Field | Value |
---|---|
Created | 2024.06.16 10:23 |
Machine | s1_win7_x6403 |
Filename | WB.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 32 detected (FamVT, DumpModuleInfectiousNME, Nimnul, Wapomi, malicious, confidence, 100%, score, Banload, cstqaj, VJadtre, Real Protect, high, Obfuscate, Jadtre, Ramnit, Unsafe, Loader, Static AI, Malicious PE) |
md5 | 2ca46e1c431bc4a3e5a01921e1e13a50 |
sha256 | f764089e78f3fb6366d1e292c4636a8513f712876b51130f3f20be5083f22b48 |
ssdeep | 24576:qODP7Rw0u6pAJzL3VMucfssyk8jhvuCgfszlHW3/7DJjcv:qmP7OlSAxmu/Rjhvu70Y3/hjm |
imphash | 6b46852d52a20560bf06073226f2ddfe |
impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/QHAzaz+SME9iXmJJcJOqRgKLbFLMKJAmeXw6wJuVMXXRL:VA/DzqYOZEAza6SMEMX+mOqRg8+mxHDh |
Signature (38cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to create or modify system certificates |
watch | Communicates with host for which no DNS query was performed |
watch | Creates a windows hook that monitors keyboard input (keylogger) |
watch | Expresses interest in specific running processes |
watch | Installs itself for autorun at Windows startup |
watch | Network activity contains more than one unique useragent |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process attempted to delay the analysis task |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Connects to a Dynamic DNS Domain |
notice | Creates a service |
notice | Creates executable files on the filesystem |
notice | Downloads a file or document from Google Drive |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | Looks up the Dropbox cloud service |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Tries to locate where the browsers are installed |
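The injection-related signatures in the table above (writing to another process's memory, NtSetContextThread on a remote thread, resuming a suspended thread) are reported by the sandbox as independent hits. The block below is an added example, not part of this report or of the sandbox's own code, that correlates them into one stateful alert per (source, target) process pair over a constructed API-call trace. The trace format (`pid`, `api`, `target_pid`, `args`, with the target already resolved from the handle by an assumed log exporter) and the process IDs are assumptions; the flag value 0x4 is the real CREATE_SUSPENDED constant.

```python
"""Stateful detection of the thread-hijack injection chain
WriteProcessMemory -> NtSetContextThread -> ResumeThread against a remote process.
Added example; the trace below is constructed, not taken from the report."""
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit

# Constructed trace in a hypothetical exporter format: one dict per API call,
# target_pid already resolved from the handle argument (assumption).
TRACE = [
    {"pid": 1000, "api": "CreateProcessA", "target_pid": 2000, "args": {"flags": 0x4}},
    # self-modification while unpacking: RWX allocation, then RWX -> RX
    {"pid": 1000, "api": "VirtualAlloc", "target_pid": 1000, "args": {"protect": 0x40}},
    {"pid": 1000, "api": "VirtualProtect", "target_pid": 1000, "args": {"protect": 0x20}},
    # remote injection into the suspended child
    {"pid": 1000, "api": "VirtualAllocEx", "target_pid": 2000, "args": {"protect": 0x40}},
    {"pid": 1000, "api": "WriteProcessMemory", "target_pid": 2000, "args": {"size": 0x8000}},
    {"pid": 1000, "api": "NtSetContextThread", "target_pid": 2000, "args": {}},
    {"pid": 1000, "api": "ResumeThread", "target_pid": 2000, "args": {}},
    # unrelated process writing to itself: not injection
    {"pid": 3000, "api": "WriteProcessMemory", "target_pid": 3000, "args": {"size": 16}},
]

# The chain must be observed in this order for the same (source, target) pair.
STAGES = ("WriteProcessMemory", "NtSetContextThread", "ResumeThread")


def detect_thread_hijack(trace, stages=STAGES):
    """Return one alert per (source_pid, target_pid) pair that completes the
    chain in order. Calls whose target is the caller itself are ignored: those
    match the sandbox's RWX/unpacking notices, not the injection signatures."""
    progress = defaultdict(int)   # (src, dst) -> index of the next expected stage
    suspended = set()             # (src, dst) pairs where src created dst suspended
    alerts = []
    for ev in trace:
        src, dst = ev["pid"], ev["target_pid"]
        if src == dst:
            continue
        key = (src, dst)
        if ev["api"] in ("CreateProcessA", "CreateProcessW") and \
                ev["args"].get("flags", 0) & CREATE_SUSPENDED:
            suspended.add(key)
            continue
        expected = stages[progress[key]] if progress[key] < len(stages) else None
        if ev["api"] != expected:
            continue  # out-of-order or unrelated call: leave the state machine where it is
        progress[key] += 1
        if progress[key] == len(stages):
            alerts.append({
                "source_pid": src,
                "target_pid": dst,
                "chain": list(stages),
                "created_suspended": key in suspended,
                # a suspended child plus the full chain is the classic hollowing shape
                "severity": "danger" if key in suspended else "watch",
            })
            progress[key] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect_thread_hijack(TRACE):
        print(alert)
```

The detector deliberately does not count VirtualAllocEx as a stage: a remote allocation without a subsequent write and context change is common in benign tooling, whereas the three-call chain in order, against a child the same process created suspended, is what the report's three danger/watch signatures jointly describe.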
Rules (28cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (23cnts)
Suricata IDS alerts
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
PE API
IAT (Import Address Table) Library
KERNEL32.DLL
0x64d294 LoadLibraryA
0x64d298 GetProcAddress
0x64d29c VirtualProtect
0x64d2a0 VirtualAlloc
0x64d2a4 VirtualFree
0x64d2a8 ExitProcess
USER32.DLL
0x64d2b0 GetScrollPos
GDI32.DLL
0x64d2b8 GetClipRgn
WINMM.DLL
0x64d2c0 midiStreamRestart
WINSPOOL.DRV
0x64d2c8 ClosePrinter
ADVAPI32.DLL
0x64d2d0 RegCloseKey
SHELL32.DLL
0x64d2d8 ShellExecuteA
OLE32.DLL
0x64d2e0 OleInitialize
OLEAUT32.DLL
0x64d2e8 UnRegisterTypeLib
COMCTL32.DLL
0x64d2f0 ImageList_Destroy
WS2_32.DLL
0x64d2f8 recv
COMDLG32.DLL
0x64d300 GetFileTitleA
EAT (Export Address Table): none
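The import table above is the minimal one a packer stub leaves behind: the kernel32 loader primitives (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc) plus one arbitrary export from each other DLL, consistent with the ASPack and UPX rule hits. The block below is an added example, not the sandbox's own code, that recomputes an imphash from such a listing using the pefile/Mandiant convention (lowercase `lib.func`, library extension `.dll`/`.ocx`/`.sys` stripped, comma-joined, MD5) and scores the packer-stub pattern. The import list is transcribed from the report; the page does not confirm it is the complete, ordered table the sandbox hashed, so the computed digest is not claimed to equal the report's imphash. `NORMAL_IMPORTS` is a constructed contrast case.

```python
"""imphash recomputation and packer-stub scoring over a parsed import list.
Added example; WB_EXE_IMPORTS is transcribed from the report's IAT section,
NORMAL_IMPORTS is constructed for contrast."""
import hashlib
import re
from collections import Counter

# Transcribed from the report's IAT listing, order preserved.
WB_EXE_IMPORTS = [
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "VirtualFree"),
    ("KERNEL32.DLL", "ExitProcess"),
    ("USER32.DLL", "GetScrollPos"),
    ("GDI32.DLL", "GetClipRgn"),
    ("WINMM.DLL", "midiStreamRestart"),
    ("WINSPOOL.DRV", "ClosePrinter"),
    ("ADVAPI32.DLL", "RegCloseKey"),
    ("SHELL32.DLL", "ShellExecuteA"),
    ("OLE32.DLL", "OleInitialize"),
    ("OLEAUT32.DLL", "UnRegisterTypeLib"),
    ("COMCTL32.DLL", "ImageList_Destroy"),
    ("WS2_32.DLL", "recv"),
    ("COMDLG32.DLL", "GetFileTitleA"),
]

# Constructed contrast case: what an unpacked GUI program typically imports.
NORMAL_IMPORTS = [
    ("KERNEL32.DLL", f) for f in ("CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                                  "GetLastError", "LoadLibraryA", "GetProcAddress")
] + [
    ("USER32.DLL", f) for f in ("MessageBoxW", "CreateWindowExW", "DefWindowProcW")
] + [("ADVAPI32.DLL", "RegOpenKeyExW"), ("ADVAPI32.DLL", "RegQueryValueExW")]

# What a stub needs to rebuild the real IAT at runtime.
LOADER_SET = {"loadlibrarya", "getprocaddress", "virtualprotect", "virtualalloc"}


def imphash_string(imports):
    """The canonical string pefile hashes: 'lib.func' pairs, lowercase,
    with only .dll/.ocx/.sys stripped (so WINSPOOL.DRV keeps its extension)."""
    parts = []
    for lib, func in imports:
        lib = re.sub(r"\.(dll|ocx|sys)$", "", lib.lower())
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string (pefile's get_imphash convention)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def packer_stub_indicators(imports):
    """Score the stub pattern: loader primitives present and nearly every
    non-kernel32 DLL contributing exactly one function."""
    per_lib = Counter(lib.lower() for lib, _ in imports)
    k32 = {func.lower() for lib, func in imports if lib.lower() == "kernel32.dll"}
    has_loader_set = LOADER_SET <= k32
    others = [lib for lib in per_lib if lib != "kernel32.dll"]
    singles = [lib for lib in others if per_lib[lib] == 1]
    ratio = len(singles) / len(others) if others else 0.0
    return {
        "total_imports": len(imports),
        "has_loader_set": has_loader_set,
        "single_function_dll_ratio": ratio,
        # thresholds are heuristic choices for this example, not a published cut-off
        "likely_packer_stub": has_loader_set and len(imports) < 40 and ratio >= 0.8,
    }


if __name__ == "__main__":
    print(imphash(WB_EXE_IMPORTS))
    print(packer_stub_indicators(WB_EXE_IMPORTS))
```

Because a packed sample's imphash describes the stub rather than the payload, it clusters by packer (every ASPack- or UPX-wrapped binary with this stub layout shares it); the unpacked payload's import table is what should be hashed for family attribution.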