ScreenShot
| Created | 2024.03.29 07:50 | Machine | s1_win7_x6401 |
| Filename | go.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 54 detected (AIDetectMalware, Dapato, malicious, high confidence, score, TjnDroppr, S28495190, FakeAlert, unsafe, Save, Attribute, HighConfidence, GenericRXTU, DcRat, BNER4NzZWDL, ZPACK, R002C0DCS24, high, Tnega, Detected, ai score=89, 102OIFV, Lazy, Eldorado, R497632, BScope, Nitol, Genetic, Rwhl, Static AI, Malicious PE, susgen, Tiny, confidence, 100%) | ||
| md5 | 7f264ba8e4c519ce90c6e3b430945476 | ||
| sha256 | 5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f | ||
| ssdeep | 6144:rKeacbD2RU5+csDgVortcBiWg3cPXblkqDHd16Z6Zm5rULuW1+inHsvzUHFYWg5l:r3y1/D+McxaZvkL1pHyzWPp4xje9 | ||
| imphash | a9c887a4f18a3fede2cc29ceea138ed3 | ||
| impfuzzy | 6:HMJqX0umyRwXJxSBS0H5sD4sIWDLb4iPEcn:sJqpRSY58PLPXn | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Installs itself for autorun at Windows startup |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (44cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | AsyncRat | AsyncRat Payload | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Network_Downloader | File Downloader | memory |
| watch | schtasks_Zero | task schedule | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Create_Service | Create a windows service | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | KeyLogger | Run a KeyLogger | memory |
| notice | local_credential_Steal | Steal credential | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_FTP | Communications over FTP | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Network_P2P_Win | Communications over P2P network | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Sniff_Audio | Record Audio | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET INFO DYNAMIC_DNS Query to a *.dynuddns .net Domain
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert
ET INFO DYNAMIC_DNS Query to a *.dynuddns .net Domain
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Generic AsyncRAT Style SSL Cert
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x4805f0 malloc
0x4805f4 memset
0x4805f8 strcmp
0x4805fc strcpy
0x480600 getenv
0x480604 sprintf
0x480608 fopen
0x48060c fwrite
0x480610 fclose
0x480614 __argc
0x480618 __argv
0x48061c _environ
0x480620 _XcptFilter
0x480624 __set_app_type
0x480628 _controlfp
0x48062c __getmainargs
0x480630 exit
shell32.dll
0x480638 ShellExecuteA
kernel32.dll
0x480640 SetUnhandledExceptionFilter
EAT(Export Address Table) is none
msvcrt.dll
0x4805f0 malloc
0x4805f4 memset
0x4805f8 strcmp
0x4805fc strcpy
0x480600 getenv
0x480604 sprintf
0x480608 fopen
0x48060c fwrite
0x480610 fclose
0x480614 __argc
0x480618 __argv
0x48061c _environ
0x480620 _XcptFilter
0x480624 __set_app_type
0x480628 _controlfp
0x48062c __getmainargs
0x480630 exit
shell32.dll
0x480638 ShellExecuteA
kernel32.dll
0x480640 SetUnhandledExceptionFilter
EAT(Export Address Table) is none