ScreenShot
| Created | 2024.08.09 07:53 | Machine | s1_win7_x6403 |
| Filename | buildz.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | b7cb7f2b5cd9bd047710650295dc88f7 | ||
| sha256 | e01c0429a58b33013305aab35ef863cd2b88962e479e39566a687ca37c68510f | ||
| ssdeep | 12288:9CwgCcyMy1Nncixi2NWXCAcrIQBjljKsFKfFDKZNF:9cCp9KGiAAcUwjljKAK8ZNF | ||
| imphash | 8476d457b634f13fb056aaafe72c2253 | ||
| impfuzzy | 24:9LFkrePMDo6lklUYtJulRe2cfUcHuOZyv4hvT4QjMFluo3gvE:EkAClUYGvcfUMuyvcdsE3 | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| watch | Attempts to create or modify system certificates |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | Foreign language identified in PE resource |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (22cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (6cnts) ?
Suricata ids
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x49e008 OpenJobObjectA
0x49e00c InterlockedDecrement
0x49e010 ZombifyActCtx
0x49e014 FreeEnvironmentStringsA
0x49e018 GetModuleHandleW
0x49e01c GetConsoleAliasesA
0x49e020 LoadLibraryW
0x49e024 SetVolumeMountPointA
0x49e028 WriteConsoleW
0x49e02c GetAtomNameW
0x49e030 SetUnhandledExceptionFilter
0x49e034 GetProcAddress
0x49e038 LoadLibraryA
0x49e03c OpenWaitableTimerW
0x49e040 LocalAlloc
0x49e044 GetCommMask
0x49e048 EnumDateFormatsA
0x49e04c CreateWaitableTimerW
0x49e050 lstrcatW
0x49e054 FindFirstVolumeW
0x49e058 AreFileApisANSI
0x49e05c SetLastError
0x49e060 GetNumaProcessorNode
0x49e064 GetLastError
0x49e068 HeapFree
0x49e06c GetStartupInfoW
0x49e070 TerminateProcess
0x49e074 GetCurrentProcess
0x49e078 UnhandledExceptionFilter
0x49e07c IsDebuggerPresent
0x49e080 HeapCreate
0x49e084 VirtualFree
0x49e088 DeleteCriticalSection
0x49e08c LeaveCriticalSection
0x49e090 EnterCriticalSection
0x49e094 HeapAlloc
0x49e098 VirtualAlloc
0x49e09c HeapReAlloc
0x49e0a0 Sleep
0x49e0a4 ExitProcess
0x49e0a8 WriteFile
0x49e0ac GetStdHandle
0x49e0b0 GetModuleFileNameA
0x49e0b4 GetModuleFileNameW
0x49e0b8 FreeEnvironmentStringsW
0x49e0bc GetEnvironmentStringsW
0x49e0c0 GetCommandLineW
0x49e0c4 SetHandleCount
0x49e0c8 GetFileType
0x49e0cc GetStartupInfoA
0x49e0d0 TlsGetValue
0x49e0d4 TlsAlloc
0x49e0d8 TlsSetValue
0x49e0dc TlsFree
0x49e0e0 InterlockedIncrement
0x49e0e4 GetCurrentThreadId
0x49e0e8 QueryPerformanceCounter
0x49e0ec GetTickCount
0x49e0f0 GetCurrentProcessId
0x49e0f4 GetSystemTimeAsFileTime
0x49e0f8 SetFilePointer
0x49e0fc WideCharToMultiByte
0x49e100 GetConsoleCP
0x49e104 GetConsoleMode
0x49e108 GetCPInfo
0x49e10c GetACP
0x49e110 GetOEMCP
0x49e114 IsValidCodePage
