ScreenShot
| Created | 2024.07.15 16:42 | Machine | s1_win7_x6403 |
| Filename | buildz.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | a849c8e77640b84fb11c61c2caeaef24 | ||
| sha256 | 50e6f55976a9523622a8800986307d009cfcb437b5c3d1cd16af01bc80f14778 | ||
| ssdeep | 12288:JiLZhlSvNp0B6oswKscYIiKAsp7VrXMA2FXaIuzmM7Kzd6lVG9NdzX:qWvNpBVw1Tnjszr8lF5YmMA6lyPzX | ||
| imphash | 1bf8ebf879fee654fc9a3ea11df395e2 | ||
| impfuzzy | 48:wqFagJDnNtYcpe7C0ca3BBKAQfCQGAFNt:wqFagJDNtYcpe7Hca3NzU | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to create or modify system certificates |
| watch | Installs itself for autorun at Windows startup |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (22cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (6cnts) ?
Suricata ids
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4a1008 SetEndOfFile
0x4a100c LocalCompact
0x4a1010 CreateHardLinkA
0x4a1014 LoadLibraryW
0x4a1018 ReadConsoleInputA
0x4a101c FreeConsole
0x4a1020 IsBadCodePtr
0x4a1024 IsBadStringPtrA
0x4a1028 GlobalUnlock
0x4a102c GetLastError
0x4a1030 SetLastError
0x4a1034 GetProcAddress
0x4a1038 CreateJobSet
0x4a103c LoadLibraryA
0x4a1040 LocalAlloc
0x4a1044 AddAtomW
0x4a1048 CreateEventW
0x4a104c HeapLock
0x4a1050 HeapCompact
0x4a1054 GetModuleFileNameA
0x4a1058 GetOEMCP
0x4a105c GetCurrentDirectoryA
0x4a1060 GetFileTime
0x4a1064 Module32NextW
0x4a1068 GetDiskFreeSpaceExW
0x4a106c TerminateJobObject
0x4a1070 DebugBreak
0x4a1074 CloseHandle
0x4a1078 CreateFileW
0x4a107c FlushFileBuffers
0x4a1080 GetStringTypeW
0x4a1084 LCMapStringW
0x4a1088 EnumResourceTypesW
0x4a108c EnumResourceNamesW
0x4a1090 WriteConsoleW
0x4a1094 SetStdHandle
0x4a1098 HeapAlloc
0x4a109c GetModuleHandleW
0x4a10a0 ExitProcess
0x4a10a4 DecodePointer
0x4a10a8 GetCommandLineW
0x4a10ac HeapSetInformation
0x4a10b0 GetStartupInfoW
0x4a10b4 IsProcessorFeaturePresent
0x4a10b8 UnhandledExceptionFilter
0x4a10bc SetUnhandledExceptionFilter
0x4a10c0 IsDebuggerPresent
0x4a10c4 EncodePointer
0x4a10c8 TerminateProcess
0x4a10cc GetCurrentProcess
0x4a10d0 HeapFree
0x4a10d4 WriteFile
0x4a10d8 GetStdHandle
0x4a10dc GetModuleFileNameW
0x4a10e0 HeapCreate
0x4a10e4 ReadFile
0x4a10e8 EnterCriticalSection
0x4a10ec LeaveCriticalSection
0x4a10f0 InitializeCriticalSectionAndSpinCount
0x4a10f4 DeleteCriticalSection
0x4a10f8 TlsAlloc
0x4a10fc TlsGetValue
0x4a1100 TlsSetValue
0x4a1104 TlsFree
0x4a1108 InterlockedIncrement
0x4a110c GetCurrentThreadId
0x4a1110 InterlockedDecrement
0x4a1114 FreeEnvironmentStringsW
0x4a1118 GetEnvironmentStringsW
0x4a111c SetHandleCount
0x4a1120 GetFileType
0x4a1124 QueryPerformanceCounter
0x4a1128 GetTickCount
0x4a112c GetCurrentProcessId
0x4a1130 GetSystemTimeAsFileTime
0x4a1134 Sleep
0x4a1138 SetFilePointer
0x4a113c WideCharToMultiByte
0x4a1140 GetConsoleCP
0x4a1144 GetConsoleMode
0x4a1148 GetCPInfo
0x4a114c GetACP
0x4a1150 IsValidCodePage
