ScreenShot
| Created | 2024.03.21 07:20 | Machine | s1_win7_x6401 |
| Filename | ohara.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | |||
| md5 | 282dedc28c435180f5cf202ed21d8360 | ||
| sha256 | 6e9b3e026228da2ad904e04d0b1af64f831f2bb91f37aab770159e343d31acb0 | ||
| ssdeep | 24576:MwjdaqtAzvyp0KTZBKf9LbhwKMjjkPDaN2SETQTUNdkphvwGq:VhaFzyWKugjk+N2SETQT2ghvwGq | ||
| imphash | 25bd1649e75855dcadd9e9ac5c5a14b7 | ||
| impfuzzy | 96:vjEt9XFbWwR4Pc+p7tGOWq8fx6vw9GGGFWkO4u6om9doiyXLI1:AP9W+ctGHOowWMuCEI1 | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | A process created a hidden window |
| notice | Creates a suspicious process |
| notice | Looks up the external IP address |
| notice | Performs some HTTP requests |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts) ?
Suricata ids
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x50d060 LocalAlloc
0x50d064 GetCurrentThreadId
0x50d068 GetModuleHandleA
0x50d06c GetLocaleInfoA
0x50d070 OpenProcess
0x50d074 CreateToolhelp32Snapshot
0x50d078 MultiByteToWideChar
0x50d07c Sleep
0x50d080 GetTempPathA
0x50d084 GetModuleHandleExA
0x50d088 GetTimeZoneInformation
0x50d08c GetTickCount64
0x50d090 CopyFileA
0x50d094 GetLastError
0x50d098 GetFileAttributesA
0x50d09c TzSpecificLocalTimeToSystemTime
0x50d0a0 CreateFileA
0x50d0a4 SetEvent
0x50d0a8 TerminateThread
0x50d0ac LoadLibraryA
0x50d0b0 GetVersionExA
0x50d0b4 DeleteFileA
0x50d0b8 Process32Next
0x50d0bc CloseHandle
0x50d0c0 GetSystemInfo
0x50d0c4 CreateThread
0x50d0c8 ResetEvent
0x50d0cc GetWindowsDirectoryA
0x50d0d0 HeapAlloc
0x50d0d4 SetFileAttributesA
0x50d0d8 GetLocalTime
0x50d0dc GetProcAddress
0x50d0e0 VirtualAllocEx
0x50d0e4 LocalFree
0x50d0e8 IsProcessorFeaturePresent
0x50d0ec GetFileSize
0x50d0f0 RemoveDirectoryA
0x50d0f4 ReadProcessMemory
0x50d0f8 GetCurrentProcessId
0x50d0fc GetProcessHeap
0x50d100 GlobalMemoryStatusEx
0x50d104 SetThreadExecutionState
0x50d108 FreeLibrary
0x50d10c WideCharToMultiByte
0x50d110 CreateRemoteThread
0x50d114 GetComputerNameExA
0x50d118 CreateDirectoryA
0x50d11c GetSystemTime
0x50d120 WaitForSingleObject
0x50d124 CreateEventA
0x50d128 GetPrivateProfileStringA
0x50d12c IsWow64Process
0x50d130 IsDebuggerPresent
0x50d134 VirtualQueryEx
0x50d138 GetComputerNameA
0x50d13c SetUnhandledExceptionFilter
0x50d140 InitializeCriticalSectionEx
0x50d144 SetFilePointer
0x50d148 CreateFileW
0x50d14c AreFileApisANSI
0x50d150 EnterCriticalSection
0x50d154 GetFullPathNameW
0x50d158 GetDiskFreeSpaceW
0x50d15c LockFile
0x50d160 LeaveCriticalSection
0x50d164 InitializeCriticalSection
