Field | Value |
---|---|
Created | 2024.06.27 17:12 |
Machine | s1_win7_x6401 |
Filename | build2.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 59 detected (AIDetectMalware, Tepfer, malicious, high confidence, score, Lockbit, GenericKD, Unsafe, Save, Kryptik, HXFH, Artemis, RansomX, Fareit, None, Generic@AI, RDML, M1YwbxGM05L411jvS8iJwg, MalwareCrypter, tcyfx, DownLoader46, VIDAR, YXEE4Z, Real Protect, high, Krypt, Detected, Androm, PSWTroj, Stealc, Smokeloader, R650823, ZexaF, uq0@aiZA9WgG, GdSda, Gencirc, ai score=84, susgen, HBBY, confidence, 100%) |
md5 | 335a64e110185d35bcfbc3ef86a382e9 |
sha256 | 8286d000d4045fe41788db22d353553ced31258eeaa0d52825e317f94d23dd9a |
ssdeep | 3072:V1dPzcpmx6U25NN9k9oqYRZn2uEm5nZTkvfXC5WhpNumh:V7Pz3xcNU9oquZ2uEmfTkXXNFumh |
imphash | b3f7368a77856522320ff0e8d452c570 |
impfuzzy | 24:rdbPaDeTMUkC1bkrIJcDAjgE4paOovEG/LiJEnchQFBRyv9kRT4BMjMVl77:rRaZsX4pdVG/mEchl9gcB5B |
Signature (34cnts)
Level | Description |
---|---|
danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Harvests credentials from local FTP client softwares |
watch | Network activity contains more than one unique useragent |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
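The injection-related signatures above (execute permission allocated in another process, a write to another process's memory, NtSetContextThread on a remote thread, a suspended thread resumed, a dropped binary executed) are the individual stages of one chain: a child is started suspended, a payload is written into it, its initial thread's context is redirected and it is resumed. The following is an added example, not the sandbox's own code, showing how those stages can be correlated per target process from an API trace. The trace format is a hypothetical JSON-per-event layout loosely modelled on Cuckoo-style behaviour logs, the sample events are constructed, and Win32 argument names (hProcess, hThread, flProtect, dwCreationFlags) are assumed.

```python
"""Correlate a process-injection chain (RWX allocation in another process,
remote memory write, NtSetContextThread, resume of a suspended thread)
from a per-process API trace.

Added example; the trace layout is hypothetical (one dict per API event,
loosely modelled on Cuckoo-style behaviour logs), not the report's output.
"""

PAGE_EXECUTE_READWRITE = 0x40
CREATE_SUSPENDED = 0x4

# Constructed sample trace (not from the report): a hollowing chain against a
# suspended child, plus one RWX allocation in the parent's own address space.
SAMPLE_TRACE = [
    {"pid": 1234, "api": "CreateProcessW",
     "args": {"lpApplicationName": "C:\\Windows\\System32\\svchost.exe",
              "dwCreationFlags": CREATE_SUSPENDED},
     "ret": {"hProcess": "0x1a4", "hThread": "0x1a8", "dwProcessId": 2000}},
    {"pid": 1234, "api": "VirtualAllocEx",
     "args": {"hProcess": "0x1a4", "dwSize": 0x15000,
              "flProtect": PAGE_EXECUTE_READWRITE}, "ret": "0x400000"},
    {"pid": 1234, "api": "WriteProcessMemory",
     "args": {"hProcess": "0x1a4", "lpBaseAddress": "0x400000", "nSize": 0x200}, "ret": 1},
    {"pid": 1234, "api": "WriteProcessMemory",
     "args": {"hProcess": "0x1a4", "lpBaseAddress": "0x401000", "nSize": 0x14000}, "ret": 1},
    {"pid": 1234, "api": "NtSetContextThread", "args": {"hThread": "0x1a8"}, "ret": 0},
    {"pid": 1234, "api": "NtResumeThread", "args": {"hThread": "0x1a8"}, "ret": 0},
    {"pid": 1234, "api": "VirtualAlloc",
     "args": {"dwSize": 0x1000, "flProtect": PAGE_EXECUTE_READWRITE}, "ret": "0x10000"},
]

HOLLOWING = {"alloc_rwx", "write", "set_context", "resume"}
REMOTE_THREAD = {"alloc_rwx", "write", "remote_thread"}


def correlate(trace):
    """Map (source pid, target pid) -> set of injection stages observed.

    Handles are scoped per source pid and resolved back to the target pid via
    the CreateProcess*/OpenProcess call that returned them; a call with no
    handle (or an unknown one) is attributed to the caller itself."""
    proc_handles, thread_handles, stages = {}, {}, {}

    def mark(src, target, stage):
        stages.setdefault((src, target), set()).add(stage)

    for ev in trace:
        pid, api, args, ret = ev["pid"], ev["api"], ev["args"], ev["ret"]
        if api.startswith("CreateProcess") and isinstance(ret, dict):
            target = ret["dwProcessId"]
            proc_handles[(pid, ret["hProcess"])] = target
            thread_handles[(pid, ret["hThread"])] = target
            if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                mark(pid, target, "create_suspended")
        elif api == "OpenProcess" and ret not in (0, "0x0", None):
            proc_handles[(pid, ret)] = args["dwProcessId"]
        elif api in ("VirtualAlloc", "VirtualAllocEx"):
            target = proc_handles.get((pid, args.get("hProcess")), pid)
            if args.get("flProtect") == PAGE_EXECUTE_READWRITE:
                mark(pid, target, "alloc_rwx")
        elif api in ("WriteProcessMemory", "NtWriteVirtualMemory"):
            mark(pid, proc_handles.get((pid, args.get("hProcess")), pid), "write")
        elif api in ("SetThreadContext", "NtSetContextThread"):
            mark(pid, thread_handles.get((pid, args.get("hThread")), pid), "set_context")
        elif api in ("ResumeThread", "NtResumeThread"):
            mark(pid, thread_handles.get((pid, args.get("hThread")), pid), "resume")
        elif api in ("CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"):
            mark(pid, proc_handles.get((pid, args.get("hProcess")), pid), "remote_thread")
    return stages


def verdict(src, target, seen):
    """Classify one (source, target) pair; None when nothing is suspicious."""
    if src == target:
        return "self-unpack (RWX allocation in own process)" if "alloc_rwx" in seen else None
    if HOLLOWING <= seen:
        return "process hollowing / thread-context hijack"
    if REMOTE_THREAD <= seen:
        return "remote thread injection"
    if "write" in seen:
        return "remote memory write (incomplete chain)"
    return None


def analyse(trace):
    """Return {(src, target): verdict} for every pair that gets a verdict."""
    out = {}
    for (src, target), seen in correlate(trace).items():
        v = verdict(src, target, seen)
        if v:
            out[(src, target)] = v
    return out


if __name__ == "__main__":
    for (src, target), v in sorted(analyse(SAMPLE_TRACE).items()):
        print(f"{src} -> {target}: {v}")
```

Keying on the target process is what separates the danger-level finding from the notice-level one: an RWX allocation in the caller's own address space (the "Allocates read-write-execute memory (usually to unpack itself)" signature) is reported as self-unpacking, while the same allocation against a handle to a suspended child counts toward the hollowing chain.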
Rules (29cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer | memory |
danger | Win32_PWS_Loki_m_Zero | Win32 PWS Loki | memory |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
warning | infoStealer_ftpClients_Zero | ftp clients info stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (6cnts)
Suricata ids
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40d000 GlobalDeleteAtom
0x40d004 TryEnterCriticalSection
0x40d008 GetNumaProcessorNode
0x40d00c InterlockedDecrement
0x40d010 GetComputerNameW
0x40d014 GetTimeFormatA
0x40d018 GetModuleHandleW
0x40d01c EnumTimeFormatsA
0x40d020 ActivateActCtx
0x40d024 ReadFileScatter
0x40d028 WriteConsoleOutputA
0x40d02c InterlockedPopEntrySList
0x40d030 GetFileAttributesA
0x40d034 SetConsoleMode
0x40d038 GetConsoleAliasW
0x40d03c GetModuleFileNameW
0x40d040 SetConsoleTitleA
0x40d044 GetConsoleAliasesW
0x40d048 SetLastError
0x40d04c GetProcAddress
0x40d050 GetProcessHeaps
0x40d054 LocalLock
0x40d058 LoadLibraryA
0x40d05c UnhandledExceptionFilter
0x40d060 FreeEnvironmentStringsW
0x40d064 BuildCommDCBA
0x40d068 CompareStringA
0x40d06c GetShortPathNameW
0x40d070 GetFileInformationByHandle
0x40d074 LocalFileTimeToFileTime
0x40d078 MultiByteToWideChar
0x40d07c GetCommandLineA
0x40d080 GetStartupInfoA
0x40d084 RaiseException
0x40d088 RtlUnwind
0x40d08c TerminateProcess
0x40d090 GetCurrentProcess
0x40d094 SetUnhandledExceptionFilter
0x40d098 IsDebuggerPresent
0x40d09c GetCPInfo
0x40d0a0 InterlockedIncrement
0x40d0a4 GetACP
0x40d0a8 GetOEMCP
0x40d0ac IsValidCodePage
0x40d0b0 TlsGetValue
0x40d0b4 TlsAlloc
0x40d0b8 TlsSetValue
0x40d0bc TlsFree
0x40d0c0 GetCurrentThreadId
0x40d0c4 GetLastError
0x40d0c8 HeapAlloc
0x40d0cc HeapFree
0x40d0d0 EnterCriticalSection
0x40d0d4 LeaveCriticalSection
0x40d0d8 Sleep
0x40d0dc ExitProcess
0x40d0e0 WriteFile
0x40d0e4 GetStdHandle
0x40d0e8 GetModuleFileNameA
0x40d0ec FreeEnvironmentStringsA
0x40d0f0 GetEnvironmentStrings
0x40d0f4 WideCharToMultiByte
0x40d0f8 GetEnvironmentStringsW
0x40d0fc SetHandleCount
0x40d100 GetFileType
0x40d104 DeleteCriticalSection
0x40d108 HeapCreate
0x40d10c VirtualFree
0x40d110 QueryPerformanceCounter
0x40d114 GetTickCount
0x40d118 GetCurrentProcessId
0x40d11c GetSystemTimeAsFileTime
0x40d120 LCMapStringA
0x40d124 LCMapStringW
0x40d128 GetStringTypeA
0x40d12c GetStringTypeW
0x40d130 GetLocaleInfoA
0x40d134 SetFilePointer
0x40d138 GetConsoleCP
0x40d13c GetConsoleMode
0x40d140 VirtualAlloc
0x40d144 HeapReAlloc
0x40d148 HeapSize
0x40d14c InitializeCriticalSectionAndSpinCount
0x40d150 SetStdHandle
0x40d154 WriteConsoleA
0x40d158 GetConsoleOutputCP
0x40d15c WriteConsoleW
0x40d160 FlushFileBuffers
0x40d164 CreateFileA
0x40d168 CloseHandle
EAT(Export Address Table) is none
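The static import table above is a single KERNEL32.dll entry and contains none of the APIs the behaviour signatures report (no process-creation, remote-write or thread-context calls); LoadLibraryA and GetProcAddress are present, which is consistent with those APIs being resolved at runtime by a packed or crypted stub, as the packer-related rules above suggest. The block below is an added example, not the sandbox's own code: it recomputes the imphash from the 91 imports listed on the page using the pefile/Mandiant definition (lower-cased "dll.function" pairs with the DLL extension stripped, comma-joined, MD5) so the result can be checked against the report's imphash, and lists which of the behaviour-trace APIs are absent from the static IAT. The import list is copied from the page; the behaviour-API list is an assumption drawn from the injection signatures (only NtSetContextThread is named on the page).

```python
"""Recompute the imphash from the KERNEL32.dll import list printed in the
report's IAT section and compare it with the imphash the report gives.

Added example, not the sandbox's own code. Follows the pefile/Mandiant
imphash definition; the ordinal-name table pefile keeps for ws2_32, wsock32
and oleaut32 is not reproduced here (ordinals fall back to 'ordN').
"""
import hashlib

REPORT_IMPHASH = "b3f7368a77856522320ff0e8d452c570"

# The 91 KERNEL32.dll imports exactly as listed in the report, in IAT order.
KERNEL32_IMPORTS = """
GlobalDeleteAtom TryEnterCriticalSection GetNumaProcessorNode InterlockedDecrement
GetComputerNameW GetTimeFormatA GetModuleHandleW EnumTimeFormatsA ActivateActCtx
ReadFileScatter WriteConsoleOutputA InterlockedPopEntrySList GetFileAttributesA
SetConsoleMode GetConsoleAliasW GetModuleFileNameW SetConsoleTitleA GetConsoleAliasesW
SetLastError GetProcAddress GetProcessHeaps LocalLock LoadLibraryA
UnhandledExceptionFilter FreeEnvironmentStringsW BuildCommDCBA CompareStringA
GetShortPathNameW GetFileInformationByHandle LocalFileTimeToFileTime
MultiByteToWideChar GetCommandLineA GetStartupInfoA RaiseException RtlUnwind
TerminateProcess GetCurrentProcess SetUnhandledExceptionFilter IsDebuggerPresent
GetCPInfo InterlockedIncrement GetACP GetOEMCP IsValidCodePage TlsGetValue TlsAlloc
TlsSetValue TlsFree GetCurrentThreadId GetLastError HeapAlloc HeapFree
EnterCriticalSection LeaveCriticalSection Sleep ExitProcess WriteFile GetStdHandle
GetModuleFileNameA FreeEnvironmentStringsA GetEnvironmentStrings WideCharToMultiByte
GetEnvironmentStringsW SetHandleCount GetFileType DeleteCriticalSection HeapCreate
VirtualFree QueryPerformanceCounter GetTickCount GetCurrentProcessId
GetSystemTimeAsFileTime LCMapStringA LCMapStringW GetStringTypeA GetStringTypeW
GetLocaleInfoA SetFilePointer GetConsoleCP GetConsoleMode VirtualAlloc HeapReAlloc
HeapSize InitializeCriticalSectionAndSpinCount SetStdHandle WriteConsoleA
GetConsoleOutputCP WriteConsoleW FlushFileBuffers CreateFileA CloseHandle
""".split()

# (dll name, [function name or int ordinal]) in import-directory order.
IMPORTS = [("KERNEL32.dll", KERNEL32_IMPORTS)]

# APIs the behaviour signatures imply were called at runtime (assumed list;
# only NtSetContextThread is named in the report).
BEHAVIOUR_APIS = ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                  "NtSetContextThread", "NtResumeThread"]


def import_string(imports):
    """Build the comma-joined 'lib.func' string that imphash hashes:
    DLL name lower-cased with a .dll/.ocx/.sys extension removed,
    function name lower-cased, ordinals rendered as 'ordN'."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the import string, as a 32-character hex digest."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def matches_report(imports, expected=REPORT_IMPHASH):
    """True when the listed IAT reproduces the report's imphash. False means
    the printed list is not the whole import directory (or its order differs),
    so the page's listing should not be treated as the complete IAT."""
    return imphash(imports) == expected


def runtime_resolved(imports, behaviour_apis):
    """Behaviour-trace APIs absent from the static IAT: these had to be
    resolved at runtime (e.g. through the imported LoadLibraryA/GetProcAddress)."""
    static = {f for _, funcs in imports for f in funcs if not isinstance(f, int)}
    return [api for api in behaviour_apis if api not in static]


if __name__ == "__main__":
    print("computed imphash:", imphash(IMPORTS), "matches report:", matches_report(IMPORTS))
    print("not in static IAT:", runtime_resolved(IMPORTS, BEHAVIOUR_APIS))
```

Because the imphash is computed over the stub's own import directory, it fingerprints the crypter/loader build rather than the unpacked payload; the same value can recur across unrelated families wrapped by the same stub, which is one reason the VirusTotal detections above name several different families.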