0x4a1154 MultiByteToWideChar
0x4a1158 RtlUnwind
0x4a115c HeapSize
0x4a1160 HeapReAlloc
0x4a1164 RaiseException
USER32.dll
0x4a116c GetMessageTime
0x4a1170 GetKeyboardLayout
0x4a1174 CharUpperBuffA
0x4a1178 SetCursorPos
0x4a117c LoadMenuW
0x4a1180 GetSysColorBrush
0x4a1184 GetSystemMetrics
0x4a1188 SetCaretPos
GDI32.dll
0x4a1000 GetCharWidthW
ole32.dll
0x4a1190 CoUnmarshalHresult
EAT(Export Address Table) is none
KERNEL32.dll
0x4a1008 SetEndOfFile
0x4a100c LocalCompact
0x4a1010 CreateHardLinkA
0x4a1014 LoadLibraryW
0x4a1018 ReadConsoleInputA
0x4a101c FreeConsole
0x4a1020 IsBadCodePtr
0x4a1024 IsBadStringPtrA
0x4a1028 GlobalUnlock
0x4a102c GetLastError
0x4a1030 SetLastError
0x4a1034 GetProcAddress
0x4a1038 CreateJobSet
0x4a103c LoadLibraryA
0x4a1040 LocalAlloc
0x4a1044 AddAtomW
0x4a1048 CreateEventW
0x4a104c HeapLock
0x4a1050 HeapCompact
0x4a1054 GetModuleFileNameA
0x4a1058 GetOEMCP
0x4a105c GetCurrentDirectoryA
0x4a1060 GetFileTime
0x4a1064 Module32NextW
0x4a1068 GetDiskFreeSpaceExW
0x4a106c TerminateJobObject
0x4a1070 DebugBreak
0x4a1074 CloseHandle
0x4a1078 CreateFileW
0x4a107c FlushFileBuffers
0x4a1080 GetStringTypeW
0x4a1084 LCMapStringW
0x4a1088 EnumResourceTypesW
0x4a108c EnumResourceNamesW
0x4a1090 WriteConsoleW
0x4a1094 SetStdHandle
0x4a1098 HeapAlloc
0x4a109c GetModuleHandleW
0x4a10a0 ExitProcess
0x4a10a4 DecodePointer
0x4a10a8 GetCommandLineW
0x4a10ac HeapSetInformation
0x4a10b0 GetStartupInfoW
0x4a10b4 IsProcessorFeaturePresent
0x4a10b8 UnhandledExceptionFilter
0x4a10bc SetUnhandledExceptionFilter
0x4a10c0 IsDebuggerPresent
0x4a10c4 EncodePointer
0x4a10c8 TerminateProcess
0x4a10cc GetCurrentProcess
0x4a10d0 HeapFree
0x4a10d4 WriteFile
0x4a10d8 GetStdHandle
0x4a10dc GetModuleFileNameW
0x4a10e0 HeapCreate
0x4a10e4 ReadFile
0x4a10e8 EnterCriticalSection
0x4a10ec LeaveCriticalSection
0x4a10f0 InitializeCriticalSectionAndSpinCount
0x4a10f4 DeleteCriticalSection
0x4a10f8 TlsAlloc
0x4a10fc TlsGetValue
0x4a1100 TlsSetValue
0x4a1104 TlsFree
0x4a1108 InterlockedIncrement
0x4a110c GetCurrentThreadId
0x4a1110 InterlockedDecrement
0x4a1114 FreeEnvironmentStringsW
0x4a1118 GetEnvironmentStringsW
0x4a111c SetHandleCount
0x4a1120 GetFileType
0x4a1124 QueryPerformanceCounter
0x4a1128 GetTickCount
0x4a112c GetCurrentProcessId
0x4a1130 GetSystemTimeAsFileTime
0x4a1134 Sleep
0x4a1138 SetFilePointer
0x4a113c WideCharToMultiByte
0x4a1140 GetConsoleCP
0x4a1144 GetConsoleMode
0x4a1148 GetCPInfo
0x4a114c GetACP
0x4a1150 IsValidCodePage
0x4a1154 MultiByteToWideChar
0x4a1158 RtlUnwind
0x4a115c HeapSize
0x4a1160 HeapReAlloc
0x4a1164 RaiseException
USER32.dll
0x4a116c GetMessageTime
0x4a1170 GetKeyboardLayout
0x4a1174 CharUpperBuffA
0x4a1178 SetCursorPos
0x4a117c LoadMenuW
0x4a1180 GetSysColorBrush
0x4a1184 GetSystemMetrics
0x4a1188 SetCaretPos
GDI32.dll
0x4a1000 GetCharWidthW
ole32.dll
0x4a1190 CoUnmarshalHresult
EAT(Export Address Table) is none