0x50d168 GetFullPathNameA
0x50d16c SetEndOfFile
0x50d170 GetTempPathW
0x50d174 GetFileAttributesW
0x50d178 FormatMessageW
0x50d17c GetDiskFreeSpaceA
0x50d180 DeleteFileW
0x50d184 UnlockFile
0x50d188 LockFileEx
0x50d18c DeleteCriticalSection
0x50d190 GetSystemTimeAsFileTime
0x50d194 FormatMessageA
0x50d198 QueryPerformanceCounter
0x50d19c GetTickCount
0x50d1a0 FlushFileBuffers
0x50d1a4 HeapSize
0x50d1a8 SetEnvironmentVariableW
0x50d1ac FreeEnvironmentStringsW
0x50d1b0 GetEnvironmentStringsW
0x50d1b4 GetCommandLineW
0x50d1b8 GetCommandLineA
0x50d1bc GetOEMCP
0x50d1c0 GetACP
0x50d1c4 IsValidCodePage
0x50d1c8 SetStdHandle
0x50d1cc HeapReAlloc
0x50d1d0 EnumSystemLocalesW
0x50d1d4 GetVolumeInformationA
0x50d1d8 CreateMutexA
0x50d1dc FindClose
0x50d1e0 lstrlenA
0x50d1e4 FindNextFileA
0x50d1e8 GetProcessId
0x50d1ec GetUserDefaultLocaleName
0x50d1f0 TerminateProcess
0x50d1f4 OutputDebugStringA
0x50d1f8 WriteFile
0x50d1fc GetCurrentProcess
0x50d200 SetLastError
0x50d204 HeapFree
0x50d208 FindFirstFileA
0x50d20c WriteProcessMemory
0x50d210 Process32First
0x50d214 ReadFile
0x50d218 GetPrivateProfileSectionNamesA
0x50d21c GetUserDefaultLCID
0x50d220 IsValidLocale
0x50d224 GetLocaleInfoW
0x50d228 LCMapStringW
0x50d22c CompareStringW
0x50d230 GetTimeFormatW
0x50d234 GetDateFormatW
0x50d238 GetFileSizeEx
0x50d23c GetConsoleOutputCP
0x50d240 ReadConsoleW
0x50d244 GetConsoleMode
0x50d248 GetStdHandle
0x50d24c GetModuleFileNameW
0x50d250 GetModuleHandleExW
0x50d254 ExitProcess
0x50d258 GetFileType
0x50d25c SetFilePointerEx
0x50d260 LoadLibraryExW
0x50d264 TlsFree
0x50d268 GetModuleFileNameA
0x50d26c lstrcpynA
0x50d270 TlsSetValue
0x50d274 TlsGetValue
0x50d278 TlsAlloc
0x50d27c InitializeCriticalSectionAndSpinCount
0x50d280 RaiseException
0x50d284 RtlUnwind
0x50d288 InitializeSListHead
0x50d28c GetStartupInfoW
0x50d290 UnhandledExceptionFilter
0x50d294 GetStringTypeW
0x50d298 FindFirstFileW
0x50d29c FindFirstFileExW
0x50d2a0 FindNextFileW
0x50d2a4 GetFileAttributesExW
0x50d2a8 GetFinalPathNameByHandleW
0x50d2ac GetModuleHandleW
0x50d2b0 GetFileInformationByHandleEx
0x50d2b4 GetLocaleInfoEx
0x50d2b8 InitializeSRWLock
0x50d2bc ReleaseSRWLockExclusive
0x50d2c0 AcquireSRWLockExclusive
0x50d2c4 TryAcquireSRWLockExclusive
0x50d2c8 LCMapStringEx
0x50d2cc EncodePointer
0x50d2d0 DecodePointer
0x50d2d4 CompareStringEx
0x50d2d8 GetCPInfo
0x50d2dc WriteConsoleW
USER32.dll
0x50d324 wsprintfA
0x50d328 GetSystemMetrics
0x50d32c MessageBoxA
0x50d330 GetWindowRect
0x50d334 EnumDisplayDevicesA
0x50d338 GetDC
