Field | Value |
---|---|
Created | 2024.08.07 09:57 |
Machine | s1_win7_x6403 |
Filename | setup.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malicious |
VT API (file) | 33 detected (AIDetectMalware, malicious, high confidence, score, Fragtor, Unsafe, Attribute, HighConfidence, DarkGate, Strab, Real Protect, moderate, Generic ML PUA, Static AI, Suspicious PE, Detected, ai score=81, Sonbokli, gen8, Maximus, ZexaF, iwW@a493owhi, Gencirc, susgen, confidence) |
md5 | fc99ddf185aa553bf30c431cc897c903 |
sha256 | 48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939 |
ssdeep | 49152:Uk8BMMcyO6uzNJbIdNJbnwppkcWAta0PH1i:HasZ6uJJb6UJNa0 |
imphash | 6482a570ab38408826cbdcd4c99083d1 |
impfuzzy | 96:CxyWjzcpVSVt7SGa5etATMsMB0HlIg0Bt4:GyWftpWEgat4 |
Signature (10cnts)
Level | Description |
---|---|
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Detects the presence of Wine emulator |
watch | Manipulates memory of a non-child process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Starts servers listening |
notice | Terminates another process |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | ftp_command | ftp command | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata ids
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET POLICY External IP Check myexternalip.com
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
ET POLICY External IP Check myexternalip.com
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x48b06c SetEnvironmentVariableA
0x48b070 FreeEnvironmentStringsW
0x48b074 GetEnvironmentStringsW
0x48b078 GetCommandLineW
0x48b07c GetCommandLineA
0x48b080 GetOEMCP
0x48b084 IsValidCodePage
0x48b088 GetProcessHeap
0x48b08c FindFirstFileExA
0x48b090 GetTimeZoneInformation
0x48b094 SetEndOfFile
0x48b098 SetStdHandle
0x48b09c FlushFileBuffers
0x48b0a0 EnumSystemLocalesW
0x48b0a4 GetUserDefaultLCID
0x48b0a8 IsValidLocale
0x48b0ac GetTimeFormatW
0x48b0b0 GetDateFormatW
0x48b0b4 HeapFree
0x48b0b8 GetConsoleCP
0x48b0bc ReadConsoleW
0x48b0c0 WriteConsoleW
0x48b0c4 HeapSize
0x48b0c8 GetProcAddress
0x48b0cc HeapAlloc
0x48b0d0 FindResourceW
0x48b0d4 LoadResource
0x48b0d8 HeapReAlloc
0x48b0dc LockResource
0x48b0e0 GetLastError
0x48b0e4 Sleep
0x48b0e8 GetModuleHandleA
0x48b0ec SetProcessShutdownParameters
0x48b0f0 GetModuleFileNameW
0x48b0f4 TerminateProcess
0x48b0f8 VirtualAlloc
0x48b0fc HeapCreate
0x48b100 FindNextFileA
0x48b104 GetConsoleMode
0x48b108 GetACP
0x48b10c ExitProcess
0x48b110 GetModuleFileNameA
0x48b114 WriteFile
0x48b118 SetFilePointerEx
0x48b11c GetModuleHandleExW
0x48b120 ReleaseSRWLockExclusive
0x48b124 AcquireSRWLockExclusive
0x48b128 QueryPerformanceCounter
0x48b12c GetTickCount
0x48b130 CloseHandle
0x48b134 EnterCriticalSection
0x48b138 LeaveCriticalSection
0x48b13c InitializeCriticalSectionEx
0x48b140 DeleteCriticalSection
0x48b144 SetEvent
0x48b148 WaitForSingleObject
0x48b14c CreateEventW
0x48b150 MultiByteToWideChar
0x48b154 QueryPerformanceFrequency
0x48b158 GetSystemDirectoryW
0x48b15c FreeLibrary
0x48b160 GetModuleHandleW
0x48b164 LoadLibraryW
0x48b168 WideCharToMultiByte
