ScreenShot
| Created | 2024.08.09 07:51 | Machine | s1_win7_x6401 |
| Filename | kitty.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | |||
| md5 | 0ec1f7cc17b6402cd2df150e0e5e92ca | ||
| sha256 | 4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4 | ||
| ssdeep | 6144:nx9ooeWfqpO3HS0f+KIXDyqR9NKtU5tyt7EJtdb/yw0cV3IOfe52GGZ2OGe+CKip:nx9onKM2+KIXrLGw0ci22OGe+CKiV9pz | ||
| imphash | 89d186e701948ed4026afa52bc6342f0 | ||
| impfuzzy | 48:ZW0XOzMrlvqQcpV5CrMdtmG7pZO3gFZS70HNwjo:tXm2lSQcpV5oMdtmG7pZ9SkNw8 | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| watch | Checks the version of Bios |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects Avast Antivirus through the presence of a library |
| watch | Harvests credentials from local email clients |
| watch | Installs itself for autorun at Windows startup |
| notice | A process attempted to delay the analysis task. |
| notice | An executable file was downloaded by the process cerker.exe |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Executes one or more WMI queries |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Command line console output was observed |
| info | Queries for the computername |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE ZharkBot User-Agent Observed
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE ZharkBot User-Agent Observed
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x43d018 ReadProcessMemory
0x43d01c WriteProcessMemory
0x43d020 GetModuleHandleA
0x43d024 GetProcAddress
0x43d028 GetEnvironmentVariableA
0x43d02c CreateDirectoryA
0x43d030 WaitForSingleObject
0x43d034 CreateMutexA
0x43d038 Sleep
0x43d03c GetModuleFileNameA
0x43d040 VirtualProtectEx
0x43d044 CreateProcessW
0x43d048 GetVersion
0x43d04c GetComputerNameA
0x43d050 WriteConsoleW
0x43d054 HeapSize
0x43d058 CreateFileW
0x43d05c GetProcessHeap
0x43d060 SetStdHandle
0x43d064 VirtualAllocEx
0x43d068 VirtualAlloc
0x43d06c SetThreadContext
0x43d070 GetThreadContext
0x43d074 CreateProcessA
0x43d078 ResumeThread
0x43d07c K32GetModuleFileNameExA
0x43d080 GetLastError
0x43d084 K32EnumProcesses
0x43d088 OpenProcess
0x43d08c TerminateProcess
0x43d090 GetCurrentProcessId
0x43d094 CopyFileA
0x43d098 CloseHandle
0x43d09c SetEnvironmentVariableW
0x43d0a0 FreeEnvironmentStringsW
0x43d0a4 GetEnvironmentStringsW
0x43d0a8 GetOEMCP
0x43d0ac GetACP
0x43d0b0 IsValidCodePage
0x43d0b4 FindNextFileW
0x43d0b8 FindFirstFileExW
0x43d0bc FindClose
0x43d0c0 HeapReAlloc
0x43d0c4 ReadConsoleW
0x43d0c8 SetFilePointerEx
0x43d0cc GetFileSizeEx
0x43d0d0 ReadFile
0x43d0d4 GetConsoleMode
0x43d0d8 GetConsoleOutputCP
0x43d0dc FlushFileBuffers
0x43d0e0 GetFileType
0x43d0e4 GetCurrentThreadId
0x43d0e8 WideCharToMultiByte
0x43d0ec EnterCriticalSection
0x43d0f0 LeaveCriticalSection
0x43d0f4 InitializeCriticalSectionEx
0x43d0f8 DeleteCriticalSection
0x43d0fc EncodePointer
0x43d100 DecodePointer
0x43d104 MultiByteToWideChar
0x43d108 LCMapStringEx
0x43d10c CompareStringEx
0x43d110 GetCPInfo
0x43d114 QueryPerformanceCounter
0x43d118 GetSystemTimeAsFileTime
0x43d11c GetModuleHandleW
0x43d120 GetStringTypeW
0x43d124 IsProcessorFeaturePresent
0x43d128 InitializeSListHead
0x43d12c IsDebuggerPresent
0x43d130 UnhandledExceptionFilter
0x43d134 SetUnhandledExceptionFilter
0x43d138 GetStartupInfoW
0x43d13c GetCurrentProcess
0x43d140 RaiseException
0x43d144 RtlUnwind
0x43d148 SetLastError
0x43d14c InitializeCriticalSectionAndSpinCount
0x43d150 TlsAlloc
0x43d154 TlsGetValue
0x43d158 TlsSetValue
0x43d15c TlsFree
0x43d160 FreeLibrary
0x43d164 LoadLibraryExW
0x43d168 ExitProcess
0x43d16c GetModuleHandleExW
0x43d170 CreateThread
0x43d174 ExitThread
0x43d178 FreeLibraryAndExitThread
0x43d17c GetStdHandle
0x43d180 WriteFile
0x43d184 GetModuleFileNameW
0x43d188 GetCommandLineA
0x43d18c GetCommandLineW
0x43d190 HeapFree
0x43d194 HeapAlloc
0x43d198 CompareStringW
