ScreenShot
| Created | 2024.07.11 13:46 | Machine | s1_win7_x6403 |
| Filename | collect.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 25 detected (Mimikatz, malicious, moderate confidence, score, Vaqu, Attribute, HighConfidence, MalwareX, TrojanPSW, CLOUD, vggbz, Wacapew, QQPass, QQRob, Gtgl, susgen, confidence, HackTool) | ||
| md5 | 3c4abc6edb1572ceebfd635531e8d29e | ||
| sha256 | 248deb03554c5cfdfbab1c07e5b58466e358ca7e23781a1b5e5bdf434cd16ef3 | ||
| ssdeep | 3072:DOn5aQRM3K+GOqlsOEjp4z/25C21vtEL9cOXVb//UB:DO5JH2qlsUOTvtEHU | ||
| imphash | 40c31e47eda34373feff6f4fd535cbd1 | ||
| impfuzzy | 48:th+wDsUo/C6IR7/7oj0o1pGY56tMXJc+pp/j304:twwD3ZTEPGYAtMXJc+pp/z | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
| watch | Locates and dumps memory from the lsass.exe process indicative of credential dumping |
| watch | Requests access to read memory contents of lsass.exe potentially indicative of credential dumping |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
ntdll.dll
0x140016320 RtlGetNtVersionNumbers
0x140016328 RtlUnwindEx
0x140016330 RtlCompressBuffer
0x140016338 RtlGetCompressionWorkSpaceSize
0x140016340 RtlStringFromGUID
0x140016348 RtlAdjustPrivilege
0x140016350 RtlFreeUnicodeString
0x140016358 NtQueryInformationProcess
0x140016360 NtQuerySystemInformation
SHLWAPI.dll
0x1400162c0 StrStrIW
ADVAPI32.dll
0x140016000 GetUserNameW
0x140016008 ConvertSidToStringSidW
crypt.dll
0x1400162e0 BCryptDestroyKey
0x1400162e8 BCryptGenerateSymmetricKey
0x1400162f0 BCryptSetProperty
0x1400162f8 BCryptCloseAlgorithmProvider
0x140016300 BCryptOpenAlgorithmProvider
0x140016308 BCryptDecrypt
0x140016310 BCryptGetProperty
USER32.dll
0x1400162d0 wsprintfW
CRYPT32.dll
0x140016038 CryptStringToBinaryA
Advapi32.dll
0x140016018 MD5Init
0x140016020 MD5Update
0x140016028 MD5Final
KERNEL32.dll
0x140016048 GetProcessHeap
0x140016050 GetConsoleCP
0x140016058 GetConsoleMode
0x140016060 GetFileSizeEx
0x140016068 SetFilePointerEx
0x140016070 SetStdHandle
0x140016078 WriteConsoleW
0x140016080 FreeEnvironmentStringsW
0x140016088 GetEnvironmentStringsW
0x140016090 WideCharToMultiByte
0x140016098 MultiByteToWideChar
0x1400160a0 GetCPInfo
0x1400160a8 GetOEMCP
0x1400160b0 GetACP
0x1400160b8 SetEnvironmentVariableW
0x1400160c0 FlushFileBuffers
0x1400160c8 HeapSize
0x1400160d0 HeapReAlloc
0x1400160d8 GetStringTypeW
0x1400160e0 GetStartupInfoW
0x1400160e8 LocalAlloc
0x1400160f0 CreateFileW
0x1400160f8 OpenProcess
0x140016100 CloseHandle
0x140016108 LocalFree
0x140016110 ExitProcess
0x140016118 GetCurrentProcessId
0x140016120 GetLastError
0x140016128 ReadProcessMemory
0x140016130 ReadFile
0x140016138 FindFirstFileW
0x140016140 FindNextFileW
0x140016148 lstrlenW
0x140016150 WriteFile
0x140016158 SetFilePointer
0x140016160 GetEnvironmentVariableW
0x140016168 SetEndOfFile
0x140016170 FindClose
0x140016178 GetFileSize
0x140016180 RtlCaptureContext
0x140016188 RtlLookupFunctionEntry
0x140016190 RtlVirtualUnwind
0x140016198 UnhandledExceptionFilter
0x1400161a0 SetUnhandledExceptionFilter
0x1400161a8 GetCurrentProcess
0x1400161b0 TerminateProcess
0x1400161b8 IsProcessorFeaturePresent
0x1400161c0 QueryPerformanceCounter
0x1400161c8 GetCurrentThreadId
0x1400161d0 GetSystemTimeAsFileTime
0x1400161d8 InitializeSListHead
0x1400161e0 IsDebuggerPresent
0x1400161e8 IsValidCodePage
0x1400161f0 GetModuleHandleW
0x1400161f8 FindFirstFileExW
0x140016200 SetLastError
0x140016208 EnterCriticalSection
0x140016210 LeaveCriticalSection
0x140016218 DeleteCriticalSection
0x140016220 InitializeCriticalSectionAndSpinCount
