Field | Value |
---|---|
Created | 2024.07.08 07:52 |
Machine | s1_win7_x6403 |
Filename | PACKAGE_DEMO.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 56 detected (Common, malicious, high confidence, score, Lazy, Unsafe, Vj8t, Attribute, HighConfidence, SpywareX, ajbw, TrojanPSW, CLOUD, AGEN, MEDUZASTEALER, YXEEYZ, Detected, ai score=84, Multiverze, ABRisk, YBJW, R623197, Chgt, Gencirc, i0bBTWazAfA, Static AI, Suspicious PE, susgen, confidence) |
md5 | e450ca946d4bf6173ebe3f00c3d08d81 |
sha256 | 44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff |
ssdeep | 24576:Wi1kZ9SO9RfhEQ9A1rQmbGSbcG4SuyKs+P/3aC:rkZ9SO9RfpmOSbcGdJKsyaC |
imphash | f82d1586094622bb592b2c4ed0e8dfb3 |
impfuzzy | 96:4Ii/1WFDu3O0t9nrknJ5viOOfFtk+/LXt:4I61HZkYXt |
Network IP location
Signature (23cnts)
Level | Description |
---|---|
danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
watch | Attempts to access Bitcoin/ALTCoin wallets |
watch | Attempts to detect Cuckoo Sandbox through the presence of a file |
watch | Attempts to identify installed AV products by installation directory |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Creates known Dapato Trojan files |
watch | Creates known Dyreza Banking Trojan files |
watch | Creates known Hupigon files |
watch | Creates known Upatre files |
watch | Detects VirtualBox through the presence of a file |
watch | Harvests credentials from local email clients |
watch | Harvests information related to installed instant messenger clients |
notice | Creates a shortcut to an executable file |
notice | Looks up the external IP address |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt
ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2
ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
SURICATA Applayer Protocol detection skipped
PE API
IAT(Import Address Table) Library
WS2_32.dll
0x1400b8580 WSACleanup
0x1400b8588 htons
0x1400b8590 inet_pton
0x1400b8598 WSAStartup
0x1400b85a0 send
0x1400b85a8 socket
0x1400b85b0 connect
0x1400b85b8 recv
0x1400b85c0 closesocket
CRYPT32.dll
0x1400b8048 CryptUnprotectData
WININET.dll
0x1400b8548 InternetQueryDataAvailable
0x1400b8550 InternetReadFile
0x1400b8558 HttpQueryInfoW
0x1400b8560 InternetCloseHandle
0x1400b8568 InternetOpenUrlA
0x1400b8570 InternetOpenA
ntdll.dll
0x1400b8630 NtQueryObject
0x1400b8638 NtQuerySystemInformation
RstrtMgr.DLL
0x1400b84b8 RmStartSession
0x1400b84c0 RmEndSession
0x1400b84c8 RmGetList
0x1400b84d0 RmRegisterResources
KERNEL32.dll
0x1400b80a0 FindFirstFileW
0x1400b80a8 FindNextFileW
0x1400b80b0 FindClose
0x1400b80b8 OpenProcess
0x1400b80c0 CreateToolhelp32Snapshot
0x1400b80c8 Process32NextW
0x1400b80d0 LoadLibraryA
0x1400b80d8 Process32FirstW
0x1400b80e0 CloseHandle
0x1400b80e8 GetSystemInfo
0x1400b80f0 GetProcAddress
0x1400b80f8 ReadProcessMemory
0x1400b8100 FreeLibrary
0x1400b8108 VirtualQueryEx
0x1400b8110 MultiByteToWideChar
0x1400b8118 LocalFree
0x1400b8120 WideCharToMultiByte
0x1400b8128 TerminateProcess
0x1400b8130 GetModuleFileNameW
0x1400b8138 CreateMutexA
0x1400b8140 ReleaseMutex
0x1400b8148 OpenMutexA
0x1400b8150 ExitProcess
0x1400b8158 ReadFile
0x1400b8160 GetModuleFileNameA
0x1400b8168 GetVolumeInformationW
0x1400b8170 GetGeoInfoA
0x1400b8178 HeapFree
0x1400b8180 EnterCriticalSection
0x1400b8188 GetCurrentProcess
0x1400b8190 GetProcessId
0x1400b8198 GetProductInfo
0x1400b81a0 LeaveCriticalSection
0x1400b81a8 SetFilePointer
0x1400b81b0 InitializeCriticalSectionEx
0x1400b81b8 FreeEnvironmentStringsW
0x1400b81c0 GetModuleHandleA
0x1400b81c8 HeapSize
0x1400b81d0 GetLogicalDriveStringsW
0x1400b81d8 GetFinalPathNameByHandleA
0x1400b81e0 GetTimeZoneInformation
