Field | Value |
---|---|
Created | 2024.07.11 09:26 |
Machine | s1_win7_x6403 |
Filename | builds.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malicious |
VT API (file) | 45 detected (AIDetectMalware, Windows, Threat, Malicious, score, TrojanAitInject, Unsafe, Zusy, Attribute, HighConfidence, Vidar, MalwareX, Mikey, Convagent, Stealerc, u7OjaJEcchS, ZPACK, Real Protect, high, EncPk, Detected, ai score=88, AMAJ, Eldorado, R657752, BScope, PasswordStealer, Gencirc, Static AI, Malicious PE, confidence) |
md5 | 4022bc5f1dcdf1a90d117aa67917cc41 |
sha256 | 08ebf44504c59a45d9fb739eaf9c7ce1f8a57224674f55782f4373d13794006a |
ssdeep | 3072:HQZ37mj1bVbRKEglAlJacFn6nE+SoareNsagziP9ufWo8X:wZLE1b2EWi7USoalqufWR |
imphash | 14b0ac3afcc0fd8a741f8eb3917d4d03 |
impfuzzy | 48:n8Tqecsoc4jm5SYiT5t38fMo4rz+MmNUG:nkqecs0jKSYiT5t38fMTiNZ |
Network IP location
Signature (25cnts)
Level | Description |
---|---|
danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to create or modify system certificates |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | Network activity contains more than one unique useragent |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (23cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (6cnts)
Suricata IDs
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
PE API
IAT (Import Address Table) Library
msvcrt.dll
0x425154 wcslen
0x425158 memcmp
0x42515c strlen
0x425160 ??_U@YAPAXI@Z
0x425164 srand
0x425168 rand
0x42516c strncpy
0x425170 malloc
0x425174 _wtoi64
0x425178 atexit
0x42517c memchr
0x425180 ??_V@YAXPAX@Z
0x425184 __CxxFrameHandler3
0x425188 memmove
0x42518c strtok_s
0x425190 strchr
0x425194 strcpy_s
0x425198 memcpy
0x42519c memset
KERNEL32.dll
0x425014 MultiByteToWideChar
0x425018 LCMapStringW
0x42501c WideCharToMultiByte
0x425020 IsValidCodePage
0x425024 GetOEMCP
0x425028 GetACP
0x42502c ExitProcess
0x425030 GetCurrentProcess
0x425034 LocalAlloc
0x425038 lstrlenA
0x42503c HeapFree
0x425040 ReadProcessMemory
0x425044 VirtualQueryEx
0x425048 OpenProcess
0x42504c HeapAlloc
0x425050 GetProcessHeap
0x425054 GetStringTypeW
0x425058 FileTimeToSystemTime
0x42505c CloseHandle
0x425060 CreateProcessA
0x425064 GetDriveTypeA
0x425068 GetLogicalDriveStringsA
0x42506c WaitForSingleObject
0x425070 CreateThread
0x425074 CreateDirectoryA
0x425078 GetProcAddress
0x42507c LoadLibraryA
0x425080 lstrlenW
0x425084 ReadFile
0x425088 SetFilePointer
0x42508c GetFileSize
0x425090 GetFileInformationByHandle
0x425094 MapViewOfFile
0x425098 CreateFileMappingA
0x42509c CreateFileA
0x4250a0 WriteFile
0x4250a4 SystemTimeToFileTime
0x4250a8 GetLocalTime
0x4250ac GetTickCount
0x4250b0 lstrcatA
0x4250b4 lstrcpyA
0x4250b8 GetCPInfo
0x4250bc GetComputerNameA
0x4250c0 LoadLibraryW
0x4250c4 InterlockedDecrement
0x4250c8 GetCurrentThreadId
0x4250cc SetLastError
0x4250d0 InterlockedIncrement
0x4250d4 TlsSetValue
0x4250d8 TlsGetValue
0x4250dc GetModuleFileNameW
0x4250e0 RaiseException
0x4250e4 GetLastError
0x4250e8 UnhandledExceptionFilter
0x4250ec SetUnhandledExceptionFilter
0x4250f0 IsDebuggerPresent
0x4250f4 EncodePointer
0x4250f8 DecodePointer
0x4250fc TerminateProcess
0x425100 InitializeCriticalSectionAndSpinCount
0x425104 LeaveCriticalSection
0x425108 EnterCriticalSection
0x42510c RtlUnwind
0x425110 GetModuleHandleW
0x425114 Sleep
0x425118 GetStdHandle
USER32.dll
0x425144 CharToOemA
0x425148 GetDesktopWindow
0x42514c wsprintfW
ADVAPI32.dll
0x425000 GetUserNameA
0x425004 RegOpenKeyExA
0x425008 RegGetValueA
0x42500c GetCurrentHwProfileA
SHELL32.dll
0x425134 SHFileOperationA
ole32.dll
0x4251a4 CoInitializeSecurity
0x4251a8 CoInitializeEx
0x4251ac CoSetProxyBlanket
0x4251b0 CoCreateInstance
OLEAUT32.dll
0x425120 SysAllocString
0x425124 VariantInit
0x425128 VariantClear
0x42512c SysFreeString
SHLWAPI.dll
0x42513c None
EAT (Export Address Table): none