Field | Value
---|---
Created | 2024.08.18 14:19
Machine | s1_win7_x6403
Filename | Images.exe
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score | 
Behavior Score | 
ZERO API | file : malicious
VT API (file) | 14 detected (Unsafe, V3yn, Malicious, Detected, Generic Reputation PUA, Wacatac, ZexaF, @J3@aKsopjyi)
md5 | 544fb98f86fbbbfe6adc50a62772df10
sha256 | bbda63aecb68285514b2bfc91b843c2d17c1d71abc3bcf10c1902599f84bf0d7
ssdeep | 196608:GrmtKFPLrGbAeZpyeW2idrsvA0qltC0R/6L0:GSOPvG8eZpyh28svWc0t6I
imphash | d67ee6607bbc19dbb5da771971f8b90a
impfuzzy | 24:Ifr/2O9YOD1Eu97hDqncLLPYu9denjIC5XGPxyQUXZu8N7d5oHqNKnZEw+:IfrZ93D1wcnNebJGpyQou8N7d5yqDH
Network IP location
Signature (17cnts)
Level | Description |
---|---|
watch | Attempts to identify installed AV products by installation directory |
watch | File has been identified by 14 AntiVirus engines on VirusTotal as malicious |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
Rules (25cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (7cnts)
Suricata ids
ET POLICY Python-urllib/ Suspicious User Agent
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41f220 CreateProcessW
0x41f224 DeleteCriticalSection
0x41f228 EnterCriticalSection
0x41f22c ExpandEnvironmentStringsW
0x41f230 FormatMessageA
0x41f234 GetCommandLineW
0x41f238 GetCurrentProcess
0x41f23c GetCurrentProcessId
0x41f240 GetCurrentThreadId
0x41f244 GetEnvironmentVariableW
0x41f248 GetExitCodeProcess
0x41f24c GetLastError
0x41f250 GetModuleFileNameW
0x41f254 GetModuleHandleA
0x41f258 GetProcAddress
0x41f25c GetShortPathNameW
0x41f260 GetStartupInfoW
0x41f264 GetSystemTimeAsFileTime
0x41f268 GetTempPathW
0x41f26c GetTickCount
0x41f270 InitializeCriticalSection
0x41f274 LeaveCriticalSection
0x41f278 LoadLibraryA
0x41f27c LoadLibraryExW
0x41f280 MultiByteToWideChar
0x41f284 QueryPerformanceCounter
0x41f288 SetDllDirectoryW
0x41f28c SetEnvironmentVariableW
0x41f290 SetUnhandledExceptionFilter
0x41f294 Sleep
0x41f298 TerminateProcess
0x41f29c TlsGetValue
0x41f2a0 UnhandledExceptionFilter
0x41f2a4 VirtualProtect
0x41f2a8 VirtualQuery
0x41f2ac WaitForSingleObject
0x41f2b0 WideCharToMultiByte
msvcrt.dll
0x41f2b8 __argc
0x41f2bc __dllonexit
0x41f2c0 __lconv_init
0x41f2c4 __set_app_type
0x41f2c8 __setusermatherr
0x41f2cc __wargv
0x41f2d0 __wgetmainargs
0x41f2d4 __winitenv
0x41f2d8 _amsg_exit
0x41f2dc _cexit
0x41f2e0 _findclose
0x41f2e4 _findfirst
0x41f2e8 _fileno
0x41f2ec _findnext
0x41f2f0 _fmode
0x41f2f4 _fullpath
0x41f2f8 _get_osfhandle
0x41f2fc _initterm
0x41f300 _iob
0x41f304 _lock
0x41f308 _getpid
0x41f30c _mkdir
0x41f310 _onexit
0x41f314 _rmdir
0x41f318 _setmode
0x41f31c _stat
0x41f320 _strdup
0x41f324 _tempnam
0x41f328 _unlock
0x41f32c _vsnprintf
0x41f330 _wcmdln
0x41f334 _wfopen
0x41f338 abort
0x41f33c calloc
0x41f340 clearerr
0x41f344 exit
0x41f348 fclose
0x41f34c feof
0x41f350 ferror
0x41f354 fflush
0x41f358 fprintf
0x41f35c fread
0x41f360 free
0x41f364 fseek
0x41f368 ftell
0x41f36c fwrite
0x41f370 getenv
0x41f374 malloc
0x41f378 mbstowcs
0x41f37c memcpy
0x41f380 memset
0x41f384 remove
0x41f388 setbuf
0x41f38c setlocale
0x41f390 signal
0x41f394 sprintf
0x41f398 strcat
0x41f39c strchr
0x41f3a0 strcmp
0x41f3a4 strcpy
0x41f3a8 strlen
0x41f3ac strncat
0x41f3b0 strncmp
0x41f3b4 strncpy
0x41f3b8 strrchr
0x41f3bc strtok
0x41f3c0 vfprintf
0x41f3c4 wcslen
USER32.dll
0x41f3cc MessageBoxA
WS2_32.dll
0x41f3d4 ntohl
EAT(Export Address Table) is none
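Two checks a practitioner would want to run against the listing above: that the imphash in the header can be reproduced from it (which also confirms the listing is complete and in import-directory order), and which of the flagged behaviours the static imports actually support. The Python below is an added example, not part of the report or of any tool behind it. The IAT it embeds is a constructed inline copy of the listing above (addresses omitted, order preserved), the capability bucket names are my own, and the imphash normalisation follows the pefile get_imphash() convention (lower-cased library with a .dll/.ocx/.sys suffix stripped, lower-cased function name, entries joined by commas, MD5).

```python
"""Recompute the imphash of Images.exe from the report's IAT listing and bucket
the imports by capability.  Added example; IAT is a constructed inline copy of
the report's listing, not pefile output."""
import hashlib
import re

# Import directory in IAT order, exactly as listed in the report (addresses omitted).
IAT = [
    ("KERNEL32.dll", (
        "CreateProcessW DeleteCriticalSection EnterCriticalSection "
        "ExpandEnvironmentStringsW FormatMessageA GetCommandLineW GetCurrentProcess "
        "GetCurrentProcessId GetCurrentThreadId GetEnvironmentVariableW "
        "GetExitCodeProcess GetLastError GetModuleFileNameW GetModuleHandleA "
        "GetProcAddress GetShortPathNameW GetStartupInfoW GetSystemTimeAsFileTime "
        "GetTempPathW GetTickCount InitializeCriticalSection LeaveCriticalSection "
        "LoadLibraryA LoadLibraryExW MultiByteToWideChar QueryPerformanceCounter "
        "SetDllDirectoryW SetEnvironmentVariableW SetUnhandledExceptionFilter Sleep "
        "TerminateProcess TlsGetValue UnhandledExceptionFilter VirtualProtect "
        "VirtualQuery WaitForSingleObject WideCharToMultiByte").split()),
    ("msvcrt.dll", (
        "__argc __dllonexit __lconv_init __set_app_type __setusermatherr __wargv "
        "__wgetmainargs __winitenv _amsg_exit _cexit _findclose _findfirst _fileno "
        "_findnext _fmode _fullpath _get_osfhandle _initterm _iob _lock _getpid "
        "_mkdir _onexit _rmdir _setmode _stat _strdup _tempnam _unlock _vsnprintf "
        "_wcmdln _wfopen abort calloc clearerr exit fclose feof ferror fflush fprintf "
        "fread free fseek ftell fwrite getenv malloc mbstowcs memcpy memset remove "
        "setbuf setlocale signal sprintf strcat strchr strcmp strcpy strlen strncat "
        "strncmp strncpy strrchr strtok vfprintf wcslen").split()),
    ("USER32.dll", ["MessageBoxA"]),
    ("WS2_32.dll", ["ntohl"]),
]

REPORTED_IMPHASH = "d67ee6607bbc19dbb5da771971f8b90a"  # value from the report header


def import_string(iat):
    """Normalise imports the way pefile's get_imphash() does: library lower-cased
    with .dll/.ocx/.sys stripped, function lower-cased, 'lib.func' entries
    comma-joined in import-directory order."""
    parts = []
    for lib, funcs in iat:
        lib = re.sub(r"\.(dll|ocx|sys)$", "", lib.lower())
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(iat):
    """MD5 over the normalised import string (the Mandiant/pefile imphash)."""
    return hashlib.md5(import_string(iat).encode()).hexdigest()


# Capability buckets chosen to mirror the behaviours the report flags (names are mine).
BUCKETS = {
    "execute_dropped_binary": {"CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"},
    "write_to_temp": {"GetTempPathW", "_tempnam", "_mkdir", "_wfopen", "fwrite", "remove", "_rmdir"},
    "dynamic_api_resolution": {"LoadLibraryA", "LoadLibraryExW", "GetProcAddress", "SetDllDirectoryW"},
    "memory_protection_change": {"VirtualProtect", "VirtualQuery"},
    # Functions that would indicate the launcher itself talks to the network.
    "network": {"ntohl", "socket", "connect", "send", "recv", "InternetOpenA", "WinHttpOpen"},
}


def capabilities(iat):
    """Return, per bucket, the sorted subset of bucket APIs actually imported."""
    present = {func for _, funcs in iat for func in funcs}
    return {name: sorted(present & apis) for name, apis in BUCKETS.items()}


if __name__ == "__main__":
    computed = imphash(IAT)
    print("computed imphash:", computed, "reported:", REPORTED_IMPHASH)
    print("match" if computed == REPORTED_IMPHASH else "mismatch: listing truncated or reordered")
    for name, hits in capabilities(IAT).items():
        print(f"{name:26s} {hits}")
```

Note what the network bucket returns: the only WS2_32 import is ntohl, a byte-order helper, and no socket, WinINet or WinHTTP functions are linked. The HTTP requests and the Python-urllib user agent in the Suricata alert therefore come from code this binary drops or loads at runtime (the GetTempPathW, _wfopen/fwrite, CreateProcessW and WaitForSingleObject imports are exactly what a drop-and-execute launcher needs), not from the import table of Images.exe itself. If the computed imphash differs from the reported one, the listing was truncated or reordered during extraction, so the pivot value to use is the one in the header.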