Field | Value |
---|---|
Created | 2024.07.02 07:54 |
Machine | s1_win7_x6403 |
Filename | buildcr.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 55 detected (AIDetectMalware, malicious, high confidence, score, Lockbit, Unsafe, Save, Attribute, HighConfidence, Kryptik, HXJY, Artemis, BootkitX, Strab, CLOUD, SMOKELOADER, YXEF2Z, Real Protect, moderate, Krypt, Detected, ai score=81, Malware@#3d11euvqed7s1, StealC, 19KREOO, Eldorado, ZexaF, Yq0@aiN8SzoG, BScope, Convagent, GdSda, Static AI, Malicious PE, susgen, Conwise, confidence, 100%) |
md5 | 88932ab33c38072946abc06b426d33b8 |
sha256 | d47e05b0ad27c651fb9cf73444e1f6a26514acb16998e92fca8be115ae6a2dee |
ssdeep | 12288:qIowhzaoWcGawk7yVe+H1JU7VuzpzS3oxAiXZcmQGLu5t15KBM0JiY3u3SZtr9XW:vhzL5MkmQ+H/2KFXVotzeM03aSpyr |
imphash | 9ab579f0940038199ed136d401eb2211 |
impfuzzy | 24:Zrm6HlTCkRkrcDoi8dQB9/CzRyYXqaLkeJ3QcfdYjYyvOHuO2SBOluf/jMrSGmEo:zS48dHtyYrhQcfCpm2SBOsWvo |
Signature (25cnts)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to create or modify system certificates |
watch | Installs itself for autorun at Windows startup |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
watch | Uses suspicious command line tools or Windows utilities |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process buildcr.exe |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
Rules (28cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero_m | [m] Generic Malware | memory |
warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | schtasks_Zero | task schedule | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (10cnts)
Suricata ids
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET POLICY PE EXE or DLL Windows file download HTTP
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x40b010 SetVolumeMountPointW
0x40b014 GetComputerNameW
0x40b018 SetCommBreak
0x40b01c SleepEx
0x40b020 GetCommProperties
0x40b024 GetModuleHandleW
0x40b028 GetTickCount
0x40b02c EnumCalendarInfoExW
0x40b030 GlobalAlloc
0x40b034 GetConsoleAliasExesLengthW
0x40b038 WriteConsoleOutputA
0x40b03c lstrcpynW
0x40b040 GetModuleFileNameW
0x40b044 GetConsoleAliasesW
0x40b048 CreateJobObjectW
0x40b04c GetProcAddress
0x40b050 LoadLibraryA
0x40b054 WriteConsoleA
0x40b058 UnhandledExceptionFilter
0x40b05c InterlockedExchangeAdd
0x40b060 LocalAlloc
0x40b064 AddAtomW
0x40b068 AddAtomA
0x40b06c FoldStringA
0x40b070 lstrcatW
0x40b074 GetConsoleTitleW
0x40b078 BuildCommDCBA
0x40b07c FindFirstVolumeW
0x40b080 AreFileApisANSI
0x40b084 ZombifyActCtx
0x40b088 GetLogicalDriveStringsW
0x40b08c GetLastError
0x40b090 OpenJobObjectA
0x40b094 CreateFileA
0x40b098 WriteConsoleW
0x40b09c MultiByteToWideChar
0x40b0a0 HeapAlloc
0x40b0a4 HeapReAlloc
0x40b0a8 GetStartupInfoW
0x40b0ac TerminateProcess
0x40b0b0 GetCurrentProcess
0x40b0b4 SetUnhandledExceptionFilter
0x40b0b8 IsDebuggerPresent
0x40b0bc GetCPInfo
0x40b0c0 InterlockedIncrement
0x40b0c4 InterlockedDecrement
0x40b0c8 GetACP
0x40b0cc GetOEMCP
0x40b0d0 IsValidCodePage
0x40b0d4 TlsGetValue
0x40b0d8 TlsAlloc
0x40b0dc TlsSetValue
0x40b0e0 TlsFree
0x40b0e4 SetLastError
0x40b0e8 GetCurrentThreadId
0x40b0ec DeleteCriticalSection
0x40b0f0 LeaveCriticalSection
0x40b0f4 EnterCriticalSection
0x40b0f8 HeapFree
0x40b0fc VirtualFree
0x40b100 VirtualAlloc
0x40b104 HeapCreate
0x40b108 Sleep
0x40b10c ExitProcess
0x40b110 WriteFile
0x40b114 GetStdHandle
0x40b118 GetModuleFileNameA
0x40b11c SetHandleCount
0x40b120 GetFileType
0x40b124 GetStartupInfoA
0x40b128 HeapSize
0x40b12c FreeEnvironmentStringsW
0x40b130 GetEnvironmentStringsW
0x40b134 GetCommandLineW
0x40b138 QueryPerformanceCounter
0x40b13c GetCurrentProcessId
0x40b140 GetSystemTimeAsFileTime
0x40b144 LCMapStringA
0x40b148 WideCharToMultiByte
0x40b14c LCMapStringW
0x40b150 GetStringTypeA
0x40b154 GetStringTypeW
0x40b158 GetLocaleInfoA
0x40b15c InitializeCriticalSectionAndSpinCount
0x40b160 RtlUnwind
0x40b164 ReadFile
0x40b168 GetConsoleCP
0x40b16c GetConsoleMode
0x40b170 FlushFileBuffers
0x40b174 SetFilePointer
0x40b178 SetStdHandle
0x40b17c CloseHandle
0x40b180 GetConsoleOutputCP
GDI32.dll
0x40b008 GetCharWidth32W
ADVAPI32.dll
0x40b000 EnumDependentServicesW
ole32.dll
0x40b190 CoTaskMemAlloc
WINHTTP.dll
0x40b188 WinHttpAddRequestHeaders
EAT (Export Address Table): none