ScreenShot
| Created | 2024.04.03 13:43 | Machine | s1_win7_x6403 |
| Filename | space.php | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 34 detected (AIDetectMalware, RisePro, malicious, high confidence, score, Artemis, unsafe, Vz36, GenericKD, Attribute, HighConfidence, ADVG, DownLoader46, PRIVATELOADER, YXEDBZ, high, Detected, bxibh, Sabsik, PSWTroj, Casdet, KF3ZBI, MalPe, X2205, ZexaF, @7Z@aWkiERd, confidence, 100%) | ||
| md5 | 1f3e864a338535e78391706a36779415 | ||
| sha256 | 68e5335ef6066297ae018a6ed5071c38659d8edad80f79099a17f6fb7b2f07d4 | ||
| ssdeep | 98304:bDaih55bwCbRdjgHJsrEN7gJu3fRRujdz13l+iLG9tAjZbgPi7fU3FkWSQl8QOK:lvJ7gpsrW7hf/q3E4hpfU6QiTK | ||
| imphash | 4c8cb173aa80ccd2b7b9e8523b514fbe | ||
| impfuzzy | 24:CxgCiJ/G14AJiQmXJai1JcDRZcp+ZGvHZZZHgdpOovXkeJbt0+7RvPFQHwRmjM2E:CT++14ASXJ4Zcp+svZZZDat0+dTRYE | ||
Network IP location
Signature (43cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Attempts to create or modify system certificates |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Checks the CPU name from registry |
| watch | Checks the version of Bios |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Detects VirtualBox through the presence of a registry key |
| watch | Detects VMWare through the in instruction feature |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Installs itself for autorun at Windows startup |
| watch | Uses Sysinternals tools in order to add additional command line functionality |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process space.php |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Expresses interest in specific running processes |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Craxs_RAT | Craxs RAT | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
| info | zip_file_format | ZIP file format | binaries (download) |
Network (10cnts) ?
Suricata ids
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE [ANY.RUN] RisePro TCP (Token)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE RisePro CnC Activity (Inbound)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT(Import Address Table) Library
kernel32.dll
0xdf8000 GetModuleHandleA
USER32.dll
0xdf8008 wsprintfA
GDI32.dll
0xdf8010 CreateCompatibleBitmap
ADVAPI32.dll
0xdf8018 RegCreateKeyExA
SHELL32.dll
0xdf8020 ShellExecuteA
ole32.dll
0xdf8028 CoInitialize
WS2_32.dll
0xdf8030 WSAStartup
CRYPT32.dll
0xdf8038 CryptUnprotectData
SHLWAPI.dll
0xdf8040 PathFindExtensionA
gdiplus.dll
0xdf8048 GdipGetImageEncoders
SETUPAPI.dll
0xdf8050 SetupDiEnumDeviceInfo
ntdll.dll
0xdf8058 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
0xdf8060 RmStartSession
kernel32.dll
0xdf8068 GetSystemTimeAsFileTime
0xdf806c CreateEventA
0xdf8070 GetModuleHandleA
0xdf8074 TerminateProcess
0xdf8078 GetCurrentProcess
0xdf807c CreateToolhelp32Snapshot
0xdf8080 Thread32First
