ScreenShot
| Created | 2024.08.09 16:48 | Machine | s1_win7_x6401 |
| Filename | 66ae9cc050ded_file0308.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 60 detected (AIDetectMalware, Stop, malicious, high confidence, score, Lockbit, Unsafe, GenericKD, Save, Attribute, HighConfidence, Kryptik, HXQM, Artemis, PWSX, Smokeloader, Redirector, InstaBot, kqpqfm, Mokes, zRLPcqYcSgN, oftur, Siggen29, PRIVATELOADER, YXEHDZ, Real Protect, high, Static AI, Malicious PE, Detected, ai score=87, Sabsik, Eldorado, R658943, ZexaF, Tq0@aiuO96kG, BScope, Chgt, Gencirc, susgen, confidence, 100%, GenKryptik) | ||
| md5 | d7528cd33b73718b5949277420681f90 | ||
| sha256 | 3b8d07693e296aee36e7607c71503d981396a21b367e169146afdd052cdcf4d1 | ||
| ssdeep | 12288:koywWrwlTyC9yR+xBP4wMpAuhjH8/Hl19KKjNgzqE0CM6EpJMwk:PlTX9Xj4w+hbM1/g2kM | ||
| imphash | 0e02f2783b58059fb828111a17212082 | ||
| impfuzzy | 24:vaPiuBrOovH99SSdEDRy36a/pbG2blC9E0lRta2cfmsYuOZyv4/J3IjSQjMFluod:vaPMs9ESdcyKlWlIt7cftEueMSdsEGkj | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| warning | Generates some ICMP traffic |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Installs itself for autorun at Windows startup |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
Rules (20cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (6cnts) ?
Suricata ids
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4a8000 GetFullPathNameA
0x4a8004 UnregisterWait
0x4a8008 GlobalDeleteAtom
0x4a800c TryEnterCriticalSection
0x4a8010 DebugActiveProcessStop
0x4a8014 GetLogicalDriveStringsW
0x4a8018 GetComputerNameW
0x4a801c GetModuleHandleW
0x4a8020 GetTickCount
0x4a8024 GetCommandLineA
0x4a8028 GetSystemTimes
0x4a802c Sleep
0x4a8030 FormatMessageW
0x4a8034 DeleteVolumeMountPointW
0x4a8038 HeapCreate
0x4a803c WriteConsoleW
0x4a8040 GetAtomNameW
0x4a8044 GetTimeZoneInformation
0x4a8048 VirtualUnlock
0x4a804c GetShortPathNameA
0x4a8050 InterlockedExchange
0x4a8054 GetProcAddress
0x4a8058 GetNumaHighestNodeNumber
0x4a805c LoadLibraryA
0x4a8060 OpenWaitableTimerW
0x4a8064 LocalAlloc
0x4a8068 OpenJobObjectW
0x4a806c SetCommMask
0x4a8070 FoldStringW
0x4a8074 GetDefaultCommConfigA
0x4a8078 EnumDateFormatsA
0x4a807c CreateWaitableTimerW
0x4a8080 lstrcatW
0x4a8084 FreeEnvironmentStringsW
0x4a8088 SetCalendarInfoA
0x4a808c SetFileShortNameA
0x4a8090 DebugBreak
0x4a8094 CloseHandle
0x4a8098 GetLastError
0x4a809c HeapFree
0x4a80a0 GetStartupInfoW
0x4a80a4 TerminateProcess
0x4a80a8 GetCurrentProcess
0x4a80ac UnhandledExceptionFilter
0x4a80b0 SetUnhandledExceptionFilter
0x4a80b4 IsDebuggerPresent
0x4a80b8 VirtualFree
0x4a80bc DeleteCriticalSection
0x4a80c0 LeaveCriticalSection
0x4a80c4 EnterCriticalSection
0x4a80c8 HeapAlloc
0x4a80cc VirtualAlloc
0x4a80d0 HeapReAlloc
0x4a80d4 ReadFile
0x4a80d8 ExitProcess
0x4a80dc WriteFile
0x4a80e0 GetStdHandle
0x4a80e4 GetModuleFileNameA
0x4a80e8 GetModuleFileNameW
0x4a80ec GetEnvironmentStringsW
0x4a80f0 GetCommandLineW
0x4a80f4 SetHandleCount
0x4a80f8 GetFileType
0x4a80fc GetStartupInfoA
0x4a8100 TlsGetValue
0x4a8104 TlsAlloc
0x4a8108 TlsSetValue
0x4a810c TlsFree
0x4a8110 InterlockedIncrement
0x4a8114 SetLastError
0x4a8118 GetCurrentThreadId
0x4a811c InterlockedDecrement
0x4a8120 QueryPerformanceCounter
