ScreenShot
| Created | 2024.08.11 15:16 | Machine | s1_win7_x6401 |
| Filename | random.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 59 detected (AIDetectMalware, Stealerc, tsCt, Windows, Threat, Malicious, score, Zusy, Unsafe, Vdff, TrojanPSW, Attribute, HighConfidence, Stealc, Artemis, ccmw, DQwxTsXk3kJ, mjdov, Real Protect, moderate, Static AI, Malicious PE, Detected, ai score=84, Malware@#3iqg7wwdr07a2, R660025, BScope, VIDAR, YXEHHZ, Gencirc, cL2tdKpcw, Meterpreter, GdSda, confidence, Cometer) | ||
| md5 | 278ee1426274818874556aa18fd02e3a | ||
| sha256 | 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb | ||
| ssdeep | 3072:/k9W0KFj5qj6o8KaxfE54HnnGqaKl+b2n8O43tIFmpKa:/kE/j5K62aOanGqCbAq3SFAKa | ||
| imphash | 75f38a281962eafd8c14d2b02cfcdab6 | ||
| impfuzzy | 24:j/8Wfb8J93qsQCTBlR1YzGWtU9fMyDkfjY/J3IQ:j/8Mb8r3qVCTBv1kGWtcfMzKj | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| info | Checks amount of memory in system |
| info | Queries for the computername |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x41e0ac strncpy
0x41e0b0 ??_V@YAXPAX@Z
0x41e0b4 memchr
0x41e0b8 ??_U@YAPAXI@Z
0x41e0bc strtok
0x41e0c0 strtok_s
0x41e0c4 strcpy_s
0x41e0c8 vsprintf_s
0x41e0cc memmove
0x41e0d0 strlen
0x41e0d4 malloc
0x41e0d8 free
0x41e0dc memcmp
0x41e0e0 ??2@YAPAXI@Z
0x41e0e4 memset
0x41e0e8 memcpy
0x41e0ec __CxxFrameHandler3
KERNEL32.dll
0x41e000 InitializeCriticalSectionAndSpinCount
0x41e004 WideCharToMultiByte
0x41e008 RaiseException
0x41e00c GetStringTypeW
0x41e010 MultiByteToWideChar
0x41e014 LCMapStringW
0x41e018 IsValidCodePage
0x41e01c lstrlenA
0x41e020 HeapAlloc
0x41e024 GetProcessHeap
0x41e028 VirtualProtect
0x41e02c VirtualQueryEx
0x41e030 OpenProcess
0x41e034 ReadProcessMemory
0x41e038 WriteFile
0x41e03c GetOEMCP
0x41e040 GetACP
0x41e044 UnhandledExceptionFilter
0x41e048 SetUnhandledExceptionFilter
0x41e04c IsDebuggerPresent
0x41e050 EncodePointer
0x41e054 DecodePointer
0x41e058 TerminateProcess
0x41e05c GetCurrentProcess
0x41e060 LeaveCriticalSection
0x41e064 EnterCriticalSection
0x41e068 RtlUnwind
0x41e06c GetProcAddress
0x41e070 GetModuleHandleW
0x41e074 ExitProcess
0x41e078 Sleep
0x41e07c GetStdHandle
0x41e080 GetModuleFileNameW
0x41e084 GetLastError
0x41e088 LoadLibraryW
0x41e08c TlsGetValue
0x41e090 TlsSetValue
0x41e094 InterlockedIncrement
0x41e098 SetLastError
0x41e09c GetCurrentThreadId
0x41e0a0 InterlockedDecrement
0x41e0a4 GetCPInfo
EAT(Export Address Table) is none
msvcrt.dll
0x41e0ac strncpy
0x41e0b0 ??_V@YAXPAX@Z
0x41e0b4 memchr
0x41e0b8 ??_U@YAPAXI@Z
0x41e0bc strtok
0x41e0c0 strtok_s
0x41e0c4 strcpy_s
0x41e0c8 vsprintf_s
0x41e0cc memmove
0x41e0d0 strlen
0x41e0d4 malloc
0x41e0d8 free
0x41e0dc memcmp
0x41e0e0 ??2@YAPAXI@Z
0x41e0e4 memset
0x41e0e8 memcpy
0x41e0ec __CxxFrameHandler3
KERNEL32.dll
0x41e000 InitializeCriticalSectionAndSpinCount
0x41e004 WideCharToMultiByte
0x41e008 RaiseException
0x41e00c GetStringTypeW
0x41e010 MultiByteToWideChar
0x41e014 LCMapStringW
0x41e018 IsValidCodePage
0x41e01c lstrlenA
0x41e020 HeapAlloc
0x41e024 GetProcessHeap
0x41e028 VirtualProtect
0x41e02c VirtualQueryEx
0x41e030 OpenProcess
0x41e034 ReadProcessMemory
0x41e038 WriteFile
0x41e03c GetOEMCP
0x41e040 GetACP
0x41e044 UnhandledExceptionFilter
0x41e048 SetUnhandledExceptionFilter
0x41e04c IsDebuggerPresent
0x41e050 EncodePointer
0x41e054 DecodePointer
0x41e058 TerminateProcess
0x41e05c GetCurrentProcess
0x41e060 LeaveCriticalSection
0x41e064 EnterCriticalSection
0x41e068 RtlUnwind
0x41e06c GetProcAddress
0x41e070 GetModuleHandleW
0x41e074 ExitProcess
0x41e078 Sleep
0x41e07c GetStdHandle
0x41e080 GetModuleFileNameW
0x41e084 GetLastError
0x41e088 LoadLibraryW
0x41e08c TlsGetValue
0x41e090 TlsSetValue
0x41e094 InterlockedIncrement
0x41e098 SetLastError
0x41e09c GetCurrentThreadId
0x41e0a0 InterlockedDecrement
0x41e0a4 GetCPInfo
EAT(Export Address Table) is none