0xdf8084 GetCurrentProcessId
0xdf8088 GetCurrentThreadId
0xdf808c OpenThread
0xdf8090 Thread32Next
0xdf8094 CloseHandle
0xdf8098 SuspendThread
0xdf809c ResumeThread
0xdf80a0 WriteProcessMemory
0xdf80a4 GetSystemInfo
0xdf80a8 VirtualAlloc
0xdf80ac VirtualProtect
0xdf80b0 VirtualFree
0xdf80b4 GetProcessAffinityMask
0xdf80b8 SetProcessAffinityMask
0xdf80bc GetCurrentThread
0xdf80c0 SetThreadAffinityMask
0xdf80c4 Sleep
0xdf80c8 LoadLibraryA
0xdf80cc FreeLibrary
0xdf80d0 GetTickCount
0xdf80d4 SystemTimeToFileTime
0xdf80d8 FileTimeToSystemTime
0xdf80dc GlobalFree
0xdf80e0 HeapAlloc
0xdf80e4 HeapFree
0xdf80e8 GetProcAddress
0xdf80ec ExitProcess
0xdf80f0 EnterCriticalSection
0xdf80f4 LeaveCriticalSection
0xdf80f8 InitializeCriticalSection
0xdf80fc DeleteCriticalSection
0xdf8100 MultiByteToWideChar
0xdf8104 GetModuleHandleW
0xdf8108 LoadResource
0xdf810c FindResourceExW
0xdf8110 FindResourceExA
0xdf8114 WideCharToMultiByte
0xdf8118 GetThreadLocale
0xdf811c GetUserDefaultLCID
0xdf8120 GetSystemDefaultLCID
0xdf8124 EnumResourceNamesA
0xdf8128 EnumResourceNamesW
0xdf812c EnumResourceLanguagesA
0xdf8130 EnumResourceLanguagesW
0xdf8134 EnumResourceTypesA
0xdf8138 EnumResourceTypesW
0xdf813c CreateFileW
0xdf8140 LoadLibraryW
0xdf8144 GetLastError
0xdf8148 GetCommandLineA
0xdf814c GetCPInfo
0xdf8150 InterlockedIncrement
0xdf8154 InterlockedDecrement
0xdf8158 GetACP
0xdf815c GetOEMCP
0xdf8160 IsValidCodePage
0xdf8164 TlsGetValue
0xdf8168 TlsAlloc
0xdf816c TlsSetValue
0xdf8170 TlsFree
0xdf8174 SetLastError
0xdf8178 UnhandledExceptionFilter
0xdf817c SetUnhandledExceptionFilter
0xdf8180 IsDebuggerPresent
0xdf8184 RaiseException
0xdf8188 LCMapStringA
0xdf818c LCMapStringW
0xdf8190 SetHandleCount
0xdf8194 GetStdHandle
0xdf8198 GetFileType
0xdf819c GetStartupInfoA
0xdf81a0 GetModuleFileNameA
0xdf81a4 FreeEnvironmentStringsA
0xdf81a8 GetEnvironmentStrings
0xdf81ac FreeEnvironmentStringsW
0xdf81b0 GetEnvironmentStringsW
0xdf81b4 HeapCreate
0xdf81b8 HeapDestroy
0xdf81bc QueryPerformanceCounter
0xdf81c0 HeapReAlloc
0xdf81c4 GetStringTypeA
0xdf81c8 GetStringTypeW
0xdf81cc GetLocaleInfoA
0xdf81d0 HeapSize
0xdf81d4 WriteFile
0xdf81d8 RtlUnwind
0xdf81dc SetFilePointer
0xdf81e0 GetConsoleCP
0xdf81e4 GetConsoleMode
0xdf81e8 InitializeCriticalSectionAndSpinCount
0xdf81ec SetStdHandle
0xdf81f0 WriteConsoleA
0xdf81f4 GetConsoleOutputCP
0xdf81f8 WriteConsoleW
0xdf81fc CreateFileA
0xdf8200 FlushFileBuffers
0xdf8204 VirtualQuery
EAT(Export Address Table) Library
0x464500 Start
kernel32.dll
0xdf8000 GetModuleHandleA
USER32.dll
0xdf8008 wsprintfA
GDI32.dll
0xdf8010 CreateCompatibleBitmap
ADVAPI32.dll
0xdf8018 RegCreateKeyExA
SHELL32.dll
0xdf8020 ShellExecuteA
ole32.dll
0xdf8028 CoInitialize
WS2_32.dll
0xdf8030 WSAStartup
CRYPT32.dll
0xdf8038 CryptUnprotectData
SHLWAPI.dll
0xdf8040 PathFindExtensionA
gdiplus.dll
0xdf8048 GdipGetImageEncoders
