| Field | Value |
|---|---|
| Created | 2024.08.23 09:52 |
| Machine | s1_win7_x6403 |
| Filename | Update.exe |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| AI Score | |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | 53 detected (AIDetectMalware, GenCBL, Malicious, score, ClipBanker, Obfuscated, Fragtor, Unsafe, Vby8, GenericKD, Attribute, HighConfidence, high confidence, Artemis, Nekark, kprhfw, CLOUD, wmtwr, MulDrop26, high, Detected, ai score=81, VMProtect, RisePro, Wacatac, ZexaF, @@1@ayxJigci, Chgt, R002H0CH724, Gencirc, susgen, PossibleThreat, PALLAS) |
| md5 | 679c3af5f25af03f0703263673e1bb15 |
| sha256 | bba61ab41bd0849e06196b8fdeb58128ce8bada11ea3543a236f3fffcd16a069 |
| ssdeep | 196608:yNtzYNTe09Axlh/+7e6CvlLb4QZDfNUjF82/mI67Ad/w9:y/zYNTX9AJ/+TCvRbtxNUXuz7Mk |
| imphash | 2909d554e6e6e25d655c57f70a384600 |
| impfuzzy | 48:CQjIYXpcM5QZ14ASXJ4Zcp+svZZZDat0+dTRYE:PjrXpcug1AXJ4Zcp+AjGt0+lRYE |
Network IP location
Signature (25cnts)
Level | Description |
---|---|
danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
watch | Checks for the presence of known windows from debuggers and forensic tools |
watch | Checks the version of Bios |
watch | Detects Virtual Machines through their custom firmware |
watch | Detects VirtualBox through the presence of a registry key |
watch | Detects VMWare through the in instruction feature |
watch | Installs itself for autorun at Windows startup |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (42cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | themida_packer | themida packer | binaries (download) |
warning | themida_packer | themida packer | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
(no network requests recorded)
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x1012000 GetModuleHandleA
USER32.dll
0x1012008 SetClipboardData
ADVAPI32.dll
0x1012010 RegSetValueExA
SHELL32.dll
0x1012018 ShellExecuteExW
ole32.dll
0x1012020 CoTaskMemFree
kernel32.dll
0x1012028 LocalAlloc
0x101202c LocalFree
0x1012030 GetModuleFileNameW
0x1012034 GetProcessAffinityMask
0x1012038 SetProcessAffinityMask
0x101203c SetThreadAffinityMask
0x1012040 Sleep
0x1012044 ExitProcess
0x1012048 FreeLibrary
0x101204c LoadLibraryA
0x1012050 GetModuleHandleA
0x1012054 GetProcAddress
USER32.dll
0x101205c GetProcessWindowStation
0x1012060 GetUserObjectInformationW
kernel32.dll
0x1012068 GetSystemTimeAsFileTime
0x101206c CreateEventA
0x1012070 GetModuleHandleA
0x1012074 TerminateProcess
0x1012078 GetCurrentProcess
0x101207c CreateToolhelp32Snapshot
0x1012080 Thread32First
0x1012084 GetCurrentProcessId
0x1012088 GetCurrentThreadId
0x101208c OpenThread
0x1012090 Thread32Next
0x1012094 CloseHandle
0x1012098 SuspendThread
0x101209c ResumeThread
0x10120a0 WriteProcessMemory
0x10120a4 GetSystemInfo
0x10120a8 VirtualAlloc
0x10120ac VirtualProtect
0x10120b0 VirtualFree
0x10120b4 GetProcessAffinityMask
0x10120b8 SetProcessAffinityMask
0x10120bc GetCurrentThread
0x10120c0 SetThreadAffinityMask
0x10120c4 Sleep
0x10120c8 LoadLibraryA
0x10120cc FreeLibrary
0x10120d0 GetTickCount
0x10120d4 SystemTimeToFileTime
0x10120d8 FileTimeToSystemTime
0x10120dc GlobalFree
0x10120e0 HeapAlloc
0x10120e4 HeapFree
0x10120e8 GetProcAddress
0x10120ec ExitProcess
0x10120f0 EnterCriticalSection
0x10120f4 LeaveCriticalSection
0x10120f8 InitializeCriticalSection
0x10120fc DeleteCriticalSection
0x1012100 MultiByteToWideChar
0x1012104 GetModuleHandleW
0x1012108 LoadResource
0x101210c FindResourceExW
0x1012110 FindResourceExA
0x1012114 WideCharToMultiByte
0x1012118 GetThreadLocale
0x101211c GetUserDefaultLCID
0x1012120 GetSystemDefaultLCID
0x1012124 EnumResourceNamesA
0x1012128 EnumResourceNamesW
0x101212c EnumResourceLanguagesA
0x1012130 EnumResourceLanguagesW
0x1012134 EnumResourceTypesA
0x1012138 EnumResourceTypesW
0x101213c CreateFileW
0x1012140 LoadLibraryW
0x1012144 GetLastError
0x1012148 GetCommandLineA
0x101214c GetCPInfo
0x1012150 InterlockedIncrement
0x1012154 InterlockedDecrement
0x1012158 GetACP
0x101215c GetOEMCP
0x1012160 IsValidCodePage
0x1012164 TlsGetValue
0x1012168 TlsAlloc
0x101216c TlsSetValue
0x1012170 TlsFree
0x1012174 SetLastError
0x1012178 UnhandledExceptionFilter
0x101217c SetUnhandledExceptionFilter
0x1012180 IsDebuggerPresent
0x1012184 RaiseException
0x1012188 LCMapStringA
0x101218c LCMapStringW
0x1012190 SetHandleCount
0x1012194 GetStdHandle
0x1012198 GetFileType
0x101219c GetStartupInfoA
0x10121a0 GetModuleFileNameA
0x10121a4 FreeEnvironmentStringsA
0x10121a8 GetEnvironmentStrings
0x10121ac FreeEnvironmentStringsW
0x10121b0 GetEnvironmentStringsW
0x10121b4 HeapCreate
0x10121b8 HeapDestroy
0x10121bc QueryPerformanceCounter
0x10121c0 HeapReAlloc
0x10121c4 GetStringTypeA
0x10121c8 GetStringTypeW
0x10121cc GetLocaleInfoA
0x10121d0 HeapSize
0x10121d4 WriteFile
0x10121d8 RtlUnwind
0x10121dc SetFilePointer
0x10121e0 GetConsoleCP
0x10121e4 GetConsoleMode
0x10121e8 InitializeCriticalSectionAndSpinCount
0x10121ec SetStdHandle
0x10121f0 WriteConsoleA
0x10121f4 GetConsoleOutputCP
0x10121f8 WriteConsoleW
0x10121fc CreateFileA
0x1012200 FlushFileBuffers
0x1012204 VirtualQuery
EAT(Export Address Table) is none