0x49e118 InitializeCriticalSectionAndSpinCount
0x49e11c RtlUnwind
0x49e120 MultiByteToWideChar
0x49e124 SetStdHandle
0x49e128 WriteConsoleA
0x49e12c GetConsoleOutputCP
0x49e130 LCMapStringA
0x49e134 LCMapStringW
0x49e138 GetStringTypeA
0x49e13c GetStringTypeW
0x49e140 GetLocaleInfoA
0x49e144 FlushFileBuffers
0x49e148 ReadFile
0x49e14c HeapSize
0x49e150 CreateFileA
0x49e154 CloseHandle
ADVAPI32.dll
0x49e000 ReadEventLogA
EAT(Export Address Table) is none
KERNEL32.dll
0x49e008 OpenJobObjectA
0x49e00c InterlockedDecrement
0x49e010 ZombifyActCtx
0x49e014 FreeEnvironmentStringsA
0x49e018 GetModuleHandleW
0x49e01c GetConsoleAliasesA
0x49e020 LoadLibraryW
0x49e024 SetVolumeMountPointA
0x49e028 WriteConsoleW
0x49e02c GetAtomNameW
0x49e030 SetUnhandledExceptionFilter
0x49e034 GetProcAddress
0x49e038 LoadLibraryA
0x49e03c OpenWaitableTimerW
0x49e040 LocalAlloc
0x49e044 GetCommMask
0x49e048 EnumDateFormatsA
0x49e04c CreateWaitableTimerW
0x49e050 lstrcatW
0x49e054 FindFirstVolumeW
0x49e058 AreFileApisANSI
0x49e05c SetLastError
0x49e060 GetNumaProcessorNode
0x49e064 GetLastError
0x49e068 HeapFree
0x49e06c GetStartupInfoW
0x49e070 TerminateProcess
0x49e074 GetCurrentProcess
0x49e078 UnhandledExceptionFilter
0x49e07c IsDebuggerPresent
0x49e080 HeapCreate
0x49e084 VirtualFree
0x49e088 DeleteCriticalSection
0x49e08c LeaveCriticalSection
0x49e090 EnterCriticalSection
0x49e094 HeapAlloc
0x49e098 VirtualAlloc
0x49e09c HeapReAlloc
0x49e0a0 Sleep
0x49e0a4 ExitProcess
0x49e0a8 WriteFile
0x49e0ac GetStdHandle
0x49e0b0 GetModuleFileNameA
0x49e0b4 GetModuleFileNameW
0x49e0b8 FreeEnvironmentStringsW
0x49e0bc GetEnvironmentStringsW
0x49e0c0 GetCommandLineW
0x49e0c4 SetHandleCount
0x49e0c8 GetFileType
0x49e0cc GetStartupInfoA
0x49e0d0 TlsGetValue
0x49e0d4 TlsAlloc
0x49e0d8 TlsSetValue
0x49e0dc TlsFree
0x49e0e0 InterlockedIncrement
0x49e0e4 GetCurrentThreadId
0x49e0e8 QueryPerformanceCounter
0x49e0ec GetTickCount
0x49e0f0 GetCurrentProcessId
0x49e0f4 GetSystemTimeAsFileTime
0x49e0f8 SetFilePointer
0x49e0fc WideCharToMultiByte
0x49e100 GetConsoleCP
0x49e104 GetConsoleMode
0x49e108 GetCPInfo
0x49e10c GetACP
0x49e110 GetOEMCP
0x49e114 IsValidCodePage
0x49e118 InitializeCriticalSectionAndSpinCount
0x49e11c RtlUnwind
0x49e120 MultiByteToWideChar
0x49e124 SetStdHandle
0x49e128 WriteConsoleA
0x49e12c GetConsoleOutputCP
0x49e130 LCMapStringA
0x49e134 LCMapStringW
0x49e138 GetStringTypeA
0x49e13c GetStringTypeW
0x49e140 GetLocaleInfoA
0x49e144 FlushFileBuffers
0x49e148 ReadFile
0x49e14c HeapSize
0x49e150 CreateFileA
0x49e154 CloseHandle
ADVAPI32.dll
0x49e000 ReadEventLogA
EAT(Export Address Table) is none