SETUPAPI.dll
0xdf8050 SetupDiEnumDeviceInfo
ntdll.dll
0xdf8058 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
0xdf8060 RmStartSession
kernel32.dll
0xdf8068 GetSystemTimeAsFileTime
0xdf806c CreateEventA
0xdf8070 GetModuleHandleA
0xdf8074 TerminateProcess
0xdf8078 GetCurrentProcess
0xdf807c CreateToolhelp32Snapshot
0xdf8080 Thread32First
0xdf8084 GetCurrentProcessId
0xdf8088 GetCurrentThreadId
0xdf808c OpenThread
0xdf8090 Thread32Next
0xdf8094 CloseHandle
0xdf8098 SuspendThread
0xdf809c ResumeThread
0xdf80a0 WriteProcessMemory
0xdf80a4 GetSystemInfo
0xdf80a8 VirtualAlloc
0xdf80ac VirtualProtect
0xdf80b0 VirtualFree
0xdf80b4 GetProcessAffinityMask
0xdf80b8 SetProcessAffinityMask
0xdf80bc GetCurrentThread
0xdf80c0 SetThreadAffinityMask
0xdf80c4 Sleep
0xdf80c8 LoadLibraryA
0xdf80cc FreeLibrary
0xdf80d0 GetTickCount
0xdf80d4 SystemTimeToFileTime
0xdf80d8 FileTimeToSystemTime
0xdf80dc GlobalFree
0xdf80e0 HeapAlloc
0xdf80e4 HeapFree
0xdf80e8 GetProcAddress
0xdf80ec ExitProcess
0xdf80f0 EnterCriticalSection
0xdf80f4 LeaveCriticalSection
0xdf80f8 InitializeCriticalSection
0xdf80fc DeleteCriticalSection
0xdf8100 MultiByteToWideChar
0xdf8104 GetModuleHandleW
0xdf8108 LoadResource
0xdf810c FindResourceExW
0xdf8110 FindResourceExA
0xdf8114 WideCharToMultiByte
0xdf8118 GetThreadLocale
0xdf811c GetUserDefaultLCID
0xdf8120 GetSystemDefaultLCID
0xdf8124 EnumResourceNamesA
0xdf8128 EnumResourceNamesW
0xdf812c EnumResourceLanguagesA
0xdf8130 EnumResourceLanguagesW
0xdf8134 EnumResourceTypesA
0xdf8138 EnumResourceTypesW
0xdf813c CreateFileW
0xdf8140 LoadLibraryW
0xdf8144 GetLastError
0xdf8148 GetCommandLineA
0xdf814c GetCPInfo
0xdf8150 InterlockedIncrement
0xdf8154 InterlockedDecrement
0xdf8158 GetACP
0xdf815c GetOEMCP
0xdf8160 IsValidCodePage
0xdf8164 TlsGetValue
0xdf8168 TlsAlloc
0xdf816c TlsSetValue
0xdf8170 TlsFree
0xdf8174 SetLastError
0xdf8178 UnhandledExceptionFilter
0xdf817c SetUnhandledExceptionFilter
0xdf8180 IsDebuggerPresent
0xdf8184 RaiseException
0xdf8188 LCMapStringA
0xdf818c LCMapStringW
0xdf8190 SetHandleCount
0xdf8194 GetStdHandle
0xdf8198 GetFileType
0xdf819c GetStartupInfoA
0xdf81a0 GetModuleFileNameA
0xdf81a4 FreeEnvironmentStringsA
0xdf81a8 GetEnvironmentStrings
0xdf81ac FreeEnvironmentStringsW
0xdf81b0 GetEnvironmentStringsW
0xdf81b4 HeapCreate
0xdf81b8 HeapDestroy
0xdf81bc QueryPerformanceCounter
0xdf81c0 HeapReAlloc
0xdf81c4 GetStringTypeA
0xdf81c8 GetStringTypeW
0xdf81cc GetLocaleInfoA
0xdf81d0 HeapSize
0xdf81d4 WriteFile
0xdf81d8 RtlUnwind
0xdf81dc SetFilePointer
0xdf81e0 GetConsoleCP
0xdf81e4 GetConsoleMode
0xdf81e8 InitializeCriticalSectionAndSpinCount
0xdf81ec SetStdHandle
0xdf81f0 WriteConsoleA
0xdf81f4 GetConsoleOutputCP
0xdf81f8 WriteConsoleW
0xdf81fc CreateFileA
0xdf8200 FlushFileBuffers
0xdf8204 VirtualQuery
EAT(Export Address Table) Library
0x464500 Start