ScreenShot
| Created | 2024.06.26 10:16 | Machine | s1_win7_x6403 |
| Filename | build.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 47 detected (AIDetectMalware, Strab, malicious, high confidence, score, Lockbit, Artemis, Unsafe, Save, Tepfer, Attribute, HighConfidence, Kryptik, HXJD, DropperX, Fareit, Yakes, CLOUD, InstaBot, rajyu, Pitou, SMOKELOADER, YXEFYZ, Real Protect, high, Stealc, Detected, STOP, SPON, LWKOWZ, Eldorado, R653711, ZexaF, 0q0@ae@LVKaG, BScope, Static AI, Suspicious PE, MxResIcn, HBBY, confidence, 100%) | ||
| md5 | 71b44c9a55f3b40681f6a5524ca9821d | ||
| sha256 | 9cea3ad8914836b158f4a3494c1b3b3dadc93af4d9a560cbec22742302de5439 | ||
| ssdeep | 12288:oFLV3SQMC2KjSnCs/urQO4VivUI6q9ulGvxnrgJMKut3KENjEhQEOuV:iSQaCsgUI6grzt3K4EWlu | ||
| imphash | 97bf980f6daa00a62d02c8545f869c7f | ||
| impfuzzy | 48:YOjFwU96rjknyvFtP3YUdFBI1tTQcf5YuuSBDS6:jPErjkyvFtoEfI1tTQcf54SBB | ||
Network IP location
Signature (27cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| warning | Generates some ICMP traffic |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to create or modify system certificates |
| watch | Installs itself for autorun at Windows startup |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process build.exe |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (30cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero_m | [m] Generic Malware | memory |
| warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | schtasks_Zero | task schedule | memory |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (10cnts) ?
Suricata ids
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x414008 GetCommState
0x41400c CreateJobObjectW
0x414010 GetNamedPipeHandleStateA
0x414014 SetVolumeMountPointW
0x414018 GetTimeFormatA
0x41401c GetCommProperties
0x414020 GetModuleHandleW
0x414024 GetTickCount
0x414028 GetConsoleAliasesLengthA
0x41402c FormatMessageA
0x414030 ReadConsoleOutputA
0x414034 GetUserDefaultLangID
0x414038 GlobalAlloc
0x41403c LoadLibraryW
0x414040 GetLocaleInfoW
0x414044 GetCalendarInfoW
0x414048 lstrcpynW
0x41404c LocalReAlloc
0x414050 GetModuleFileNameW
0x414054 RaiseException
0x414058 GetConsoleAliasesW
0x41405c GlobalAddAtomA
0x414060 GetLastError
0x414064 GetProcAddress
0x414068 GetNumaHighestNodeNumber
0x41406c LoadLibraryA
0x414070 WriteConsoleA
0x414074 RegisterWaitForSingleObject
0x414078 AddAtomW
0x41407c OpenJobObjectW
0x414080 FoldStringA
0x414084 lstrcatW
0x414088 GetConsoleTitleW
0x41408c BuildCommDCBA
0x414090 GetShortPathNameW
0x414094 FileTimeToLocalFileTime
0x414098 FindFirstVolumeW
0x41409c OpenFileMappingA
0x4140a0 EnumCalendarInfoExA
0x4140a4 AreFileApisANSI
0x4140a8 InterlockedExchange
0x4140ac SetDefaultCommConfigA
0x4140b0 MultiByteToWideChar
0x4140b4 HeapAlloc
0x4140b8 HeapReAlloc
0x4140bc Sleep
0x4140c0 ExitProcess
0x4140c4 GetStartupInfoW
0x4140c8 RtlUnwind
0x4140cc TerminateProcess
0x4140d0 GetCurrentProcess
0x4140d4 UnhandledExceptionFilter
0x4140d8 SetUnhandledExceptionFilter
0x4140dc IsDebuggerPresent
0x4140e0 HeapFree
0x4140e4 GetCPInfo
0x4140e8 InterlockedIncrement
0x4140ec InterlockedDecrement
0x4140f0 GetACP
0x4140f4 GetOEMCP
0x4140f8 IsValidCodePage
0x4140fc TlsGetValue
0x414100 TlsAlloc
0x414104 TlsSetValue
0x414108 TlsFree
0x41410c SetLastError
0x414110 GetCurrentThreadId
0x414114 DeleteCriticalSection
0x414118 LeaveCriticalSection
0x41411c EnterCriticalSection
0x414120 VirtualFree
0x414124 VirtualAlloc
0x414128 HeapCreate
0x41412c WriteFile
0x414130 GetStdHandle
0x414134 GetModuleFileNameA
0x414138 WideCharToMultiByte
