ScreenShot
| Created | 2024.04.03 13:46 | Machine | s1_win7_x6401 |
| Filename | getimage15.php | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 36 detected (AIDetectMalware, RisePro, malicious, high confidence, score, Artemis, unsafe, Vqaq, Attribute, HighConfidence, ADVG, FileRepMalware, Misc, Generic@AI, RDML, sHWr2Fytn8ybIcGdE4SSdg, hwiam, DownLoader46, high, Detected, Sabsik, IATQJI, MalPe, X2205, ZexaF, @7Z@aiF5Q1l, Chgt, QQPass, QQRob, Cdhl, confidence, 100%) | ||
| md5 | 2dc9ceba069ad4540a8a5bd03b4b4f4d | ||
| sha256 | 0d5dfa5333b6138322fb6cc306002fa5cc36db62576867856866bbd98031c43d | ||
| ssdeep | 98304:pvzTUXYDZ6ZSyVsysRfmWXsEJxf6OaRB9Yep8ZqTxM8qlnkaTelzKRhFgZJxAMGI:SX0yVhsRtZnF2OdqVMhkWuzKjOZJ5AlK | ||
| imphash | 4c8cb173aa80ccd2b7b9e8523b514fbe | ||
| impfuzzy | 24:CxgCiJ/G14AJiQmXJai1JcDRZcp+ZGvHZZZHgdpOovXkeJbt0+7RvPFQHwRmjM2E:CT++14ASXJ4Zcp+svZZZDat0+dTRYE | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Checks the version of Bios |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Detects VirtualBox through the presence of a registry key |
| watch | Detects VMWare through the in instruction feature |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Expresses interest in specific running processes |
| notice | Looks up the external IP address |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE [ANY.RUN] RisePro TCP (Token)
PE API
IAT(Import Address Table) Library
kernel32.dll
0xdeb000 GetModuleHandleA
USER32.dll
0xdeb008 wsprintfA
GDI32.dll
0xdeb010 CreateCompatibleBitmap
ADVAPI32.dll
0xdeb018 RegCreateKeyExA
SHELL32.dll
0xdeb020 ShellExecuteA
ole32.dll
0xdeb028 CoInitialize
WS2_32.dll
0xdeb030 WSAStartup
CRYPT32.dll
0xdeb038 CryptUnprotectData
SHLWAPI.dll
0xdeb040 PathFindExtensionA
gdiplus.dll
0xdeb048 GdipGetImageEncoders
SETUPAPI.dll
0xdeb050 SetupDiEnumDeviceInfo
ntdll.dll
0xdeb058 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
0xdeb060 RmStartSession
kernel32.dll
0xdeb068 GetSystemTimeAsFileTime
0xdeb06c CreateEventA
0xdeb070 GetModuleHandleA
0xdeb074 TerminateProcess
0xdeb078 GetCurrentProcess
0xdeb07c CreateToolhelp32Snapshot
0xdeb080 Thread32First
0xdeb084 GetCurrentProcessId
0xdeb088 GetCurrentThreadId
0xdeb08c OpenThread
0xdeb090 Thread32Next
0xdeb094 CloseHandle
0xdeb098 SuspendThread
0xdeb09c ResumeThread
0xdeb0a0 WriteProcessMemory
0xdeb0a4 GetSystemInfo
0xdeb0a8 VirtualAlloc
0xdeb0ac VirtualProtect
0xdeb0b0 VirtualFree
0xdeb0b4 GetProcessAffinityMask
0xdeb0b8 SetProcessAffinityMask
0xdeb0bc GetCurrentThread
0xdeb0c0 SetThreadAffinityMask
0xdeb0c4 Sleep
0xdeb0c8 LoadLibraryA
0xdeb0cc FreeLibrary
