ScreenShot
| Created | 2024.06.25 07:57 | Machine | s1_win7_x6403 |
| Filename | Main.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 61 detected (AIDetectMalware, Vidar, Windows, Threat, Malicious, score, Fragtor, Unsafe, Vo0i, Attribute, HighConfidence, Artemis, CryptoStl, Trojanx, Stealerc, TrojanPSW, Redcap, kmdmfk, Cl4R3ucypxL, xvqpd, YXEDXZ, Real Protect, high, Detected, ai score=80, Malware@#hvhruuheed8l, StealC, ABRisk, IDZY, BScope, Mars, GdSda, Gencirc, Static AI, Suspicious PE, confidence, 100%) | ||
| md5 | 9ec7f08c85bfa1b267761f225b68ab0b | ||
| sha256 | 9f685df11e2b24e55ae610d8fe4f9ea005b8dba84d4de97be0cce7fc7ae3c5ca | ||
| ssdeep | 3072:AZWAfSR9CehJX4rRUiAPukFhm8qfuDUM41wvnFsocOHYpk5GK+lGjCQYpY:WDEBbAUUkFhfDs1w/uFrYjCQYp | ||
| imphash | 554d949fd335dd5958de0342706fbbec | ||
| impfuzzy | 24:8sQ8yqvf9xfbbl9JzRNjlvt7Do8jaYHCtBlSfMDkYJlU2yDfT3wxbEOq1EQN:8d8yqv1Rbh95hojtB8fMHCMgwc | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 61 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to create or modify system certificates |
| watch | Communicates with host for which no DNS query was performed |
| watch | Network activity contains more than one unique useragent |
| notice | Executes one or more WMI queries |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x424108 strlen
0x42410c __CxxFrameHandler3
0x424110 memcmp
0x424114 strcmp
0x424118 ??_U@YAPAXI@Z
0x42411c strncpy
0x424120 malloc
0x424124 _wtoi64
0x424128 atexit
0x42412c ??_V@YAXPAX@Z
0x424130 memmove
0x424134 memchr
0x424138 strtok_s
0x42413c strcpy_s
0x424140 strchr
0x424144 memcpy
0x424148 memset
KERNEL32.dll
0x424010 IsProcessorFeaturePresent
0x424014 ExitProcess
0x424018 GetCurrentProcess
0x42401c LocalAlloc
0x424020 ReadProcessMemory
0x424024 VirtualQueryEx
0x424028 OpenProcess
0x42402c FileTimeToSystemTime
0x424030 CloseHandle
0x424034 CreateDirectoryA
0x424038 WaitForSingleObject
0x42403c CreateThread
0x424040 GetDriveTypeA
0x424044 GetLogicalDriveStringsA
0x424048 GetProcAddress
0x42404c LoadLibraryA
0x424050 HeapAlloc
0x424054 HeapFree
0x424058 LoadLibraryW
0x42405c GetStringTypeW
0x424060 MultiByteToWideChar
0x424064 LCMapStringW
0x424068 WideCharToMultiByte
0x42406c GetModuleFileNameW
0x424070 GetStdHandle
0x424074 WriteFile
0x424078 Sleep
0x42407c RaiseException
0x424080 EncodePointer
0x424084 GetLastError
0x424088 DecodePointer
0x42408c UnhandledExceptionFilter
0x424090 SetUnhandledExceptionFilter
0x424094 IsDebuggerPresent
0x424098 TerminateProcess
0x42409c InitializeCriticalSectionAndSpinCount
0x4240a0 LeaveCriticalSection
0x4240a4 EnterCriticalSection
0x4240a8 RtlUnwind
0x4240ac GetCPInfo
0x4240b0 InterlockedIncrement