0x48b16c SetLastError
0x48b170 FormatMessageW
0x48b174 MoveFileExW
0x48b178 WaitForSingleObjectEx
0x48b17c GetEnvironmentVariableA
0x48b180 GetStdHandle
0x48b184 GetFileType
0x48b188 ReadFile
0x48b18c PeekNamedPipe
0x48b190 WaitForMultipleObjects
0x48b194 GetCurrentProcessId
0x48b198 SleepEx
0x48b19c VerSetConditionMask
0x48b1a0 VerifyVersionInfoW
0x48b1a4 CreateFileW
0x48b1a8 GetFileSizeEx
0x48b1ac GetCurrentDirectoryW
0x48b1b0 DeleteFileW
0x48b1b4 FindClose
0x48b1b8 GetFileAttributesW
0x48b1bc GetFullPathNameW
0x48b1c0 GetTempPathW
0x48b1c4 AreFileApisANSI
0x48b1c8 InitializeCriticalSectionAndSpinCount
0x48b1cc SwitchToThread
0x48b1d0 TlsAlloc
0x48b1d4 TlsGetValue
0x48b1d8 TlsSetValue
0x48b1dc TlsFree
0x48b1e0 GetSystemTimeAsFileTime
0x48b1e4 EncodePointer
0x48b1e8 DecodePointer
0x48b1ec CompareStringW
0x48b1f0 LCMapStringW
0x48b1f4 GetLocaleInfoW
0x48b1f8 GetStringTypeW
0x48b1fc GetCPInfo
0x48b200 UnhandledExceptionFilter
0x48b204 SetUnhandledExceptionFilter
0x48b208 GetCurrentProcess
0x48b20c IsProcessorFeaturePresent
0x48b210 GetCurrentThreadId
0x48b214 InitializeSListHead
0x48b218 IsDebuggerPresent
0x48b21c GetStartupInfoW
0x48b220 RtlUnwind
0x48b224 RaiseException
0x48b228 LoadLibraryExW
0x48b22c GetDriveTypeW
0x48b230 SystemTimeToTzSpecificLocalTime
0x48b234 FileTimeToSystemTime
0x48b238 CreateThread
0x48b23c ExitThread
0x48b240 FreeLibraryAndExitThread
0x48b244 SizeofResource
WS2_32.dll
0x48b260 getsockopt
0x48b264 gethostname
0x48b268 ioctlsocket
0x48b26c getpeername
0x48b270 sendto
0x48b274 recvfrom
0x48b278 freeaddrinfo
0x48b27c getaddrinfo
0x48b280 recv
0x48b284 listen
0x48b288 htonl
0x48b28c getsockname
0x48b290 connect
0x48b294 ind
0x48b298 accept
0x48b29c select
0x48b2a0 __WSAFDIsSet
0x48b2a4 socket
0x48b2a8 htons
0x48b2ac WSAIoctl
0x48b2b0 setsockopt
0x48b2b4 WSACleanup
0x48b2b8 WSAStartup
0x48b2bc inet_ntop
0x48b2c0 ntohs
0x48b2c4 inet_pton
0x48b2c8 WSAGetLastError
0x48b2cc WSASetLastError
0x48b2d0 closesocket
0x48b2d4 WSAWaitForMultipleEvents
0x48b2d8 WSAResetEvent
0x48b2dc WSAEventSelect
0x48b2e0 WSAEnumNetworkEvents
0x48b2e4 WSACreateEvent
0x48b2e8 WSACloseEvent
0x48b2ec send
CRYPT32.dll
0x48b028 PFXImportCertStore
0x48b02c CryptStringToBinaryW
0x48b030 CryptDecodeObjectEx
0x48b034 CertFindCertificateInStore
0x48b038 CertEnumCertificatesInStore
0x48b03c CertAddCertificateContextToStore
0x48b040 CertFindExtension
0x48b044 CertGetNameStringW
0x48b048 CryptQueryObject
0x48b04c CertCreateCertificateChainEngine
0x48b050 CertFreeCertificateChainEngine
0x48b054 CertGetCertificateChain
0x48b058 CertFreeCertificateChain
0x48b05c CertFreeCertificateContext
0x48b060 CertCloseStore
0x48b064 CertOpenStore
WININET.dll
0x48b24c InternetReadFile
0x48b250 InternetCloseHandle
0x48b254 InternetOpenA
0x48b258 InternetOpenUrlA
crypt.dll
0x48b2f4 BCryptGenRandom
ADVAPI32.dll
0x48b000 CryptAcquireContextW
0x48b004 CryptReleaseContext
0x48b008 CryptGetHashParam
0x48b00c CryptCreateHash
0x48b010 CryptHashData
0x48b014 CryptDestroyHash
0x48b018 CryptDestroyKey
0x48b01c CryptImportKey
0x48b020 CryptEncrypt
EAT (Export Address Table) is none