0xdeb0d0 GetTickCount
0xdeb0d4 SystemTimeToFileTime
0xdeb0d8 FileTimeToSystemTime
0xdeb0dc GlobalFree
0xdeb0e0 HeapAlloc
0xdeb0e4 HeapFree
0xdeb0e8 GetProcAddress
0xdeb0ec ExitProcess
0xdeb0f0 EnterCriticalSection
0xdeb0f4 LeaveCriticalSection
0xdeb0f8 InitializeCriticalSection
0xdeb0fc DeleteCriticalSection
0xdeb100 MultiByteToWideChar
0xdeb104 GetModuleHandleW
0xdeb108 LoadResource
0xdeb10c FindResourceExW
0xdeb110 FindResourceExA
0xdeb114 WideCharToMultiByte
0xdeb118 GetThreadLocale
0xdeb11c GetUserDefaultLCID
0xdeb120 GetSystemDefaultLCID
0xdeb124 EnumResourceNamesA
0xdeb128 EnumResourceNamesW
0xdeb12c EnumResourceLanguagesA
0xdeb130 EnumResourceLanguagesW
0xdeb134 EnumResourceTypesA
0xdeb138 EnumResourceTypesW
0xdeb13c CreateFileW
0xdeb140 LoadLibraryW
0xdeb144 GetLastError
0xdeb148 GetCommandLineA
0xdeb14c GetCPInfo
0xdeb150 InterlockedIncrement
0xdeb154 InterlockedDecrement
0xdeb158 GetACP
0xdeb15c GetOEMCP
0xdeb160 IsValidCodePage
0xdeb164 TlsGetValue
0xdeb168 TlsAlloc
0xdeb16c TlsSetValue
0xdeb170 TlsFree
0xdeb174 SetLastError
0xdeb178 UnhandledExceptionFilter
0xdeb17c SetUnhandledExceptionFilter
0xdeb180 IsDebuggerPresent
0xdeb184 RaiseException
0xdeb188 LCMapStringA
0xdeb18c LCMapStringW
0xdeb190 SetHandleCount
0xdeb194 GetStdHandle
0xdeb198 GetFileType
0xdeb19c GetStartupInfoA
0xdeb1a0 GetModuleFileNameA
0xdeb1a4 FreeEnvironmentStringsA
0xdeb1a8 GetEnvironmentStrings
0xdeb1ac FreeEnvironmentStringsW
0xdeb1b0 GetEnvironmentStringsW
0xdeb1b4 HeapCreate
0xdeb1b8 HeapDestroy
0xdeb1bc QueryPerformanceCounter
0xdeb1c0 HeapReAlloc
0xdeb1c4 GetStringTypeA
0xdeb1c8 GetStringTypeW
0xdeb1cc GetLocaleInfoA
0xdeb1d0 HeapSize
0xdeb1d4 WriteFile
0xdeb1d8 RtlUnwind
0xdeb1dc SetFilePointer
0xdeb1e0 GetConsoleCP
0xdeb1e4 GetConsoleMode
0xdeb1e8 InitializeCriticalSectionAndSpinCount
0xdeb1ec SetStdHandle
0xdeb1f0 WriteConsoleA
0xdeb1f4 GetConsoleOutputCP
0xdeb1f8 WriteConsoleW
0xdeb1fc CreateFileA
0xdeb200 FlushFileBuffers
0xdeb204 VirtualQuery
EAT(Export Address Table) Library
0x466a40 Start
kernel32.dll
0xdeb000 GetModuleHandleA
USER32.dll
0xdeb008 wsprintfA
GDI32.dll
0xdeb010 CreateCompatibleBitmap
ADVAPI32.dll
0xdeb018 RegCreateKeyExA
SHELL32.dll
0xdeb020 ShellExecuteA
ole32.dll
0xdeb028 CoInitialize
WS2_32.dll
0xdeb030 WSAStartup
CRYPT32.dll
0xdeb038 CryptUnprotectData
SHLWAPI.dll
0xdeb040 PathFindExtensionA
gdiplus.dll
0xdeb048 GdipGetImageEncoders
SETUPAPI.dll
0xdeb050 SetupDiEnumDeviceInfo
ntdll.dll
0xdeb058 RtlUnicodeStringToAnsiString
RstrtMgr.DLL
0xdeb060 RmStartSession
kernel32.dll
0xdeb068 GetSystemTimeAsFileTime
0xdeb06c CreateEventA
0xdeb070 GetModuleHandleA