0x50d33c GetKeyboardLayoutList
0x50d340 CharNextA
0x50d344 GetCursorPos
0x50d348 GetDesktopWindow
0x50d34c ReleaseDC
GDI32.dll
0x50d048 CreateCompatibleBitmap
0x50d04c SelectObject
0x50d050 CreateCompatibleDC
0x50d054 DeleteObject
0x50d058 BitBlt
ADVAPI32.dll
0x50d000 RegCloseKey
0x50d004 LsaClose
0x50d008 LsaOpenPolicy
0x50d00c RegEnumKeyA
0x50d010 RegGetValueA
0x50d014 GetCurrentHwProfileA
0x50d018 LsaFreeMemory
0x50d01c RegQueryValueExA
0x50d020 CredEnumerateA
0x50d024 RegCreateKeyExA
0x50d028 GetUserNameA
0x50d02c RegSetValueExA
0x50d030 RegOpenKeyExA
0x50d034 LsaQueryInformationPolicy
0x50d038 RegEnumKeyExA
SHELL32.dll
0x50d310 ShellExecuteA
0x50d314 SHGetFolderPathA
ole32.dll
0x50d3ac CoInitialize
0x50d3b0 CoCreateInstance
0x50d3b4 CoInitializeEx
0x50d3b8 CoUninitialize
WS2_32.dll
0x50d354 WSAStartup
0x50d358 socket
0x50d35c connect
0x50d360 recv
0x50d364 freeaddrinfo
0x50d368 setsockopt
0x50d36c WSAGetLastError
0x50d370 shutdown
0x50d374 WSACleanup
0x50d378 closesocket
0x50d37c getaddrinfo
CRYPT32.dll
0x50d040 CryptUnprotectData
SHLWAPI.dll
0x50d31c PathFindExtensionA
gdiplus.dll
0x50d384 GdipGetImageEncoders
0x50d388 GdiplusShutdown
0x50d38c GdiplusStartup
0x50d390 GdipSaveImageToFile
0x50d394 GdipGetImageEncodersSize
0x50d398 GdipDisposeImage
0x50d39c GdipCreateBitmapFromHBITMAP
SETUPAPI.dll
0x50d2fc SetupDiEnumDeviceInfo
0x50d300 SetupDiGetDeviceInterfaceDetailA
0x50d304 SetupDiGetClassDevsA
0x50d308 SetupDiEnumDeviceInterfaces
ntdll.dll
0x50d3a4 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
0x50d2e4 RmStartSession
0x50d2e8 RmGetList
0x50d2ec RmRegisterResources
0x50d2f0 RmShutdown
0x50d2f4 RmEndSession
EAT(Export Address Table) Library
0x4625a0 Start
KERNEL32.dll
0x50d060 LocalAlloc
0x50d064 GetCurrentThreadId
0x50d068 GetModuleHandleA
0x50d06c GetLocaleInfoA
0x50d070 OpenProcess
0x50d074 CreateToolhelp32Snapshot
0x50d078 MultiByteToWideChar
0x50d07c Sleep
0x50d080 GetTempPathA
0x50d084 GetModuleHandleExA
0x50d088 GetTimeZoneInformation
0x50d08c GetTickCount64
0x50d090 CopyFileA
0x50d094 GetLastError
0x50d098 GetFileAttributesA
0x50d09c TzSpecificLocalTimeToSystemTime
0x50d0a0 CreateFileA
0x50d0a4 SetEvent
0x50d0a8 TerminateThread
0x50d0ac LoadLibraryA
0x50d0b0 GetVersionExA
0x50d0b4 DeleteFileA
0x50d0b8 Process32Next
0x50d0bc CloseHandle
0x50d0c0 GetSystemInfo
0x50d0c4 CreateThread
0x50d0c8 ResetEvent
0x50d0cc GetWindowsDirectoryA
0x50d0d0 HeapAlloc
0x50d0d4 SetFileAttributesA
0x50d0d8 GetLocalTime
0x50d0dc GetProcAddress
0x50d0e0 VirtualAllocEx
0x50d0e4 LocalFree
