ScreenShot
| Created | 2024.07.12 17:01 | Machine | s1_win7_x6401 |
| Filename | Sеtup.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 45 detected (AIDetectMalware, Malicious, score, Zusy, Unsafe, Cryptnot, Vbsk, Attribute, HighConfidence, Artemis, Barys, TrojanPSW, rLw0cFpN2KM, xxlvc, Real Protect, Detected, ai score=88, QYAA, CryptBot, ZexaF, Z@aKOsQsg, PasswordStealer, Genetic, QQPass, QQRob, Pjgl, QNZO3DGW) | ||
| md5 | 56a5cb142c58843c3ed84e02d2af1a2c | ||
| sha256 | 19d930dca13749f06d8837ef4134ccb7b0af0175af53cd69a8fc4e1afc771e21 | ||
| ssdeep | 49152:sA7xFPOvpdikrlyqq57WqUDG+lC3Qy5uDBn4Sud5pXQikcW:sA7xTf315uDB4dXQ2W | ||
| imphash | 196992c146062db84cbd73903ca4b0ad | ||
| impfuzzy | 24:8fiFCDq+kLEGTX5XGKJkNJlkvlbDcq30GXZy:8fir+k4GTXJGKJkNJlkvpwq30GQ | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET INFO HTTP Request to a *.top domain
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xbcd154 DeleteCriticalSection
0xbcd158 EnterCriticalSection
0xbcd15c FreeLibrary
0xbcd160 GetLastError
0xbcd164 GetModuleHandleA
0xbcd168 GetModuleHandleW
0xbcd16c GetProcAddress
0xbcd170 GetStartupInfoA
0xbcd174 InitializeCriticalSection
0xbcd178 IsDBCSLeadByteEx
0xbcd17c LeaveCriticalSection
0xbcd180 LoadLibraryA
0xbcd184 MultiByteToWideChar
0xbcd188 SetUnhandledExceptionFilter
0xbcd18c Sleep
0xbcd190 TlsGetValue
0xbcd194 VirtualProtect
0xbcd198 VirtualQuery
0xbcd19c WideCharToMultiByte
0xbcd1a0 lstrlenA
msvcrt.dll
0xbcd1a8 __getmainargs
0xbcd1ac __initenv
0xbcd1b0 __lconv_init
0xbcd1b4 __mb_cur_max
0xbcd1b8 __p__acmdln
0xbcd1bc __p__commode
0xbcd1c0 __p__fmode
0xbcd1c4 __set_app_type
0xbcd1c8 __setusermatherr
0xbcd1cc _amsg_exit
0xbcd1d0 _cexit
0xbcd1d4 _errno
0xbcd1d8 _initterm
0xbcd1dc _iob
0xbcd1e0 _lock
0xbcd1e4 _onexit
0xbcd1e8 _unlock
0xbcd1ec abort
0xbcd1f0 atoi
0xbcd1f4 calloc
0xbcd1f8 exit
0xbcd1fc fputc
0xbcd200 free
0xbcd204 fwrite
0xbcd208 getc
0xbcd20c islower
0xbcd210 isspace
0xbcd214 isupper
0xbcd218 isxdigit
0xbcd21c localeconv
0xbcd220 malloc
0xbcd224 memcpy
0xbcd228 memset
0xbcd22c perror
0xbcd230 printf
0xbcd234 realloc
0xbcd238 setlocale
0xbcd23c signal
0xbcd240 strchr
0xbcd244 strerror
0xbcd248 strlen
0xbcd24c strncmp
0xbcd250 strtol
0xbcd254 strtoul
0xbcd258 tolower
0xbcd25c ungetc
0xbcd260 vfprintf
0xbcd264 wcslen
EAT(Export Address Table) Library
0x50a04a main
KERNEL32.dll
0xbcd154 DeleteCriticalSection
0xbcd158 EnterCriticalSection
0xbcd15c FreeLibrary
0xbcd160 GetLastError
0xbcd164 GetModuleHandleA
0xbcd168 GetModuleHandleW
0xbcd16c GetProcAddress
0xbcd170 GetStartupInfoA
0xbcd174 InitializeCriticalSection
0xbcd178 IsDBCSLeadByteEx
0xbcd17c LeaveCriticalSection
0xbcd180 LoadLibraryA
0xbcd184 MultiByteToWideChar
0xbcd188 SetUnhandledExceptionFilter
0xbcd18c Sleep
0xbcd190 TlsGetValue
0xbcd194 VirtualProtect
0xbcd198 VirtualQuery
0xbcd19c WideCharToMultiByte
0xbcd1a0 lstrlenA
msvcrt.dll
0xbcd1a8 __getmainargs
0xbcd1ac __initenv
0xbcd1b0 __lconv_init
0xbcd1b4 __mb_cur_max
0xbcd1b8 __p__acmdln
0xbcd1bc __p__commode
0xbcd1c0 __p__fmode
0xbcd1c4 __set_app_type
0xbcd1c8 __setusermatherr
0xbcd1cc _amsg_exit
0xbcd1d0 _cexit
0xbcd1d4 _errno
0xbcd1d8 _initterm
0xbcd1dc _iob
0xbcd1e0 _lock
0xbcd1e4 _onexit
0xbcd1e8 _unlock
0xbcd1ec abort
0xbcd1f0 atoi
0xbcd1f4 calloc
0xbcd1f8 exit
0xbcd1fc fputc
0xbcd200 free
0xbcd204 fwrite
0xbcd208 getc
0xbcd20c islower
0xbcd210 isspace
0xbcd214 isupper
0xbcd218 isxdigit
0xbcd21c localeconv
0xbcd220 malloc
0xbcd224 memcpy
0xbcd228 memset
0xbcd22c perror
0xbcd230 printf
0xbcd234 realloc
0xbcd238 setlocale
0xbcd23c signal
0xbcd240 strchr
0xbcd244 strerror
0xbcd248 strlen
0xbcd24c strncmp
0xbcd250 strtol
0xbcd254 strtoul
0xbcd258 tolower
0xbcd25c ungetc
0xbcd260 vfprintf
0xbcd264 wcslen
EAT(Export Address Table) Library
0x50a04a main