ScreenShot
| Created | 2024.06.25 07:44 | Machine | s1_win7_x6403 |
| Filename | ExtExport2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 40 detected (AIDetectMalware, Autoit, malicious, moderate confidence, score, TrojanAitInject, Unsafe, Save, Artemis, FileRepMalware, fgnl, CLASSIC, moderate, GPCX, Detected, RedLine, lvmpx, Sabsik, Strab, AZWT7U, Eldorado, R002H01FO24, MxResIcn, confidence, 100%, GXI#3DGW) | ||
| md5 | 901a623dbccaa22525373cd36195ee14 | ||
| sha256 | b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec | ||
| ssdeep | 12288:SYV6MorX7qzuC3QHO9FQVHPF51jgcN6S5UesUInNnpo2R2:hBXu9HGaVHN6S5U5Rn/Y | ||
| imphash | fc6683d30d9f25244a50fd5357825e79 | ||
| impfuzzy | 12:VA/DzqYOZkKDHLB78r4B3ExjLAkcOaiTQQnd3mxCHH:V0DBaPHLB7PxExjLAkcOV2kn | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to create or modify system certificates |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (10cnts) ?
Suricata ids
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SURICATA HTTP unable to match response to request
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
SURICATA HTTP unable to match response to request
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x5668c0 LoadLibraryA
0x5668c4 GetProcAddress
0x5668c8 VirtualProtect
0x5668cc VirtualAlloc
0x5668d0 VirtualFree
0x5668d4 ExitProcess
ADVAPI32.dll
0x5668dc GetAce
COMCTL32.dll
0x5668e4 ImageList_Remove
COMDLG32.dll
0x5668ec GetOpenFileNameW
GDI32.dll
0x5668f4 LineTo
IPHLPAPI.DLL
0x5668fc IcmpSendEcho
MPR.dll
0x566904 WNetUseConnectionW
ole32.dll
0x56690c CoGetObject
OLEAUT32.dll
0x566914 VariantInit
PSAPI.DLL
0x56691c GetProcessMemoryInfo
SHELL32.dll
0x566924 DragFinish
USER32.dll
0x56692c GetDC
USERENV.dll
0x566934 LoadUserProfileW
UxTheme.dll
0x56693c IsThemeActive
VERSION.dll
0x566944 VerQueryValueW
WININET.dll
0x56694c FtpOpenFileW
WINMM.dll
0x566954 timeGetTime
WSOCK32.dll
0x56695c connect
EAT(Export Address Table) is none
KERNEL32.DLL
0x5668c0 LoadLibraryA
0x5668c4 GetProcAddress
0x5668c8 VirtualProtect
0x5668cc VirtualAlloc
0x5668d0 VirtualFree
0x5668d4 ExitProcess
ADVAPI32.dll
0x5668dc GetAce
COMCTL32.dll
0x5668e4 ImageList_Remove
COMDLG32.dll
0x5668ec GetOpenFileNameW
GDI32.dll
0x5668f4 LineTo
IPHLPAPI.DLL
0x5668fc IcmpSendEcho
MPR.dll
0x566904 WNetUseConnectionW
ole32.dll
0x56690c CoGetObject
OLEAUT32.dll
0x566914 VariantInit
PSAPI.DLL
0x56691c GetProcessMemoryInfo
SHELL32.dll
0x566924 DragFinish
USER32.dll
0x56692c GetDC
USERENV.dll
0x566934 LoadUserProfileW
UxTheme.dll
0x56693c IsThemeActive
VERSION.dll
0x566944 VerQueryValueW
WININET.dll
0x56694c FtpOpenFileW
WINMM.dll
0x566954 timeGetTime
WSOCK32.dll
0x56695c connect
EAT(Export Address Table) is none