ScreenShot
Created | 2024.09.03 09:06 | Machine | s1_win7_x6403 |
Filename | sWsmPty.exe | ||
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 48 detected (AIDetectMalware, SleepObf, malicious, high confidence, score, Qakbot, GenericKD, Unsafe, Kryptik, Vyf6, Attribute, HighConfidence, Artemis, CrypterX, CLOUD, gnqru, GenKD, Detected, ai score=81, Wacatac, Casdet, R664519, Outbreak, Bdhl, confidence, B9nj) | ||
md5 | 478124644da5f82d2c803238a413cd96 | ||
sha256 | 33083ee177bd4115c68c1ef987ab692855fbd1b621a852239a125a32a8775d1f | ||
ssdeep | 49152:HbbLnamXhOeAUFyHeZNIsx/h8MZlzYJON6mnsoi874bNO5t7J:mUnZHz | ||
imphash | 45139a94dafe252fbbb16ac605dbb6f7 | ||
impfuzzy | 12:omhRmhR9EZ1ORJRxOovLJcDn5ARZqRLAYPXJDCqV0MH/5XGXgEG6eGJNJmo:FG41+fxOov1cDqcLV5X0Mf5XGe6Zpd |
Network IP location
Signature (9cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local FTP client softwares |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (3cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x140262190 RegQueryMultipleValuesA
0x140262198 RegQueryMultipleValuesW
0x1402621a0 RegQueryValueA
KERNEL32.dll
0x1402621b0 DeleteCriticalSection
0x1402621b8 EnterCriticalSection
0x1402621c0 GetCommandLineA
0x1402621c8 GetLastError
0x1402621d0 GetProcAddress
0x1402621d8 GetStartupInfoA
0x1402621e0 InitializeCriticalSection
0x1402621e8 LeaveCriticalSection
0x1402621f0 LoadLibraryA
0x1402621f8 SetUnhandledExceptionFilter
0x140262200 Sleep
0x140262208 TlsAlloc
0x140262210 TlsGetValue
0x140262218 TlsSetValue
0x140262220 VirtualAlloc
0x140262228 VirtualFree
0x140262230 VirtualProtect
0x140262238 VirtualQuery
msvcrt.dll
0x140262248 __C_specific_handler
0x140262250 __initenv
0x140262258 __set_app_type
0x140262260 __setusermatherr
0x140262268 _acmdln
0x140262270 _commode
0x140262278 _fmode
0x140262280 _initterm
0x140262288 _ismbblead
0x140262290 _onexit
0x140262298 abort
0x1402622a0 calloc
0x1402622a8 free
0x1402622b0 memcpy
0x1402622b8 memset
0x1402622c0 strncmp
EAT(Export Address Table) is none
ADVAPI32.dll
0x140262190 RegQueryMultipleValuesA
0x140262198 RegQueryMultipleValuesW
0x1402621a0 RegQueryValueA
KERNEL32.dll
0x1402621b0 DeleteCriticalSection
0x1402621b8 EnterCriticalSection
0x1402621c0 GetCommandLineA
0x1402621c8 GetLastError
0x1402621d0 GetProcAddress
0x1402621d8 GetStartupInfoA
0x1402621e0 InitializeCriticalSection
0x1402621e8 LeaveCriticalSection
0x1402621f0 LoadLibraryA
0x1402621f8 SetUnhandledExceptionFilter
0x140262200 Sleep
0x140262208 TlsAlloc
0x140262210 TlsGetValue
0x140262218 TlsSetValue
0x140262220 VirtualAlloc
0x140262228 VirtualFree
0x140262230 VirtualProtect
0x140262238 VirtualQuery
msvcrt.dll
0x140262248 __C_specific_handler
0x140262250 __initenv
0x140262258 __set_app_type
0x140262260 __setusermatherr
0x140262268 _acmdln
0x140262270 _commode
0x140262278 _fmode
0x140262280 _initterm
0x140262288 _ismbblead
0x140262290 _onexit
0x140262298 abort
0x1402622a0 calloc
0x1402622a8 free
0x1402622b0 memcpy
0x1402622b8 memset
0x1402622c0 strncmp
EAT(Export Address Table) is none