ScreenShot
| Created | 2024.09.03 08:57 | Machine | s1_win7_x6401 |
| Filename | gWsmPty.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | b7e1019218936fc5967b3b3845981231 | ||
| sha256 | ae14896e173be08c6c9ec88f41bf110c20ed9f57dc96a42807198638179e2183 | ||
| ssdeep | 49152:QarQHPJCx4x9MWvruVciMjjnH1LOUTXHOTtV1N+rS/9H60/mrDF2GGNZvHaVI7L:QMQQixuciSHhO8H4UK | ||
| imphash | 66475359b0c2416bb4244ad6de079b92 | ||
| impfuzzy | 24:FIXV41/1bfxOov1cDqcLV5X0Mf5XGe6Zpd:RdbfEic5aWJGewpd | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| watch | Harvests credentials from local FTP client softwares |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (3cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x14027b1a8 RegOpenKeyExW
0x14027b1b0 RegOpenKeyW
0x14027b1b8 RegQueryInfoKeyW
0x14027b1c0 RegQueryMultipleValuesW
0x14027b1c8 RegQueryValueA
0x14027b1d0 RegQueryValueExA
KERNEL32.dll
0x14027b1e0 DeleteCriticalSection
0x14027b1e8 EnterCriticalSection
0x14027b1f0 GetCommandLineA
0x14027b1f8 GetLastError
0x14027b200 GetProcAddress
0x14027b208 GetStartupInfoA
0x14027b210 InitializeCriticalSection
0x14027b218 LeaveCriticalSection
0x14027b220 LoadLibraryA
0x14027b228 SetUnhandledExceptionFilter
0x14027b230 Sleep
0x14027b238 TlsAlloc
0x14027b240 TlsGetValue
0x14027b248 TlsSetValue
0x14027b250 VirtualAlloc
0x14027b258 VirtualFree
0x14027b260 VirtualProtect
0x14027b268 VirtualQuery
msvcrt.dll
0x14027b278 __C_specific_handler
0x14027b280 __initenv
0x14027b288 __set_app_type
0x14027b290 __setusermatherr
0x14027b298 _acmdln
0x14027b2a0 _commode
0x14027b2a8 _fmode
0x14027b2b0 _initterm
0x14027b2b8 _ismbblead
0x14027b2c0 _onexit
0x14027b2c8 abort
0x14027b2d0 calloc
0x14027b2d8 free
0x14027b2e0 memcpy
0x14027b2e8 memset
0x14027b2f0 strncmp
EAT(Export Address Table) is none
ADVAPI32.dll
0x14027b1a8 RegOpenKeyExW
0x14027b1b0 RegOpenKeyW
0x14027b1b8 RegQueryInfoKeyW
0x14027b1c0 RegQueryMultipleValuesW
0x14027b1c8 RegQueryValueA
0x14027b1d0 RegQueryValueExA
KERNEL32.dll
0x14027b1e0 DeleteCriticalSection
0x14027b1e8 EnterCriticalSection
0x14027b1f0 GetCommandLineA
0x14027b1f8 GetLastError
0x14027b200 GetProcAddress
0x14027b208 GetStartupInfoA
0x14027b210 InitializeCriticalSection
0x14027b218 LeaveCriticalSection
0x14027b220 LoadLibraryA
0x14027b228 SetUnhandledExceptionFilter
0x14027b230 Sleep
0x14027b238 TlsAlloc
0x14027b240 TlsGetValue
0x14027b248 TlsSetValue
0x14027b250 VirtualAlloc
0x14027b258 VirtualFree
0x14027b260 VirtualProtect
0x14027b268 VirtualQuery
msvcrt.dll
0x14027b278 __C_specific_handler
0x14027b280 __initenv
0x14027b288 __set_app_type
0x14027b290 __setusermatherr
0x14027b298 _acmdln
0x14027b2a0 _commode
0x14027b2a8 _fmode
0x14027b2b0 _initterm
0x14027b2b8 _ismbblead
0x14027b2c0 _onexit
0x14027b2c8 abort
0x14027b2d0 calloc
0x14027b2d8 free
0x14027b2e0 memcpy
0x14027b2e8 memset
0x14027b2f0 strncmp
EAT(Export Address Table) is none