0x140016228 TlsAlloc
0x140016230 TlsGetValue
0x140016238 TlsSetValue
0x140016240 TlsFree
0x140016248 FreeLibrary
0x140016250 GetProcAddress
0x140016258 LoadLibraryExW
0x140016260 RaiseException
0x140016268 GetStdHandle
0x140016270 GetModuleFileNameW
0x140016278 GetModuleHandleExW
0x140016280 GetCommandLineA
0x140016288 GetCommandLineW
0x140016290 HeapAlloc
0x140016298 HeapFree
0x1400162a0 CompareStringW
0x1400162a8 LCMapStringW
0x1400162b0 GetFileType
EAT(Export Address Table) is none
ntdll.dll
0x140016320 RtlGetNtVersionNumbers
0x140016328 RtlUnwindEx
0x140016330 RtlCompressBuffer
0x140016338 RtlGetCompressionWorkSpaceSize
0x140016340 RtlStringFromGUID
0x140016348 RtlAdjustPrivilege
0x140016350 RtlFreeUnicodeString
0x140016358 NtQueryInformationProcess
0x140016360 NtQuerySystemInformation
SHLWAPI.dll
0x1400162c0 StrStrIW
ADVAPI32.dll
0x140016000 GetUserNameW
0x140016008 ConvertSidToStringSidW
crypt.dll
0x1400162e0 BCryptDestroyKey
0x1400162e8 BCryptGenerateSymmetricKey
0x1400162f0 BCryptSetProperty
0x1400162f8 BCryptCloseAlgorithmProvider
0x140016300 BCryptOpenAlgorithmProvider
0x140016308 BCryptDecrypt
0x140016310 BCryptGetProperty
USER32.dll
0x1400162d0 wsprintfW
CRYPT32.dll
0x140016038 CryptStringToBinaryA
Advapi32.dll
0x140016018 MD5Init
0x140016020 MD5Update
0x140016028 MD5Final
KERNEL32.dll
0x140016048 GetProcessHeap
0x140016050 GetConsoleCP
0x140016058 GetConsoleMode
0x140016060 GetFileSizeEx
0x140016068 SetFilePointerEx
0x140016070 SetStdHandle
0x140016078 WriteConsoleW
0x140016080 FreeEnvironmentStringsW
0x140016088 GetEnvironmentStringsW
0x140016090 WideCharToMultiByte
0x140016098 MultiByteToWideChar
0x1400160a0 GetCPInfo
0x1400160a8 GetOEMCP
0x1400160b0 GetACP
0x1400160b8 SetEnvironmentVariableW
0x1400160c0 FlushFileBuffers
0x1400160c8 HeapSize
0x1400160d0 HeapReAlloc
0x1400160d8 GetStringTypeW
0x1400160e0 GetStartupInfoW
0x1400160e8 LocalAlloc
0x1400160f0 CreateFileW
0x1400160f8 OpenProcess
0x140016100 CloseHandle
0x140016108 LocalFree
0x140016110 ExitProcess
0x140016118 GetCurrentProcessId
0x140016120 GetLastError
0x140016128 ReadProcessMemory
0x140016130 ReadFile
0x140016138 FindFirstFileW
0x140016140 FindNextFileW
0x140016148 lstrlenW
0x140016150 WriteFile
0x140016158 SetFilePointer
0x140016160 GetEnvironmentVariableW
0x140016168 SetEndOfFile
0x140016170 FindClose
0x140016178 GetFileSize
0x140016180 RtlCaptureContext
0x140016188 RtlLookupFunctionEntry
0x140016190 RtlVirtualUnwind
0x140016198 UnhandledExceptionFilter
0x1400161a0 SetUnhandledExceptionFilter
0x1400161a8 GetCurrentProcess
0x1400161b0 TerminateProcess
0x1400161b8 IsProcessorFeaturePresent
0x1400161c0 QueryPerformanceCounter
0x1400161c8 GetCurrentThreadId
0x1400161d0 GetSystemTimeAsFileTime
0x1400161d8 InitializeSListHead
0x1400161e0 IsDebuggerPresent
0x1400161e8 IsValidCodePage
0x1400161f0 GetModuleHandleW
0x1400161f8 FindFirstFileExW
0x140016200 SetLastError
0x140016208 EnterCriticalSection
0x140016210 LeaveCriticalSection
0x140016218 DeleteCriticalSection
0x140016220 InitializeCriticalSectionAndSpinCount
0x140016228 TlsAlloc
0x140016230 TlsGetValue
0x140016238 TlsSetValue
0x140016240 TlsFree
0x140016248 FreeLibrary
0x140016250 GetProcAddress
0x140016258 LoadLibraryExW
0x140016260 RaiseException
0x140016268 GetStdHandle
0x140016270 GetModuleFileNameW
0x140016278 GetModuleHandleExW
0x140016280 GetCommandLineA
0x140016288 GetCommandLineW
0x140016290 HeapAlloc
0x140016298 HeapFree
0x1400162a0 CompareStringW
0x1400162a8 LCMapStringW
0x1400162b0 GetFileType
EAT(Export Address Table) is none