0x4a8124 GetCurrentProcessId
0x4a8128 GetSystemTimeAsFileTime
0x4a812c SetFilePointer
0x4a8130 WideCharToMultiByte
0x4a8134 GetConsoleCP
0x4a8138 GetConsoleMode
0x4a813c GetCPInfo
0x4a8140 GetACP
0x4a8144 GetOEMCP
0x4a8148 IsValidCodePage
0x4a814c InitializeCriticalSectionAndSpinCount
0x4a8150 RtlUnwind
0x4a8154 MultiByteToWideChar
0x4a8158 SetStdHandle
0x4a815c WriteConsoleA
0x4a8160 GetConsoleOutputCP
0x4a8164 LCMapStringA
0x4a8168 LCMapStringW
0x4a816c GetStringTypeA
0x4a8170 GetStringTypeW
0x4a8174 GetLocaleInfoA
0x4a8178 FlushFileBuffers
0x4a817c HeapSize
0x4a8180 CreateFileA
USER32.dll
0x4a8188 CopyRect
0x4a818c SetActiveWindow
EAT(Export Address Table) is none
KERNEL32.dll
0x4a8000 GetFullPathNameA
0x4a8004 UnregisterWait
0x4a8008 GlobalDeleteAtom
0x4a800c TryEnterCriticalSection
0x4a8010 DebugActiveProcessStop
0x4a8014 GetLogicalDriveStringsW
0x4a8018 GetComputerNameW
0x4a801c GetModuleHandleW
0x4a8020 GetTickCount
0x4a8024 GetCommandLineA
0x4a8028 GetSystemTimes
0x4a802c Sleep
0x4a8030 FormatMessageW
0x4a8034 DeleteVolumeMountPointW
0x4a8038 HeapCreate
0x4a803c WriteConsoleW
0x4a8040 GetAtomNameW
0x4a8044 GetTimeZoneInformation
0x4a8048 VirtualUnlock
0x4a804c GetShortPathNameA
0x4a8050 InterlockedExchange
0x4a8054 GetProcAddress
0x4a8058 GetNumaHighestNodeNumber
0x4a805c LoadLibraryA
0x4a8060 OpenWaitableTimerW
0x4a8064 LocalAlloc
0x4a8068 OpenJobObjectW
0x4a806c SetCommMask
0x4a8070 FoldStringW
0x4a8074 GetDefaultCommConfigA
0x4a8078 EnumDateFormatsA
0x4a807c CreateWaitableTimerW
0x4a8080 lstrcatW
0x4a8084 FreeEnvironmentStringsW
0x4a8088 SetCalendarInfoA
0x4a808c SetFileShortNameA
0x4a8090 DebugBreak
0x4a8094 CloseHandle
0x4a8098 GetLastError
0x4a809c HeapFree
0x4a80a0 GetStartupInfoW
0x4a80a4 TerminateProcess
0x4a80a8 GetCurrentProcess
0x4a80ac UnhandledExceptionFilter
0x4a80b0 SetUnhandledExceptionFilter
0x4a80b4 IsDebuggerPresent
0x4a80b8 VirtualFree
0x4a80bc DeleteCriticalSection
0x4a80c0 LeaveCriticalSection
0x4a80c4 EnterCriticalSection
0x4a80c8 HeapAlloc
0x4a80cc VirtualAlloc
0x4a80d0 HeapReAlloc
0x4a80d4 ReadFile
0x4a80d8 ExitProcess
0x4a80dc WriteFile
0x4a80e0 GetStdHandle
0x4a80e4 GetModuleFileNameA
0x4a80e8 GetModuleFileNameW
0x4a80ec GetEnvironmentStringsW
0x4a80f0 GetCommandLineW
0x4a80f4 SetHandleCount
0x4a80f8 GetFileType
0x4a80fc GetStartupInfoA
0x4a8100 TlsGetValue
0x4a8104 TlsAlloc
0x4a8108 TlsSetValue
0x4a810c TlsFree
0x4a8110 InterlockedIncrement
0x4a8114 SetLastError
0x4a8118 GetCurrentThreadId
0x4a811c InterlockedDecrement
0x4a8120 QueryPerformanceCounter
0x4a8124 GetCurrentProcessId
0x4a8128 GetSystemTimeAsFileTime
0x4a812c SetFilePointer
0x4a8130 WideCharToMultiByte
0x4a8134 GetConsoleCP
0x4a8138 GetConsoleMode
0x4a813c GetCPInfo
0x4a8140 GetACP
0x4a8144 GetOEMCP
0x4a8148 IsValidCodePage
0x4a814c InitializeCriticalSectionAndSpinCount
0x4a8150 RtlUnwind
0x4a8154 MultiByteToWideChar
0x4a8158 SetStdHandle
0x4a815c WriteConsoleA
0x4a8160 GetConsoleOutputCP
0x4a8164 LCMapStringA
0x4a8168 LCMapStringW
0x4a816c GetStringTypeA
0x4a8170 GetStringTypeW
0x4a8174 GetLocaleInfoA
0x4a8178 FlushFileBuffers
0x4a817c HeapSize
0x4a8180 CreateFileA
USER32.dll
0x4a8188 CopyRect
0x4a818c SetActiveWindow
EAT(Export Address Table) is none