Field | Value |
---|---|
Created | 2024.08.11 15:08 |
Machine | s1_win7_x6403 |
Filename | request.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 31 detected (AIDetectMalware, malicious, high confidence, Mint, Sneaky, Unsafe, Save, Attribute, HighConfidence, score, Dorifel, Hijacker, Real Protect, ai score=80, Amadey, BScope, Wacatac, MalBehav, confidence, 100%) |
md5 | ef8320eace6f753231666c61104bdd49 |
sha256 | 8e2fa428fa5e7092d117dadf10529a35f415a0b8fa27cd17607e23dd913ffcdc |
ssdeep | 6144:hh9fH2l34HigA2/BDBaBL7cpnBZVCBQrfYQSlyItcJ2+QmmaeIBqk3biuFo480AL:s9jtaeIBqmu |
imphash | 015966a997659caed7ef58f6ab2e8bde |
impfuzzy | 48:UPXsBtZ0TcpV5CrztmS1IG7pZi3Rojlg25Yu:0Xw8cpV5oztmS1IG7pZ5u2n |
Signature (12cnts)
Level | Description |
---|---|
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local email clients |
watch | Installs itself for autorun at Windows startup |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Creates a suspicious process |
notice | Executes one or more WMI queries |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (ip-api .io) in DNS Lookup
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x43b018 GetModuleHandleA
0x43b01c Sleep
0x43b020 CopyFileA
0x43b024 GetLastError
0x43b028 CloseHandle
0x43b02c VirtualProtectEx
0x43b030 ResumeThread
0x43b034 GetProcAddress
0x43b038 VirtualAllocEx
0x43b03c ReadProcessMemory
0x43b040 CreateProcessA
0x43b044 SetThreadContext
0x43b048 GetComputerNameA
0x43b04c WriteConsoleW
0x43b050 WaitForSingleObject
0x43b054 CreateMutexA
0x43b058 VirtualAlloc
0x43b05c WriteProcessMemory
0x43b060 GetThreadContext
0x43b064 GetModuleFileNameA
0x43b068 HeapSize
0x43b06c CreateFileW
0x43b070 SetStdHandle
0x43b074 GetProcessHeap
0x43b078 SetEnvironmentVariableW
0x43b07c FreeEnvironmentStringsW
0x43b080 GetEnvironmentStringsW
0x43b084 GetOEMCP
0x43b088 GetACP
0x43b08c IsValidCodePage
0x43b090 FindNextFileW
0x43b094 FindFirstFileExW
0x43b098 FindClose
0x43b09c HeapReAlloc
0x43b0a0 ReadConsoleW
0x43b0a4 ReadFile
0x43b0a8 EnumSystemLocalesW
0x43b0ac GetUserDefaultLCID
0x43b0b0 IsValidLocale
0x43b0b4 GetLocaleInfoW
0x43b0b8 LCMapStringW
0x43b0bc CompareStringW
0x43b0c0 HeapAlloc
0x43b0c4 HeapFree
0x43b0c8 WideCharToMultiByte
0x43b0cc EnterCriticalSection
0x43b0d0 LeaveCriticalSection
0x43b0d4 InitializeCriticalSectionEx
0x43b0d8 DeleteCriticalSection
0x43b0dc EncodePointer
0x43b0e0 DecodePointer
0x43b0e4 MultiByteToWideChar
0x43b0e8 LCMapStringEx
0x43b0ec CompareStringEx
0x43b0f0 GetCPInfo
0x43b0f4 GetStringTypeW
0x43b0f8 IsProcessorFeaturePresent
0x43b0fc IsDebuggerPresent
0x43b100 UnhandledExceptionFilter
0x43b104 SetUnhandledExceptionFilter
0x43b108 GetStartupInfoW
0x43b10c GetModuleHandleW
0x43b110 QueryPerformanceCounter
0x43b114 GetCurrentProcessId
0x43b118 GetCurrentThreadId
0x43b11c GetSystemTimeAsFileTime
0x43b120 InitializeSListHead
0x43b124 GetCurrentProcess
0x43b128 TerminateProcess
0x43b12c RaiseException
0x43b130 RtlUnwind
0x43b134 SetLastError
0x43b138 InitializeCriticalSectionAndSpinCount
0x43b13c TlsAlloc
0x43b140 TlsGetValue
0x43b144 TlsSetValue
0x43b148 TlsFree
0x43b14c FreeLibrary
0x43b150 LoadLibraryExW
0x43b154 ExitProcess
0x43b158 GetModuleHandleExW
0x43b15c GetModuleFileNameW
0x43b160 GetStdHandle
0x43b164 WriteFile
0x43b168 GetCommandLineA
0x43b16c GetCommandLineW
0x43b170 GetFileSizeEx
0x43b174 SetFilePointerEx
0x43b178 GetFileType
0x43b17c FlushFileBuffers
0x43b180 GetConsoleOutputCP
0x43b184 GetConsoleMode
0x43b188 SetEndOfFile
ADVAPI32.dll
0x43b000 RegQueryValueExA
0x43b004 RegSetValueExA
0x43b008 RegOpenKeyExA
0x43b00c GetUserNameA
0x43b010 RegCloseKey
SHELL32.dll
0x43b1a4 ShellExecuteA
ole32.dll
0x43b1ec CoUninitialize
0x43b1f0 CoSetProxyBlanket
0x43b1f4 CoInitializeSecurity
0x43b1f8 CoInitializeEx
0x43b1fc CoCreateInstance
OLEAUT32.dll
0x43b190 VariantInit
0x43b194 SysFreeString
0x43b198 VariantClear
0x43b19c SysAllocString
WININET.dll
0x43b1ac InternetOpenUrlA
0x43b1b0 InternetOpenW
0x43b1b4 InternetCloseHandle
0x43b1b8 InternetReadFile
WS2_32.dll
0x43b1c0 sendto
0x43b1c4 htons
0x43b1c8 recv
0x43b1cc connect
0x43b1d0 socket
0x43b1d4 send
0x43b1d8 inet_addr
0x43b1dc WSACleanup
0x43b1e0 closesocket
0x43b1e4 WSAStartup
EAT (Export Address Table): none