0x41413c GetConsoleCP
0x414140 GetConsoleMode
0x414144 FlushFileBuffers
0x414148 HeapSize
0x41414c InitializeCriticalSectionAndSpinCount
0x414150 FreeEnvironmentStringsW
0x414154 GetEnvironmentStringsW
0x414158 GetCommandLineW
0x41415c SetHandleCount
0x414160 GetFileType
0x414164 GetStartupInfoA
0x414168 QueryPerformanceCounter
0x41416c GetCurrentProcessId
0x414170 GetSystemTimeAsFileTime
0x414174 LCMapStringA
0x414178 LCMapStringW
0x41417c GetStringTypeA
0x414180 GetStringTypeW
0x414184 GetLocaleInfoA
0x414188 GetConsoleOutputCP
0x41418c WriteConsoleW
0x414190 SetFilePointer
0x414194 SetStdHandle
0x414198 ReadFile
0x41419c CreateFileA
0x4141a0 CloseHandle
0x4141a4 GetModuleHandleA
USER32.dll
0x4141ac LoadIconA
ADVAPI32.dll
0x414000 GetSidSubAuthorityCount
EAT(Export Address Table) is none
KERNEL32.dll
0x414008 GetCommState
0x41400c CreateJobObjectW
0x414010 GetNamedPipeHandleStateA
0x414014 SetVolumeMountPointW
0x414018 GetTimeFormatA
0x41401c GetCommProperties
0x414020 GetModuleHandleW
0x414024 GetTickCount
0x414028 GetConsoleAliasesLengthA
0x41402c FormatMessageA
0x414030 ReadConsoleOutputA
0x414034 GetUserDefaultLangID
0x414038 GlobalAlloc
0x41403c LoadLibraryW
0x414040 GetLocaleInfoW
0x414044 GetCalendarInfoW
0x414048 lstrcpynW
0x41404c LocalReAlloc
0x414050 GetModuleFileNameW
0x414054 RaiseException
0x414058 GetConsoleAliasesW
0x41405c GlobalAddAtomA
0x414060 GetLastError
0x414064 GetProcAddress
0x414068 GetNumaHighestNodeNumber
0x41406c LoadLibraryA
0x414070 WriteConsoleA
0x414074 RegisterWaitForSingleObject
0x414078 AddAtomW
0x41407c OpenJobObjectW
0x414080 FoldStringA
0x414084 lstrcatW
0x414088 GetConsoleTitleW
0x41408c BuildCommDCBA
0x414090 GetShortPathNameW
0x414094 FileTimeToLocalFileTime
0x414098 FindFirstVolumeW
0x41409c OpenFileMappingA
0x4140a0 EnumCalendarInfoExA
0x4140a4 AreFileApisANSI
0x4140a8 InterlockedExchange
0x4140ac SetDefaultCommConfigA
0x4140b0 MultiByteToWideChar
0x4140b4 HeapAlloc
0x4140b8 HeapReAlloc
0x4140bc Sleep
0x4140c0 ExitProcess
0x4140c4 GetStartupInfoW
0x4140c8 RtlUnwind
0x4140cc TerminateProcess
0x4140d0 GetCurrentProcess
0x4140d4 UnhandledExceptionFilter
0x4140d8 SetUnhandledExceptionFilter
0x4140dc IsDebuggerPresent
0x4140e0 HeapFree
0x4140e4 GetCPInfo
0x4140e8 InterlockedIncrement
0x4140ec InterlockedDecrement
0x4140f0 GetACP
0x4140f4 GetOEMCP
0x4140f8 IsValidCodePage
0x4140fc TlsGetValue
0x414100 TlsAlloc
0x414104 TlsSetValue
0x414108 TlsFree
0x41410c SetLastError
0x414110 GetCurrentThreadId
0x414114 DeleteCriticalSection
0x414118 LeaveCriticalSection
0x41411c EnterCriticalSection
0x414120 VirtualFree
0x414124 VirtualAlloc
0x414128 HeapCreate
0x41412c WriteFile
0x414130 GetStdHandle
0x414134 GetModuleFileNameA
0x414138 WideCharToMultiByte
0x41413c GetConsoleCP
0x414140 GetConsoleMode
0x414144 FlushFileBuffers
0x414148 HeapSize
0x41414c InitializeCriticalSectionAndSpinCount
0x414150 FreeEnvironmentStringsW
0x414154 GetEnvironmentStringsW
0x414158 GetCommandLineW
0x41415c SetHandleCount
0x414160 GetFileType
0x414164 GetStartupInfoA
0x414168 QueryPerformanceCounter
0x41416c GetCurrentProcessId
0x414170 GetSystemTimeAsFileTime
0x414174 LCMapStringA
0x414178 LCMapStringW
0x41417c GetStringTypeA
0x414180 GetStringTypeW
0x414184 GetLocaleInfoA
0x414188 GetConsoleOutputCP
0x41418c WriteConsoleW
0x414190 SetFilePointer
0x414194 SetStdHandle
0x414198 ReadFile
0x41419c CreateFileA
0x4141a0 CloseHandle
0x4141a4 GetModuleHandleA
USER32.dll
0x4141ac LoadIconA
ADVAPI32.dll
0x414000 GetSidSubAuthorityCount
EAT(Export Address Table) is none