ScreenShot
| Created | 2024.09.17 14:04 | Machine | s1_win7_x6401 |
| Filename | freedom.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 59 detected (AIDetectMalware, Danabot, Malicious, score, Barys, Unsafe, Vdkh, confidence, 100%, GenericKD, DelphGen, Zombie, Windows, Threat, SpywareX, TrojanPSW, krfcbd, Znyonm, 8kNuGtRwuPR, ATRAPS, YXEHYZ, moderate, Static AI, Suspicious PE, Detected, Malware@#drwmldh7j666, ABTrojan, MUQN, R643525, Artemis, GdSda, Gencirc) | ||
| md5 | d6b80519cb7c625d200d2899c345c8c6 | ||
| sha256 | 9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca | ||
| ssdeep | 49152:RNBYHNB+FpvtioVlIhjVocyP1T8C89G89io3LZWMcuEyhtxUssFaTIQ0IHZTQ5:RNKtwFtDVlIhpnyO966LZ0iOblQ0IC | ||
| imphash | 3515998abe0aea14ac46a446bebe93d1 | ||
| impfuzzy | 96:ocOvXVR0MYg2cfprtEjkX19IFbDd3cv1p+TDwPOQqB:occFcCFgDd3U1jPOQqB | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 59 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. |
| watch | Checks the CPU name from registry |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
oleaut32.dll
0x776404 SysFreeString
0x776408 SysReAllocStringLen
0x77640c SysAllocStringLen
advapi32.dll
0x776414 RegQueryValueExW
0x776418 RegOpenKeyExW
0x77641c RegCloseKey
user32.dll
0x776424 CharNextW
0x776428 LoadStringW
kernel32.dll
0x776430 Sleep
0x776434 VirtualFree
0x776438 VirtualAlloc
0x77643c lstrlenW
0x776440 VirtualQuery
0x776444 QueryPerformanceCounter
0x776448 GetTickCount
0x77644c GetSystemInfo
0x776450 GetVersion
0x776454 CompareStringW
0x776458 IsValidLocale
0x77645c SetThreadLocale
0x776460 GetSystemDefaultUILanguage
0x776464 GetUserDefaultUILanguage
0x776468 GetLocaleInfoW
0x77646c WideCharToMultiByte
0x776470 MultiByteToWideChar
0x776474 GetACP
0x776478 LoadLibraryExW
0x77647c GetStartupInfoW
0x776480 GetProcAddress
0x776484 GetModuleHandleW
0x776488 GetModuleFileNameW
0x77648c GetCommandLineW
0x776490 FreeLibrary
0x776494 GetLastError
0x776498 UnhandledExceptionFilter
0x77649c RtlUnwind
0x7764a0 RaiseException
0x7764a4 ExitProcess
0x7764a8 ExitThread
0x7764ac SwitchToThread
0x7764b0 GetCurrentThreadId
0x7764b4 CreateThread
0x7764b8 DeleteCriticalSection
0x7764bc LeaveCriticalSection
0x7764c0 EnterCriticalSection
0x7764c4 InitializeCriticalSection
0x7764c8 FindFirstFileW
0x7764cc FindClose
0x7764d0 WriteFile
0x7764d4 GetStdHandle
0x7764d8 CloseHandle
kernel32.dll
0x7764e0 GetProcAddress
0x7764e4 RaiseException
0x7764e8 LoadLibraryA
0x7764ec GetLastError
0x7764f0 TlsSetValue
0x7764f4 TlsGetValue
0x7764f8 LocalFree
0x7764fc LocalAlloc
0x776500 GetModuleHandleW
0x776504 FreeLibrary
user32.dll
0x77650c PeekMessageW
0x776510 MsgWaitForMultipleObjects
0x776514 MessageBoxW
0x776518 LoadStringW
0x77651c GetSystemMetrics
0x776520 CharUpperBuffW
0x776524 CharUpperW
0x776528 CharLowerBuffW
version.dll
0x776530 VerQueryValueW
0x776534 GetFileVersionInfoSizeW
0x776538 GetFileVersionInfoW
kernel32.dll
0x776540 WriteFile
0x776544 WideCharToMultiByte
0x776548 WaitForSingleObject
0x77654c VirtualQueryEx
0x776550 VirtualQuery
0x776554 VirtualProtect
0x776558 VirtualFree
0x77655c VerSetConditionMask
0x776560 VerifyVersionInfoW
0x776564 UnmapViewOfFile
0x776568 SwitchToThread
0x77656c SuspendThread
0x776570 Sleep
0x776574 SetThreadPriority
0x776578 SetLastError
0x77657c SetFileTime
0x776580 SetFilePointer
0x776584 SetEvent
0x776588 SetEndOfFile
0x77658c ResumeThread
0x776590 ResetEvent
0x776594 ReleaseSemaphore
0x776598 ReadFile
0x77659c RaiseException
0x7765a0 QueryDosDeviceW
0x7765a4 IsDebuggerPresent
0x7765a8 MapViewOfFile
0x7765ac LocalFree
0x7765b0 LoadLibraryA
0x7765b4 LoadLibraryW
0x7765b8 LeaveCriticalSection
0x7765bc IsValidLocale
0x7765c0 InitializeCriticalSection
0x7765c4 HeapSize
0x7765c8 HeapFree
0x7765cc HeapDestroy
0x7765d0 HeapCreate
0x7765d4 HeapAlloc
0x7765d8 GetVolumeInformationW
0x7765dc GetVersionExW
0x7765e0 GetTimeZoneInformation
0x7765e4 GetTickCount
0x7765e8 GetThreadPriority
0x7765ec GetThreadLocale
0x7765f0 GetStdHandle
0x7765f4 GetProcAddress
0x7765f8 GetModuleHandleW
0x7765fc GetModuleFileNameW
0x776600 GetLogicalDrives
0x776604 GetLogicalDriveStringsW
0x776608 GetLocaleInfoW
0x77660c GetLocalTime
0x776610 GetLastError
0x776614 GetFullPathNameW
0x776618 GetFileSize
0x77661c GetFileAttributesExW
0x776620 GetFileAttributesW
0x776624 GetExitCodeThread
0x776628 GetDriveTypeW
0x77662c GetDiskFreeSpaceW
0x776630 GetDateFormatW
0x776634 GetCurrentThreadId
0x776638 GetCurrentThread
0x77663c GetCurrentProcess
0x776640 GetCPInfoExW
0x776644 GetCPInfo
0x776648 GetACP
0x77664c FreeLibrary
0x776650 FormatMessageW
0x776654 FindNextFileW
0x776658 FindFirstFileW
0x77665c FindClose
0x776660 FileTimeToSystemTime
0x776664 FileTimeToLocalFileTime
0x776668 FileTimeToDosDateTime
0x77666c EnumSystemLocalesW
0x776670 EnumCalendarInfoW
0x776674 EnterCriticalSection
0x776678 DeleteCriticalSection
0x77667c CreateSemaphoreA
0x776680 CreateFileMappingW
0x776684 CreateFileW
0x776688 CreateEventA
0x77668c CreateEventW
0x776690 CreateDirectoryW
0x776694 CompareStringW
0x776698 CloseHandle
kernel32.dll
0x7766a0 Sleep
netapi32.dll
0x7766a8 NetApiBufferFree
0x7766ac NetWkstaGetInfo
oleaut32.dll
0x7766b4 SafeArrayPtrOfIndex
0x7766b8 SafeArrayGetUBound
0x7766bc SafeArrayGetLBound
0x7766c0 SafeArrayCreate
0x7766c4 VariantChangeType
0x7766c8 VariantCopy
0x7766cc VariantClear
0x7766d0 VariantInit
msvcrt.dll
0x7766d8 memset
0x7766dc memmove
0x7766e0 memcpy
msvcrt.dll
0x7766e8 _beginthreadex
EAT(Export Address Table) Library
0x7026b8 TMethodImplementationIntercept
0x410248 __dbk_fcall_wrapper
0x77362c dbkFCallWrapperAddr
oleaut32.dll
0x776404 SysFreeString
0x776408 SysReAllocStringLen
0x77640c SysAllocStringLen
advapi32.dll
0x776414 RegQueryValueExW
0x776418 RegOpenKeyExW
0x77641c RegCloseKey
user32.dll
0x776424 CharNextW
0x776428 LoadStringW
kernel32.dll
0x776430 Sleep
0x776434 VirtualFree
0x776438 VirtualAlloc
0x77643c lstrlenW
0x776440 VirtualQuery
0x776444 QueryPerformanceCounter
0x776448 GetTickCount
0x77644c GetSystemInfo
0x776450 GetVersion
0x776454 CompareStringW
0x776458 IsValidLocale
0x77645c SetThreadLocale
0x776460 GetSystemDefaultUILanguage
0x776464 GetUserDefaultUILanguage
0x776468 GetLocaleInfoW
0x77646c WideCharToMultiByte
0x776470 MultiByteToWideChar
0x776474 GetACP
0x776478 LoadLibraryExW
0x77647c GetStartupInfoW
0x776480 GetProcAddress
0x776484 GetModuleHandleW
0x776488 GetModuleFileNameW
0x77648c GetCommandLineW
0x776490 FreeLibrary
0x776494 GetLastError
0x776498 UnhandledExceptionFilter
0x77649c RtlUnwind
0x7764a0 RaiseException
0x7764a4 ExitProcess
0x7764a8 ExitThread
0x7764ac SwitchToThread
0x7764b0 GetCurrentThreadId
0x7764b4 CreateThread
0x7764b8 DeleteCriticalSection
0x7764bc LeaveCriticalSection
0x7764c0 EnterCriticalSection
0x7764c4 InitializeCriticalSection
0x7764c8 FindFirstFileW
0x7764cc FindClose
0x7764d0 WriteFile
0x7764d4 GetStdHandle
0x7764d8 CloseHandle
kernel32.dll
0x7764e0 GetProcAddress
0x7764e4 RaiseException
0x7764e8 LoadLibraryA
0x7764ec GetLastError
0x7764f0 TlsSetValue
0x7764f4 TlsGetValue
0x7764f8 LocalFree
0x7764fc LocalAlloc
0x776500 GetModuleHandleW
0x776504 FreeLibrary
user32.dll
0x77650c PeekMessageW
0x776510 MsgWaitForMultipleObjects
0x776514 MessageBoxW
0x776518 LoadStringW
0x77651c GetSystemMetrics
0x776520 CharUpperBuffW
0x776524 CharUpperW
0x776528 CharLowerBuffW
version.dll
0x776530 VerQueryValueW
0x776534 GetFileVersionInfoSizeW
0x776538 GetFileVersionInfoW
kernel32.dll
0x776540 WriteFile
0x776544 WideCharToMultiByte
0x776548 WaitForSingleObject
0x77654c VirtualQueryEx
0x776550 VirtualQuery
0x776554 VirtualProtect
0x776558 VirtualFree
0x77655c VerSetConditionMask
0x776560 VerifyVersionInfoW
0x776564 UnmapViewOfFile
0x776568 SwitchToThread
0x77656c SuspendThread
0x776570 Sleep
0x776574 SetThreadPriority
0x776578 SetLastError
0x77657c SetFileTime
0x776580 SetFilePointer
0x776584 SetEvent
0x776588 SetEndOfFile
0x77658c ResumeThread
0x776590 ResetEvent
0x776594 ReleaseSemaphore
0x776598 ReadFile
0x77659c RaiseException
0x7765a0 QueryDosDeviceW
0x7765a4 IsDebuggerPresent
0x7765a8 MapViewOfFile
0x7765ac LocalFree
0x7765b0 LoadLibraryA
0x7765b4 LoadLibraryW
0x7765b8 LeaveCriticalSection
0x7765bc IsValidLocale
0x7765c0 InitializeCriticalSection
0x7765c4 HeapSize
0x7765c8 HeapFree
0x7765cc HeapDestroy
0x7765d0 HeapCreate
0x7765d4 HeapAlloc
0x7765d8 GetVolumeInformationW
0x7765dc GetVersionExW
0x7765e0 GetTimeZoneInformation
0x7765e4 GetTickCount
0x7765e8 GetThreadPriority
0x7765ec GetThreadLocale
0x7765f0 GetStdHandle
0x7765f4 GetProcAddress
0x7765f8 GetModuleHandleW
0x7765fc GetModuleFileNameW
0x776600 GetLogicalDrives
0x776604 GetLogicalDriveStringsW
0x776608 GetLocaleInfoW
0x77660c GetLocalTime
0x776610 GetLastError
0x776614 GetFullPathNameW
0x776618 GetFileSize
0x77661c GetFileAttributesExW
0x776620 GetFileAttributesW
0x776624 GetExitCodeThread
0x776628 GetDriveTypeW
0x77662c GetDiskFreeSpaceW
0x776630 GetDateFormatW
0x776634 GetCurrentThreadId
0x776638 GetCurrentThread
0x77663c GetCurrentProcess
0x776640 GetCPInfoExW
0x776644 GetCPInfo
0x776648 GetACP
0x77664c FreeLibrary
0x776650 FormatMessageW
0x776654 FindNextFileW
0x776658 FindFirstFileW
0x77665c FindClose
0x776660 FileTimeToSystemTime
0x776664 FileTimeToLocalFileTime
0x776668 FileTimeToDosDateTime
0x77666c EnumSystemLocalesW
0x776670 EnumCalendarInfoW
0x776674 EnterCriticalSection
0x776678 DeleteCriticalSection
0x77667c CreateSemaphoreA
0x776680 CreateFileMappingW
0x776684 CreateFileW
0x776688 CreateEventA
0x77668c CreateEventW
0x776690 CreateDirectoryW
0x776694 CompareStringW
0x776698 CloseHandle
kernel32.dll
0x7766a0 Sleep
netapi32.dll
0x7766a8 NetApiBufferFree
0x7766ac NetWkstaGetInfo
oleaut32.dll
0x7766b4 SafeArrayPtrOfIndex
0x7766b8 SafeArrayGetUBound
0x7766bc SafeArrayGetLBound
0x7766c0 SafeArrayCreate
0x7766c4 VariantChangeType
0x7766c8 VariantCopy
0x7766cc VariantClear
0x7766d0 VariantInit
msvcrt.dll
0x7766d8 memset
0x7766dc memmove
0x7766e0 memcpy
msvcrt.dll
0x7766e8 _beginthreadex
EAT(Export Address Table) Library
0x7026b8 TMethodImplementationIntercept
0x410248 __dbk_fcall_wrapper
0x77362c dbkFCallWrapperAddr