0x1400b81e8 GetLastError
0x1400b81f0 HeapReAlloc
0x1400b81f8 GetNativeSystemInfo
0x1400b8200 HeapAlloc
0x1400b8208 GetUserGeoID
0x1400b8210 DecodePointer
0x1400b8218 GetFileSize
0x1400b8220 DeleteCriticalSection
0x1400b8228 GetComputerNameW
0x1400b8230 GetProcessHeap
0x1400b8238 GlobalMemoryStatusEx
0x1400b8240 GetModuleHandleW
0x1400b8248 GetEnvironmentStringsW
0x1400b8250 RtlCaptureContext
0x1400b8258 RtlLookupFunctionEntry
0x1400b8260 UnhandledExceptionFilter
0x1400b8268 SetUnhandledExceptionFilter
0x1400b8270 SetLastError
0x1400b8278 IsProcessorFeaturePresent
0x1400b8280 GetCurrentProcessId
0x1400b8288 GetSystemTimeAsFileTime
0x1400b8290 VirtualAlloc
0x1400b8298 VirtualProtect
0x1400b82a0 VirtualQuery
0x1400b82a8 GetCurrentThreadId
0x1400b82b0 GetStdHandle
0x1400b82b8 GetFileType
0x1400b82c0 GetStartupInfoW
0x1400b82c8 FlsAlloc
0x1400b82d0 FlsGetValue
0x1400b82d8 FlsSetValue
0x1400b82e0 FlsFree
0x1400b82e8 InitializeCriticalSectionAndSpinCount
0x1400b82f0 LoadLibraryExW
0x1400b82f8 GetDateFormatW
0x1400b8300 GetTimeFormatW
0x1400b8308 CompareStringW
0x1400b8310 LCMapStringW
0x1400b8318 GetLocaleInfoW
0x1400b8320 IsValidLocale
0x1400b8328 GetUserDefaultLCID
0x1400b8330 EnumSystemLocalesW
0x1400b8338 GetFileSizeEx
0x1400b8340 SetFilePointerEx
0x1400b8348 FlushFileBuffers
0x1400b8350 WriteFile
0x1400b8358 GetConsoleOutputCP
0x1400b8360 GetConsoleMode
0x1400b8368 ReadConsoleW
0x1400b8370 RaiseException
0x1400b8378 IsValidCodePage
0x1400b8380 GetACP
0x1400b8388 GetOEMCP
0x1400b8390 GetCPInfo
0x1400b8398 GetStringTypeW
0x1400b83a0 SetEndOfFile
0x1400b83a8 SetStdHandle
0x1400b83b0 CreateFileW
0x1400b83b8 WriteConsoleW
0x1400b83c0 OutputDebugStringW
0x1400b83c8 SetEnvironmentVariableW
0x1400b83d0 SetEvent
0x1400b83d8 ResetEvent
0x1400b83e0 WaitForSingleObjectEx
0x1400b83e8 CreateEventW
0x1400b83f0 QueryPerformanceCounter
0x1400b83f8 InitializeSListHead
0x1400b8400 RtlUnwindEx
0x1400b8408 RtlUnwind
0x1400b8410 RtlPcToFileHeader
0x1400b8418 EncodePointer
0x1400b8420 TlsAlloc
0x1400b8428 TlsGetValue
0x1400b8430 TlsSetValue
0x1400b8438 TlsFree
0x1400b8440 CompareStringEx
0x1400b8448 LCMapStringEx
0x1400b8450 IsDebuggerPresent
0x1400b8458 GetCommandLineA
0x1400b8460 GetCommandLineW
0x1400b8468 RtlVirtualUnwind
0x1400b8470 GetModuleHandleExW
0x1400b8478 GetFileInformationByHandleEx
0x1400b8480 AreFileApisANSI
0x1400b8488 GetFileAttributesExW
0x1400b8490 FindFirstFileExW
0x1400b8498 GetCurrentDirectoryW
0x1400b84a0 GetLocaleInfoEx
0x1400b84a8 FormatMessageA
USER32.dll
0x1400b8510 GetWindowRect
0x1400b8518 GetDC
0x1400b8520 EnumDisplayDevicesW
0x1400b8528 ReleaseDC
0x1400b8530 GetSystemMetrics
0x1400b8538 GetDesktopWindow
GDI32.dll
0x1400b8058 CreateCompatibleBitmap
0x1400b8060 SelectObject
0x1400b8068 CreateCompatibleDC
0x1400b8070 GetDeviceCaps
0x1400b8078 DeleteDC
0x1400b8080 GetObjectW
0x1400b8088 DeleteObject
0x1400b8090 BitBlt
ADVAPI32.dll
0x1400b8000 GetCurrentHwProfileW
0x1400b8008 RegCloseKey
0x1400b8010 RegQueryValueExA
0x1400b8018 RegOpenKeyExA
0x1400b8020 GetUserNameW
0x1400b8028 RegEnumKeyExA
0x1400b8030 CredEnumerateA
0x1400b8038 CredFree
SHELL32.dll
0x1400b84e0 SHGetKnownFolderPath
ole32.dll
0x1400b8648 CoTaskMemFree
0x1400b8650 CreateStreamOnHGlobal
SHLWAPI.dll
0x1400b84f0 None
0x1400b84f8 None
0x1400b8500 None
gdiplus.dll
0x1400b85d0 GdipCloneImage
0x1400b85d8 GdiplusShutdown
0x1400b85e0 GdipCreateBitmapFromHBITMAP
0x1400b85e8 GdipDisposeImage
0x1400b85f0 GdiplusStartup
0x1400b85f8 GdipAlloc
0x1400b8600 GdipGetImageEncoders
0x1400b8608 GdipCreateBitmapFromScan0
0x1400b8610 GdipSaveImageToStream
0x1400b8618 GdipGetImageEncodersSize
0x1400b8620 GdipFree
EAT(Export Address Table) is none