0x4240b4 InterlockedDecrement
0x4240b8 GetACP
0x4240bc GetOEMCP
0x4240c0 IsValidCodePage
0x4240c4 TlsGetValue
0x4240c8 TlsSetValue
0x4240cc GetModuleHandleW
0x4240d0 SetLastError
0x4240d4 GetCurrentThreadId
USER32.dll
0x424100 CharToOemA
ADVAPI32.dll
0x424000 RegOpenKeyExA
0x424004 RegGetValueA
0x424008 GetCurrentHwProfileA
SHELL32.dll
0x4240f0 SHFileOperationA
ole32.dll
0x424150 CoInitializeSecurity
0x424154 CoInitializeEx
0x424158 CoSetProxyBlanket
0x42415c CoCreateInstance
OLEAUT32.dll
0x4240dc VariantInit
0x4240e0 SysAllocString
0x4240e4 SysFreeString
0x4240e8 VariantClear
SHLWAPI.dll
0x4240f8 None
EAT(Export Address Table) is none
msvcrt.dll
0x424108 strlen
0x42410c __CxxFrameHandler3
0x424110 memcmp
0x424114 strcmp
0x424118 ??_U@YAPAXI@Z
0x42411c strncpy
0x424120 malloc
0x424124 _wtoi64
0x424128 atexit
0x42412c ??_V@YAXPAX@Z
0x424130 memmove
0x424134 memchr
0x424138 strtok_s
0x42413c strcpy_s
0x424140 strchr
0x424144 memcpy
0x424148 memset
KERNEL32.dll
0x424010 IsProcessorFeaturePresent
0x424014 ExitProcess
0x424018 GetCurrentProcess
0x42401c LocalAlloc
0x424020 ReadProcessMemory
0x424024 VirtualQueryEx
0x424028 OpenProcess
0x42402c FileTimeToSystemTime
0x424030 CloseHandle
0x424034 CreateDirectoryA
0x424038 WaitForSingleObject
0x42403c CreateThread
0x424040 GetDriveTypeA
0x424044 GetLogicalDriveStringsA
0x424048 GetProcAddress
0x42404c LoadLibraryA
0x424050 HeapAlloc
0x424054 HeapFree
0x424058 LoadLibraryW
0x42405c GetStringTypeW
0x424060 MultiByteToWideChar
0x424064 LCMapStringW
0x424068 WideCharToMultiByte
0x42406c GetModuleFileNameW
0x424070 GetStdHandle
0x424074 WriteFile
0x424078 Sleep
0x42407c RaiseException
0x424080 EncodePointer
0x424084 GetLastError
0x424088 DecodePointer
0x42408c UnhandledExceptionFilter
0x424090 SetUnhandledExceptionFilter
0x424094 IsDebuggerPresent
0x424098 TerminateProcess
0x42409c InitializeCriticalSectionAndSpinCount
0x4240a0 LeaveCriticalSection
0x4240a4 EnterCriticalSection
0x4240a8 RtlUnwind
0x4240ac GetCPInfo
0x4240b0 InterlockedIncrement
0x4240b4 InterlockedDecrement
0x4240b8 GetACP
0x4240bc GetOEMCP
0x4240c0 IsValidCodePage
0x4240c4 TlsGetValue
0x4240c8 TlsSetValue
0x4240cc GetModuleHandleW
0x4240d0 SetLastError
0x4240d4 GetCurrentThreadId
USER32.dll
0x424100 CharToOemA
ADVAPI32.dll
0x424000 RegOpenKeyExA
0x424004 RegGetValueA
0x424008 GetCurrentHwProfileA
SHELL32.dll
0x4240f0 SHFileOperationA
ole32.dll
0x424150 CoInitializeSecurity
0x424154 CoInitializeEx
0x424158 CoSetProxyBlanket
0x42415c CoCreateInstance
OLEAUT32.dll
0x4240dc VariantInit
0x4240e0 SysAllocString
0x4240e4 SysFreeString
0x4240e8 VariantClear
SHLWAPI.dll
0x4240f8 None
EAT(Export Address Table) is none