ScreenShot
| Created | 2024.06.12 07:36 | Machine | s1_win7_x6401 |
| Filename | seo_cr1.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 27 detected (AIDetectMalware, malicious, high confidence, score, Lockbit, Unsafe, Save, Attribute, HighConfidence, GenKryptik, GYPG, Artemis, Generic@AI, RDML, mtgATTehqFjXmF2jeIW, Real Protect, high, Outbreak, Casdet, ZexaF, ZBW@a0DnfThi, Static AI, Suspicious PE, confidence, 100%) | ||
| md5 | b2d33941295f236bebee0d3c389a8549 | ||
| sha256 | cfa0a176bad0046bd498a5a7f5140ca92734b096c541a54acd1b002f228ec47c | ||
| ssdeep | 24576:VUFFAjGxqL+VD3crlj8XR2GN19yK9fbxjSXIQ8j0b4qsfQ9Mrm94+CJWMD/NXChu:NKUo3klIXhNryuI2j0sVf9 | ||
| imphash | cbe5fc5e7bee4b0be15ed00994864f05 | ||
| impfuzzy | 24:fOovEIN+jvxvwZ46tMlJFDnDIl49hc+9MG9jMv:Wc2wZ46tF2jc+eGw | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE [ANY.RUN] DarkGate HTTP POST Activity (TA577)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41f000 GetProcessHeap
0x41f004 CreateFileA
0x41f008 CloseHandle
0x41f00c GetCommandLineA
0x41f010 ConvertThreadToFiber
0x41f014 CreateFiber
0x41f018 SwitchToFiber
0x41f01c OpenThread
0x41f020 GetCurrentProcessId
0x41f024 GetTempPathA
0x41f028 WaitForSingleObject
0x41f02c GetFileSize
0x41f030 OpenFileMappingA
0x41f034 CreateNamedPipeA
0x41f038 CallNamedPipeA
0x41f03c ExitProcess
0x41f040 VirtualAlloc
0x41f044 GetNamedPipeHandleStateA
0x41f048 HeapLock
0x41f04c IsDebuggerPresent
0x41f050 UnhandledExceptionFilter
0x41f054 SetUnhandledExceptionFilter
0x41f058 GetCurrentProcess
0x41f05c TerminateProcess
0x41f060 IsProcessorFeaturePresent
0x41f064 GetStringTypeW
0x41f068 GetLastError
0x41f06c SetLastError
0x41f070 MultiByteToWideChar
0x41f074 GetACP
0x41f078 EncodePointer
0x41f07c DecodePointer
0x41f080 HeapAlloc
0x41f084 HeapFree
0x41f088 GetModuleHandleW
0x41f08c GetProcAddress
0x41f090 InitializeCriticalSectionAndSpinCount
0x41f094 TlsGetValue
0x41f098 TlsSetValue
0x41f09c FreeLibrary
0x41f0a0 LoadLibraryExW
0x41f0a4 LCMapStringW
0x41f0a8 EnterCriticalSection
0x41f0ac LeaveCriticalSection
0x41f0b0 DeleteCriticalSection
0x41f0b4 IsValidCodePage
0x41f0b8 GetOEMCP
0x41f0bc GetCPInfo
0x41f0c0 GetModuleHandleExW
0x41f0c4 WideCharToMultiByte
0x41f0c8 RaiseException
0x41f0cc RtlUnwind
0x41f0d0 SetStdHandle
0x41f0d4 WriteFile
0x41f0d8 GetConsoleCP
0x41f0dc GetConsoleMode
0x41f0e0 SetFilePointerEx
0x41f0e4 FlushFileBuffers
0x41f0e8 WriteConsoleW
0x41f0ec CreateFileW
EAT(Export Address Table) is none
KERNEL32.dll
0x41f000 GetProcessHeap
0x41f004 CreateFileA
0x41f008 CloseHandle
0x41f00c GetCommandLineA
0x41f010 ConvertThreadToFiber
0x41f014 CreateFiber
0x41f018 SwitchToFiber
0x41f01c OpenThread
0x41f020 GetCurrentProcessId
0x41f024 GetTempPathA
0x41f028 WaitForSingleObject
0x41f02c GetFileSize
0x41f030 OpenFileMappingA
0x41f034 CreateNamedPipeA
0x41f038 CallNamedPipeA
0x41f03c ExitProcess
0x41f040 VirtualAlloc
0x41f044 GetNamedPipeHandleStateA
0x41f048 HeapLock
0x41f04c IsDebuggerPresent
0x41f050 UnhandledExceptionFilter
0x41f054 SetUnhandledExceptionFilter
0x41f058 GetCurrentProcess
0x41f05c TerminateProcess
0x41f060 IsProcessorFeaturePresent
0x41f064 GetStringTypeW
0x41f068 GetLastError
0x41f06c SetLastError
0x41f070 MultiByteToWideChar
0x41f074 GetACP
0x41f078 EncodePointer
0x41f07c DecodePointer
0x41f080 HeapAlloc
0x41f084 HeapFree
0x41f088 GetModuleHandleW
0x41f08c GetProcAddress
0x41f090 InitializeCriticalSectionAndSpinCount
0x41f094 TlsGetValue
0x41f098 TlsSetValue
0x41f09c FreeLibrary
0x41f0a0 LoadLibraryExW
0x41f0a4 LCMapStringW
0x41f0a8 EnterCriticalSection
0x41f0ac LeaveCriticalSection
0x41f0b0 DeleteCriticalSection
0x41f0b4 IsValidCodePage
0x41f0b8 GetOEMCP
0x41f0bc GetCPInfo
0x41f0c0 GetModuleHandleExW
0x41f0c4 WideCharToMultiByte
0x41f0c8 RaiseException
0x41f0cc RtlUnwind
0x41f0d0 SetStdHandle
0x41f0d4 WriteFile
0x41f0d8 GetConsoleCP
0x41f0dc GetConsoleMode
0x41f0e0 SetFilePointerEx
0x41f0e4 FlushFileBuffers
0x41f0e8 WriteConsoleW
0x41f0ec CreateFileW
EAT(Export Address Table) is none