401bd288 QueryPerformanceCounter
 0x1401bd290 RtlCaptureContext
 0x1401bd298 RtlVirtualUnwind
 0x1401bd2a0 RtlLookupFunctionEntry
 0x1401bd2a8 SetLastError
 0x1401bd2b0 GetCurrentDirectoryW
 0x1401bd2b8 GetEnvironmentStringsW
 0x1401bd2c0 GetEnvironmentVariableW
 0x1401bd2c8 GetCurrentProcess
 0x1401bd2d0 IsProcessorFeaturePresent
 0x1401bd2d8 SetFileInformationByHandle
 0x1401bd2e0 DuplicateHandle
 0x1401bd2e8 IsDebuggerPresent
 0x1401bd2f0 GetStdHandle
 0x1401bd2f8 GetCurrentProcessId
 0x1401bd300 WriteFileEx
 0x1401bd308 SleepEx
 0x1401bd310 WakeAllConditionVariable
 0x1401bd318 WakeConditionVariable
 0x1401bd320 QueryPerformanceFrequency
 0x1401bd328 HeapAlloc
 0x1401bd330 GetProcessHeap
 0x1401bd338 HeapFree
 0x1401bd340 UnhandledExceptionFilter
 0x1401bd348 HeapReAlloc
 0x1401bd350 ReleaseMutex
 0x1401bd358 GetModuleHandleA
 0x1401bd360 GetProcAddress
 0x1401bd368 CreateFileW
 0x1401bd370 GetFinalPathNameByHandleW
 0x1401bd378 SetUnhandledExceptionFilter
 0x1401bd380 FreeConsole
 0x1401bd388 GetConsoleMode
 0x1401bd390 GetModuleHandleW
 0x1401bd398 FormatMessageW
 0x1401bd3a0 GetModuleFileNameW
 0x1401bd3a8 ExitProcess
 0x1401bd3b0 GetFullPathNameW
 0x1401bd3b8 CreateNamedPipeW
 0x1401bd3c0 ReadFileEx
 0x1401bd3c8 GetSystemDirectoryW
 0x1401bd3d0 GetWindowsDirectoryW
 0x1401bd3d8 CreateProcessW
 0x1401bd3e0 GetFileAttributesW
 0x1401bd3e8 InitializeProcThreadAttributeList
 0x1401bd3f0 UpdateProcThreadAttribute
 0x1401bd3f8 MultiByteToWideChar
 0x1401bd400 WriteConsoleW
 0x1401bd408 CreateThread
 0x1401bd410 GetCurrentThread
 0x1401bd418 GetSystemTimeAsFileTime
 0x1401bd420 GetTempPathW
 0x1401bd428 WaitForSingleObjectEx
 0x1401bd430 LoadLibraryA
 0x1401bd438 CreateMutexA
 0x1401bd440 GetConsoleWindow
 0x1401bd448 AllocConsole
 0x1401bd450 CloseHandle
user32.dll
 0x1401bd4e8 ShowWindow
secur32.dll
 0x1401bd490 QueryContextAttributesW
 0x1401bd498 FreeContextBuffer
 0x1401bd4a0 FreeCredentialsHandle
 0x1401bd4a8 DeleteSecurityContext
 0x1401bd4b0 ApplyControlToken
 0x1401bd4b8 AcquireCredentialsHandleA
 0x1401bd4c0 DecryptMessage
 0x1401bd4c8 AcceptSecurityContext
 0x1401bd4d0 EncryptMessage
 0x1401bd4d8 InitializeSecurityContextW
ws2_32.dll
 0x1401bd4f8 WSASend
 0x1401bd500 send
 0x1401bd508 recv
 0x1401bd510 shutdown
 0x1401bd518 getsockopt
 0x1401bd520 ioctlsocket
 0x1401bd528 connect
 0x1401bd530 ind
 0x1401bd538 WSASocketW
 0x1401bd540 getpeername
 0x1401bd548 getsockname
 0x1401bd550 setsockopt
 0x1401bd558 WSAIoctl
 0x1401bd560 WSAGetLastError
 0x1401bd568 WSAStartup
 0x1401bd570 WSACleanup
 0x1401bd578 freeaddrinfo
 0x1401bd580 getaddrinfo
 0x1401bd588 closesocket
crypt32.dll
 0x1401bd178 CertDuplicateCertificateChain
 0x1401bd180 CertEnumCertificatesInStore
 0x1401bd188 CertAddCertificateContextToStore
 0x1401bd190 CertOpenStore
 0x1401bd198 CertDuplicateStore
 0x1401bd1a0 CertDuplicateCertificateContext
 0x1401bd1a8 CertFreeCertificateContext
 0x1401bd1b0 CertFreeCertificateChain
 0x1401bd1b8 CertVerifyCertificateChainPolicy
 0x1401bd1c0 CertGetCertificateChain
 0x1401bd1c8 CertCloseStore
ntdll.dll
 0x1401bd460 NtCreateFile
 0x1401bd468 NtDeviceIoControlFile
 0x1401bd470 NtCancelIoFileEx
 0x1401bd478 NtWriteFile
 0x1401bd480 RtlNtStatusToDosError
VCRUNTIME140.dll
 0x1401bd028 __current_exception_context
 0x1401bd030 memcpy
 0x1401bd038 __CxxFrameHandler3
 0x1401bd040 __current_exception
 0x1401bd048 memcmp
 0x1401bd050 memmove
 0x1401bd058 memset
 0x1401bd060 _CxxThrowException
 0x1401bd068 __C_specific_handler
api-ms-win-crt-math-l1-1-0.dll
 0x1401bd0a0 pow
 0x1401bd0a8 __setusermatherr
api-ms-win-crt-runtime-l1-1-0.dll
 0x1401bd0b8 _cexit
 0x1401bd0c0 _c_exit
 0x1401bd0c8 _register_thread_local_exe_atexit_callback
 0x1401bd0d0 _initterm_e
 0x1401bd0d8 __p___argv
 0x1401bd0e0 _exit
 0x1401bd0e8 _seh_filter_exe
 0x1401bd0f0 _initialize_onexit_table
 0x1401bd0f8 _register_onexit_function
 0x1401bd100 _crt_atexit
 0x1401bd108 terminate
 0x1401bd110 _set_app_type
 0x1401bd118 _initterm
 0x1401bd120 _get_initial_narrow_environment
 0x1401bd128 _initialize_narrow_environment
 0x1401bd130 _configure_narrow_argv
 0x1401bd138 __p___argc
 0x1401bd140 exit
api-ms-win-crt-stdio-l1-1-0.dll
 0x1401bd150 _set_fmode
 0x1401bd158 __p__commode
api-ms-win-crt-locale-l1-1-0.dll
 0x1401bd090 _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll
 0x1401bd078 _set_new_mode
 0x1401bd080 free

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure