ScreenShot
| Created | 2024.09.05 15:44 | Machine | s1_win7_x6403 |
| Filename | nothirdparty.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 13 detected (AIDetectMalware, Malicious, score, Unsafe, GenKryptik, HBCU, PWSX, Stealerc, TMnDwSQCAFN, Static AI, Suspicious PE, ZexaF, @t3@aC56ngfO, BScope, Stealc, confidence) | ||
| md5 | 06b14e682a491946aac19067e8a30d32 | ||
| sha256 | c1ad65f3412b70e4f5d5c1747cc45ae3d2f3eb86da88dff7ca530d1ddd76663d | ||
| ssdeep | 393216:/9IRqB1AuA1GAgM3tIJv2V514jC1CxVH1ZO8wsP:1IRqBBANdG2V5uj+Ajl7P | ||
| imphash | 3c33e8bcd37cc0559eb4b90aa9e2ed2e | ||
| impfuzzy | 48:AXUrALJwIpxfPYLZ1O5l16r0c0rFxpnxiHeqVPTf:AXUrALJwIpxfPYLLO5/6+p8+qVPTf | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| watch | Attempts to identify installed AV products by installation directory |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Deletes a large number of files from the system indicative of ransomware |
| watch | File has been identified by 13 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local FTP client softwares |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (27cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| info | anti_dbg | Checks if being debugged | memory |
| info | bmp_file_format | bmp file format | binaries (download) |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | JPEG_Format_Zero | JPEG Format | binaries (download) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (4cnts) ?
Suricata ids
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40f000 GetCurrentProcess
0x40f004 VirtualAlloc
0x40f008 VirtualFree
0x40f00c GetModuleHandleA
0x40f010 GetProcAddress
0x40f014 LoadResource
0x40f018 LockResource
0x40f01c SizeofResource
0x40f020 lstrlenA
0x40f024 FindResourceA
0x40f028 LCIDToLocaleName
0x40f02c VirtualQuery
0x40f030 GetModuleHandleExW
0x40f034 FreeLibrary
0x40f038 GetStartupInfoW
0x40f03c IsDebuggerPresent
0x40f040 InitializeSListHead
0x40f044 GetCurrentProcessId
0x40f048 IsProcessorFeaturePresent
0x40f04c TerminateProcess
0x40f050 SetUnhandledExceptionFilter
0x40f054 UnhandledExceptionFilter
0x40f058 GetLocaleInfoEx
0x40f05c LCMapStringEx
0x40f060 ExitProcess
0x40f064 WideCharToMultiByte
0x40f068 MultiByteToWideChar
0x40f06c DecodePointer
0x40f070 EncodePointer
0x40f074 GetModuleHandleW
0x40f078 GetSystemTimeAsFileTime
0x40f07c DeleteCriticalSection
0x40f080 InitializeCriticalSectionEx
0x40f084 LeaveCriticalSection
0x40f088 EnterCriticalSection
0x40f08c GetCurrentThreadId
0x40f090 Sleep
0x40f094 QueryPerformanceFrequency
0x40f098 QueryPerformanceCounter
ole32.dll
0x40f18c CoSetProxyBlanket
0x40f190 CoInitializeSecurity
0x40f194 CoInitializeEx
0x40f198 CoUninitialize
0x40f19c CoCreateInstance
OLEAUT32.dll
0x40f0a0 SysFreeString
0x40f0a4 SysAllocString
msvcrt.dll
0x40f0ac ?terminate@@YAXXZ
0x40f0b0 _XcptFilter
0x40f0b4 __set_app_type
0x40f0b8 __getmainargs
0x40f0bc _ismbblead
0x40f0c0 _acmdln
0x40f0c4 ?_set_new_mode@@YAHH@Z
0x40f0c8 _msize
0x40f0cc cos
0x40f0d0 sin
0x40f0d4 _isatty
0x40f0d8 _fileno
0x40f0dc _iob
0x40f0e0 ___lc_handle_func
0x40f0e4 _unlock
0x40f0e8 _lock
0x40f0ec sqrt
0x40f0f0 strcpy_s
0x40f0f4 _controlfp_s
0x40f0f8 __p__commode
0x40f0fc _set_fmode
0x40f100 _initterm_e
0x40f104 _initterm
0x40f108 _callnewh
0x40f10c __strncnt
0x40f110 _errno
0x40f114 realloc
0x40f118 abort
0x40f11c ungetc
0x40f120 setvbuf
0x40f124 _fseeki64
0x40f128 fsetpos
0x40f12c fread
0x40f130 fgetpos
0x40f134 fgetc
0x40f138 fflush
0x40f13c fclose
0x40f140 rand_s
0x40f144 islower
0x40f148 _wcsdup
0x40f14c calloc
0x40f150 ___lc_codepage_func
0x40f154 isupper
0x40f158 __pctype_func
0x40f15c malloc
0x40f160 free
0x40f164 _amsg_exit
0x40f168 _except_handler4_common
0x40f16c memset
0x40f170 memmove
0x40f174 memcpy
0x40f178 __CxxFrameHandler3
0x40f17c _CxxThrowException
0x40f180 strchr
0x40f184 wcsrchr
EAT(Export Address Table) is none
KERNEL32.dll
0x40f000 GetCurrentProcess
0x40f004 VirtualAlloc
0x40f008 VirtualFree
0x40f00c GetModuleHandleA
0x40f010 GetProcAddress
0x40f014 LoadResource
0x40f018 LockResource
0x40f01c SizeofResource
0x40f020 lstrlenA
0x40f024 FindResourceA
0x40f028 LCIDToLocaleName
0x40f02c VirtualQuery
0x40f030 GetModuleHandleExW
0x40f034 FreeLibrary
0x40f038 GetStartupInfoW
0x40f03c IsDebuggerPresent
0x40f040 InitializeSListHead
0x40f044 GetCurrentProcessId
0x40f048 IsProcessorFeaturePresent
0x40f04c TerminateProcess
0x40f050 SetUnhandledExceptionFilter
0x40f054 UnhandledExceptionFilter
0x40f058 GetLocaleInfoEx
0x40f05c LCMapStringEx
0x40f060 ExitProcess
0x40f064 WideCharToMultiByte
0x40f068 MultiByteToWideChar
0x40f06c DecodePointer
0x40f070 EncodePointer
0x40f074 GetModuleHandleW
0x40f078 GetSystemTimeAsFileTime
0x40f07c DeleteCriticalSection
0x40f080 InitializeCriticalSectionEx
0x40f084 LeaveCriticalSection
0x40f088 EnterCriticalSection
0x40f08c GetCurrentThreadId
0x40f090 Sleep
0x40f094 QueryPerformanceFrequency
0x40f098 QueryPerformanceCounter
ole32.dll
0x40f18c CoSetProxyBlanket
0x40f190 CoInitializeSecurity
0x40f194 CoInitializeEx
0x40f198 CoUninitialize
0x40f19c CoCreateInstance
OLEAUT32.dll
0x40f0a0 SysFreeString
0x40f0a4 SysAllocString
msvcrt.dll
0x40f0ac ?terminate@@YAXXZ
0x40f0b0 _XcptFilter
0x40f0b4 __set_app_type
0x40f0b8 __getmainargs
0x40f0bc _ismbblead
0x40f0c0 _acmdln
0x40f0c4 ?_set_new_mode@@YAHH@Z
0x40f0c8 _msize
0x40f0cc cos
0x40f0d0 sin
0x40f0d4 _isatty
0x40f0d8 _fileno
0x40f0dc _iob
0x40f0e0 ___lc_handle_func
0x40f0e4 _unlock
0x40f0e8 _lock
0x40f0ec sqrt
0x40f0f0 strcpy_s
0x40f0f4 _controlfp_s
0x40f0f8 __p__commode
0x40f0fc _set_fmode
0x40f100 _initterm_e
0x40f104 _initterm
0x40f108 _callnewh
0x40f10c __strncnt
0x40f110 _errno
0x40f114 realloc
0x40f118 abort
0x40f11c ungetc
0x40f120 setvbuf
0x40f124 _fseeki64
0x40f128 fsetpos
0x40f12c fread
0x40f130 fgetpos
0x40f134 fgetc
0x40f138 fflush
0x40f13c fclose
0x40f140 rand_s
0x40f144 islower
0x40f148 _wcsdup
0x40f14c calloc
0x40f150 ___lc_codepage_func
0x40f154 isupper
0x40f158 __pctype_func
0x40f15c malloc
0x40f160 free
0x40f164 _amsg_exit
0x40f168 _except_handler4_common
0x40f16c memset
0x40f170 memmove
0x40f174 memcpy
0x40f178 __CxxFrameHandler3
0x40f17c _CxxThrowException
0x40f180 strchr
0x40f184 wcsrchr
EAT(Export Address Table) is none