0xdeb074 TerminateProcess
0xdeb078 GetCurrentProcess
0xdeb07c CreateToolhelp32Snapshot
0xdeb080 Thread32First
0xdeb084 GetCurrentProcessId
0xdeb088 GetCurrentThreadId
0xdeb08c OpenThread
0xdeb090 Thread32Next
0xdeb094 CloseHandle
0xdeb098 SuspendThread
0xdeb09c ResumeThread
0xdeb0a0 WriteProcessMemory
0xdeb0a4 GetSystemInfo
0xdeb0a8 VirtualAlloc
0xdeb0ac VirtualProtect
0xdeb0b0 VirtualFree
0xdeb0b4 GetProcessAffinityMask
0xdeb0b8 SetProcessAffinityMask
0xdeb0bc GetCurrentThread
0xdeb0c0 SetThreadAffinityMask
0xdeb0c4 Sleep
0xdeb0c8 LoadLibraryA
0xdeb0cc FreeLibrary
0xdeb0d0 GetTickCount
0xdeb0d4 SystemTimeToFileTime
0xdeb0d8 FileTimeToSystemTime
0xdeb0dc GlobalFree
0xdeb0e0 HeapAlloc
0xdeb0e4 HeapFree
0xdeb0e8 GetProcAddress
0xdeb0ec ExitProcess
0xdeb0f0 EnterCriticalSection
0xdeb0f4 LeaveCriticalSection
0xdeb0f8 InitializeCriticalSection
0xdeb0fc DeleteCriticalSection
0xdeb100 MultiByteToWideChar
0xdeb104 GetModuleHandleW
0xdeb108 LoadResource
0xdeb10c FindResourceExW
0xdeb110 FindResourceExA
0xdeb114 WideCharToMultiByte
0xdeb118 GetThreadLocale
0xdeb11c GetUserDefaultLCID
0xdeb120 GetSystemDefaultLCID
0xdeb124 EnumResourceNamesA
0xdeb128 EnumResourceNamesW
0xdeb12c EnumResourceLanguagesA
0xdeb130 EnumResourceLanguagesW
0xdeb134 EnumResourceTypesA
0xdeb138 EnumResourceTypesW
0xdeb13c CreateFileW
0xdeb140 LoadLibraryW
0xdeb144 GetLastError
0xdeb148 GetCommandLineA
0xdeb14c GetCPInfo
0xdeb150 InterlockedIncrement
0xdeb154 InterlockedDecrement
0xdeb158 GetACP
0xdeb15c GetOEMCP
0xdeb160 IsValidCodePage
0xdeb164 TlsGetValue
0xdeb168 TlsAlloc
0xdeb16c TlsSetValue
0xdeb170 TlsFree
0xdeb174 SetLastError
0xdeb178 UnhandledExceptionFilter
0xdeb17c SetUnhandledExceptionFilter
0xdeb180 IsDebuggerPresent
0xdeb184 RaiseException
0xdeb188 LCMapStringA
0xdeb18c LCMapStringW
0xdeb190 SetHandleCount
0xdeb194 GetStdHandle
0xdeb198 GetFileType
0xdeb19c GetStartupInfoA
0xdeb1a0 GetModuleFileNameA
0xdeb1a4 FreeEnvironmentStringsA
0xdeb1a8 GetEnvironmentStrings
0xdeb1ac FreeEnvironmentStringsW
0xdeb1b0 GetEnvironmentStringsW
0xdeb1b4 HeapCreate
0xdeb1b8 HeapDestroy
0xdeb1bc QueryPerformanceCounter
0xdeb1c0 HeapReAlloc
0xdeb1c4 GetStringTypeA
0xdeb1c8 GetStringTypeW
0xdeb1cc GetLocaleInfoA
0xdeb1d0 HeapSize
0xdeb1d4 WriteFile
0xdeb1d8 RtlUnwind
0xdeb1dc SetFilePointer
0xdeb1e0 GetConsoleCP
0xdeb1e4 GetConsoleMode
0xdeb1e8 InitializeCriticalSectionAndSpinCount
0xdeb1ec SetStdHandle
0xdeb1f0 WriteConsoleA
0xdeb1f4 GetConsoleOutputCP
0xdeb1f8 WriteConsoleW
0xdeb1fc CreateFileA
0xdeb200 FlushFileBuffers
0xdeb204 VirtualQuery
EAT(Export Address Table) Library
0x466a40 Start