0x50d0e8 IsProcessorFeaturePresent
0x50d0ec GetFileSize
0x50d0f0 RemoveDirectoryA
0x50d0f4 ReadProcessMemory
0x50d0f8 GetCurrentProcessId
0x50d0fc GetProcessHeap
0x50d100 GlobalMemoryStatusEx
0x50d104 SetThreadExecutionState
0x50d108 FreeLibrary
0x50d10c WideCharToMultiByte
0x50d110 CreateRemoteThread
0x50d114 GetComputerNameExA
0x50d118 CreateDirectoryA
0x50d11c GetSystemTime
0x50d120 WaitForSingleObject
0x50d124 CreateEventA
0x50d128 GetPrivateProfileStringA
0x50d12c IsWow64Process
0x50d130 IsDebuggerPresent
0x50d134 VirtualQueryEx
0x50d138 GetComputerNameA
0x50d13c SetUnhandledExceptionFilter
0x50d140 InitializeCriticalSectionEx
0x50d144 SetFilePointer
0x50d148 CreateFileW
0x50d14c AreFileApisANSI
0x50d150 EnterCriticalSection
0x50d154 GetFullPathNameW
0x50d158 GetDiskFreeSpaceW
0x50d15c LockFile
0x50d160 LeaveCriticalSection
0x50d164 InitializeCriticalSection
0x50d168 GetFullPathNameA
0x50d16c SetEndOfFile
0x50d170 GetTempPathW
0x50d174 GetFileAttributesW
0x50d178 FormatMessageW
0x50d17c GetDiskFreeSpaceA
0x50d180 DeleteFileW
0x50d184 UnlockFile
0x50d188 LockFileEx
0x50d18c DeleteCriticalSection
0x50d190 GetSystemTimeAsFileTime
0x50d194 FormatMessageA
0x50d198 QueryPerformanceCounter
0x50d19c GetTickCount
0x50d1a0 FlushFileBuffers
0x50d1a4 HeapSize
0x50d1a8 SetEnvironmentVariableW
0x50d1ac FreeEnvironmentStringsW
0x50d1b0 GetEnvironmentStringsW
0x50d1b4 GetCommandLineW
0x50d1b8 GetCommandLineA
0x50d1bc GetOEMCP
0x50d1c0 GetACP
0x50d1c4 IsValidCodePage
0x50d1c8 SetStdHandle
0x50d1cc HeapReAlloc
0x50d1d0 EnumSystemLocalesW
0x50d1d4 GetVolumeInformationA
0x50d1d8 CreateMutexA
0x50d1dc FindClose
0x50d1e0 lstrlenA
0x50d1e4 FindNextFileA
0x50d1e8 GetProcessId
0x50d1ec GetUserDefaultLocaleName
0x50d1f0 TerminateProcess
0x50d1f4 OutputDebugStringA
0x50d1f8 WriteFile
0x50d1fc GetCurrentProcess
0x50d200 SetLastError
0x50d204 HeapFree
0x50d208 FindFirstFileA
0x50d20c WriteProcessMemory
0x50d210 Process32First
0x50d214 ReadFile
0x50d218 GetPrivateProfileSectionNamesA
0x50d21c GetUserDefaultLCID
0x50d220 IsValidLocale
0x50d224 GetLocaleInfoW
0x50d228 LCMapStringW
0x50d22c CompareStringW
0x50d230 GetTimeFormatW
0x50d234 GetDateFormatW
0x50d238 GetFileSizeEx
0x50d23c GetConsoleOutputCP
0x50d240 ReadConsoleW
0x50d244 GetConsoleMode
0x50d248 GetStdHandle
0x50d24c GetModuleFileNameW
0x50d250 GetModuleHandleExW
0x50d254 ExitProcess
0x50d258 GetFileType
0x50d25c SetFilePointerEx
0x50d260 LoadLibraryExW
0x50d264 TlsFree
0x50d268 GetModuleFileNameA
0x50d26c lstrcpynA
0x50d270 TlsSetValue
0x50d274 TlsGetValue
0x50d278 TlsAlloc
