ScreenShot
| Created | 2024.08.19 15:44 | Machine | s1_win7_x6403 |
| Filename | 66c1c5838f95f_file1808.exe#fileotr | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 26 detected (AIDetectMalware, malicious, high confidence, Lockbit, Unsafe, Hacktool, Attribute, HighConfidence, PWSX, score, Kryptik@AI, RDML, nmNzSMq8A, P7ki2v4pXUYw, Real Protect, high, Static AI, Malicious PE, Detected, Wacatac, R658943, ZexaF, Wq0@aOEuOijG, BScope, TrojanPSW, Convagent, Azorult, confidence, 100%) | ||
| md5 | 006edf0ac466164ddc9e0ac56474fe0a | ||
| sha256 | d343ea857cdf97aa0ccfd14970425c6888bd216d36ad7f6255a044bed36a4b2a | ||
| ssdeep | 24576:aG18MH/r+RAIFqLN7/uW/Nau09jMxrc5N:3aMD+RANBKIJ09j | ||
| imphash | 3f14e3b7aefb4fc1c763f1c17e499d8c | ||
| impfuzzy | 24:j4+2bG2SK/nHkrkR19/T1KcDoEdQBmvWTjDz2oBOovtte2cfLZ/J3KFBRzT42lue:Jp1AnYU9bFdRCSktvcfLbAc2sqrSm | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to create or modify system certificates |
| watch | Installs itself for autorun at Windows startup |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| watch | Uses suspicious command line tools or Windows utilities |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Foreign language identified in PE resource |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
Rules (20cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_DGA | Communication using DGA | memory |
| notice | Network_DNS | Communications use DNS | memory |
| notice | Network_TCP_Socket | Communications over RAW Socket | memory |
| notice | ScreenShot | Take ScreenShot | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (6cnts) ?
Suricata ids
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x4a5000 GetComputerNameA
0x4a5004 GetFullPathNameA
0x4a5008 TryEnterCriticalSection
0x4a500c GetDefaultCommConfigW
0x4a5010 InterlockedDecrement
0x4a5014 GetNamedPipeHandleStateA
0x4a5018 FindCloseChangeNotification
0x4a501c GetModuleHandleW
0x4a5020 GetConsoleAliasesLengthA
0x4a5024 FormatMessageA
0x4a5028 ReadConsoleOutputA
0x4a502c GetDateFormatA
0x4a5030 GetSystemTimes
0x4a5034 LocalShrink
0x4a5038 HeapDestroy
0x4a503c GlobalFlags
0x4a5040 GetFileAttributesW
0x4a5044 GetBinaryTypeA
0x4a5048 GetStartupInfoW
0x4a504c RaiseException
0x4a5050 FillConsoleOutputCharacterW
0x4a5054 GetLastError
0x4a5058 GetProcAddress
0x4a505c LoadLibraryA
0x4a5060 InterlockedExchangeAdd
0x4a5064 LocalAlloc
0x4a5068 GetFileType
0x4a506c FoldStringW
0x4a5070 EnumDateFormatsA
0x4a5074 lstrcatW
0x4a5078 FreeEnvironmentStringsW
0x4a507c VirtualProtect
0x4a5080 WaitForDebugEvent
0x4a5084 FindAtomW
0x4a5088 CloseHandle
0x4a508c DeleteAtom
0x4a5090 GetConsoleSelectionInfo
0x4a5094 HeapFree
0x4a5098 HeapAlloc
0x4a509c MultiByteToWideChar
0x4a50a0 GetCommandLineA
0x4a50a4 GetStartupInfoA
0x4a50a8 TerminateProcess
0x4a50ac GetCurrentProcess
0x4a50b0 UnhandledExceptionFilter
0x4a50b4 SetUnhandledExceptionFilter
0x4a50b8 IsDebuggerPresent
0x4a50bc HeapCreate
0x4a50c0 VirtualFree
0x4a50c4 DeleteCriticalSection
0x4a50c8 LeaveCriticalSection
0x4a50cc EnterCriticalSection
0x4a50d0 VirtualAlloc
0x4a50d4 HeapReAlloc
0x4a50d8 Sleep
0x4a50dc ExitProcess