0x43d19c LCMapStringW
0x43d1a0 GetLocaleInfoW
0x43d1a4 IsValidLocale
0x43d1a8 GetUserDefaultLCID
0x43d1ac EnumSystemLocalesW
0x43d1b0 SetEndOfFile
ADVAPI32.dll
0x43d000 RegSetValueExA
0x43d004 RegQueryValueExA
0x43d008 RegOpenKeyExA
0x43d00c RegCloseKey
0x43d010 GetUserNameA
SHELL32.dll
0x43d1cc ShellExecuteA
ole32.dll
0x43d1e8 CoInitializeEx
0x43d1ec CoInitializeSecurity
0x43d1f0 CoSetProxyBlanket
0x43d1f4 CoCreateInstance
0x43d1f8 CoUninitialize
OLEAUT32.dll
0x43d1b8 SysAllocString
0x43d1bc SysFreeString
0x43d1c0 VariantInit
0x43d1c4 VariantClear
WININET.dll
0x43d1d4 InternetReadFile
0x43d1d8 InternetOpenW
0x43d1dc InternetOpenUrlA
0x43d1e0 InternetCloseHandle
EAT(Export Address Table) is none
KERNEL32.dll
0x43d018 ReadProcessMemory
0x43d01c WriteProcessMemory
0x43d020 GetModuleHandleA
0x43d024 GetProcAddress
0x43d028 GetEnvironmentVariableA
0x43d02c CreateDirectoryA
0x43d030 WaitForSingleObject
0x43d034 CreateMutexA
0x43d038 Sleep
0x43d03c GetModuleFileNameA
0x43d040 VirtualProtectEx
0x43d044 CreateProcessW
0x43d048 GetVersion
0x43d04c GetComputerNameA
0x43d050 WriteConsoleW
0x43d054 HeapSize
0x43d058 CreateFileW
0x43d05c GetProcessHeap
0x43d060 SetStdHandle
0x43d064 VirtualAllocEx
0x43d068 VirtualAlloc
0x43d06c SetThreadContext
0x43d070 GetThreadContext
0x43d074 CreateProcessA
0x43d078 ResumeThread
0x43d07c K32GetModuleFileNameExA
0x43d080 GetLastError
0x43d084 K32EnumProcesses
0x43d088 OpenProcess
0x43d08c TerminateProcess
0x43d090 GetCurrentProcessId
0x43d094 CopyFileA
0x43d098 CloseHandle
0x43d09c SetEnvironmentVariableW
0x43d0a0 FreeEnvironmentStringsW
0x43d0a4 GetEnvironmentStringsW
0x43d0a8 GetOEMCP
0x43d0ac GetACP
0x43d0b0 IsValidCodePage
0x43d0b4 FindNextFileW
0x43d0b8 FindFirstFileExW
0x43d0bc FindClose
0x43d0c0 HeapReAlloc
0x43d0c4 ReadConsoleW
0x43d0c8 SetFilePointerEx
0x43d0cc GetFileSizeEx
0x43d0d0 ReadFile
0x43d0d4 GetConsoleMode
0x43d0d8 GetConsoleOutputCP
0x43d0dc FlushFileBuffers
0x43d0e0 GetFileType
0x43d0e4 GetCurrentThreadId
0x43d0e8 WideCharToMultiByte
0x43d0ec EnterCriticalSection
0x43d0f0 LeaveCriticalSection
0x43d0f4 InitializeCriticalSectionEx
0x43d0f8 DeleteCriticalSection
0x43d0fc EncodePointer
0x43d100 DecodePointer
0x43d104 MultiByteToWideChar
0x43d108 LCMapStringEx
0x43d10c CompareStringEx
0x43d110 GetCPInfo
0x43d114 QueryPerformanceCounter
0x43d118 GetSystemTimeAsFileTime
0x43d11c GetModuleHandleW
0x43d120 GetStringTypeW
0x43d124 IsProcessorFeaturePresent
0x43d128 InitializeSListHead
0x43d12c IsDebuggerPresent
0x43d130 UnhandledExceptionFilter
0x43d134 SetUnhandledExceptionFilter
0x43d138 GetStartupInfoW
0x43d13c GetCurrentProcess
0x43d140 RaiseException
0x43d144 RtlUnwind
0x43d148 SetLastError
0x43d14c InitializeCriticalSectionAndSpinCount
0x43d150 TlsAlloc
0x43d154 TlsGetValue
0x43d158 TlsSetValue
0x43d15c TlsFree
0x43d160 FreeLibrary
0x43d164 LoadLibraryExW
0x43d168 ExitProcess
0x43d16c GetModuleHandleExW
0x43d170 CreateThread
0x43d174 ExitThread
0x43d178 FreeLibraryAndExitThread
0x43d17c GetStdHandle
0x43d180 WriteFile
0x43d184 GetModuleFileNameW
0x43d188 GetCommandLineA
0x43d18c GetCommandLineW
0x43d190 HeapFree
0x43d194 HeapAlloc
0x43d198 CompareStringW
0x43d19c LCMapStringW
0x43d1a0 GetLocaleInfoW
0x43d1a4 IsValidLocale
0x43d1a8 GetUserDefaultLCID
0x43d1ac EnumSystemLocalesW
0x43d1b0 SetEndOfFile
ADVAPI32.dll
0x43d000 RegSetValueExA
0x43d004 RegQueryValueExA
0x43d008 RegOpenKeyExA
0x43d00c RegCloseKey
0x43d010 GetUserNameA
SHELL32.dll
0x43d1cc ShellExecuteA
ole32.dll
0x43d1e8 CoInitializeEx
0x43d1ec CoInitializeSecurity
0x43d1f0 CoSetProxyBlanket
0x43d1f4 CoCreateInstance
0x43d1f8 CoUninitialize
OLEAUT32.dll
0x43d1b8 SysAllocString
0x43d1bc SysFreeString
0x43d1c0 VariantInit
0x43d1c4 VariantClear
WININET.dll
0x43d1d4 InternetReadFile
0x43d1d8 InternetOpenW
0x43d1dc InternetOpenUrlA
0x43d1e0 InternetCloseHandle
EAT(Export Address Table) is none