0x50d27c InitializeCriticalSectionAndSpinCount
0x50d280 RaiseException
0x50d284 RtlUnwind
0x50d288 InitializeSListHead
0x50d28c GetStartupInfoW
0x50d290 UnhandledExceptionFilter
0x50d294 GetStringTypeW
0x50d298 FindFirstFileW
0x50d29c FindFirstFileExW
0x50d2a0 FindNextFileW
0x50d2a4 GetFileAttributesExW
0x50d2a8 GetFinalPathNameByHandleW
0x50d2ac GetModuleHandleW
0x50d2b0 GetFileInformationByHandleEx
0x50d2b4 GetLocaleInfoEx
0x50d2b8 InitializeSRWLock
0x50d2bc ReleaseSRWLockExclusive
0x50d2c0 AcquireSRWLockExclusive
0x50d2c4 TryAcquireSRWLockExclusive
0x50d2c8 LCMapStringEx
0x50d2cc EncodePointer
0x50d2d0 DecodePointer
0x50d2d4 CompareStringEx
0x50d2d8 GetCPInfo
0x50d2dc WriteConsoleW
USER32.dll
0x50d324 wsprintfA
0x50d328 GetSystemMetrics
0x50d32c MessageBoxA
0x50d330 GetWindowRect
0x50d334 EnumDisplayDevicesA
0x50d338 GetDC
0x50d33c GetKeyboardLayoutList
0x50d340 CharNextA
0x50d344 GetCursorPos
0x50d348 GetDesktopWindow
0x50d34c ReleaseDC
GDI32.dll
0x50d048 CreateCompatibleBitmap
0x50d04c SelectObject
0x50d050 CreateCompatibleDC
0x50d054 DeleteObject
0x50d058 BitBlt
ADVAPI32.dll
0x50d000 RegCloseKey
0x50d004 LsaClose
0x50d008 LsaOpenPolicy
0x50d00c RegEnumKeyA
0x50d010 RegGetValueA
0x50d014 GetCurrentHwProfileA
0x50d018 LsaFreeMemory
0x50d01c RegQueryValueExA
0x50d020 CredEnumerateA
0x50d024 RegCreateKeyExA
0x50d028 GetUserNameA
0x50d02c RegSetValueExA
0x50d030 RegOpenKeyExA
0x50d034 LsaQueryInformationPolicy
0x50d038 RegEnumKeyExA
SHELL32.dll
0x50d310 ShellExecuteA
0x50d314 SHGetFolderPathA
ole32.dll
0x50d3ac CoInitialize
0x50d3b0 CoCreateInstance
0x50d3b4 CoInitializeEx
0x50d3b8 CoUninitialize
WS2_32.dll
0x50d354 WSAStartup
0x50d358 socket
0x50d35c connect
0x50d360 recv
0x50d364 freeaddrinfo
0x50d368 setsockopt
0x50d36c WSAGetLastError
0x50d370 shutdown
0x50d374 WSACleanup
0x50d378 closesocket
0x50d37c getaddrinfo
CRYPT32.dll
0x50d040 CryptUnprotectData
SHLWAPI.dll
0x50d31c PathFindExtensionA
gdiplus.dll
0x50d384 GdipGetImageEncoders
0x50d388 GdiplusShutdown
0x50d38c GdiplusStartup
0x50d390 GdipSaveImageToFile
0x50d394 GdipGetImageEncodersSize
0x50d398 GdipDisposeImage
0x50d39c GdipCreateBitmapFromHBITMAP
SETUPAPI.dll
0x50d2fc SetupDiEnumDeviceInfo
0x50d300 SetupDiGetDeviceInterfaceDetailA
0x50d304 SetupDiGetClassDevsA
0x50d308 SetupDiEnumDeviceInterfaces
ntdll.dll
0x50d3a4 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
0x50d2e4 RmStartSession
0x50d2e8 RmGetList
0x50d2ec RmRegisterResources
0x50d2f0 RmShutdown
0x50d2f4 RmEndSession
EAT(Export Address Table) Library
0x4625a0 Start