0x4a50e0 WriteFile
0x4a50e4 GetStdHandle
0x4a50e8 GetModuleFileNameA
0x4a50ec TlsGetValue
0x4a50f0 TlsAlloc
0x4a50f4 TlsSetValue
0x4a50f8 TlsFree
0x4a50fc InterlockedIncrement
0x4a5100 SetLastError
0x4a5104 GetCurrentThreadId
0x4a5108 HeapSize
0x4a510c GetCPInfo
0x4a5110 GetACP
0x4a5114 GetOEMCP
0x4a5118 IsValidCodePage
0x4a511c FreeEnvironmentStringsA
0x4a5120 GetEnvironmentStrings
0x4a5124 WideCharToMultiByte
0x4a5128 GetEnvironmentStringsW
0x4a512c SetHandleCount
0x4a5130 QueryPerformanceCounter
0x4a5134 GetTickCount
0x4a5138 GetCurrentProcessId
0x4a513c GetSystemTimeAsFileTime
0x4a5140 InitializeCriticalSectionAndSpinCount
0x4a5144 RtlUnwind
0x4a5148 LCMapStringA
0x4a514c LCMapStringW
0x4a5150 GetStringTypeA
0x4a5154 GetStringTypeW
0x4a5158 GetLocaleInfoA
USER32.dll
0x4a5160 LoadIconW
EAT(Export Address Table) is none
KERNEL32.dll
0x4a5000 GetComputerNameA
0x4a5004 GetFullPathNameA
0x4a5008 TryEnterCriticalSection
0x4a500c GetDefaultCommConfigW
0x4a5010 InterlockedDecrement
0x4a5014 GetNamedPipeHandleStateA
0x4a5018 FindCloseChangeNotification
0x4a501c GetModuleHandleW
0x4a5020 GetConsoleAliasesLengthA
0x4a5024 FormatMessageA
0x4a5028 ReadConsoleOutputA
0x4a502c GetDateFormatA
0x4a5030 GetSystemTimes
0x4a5034 LocalShrink
0x4a5038 HeapDestroy
0x4a503c GlobalFlags
0x4a5040 GetFileAttributesW
0x4a5044 GetBinaryTypeA
0x4a5048 GetStartupInfoW
0x4a504c RaiseException
0x4a5050 FillConsoleOutputCharacterW
0x4a5054 GetLastError
0x4a5058 GetProcAddress
0x4a505c LoadLibraryA
0x4a5060 InterlockedExchangeAdd
0x4a5064 LocalAlloc
0x4a5068 GetFileType
0x4a506c FoldStringW
0x4a5070 EnumDateFormatsA
0x4a5074 lstrcatW
0x4a5078 FreeEnvironmentStringsW
0x4a507c VirtualProtect
0x4a5080 WaitForDebugEvent
0x4a5084 FindAtomW
0x4a5088 CloseHandle
0x4a508c DeleteAtom
0x4a5090 GetConsoleSelectionInfo
0x4a5094 HeapFree
0x4a5098 HeapAlloc
0x4a509c MultiByteToWideChar
0x4a50a0 GetCommandLineA
0x4a50a4 GetStartupInfoA
0x4a50a8 TerminateProcess
0x4a50ac GetCurrentProcess
0x4a50b0 UnhandledExceptionFilter
0x4a50b4 SetUnhandledExceptionFilter
0x4a50b8 IsDebuggerPresent
0x4a50bc HeapCreate
0x4a50c0 VirtualFree
0x4a50c4 DeleteCriticalSection
0x4a50c8 LeaveCriticalSection
0x4a50cc EnterCriticalSection
0x4a50d0 VirtualAlloc
0x4a50d4 HeapReAlloc
0x4a50d8 Sleep
0x4a50dc ExitProcess
0x4a50e0 WriteFile
0x4a50e4 GetStdHandle
0x4a50e8 GetModuleFileNameA
0x4a50ec TlsGetValue
0x4a50f0 TlsAlloc
0x4a50f4 TlsSetValue
0x4a50f8 TlsFree
0x4a50fc InterlockedIncrement
0x4a5100 SetLastError
0x4a5104 GetCurrentThreadId
0x4a5108 HeapSize
0x4a510c GetCPInfo
0x4a5110 GetACP
0x4a5114 GetOEMCP
0x4a5118 IsValidCodePage
0x4a511c FreeEnvironmentStringsA
0x4a5120 GetEnvironmentStrings
0x4a5124 WideCharToMultiByte
0x4a5128 GetEnvironmentStringsW
0x4a512c SetHandleCount
0x4a5130 QueryPerformanceCounter
0x4a5134 GetTickCount
0x4a5138 GetCurrentProcessId
0x4a513c GetSystemTimeAsFileTime
0x4a5140 InitializeCriticalSectionAndSpinCount
0x4a5144 RtlUnwind
0x4a5148 LCMapStringA
0x4a514c LCMapStringW
0x4a5150 GetStringTypeA
0x4a5154 GetStringTypeW
0x4a5158 GetLocaleInfoA
USER32.dll
0x4a5160 LoadIconW
EAT(Export Address Table) is none