Field | Value
---|---
Created | 2024.08.25 19:05
Machine | s1_win7_x6403
Filename | 66ca202b71c36_HP.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score | Not found
Behavior Score |
ZERO API | file : malware
VT API (file) | 31 detected (AIDetectMalware, Malicious, score, Artemis, Unsafe, Attribute, HighConfidence, GenKryptik, HAKJ, MalwareX, Injuke, UEi0C1aODLJ, Fraud, Gen7, Real Protect, Static AI, Suspicious PE, Vidar, Wacatac, OVS9NP, FakeAlert, Eldorado, Outbreak, YXEHYZ, FalseSign, Gmnw, confidence)
md5 | 867a688580e309ccdbada474210871f1
sha256 | dbbacaf728af45c13e7aa9538090d6795d4fa7ace887d6f0823007a55414a1a1
ssdeep | 393216:T71DEo35RgtqHRk7G2KXFBFz5Rit0CzxsKoyCFS:T711352taCXKXFBF1U7v28
imphash | 48ac2e6aa1adc6ed99ee5e9a09b7a06b
impfuzzy | 24:OcDW1mdeDgYALm18xLl35NBzIqbc0rUA4T5Wn:RMgYALm18xLl3jBzIqbc0rUT5Wn
Signature (29cnts)
Level | Description |
---|---|
danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to create or modify system certificates |
watch | Attempts to identify installed AV products by installation directory |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes a large number of files from the system indicative of ransomware |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | Network activity contains more than one unique useragent |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process attempted to delay the analysis task |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (25cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | bmp_file_format | bmp file format | binaries (download) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (6cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x407000 GetCurrentProcess
0x407004 VirtualAlloc
0x407008 VirtualFree
0x40700c GetProcAddress
0x407010 LoadResource
0x407014 LockResource
0x407018 SizeofResource
0x40701c LoadLibraryA
0x407020 lstrlenA
0x407024 FindResourceA
0x407028 DecodePointer
0x40702c GetModuleHandleExW
0x407030 FreeLibrary
0x407034 ExitProcess
0x407038 VirtualQuery
0x40703c GetStartupInfoW
0x407040 IsDebuggerPresent
0x407044 InitializeSListHead
0x407048 GetCurrentProcessId
0x40704c IsProcessorFeaturePresent
0x407050 TerminateProcess
0x407054 SetUnhandledExceptionFilter
0x407058 UnhandledExceptionFilter
0x40705c DeleteCriticalSection
0x407060 GetModuleHandleW
0x407064 GetSystemTimeAsFileTime
0x407068 InitializeCriticalSectionEx
0x40706c QueryPerformanceCounter
0x407070 QueryPerformanceFrequency
0x407074 Sleep
0x407078 GetCurrentThreadId
msvcrt.dll
0x407080 sin
0x407084 cos
0x407088 _msize
0x40708c ?_set_new_mode@@YAHH@Z
0x407090 _acmdln
0x407094 _ismbblead
0x407098 __getmainargs
0x40709c __set_app_type
0x4070a0 _XcptFilter
0x4070a4 ?terminate@@YAXXZ
0x4070a8 sqrt
0x4070ac _errno
0x4070b0 malloc
0x4070b4 strcpy_s
0x4070b8 _controlfp_s
0x4070bc __p__commode
0x4070c0 _set_fmode
0x4070c4 _initterm_e
0x4070c8 _initterm
0x4070cc free
0x4070d0 rand_s
0x4070d4 _amsg_exit
0x4070d8 _except_handler4_common
0x4070dc memset
0x4070e0 _CxxThrowException
0x4070e4 memcpy
0x4070e8 realloc
0x4070ec __CxxFrameHandler3
EAT (Export Address Table): none