ScreenShot
| Created | 2024.09.17 13:45 | Machine | s1_win7_x6403 |
| Filename | kg.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 61 detected (Common, Azorult, Malicious, score, VBObfus, Unsafe, Loki, Save, confidence, 100%, Attribute, HighConfidence, high confidence, EPVS, Raccoon, apuh, TrojanPSW, CLASSIC, AGEN, Siggen14, R002C0DIF24, Real Protect, high, Static AI, Suspicious PE, Detected, Malware@#30iocbwx7jvxt, Remcos, Fareit, R582735, GenericRXPO, BScope, Stelega, QQPass, QQRob, Najl, 5nf1S7vBJ2Y, susgen) | ||
| md5 | 1b2cab632cc4fb94652f4237b4f98342 | ||
| sha256 | 895100760e67763505b9cad311be16b533db48d1f2cb28424a98495406220a2f | ||
| ssdeep | 6144:6QkrHG1cslmmRFSBTJeeLGgJsebq9LMguD4M:YrHM/m23eLTzILSD4M | ||
| imphash | fb0fb8edc31fffe9bb05edbac608d5c5 | ||
| impfuzzy | 48:jnj/48q/1wzQwgbgRxl3Yl39piq9f4Tz2FNjWc4MipxmkS1wDDlxDTSwpw8:jnjc/1GQfbgRxluNpiq9fAz2FNjWc4MK | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 61 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| warning | Generates some ICMP traffic |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
Rules (21cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Raccoon_Stealer_1_Zero | Raccoon Stealer | binaries (download) |
| danger | Raccoon_Stealer_1_Zero | Raccoon Stealer | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vba | (no description) | memory |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (20cnts) ?
Suricata ids
ET INFO URL Shortener Service Domain in DNS Lookup (rebrand .ly)
ET INFO Referrer-Policy set to unsafe-url
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Referrer-Policy set to unsafe-url
ET DNS Query to a *.top domain - Likely Hostile
PE API
IAT(Import Address Table) Library
ADVAPI32.DLL
0x401000 RegOpenKeyExW
0x401004 CryptCreateHash
0x401008 CryptDecrypt
0x40100c RegCloseKey
0x401010 CryptAcquireContextW
0x401014 CryptDeriveKey
KERNEL32.DLL
0x40101c VirtualAlloc
0x401020 RtlMoveMemory
0x401024 CloseHandle
0x401028 GetTickCount
0x40102c WriteFile
0x401030 RtlFillMemory
MSVBVM60.DLL
0x401038 _CIcos
0x40103c _adj_fptan
0x401040 __vbaVarMove
0x401044 __vbaVarVargNofree
0x401048 __vbaFreeVar
0x40104c __vbaStrVarMove
0x401050 __vbaFreeVarList
0x401054 _adj_fdiv_m64
0x401058 None
0x40105c _adj_fprem1
0x401060 __vbaStrCat
0x401064 __vbaHresultCheckObj
0x401068 _adj_fdiv_m32
0x40106c __vbaAryDestruct
0x401070 None
0x401074 __vbaObjSet
0x401078 None
0x40107c _adj_fdiv_m16i
0x401080 __vbaObjSetAddref
0x401084 _adj_fdivr_m16i
0x401088 __vbaRefVarAry
0x40108c _CIsin
0x401090 __vbaErase
0x401094 None
0x401098 None
0x40109c __vbaVarZero
0x4010a0 __vbaChkstk
0x4010a4 None
0x4010a8 EVENT_SINK_AddRef
0x4010ac None
0x4010b0 __vbaVarTstEq
0x4010b4 _adj_fpatan
0x4010b8 __vbaRedim
0x4010bc EVENT_SINK_Release
0x4010c0 _CIsqrt
0x4010c4 EVENT_SINK_QueryInterface
0x4010c8 __vbaExceptHandler
0x4010cc _adj_fprem
0x4010d0 _adj_fdivr_m64
0x4010d4 None
0x4010d8 None
0x4010dc __vbaFPException
0x4010e0 None
0x4010e4 __vbaStrVarVal
0x4010e8 __vbaUbound
0x4010ec __vbaVarCat
0x4010f0 None
0x4010f4 _CIlog
0x4010f8 __vbaR8Str
0x4010fc _adj_fdiv_m32i
0x401100 _adj_fdivr_m32i
0x401104 __vbaStrCopy
0x401108 _adj_fdivr_m32
0x40110c _adj_fdiv_r
0x401110 None
0x401114 __vbaI4Var
0x401118 __vbaAryLock
0x40111c __vbaVarDup
0x401120 __vbaVarCopy
0x401124 None
0x401128 None
0x40112c _CIatan
0x401130 __vbaCastObj
0x401134 __vbaStrMove
0x401138 _allmul
0x40113c _CItan
0x401140 None
0x401144 __vbaAryUnlock
0x401148 _CIexp
0x40114c __vbaFreeStr
0x401150 __vbaFreeObj
EAT(Export Address Table) is none
ADVAPI32.DLL
0x401000 RegOpenKeyExW
0x401004 CryptCreateHash
0x401008 CryptDecrypt
0x40100c RegCloseKey
0x401010 CryptAcquireContextW
0x401014 CryptDeriveKey
KERNEL32.DLL
0x40101c VirtualAlloc
0x401020 RtlMoveMemory
0x401024 CloseHandle
0x401028 GetTickCount
0x40102c WriteFile
0x401030 RtlFillMemory
MSVBVM60.DLL
0x401038 _CIcos
0x40103c _adj_fptan
0x401040 __vbaVarMove
0x401044 __vbaVarVargNofree
0x401048 __vbaFreeVar
0x40104c __vbaStrVarMove
0x401050 __vbaFreeVarList
0x401054 _adj_fdiv_m64
0x401058 None
0x40105c _adj_fprem1
0x401060 __vbaStrCat
0x401064 __vbaHresultCheckObj
0x401068 _adj_fdiv_m32
0x40106c __vbaAryDestruct
0x401070 None
0x401074 __vbaObjSet
0x401078 None
0x40107c _adj_fdiv_m16i
0x401080 __vbaObjSetAddref
0x401084 _adj_fdivr_m16i
0x401088 __vbaRefVarAry
0x40108c _CIsin
0x401090 __vbaErase
0x401094 None
0x401098 None
0x40109c __vbaVarZero
0x4010a0 __vbaChkstk
0x4010a4 None
0x4010a8 EVENT_SINK_AddRef
0x4010ac None
0x4010b0 __vbaVarTstEq
0x4010b4 _adj_fpatan
0x4010b8 __vbaRedim
0x4010bc EVENT_SINK_Release
0x4010c0 _CIsqrt
0x4010c4 EVENT_SINK_QueryInterface
0x4010c8 __vbaExceptHandler
0x4010cc _adj_fprem
0x4010d0 _adj_fdivr_m64
0x4010d4 None
0x4010d8 None
0x4010dc __vbaFPException
0x4010e0 None
0x4010e4 __vbaStrVarVal
0x4010e8 __vbaUbound
0x4010ec __vbaVarCat
0x4010f0 None
0x4010f4 _CIlog
0x4010f8 __vbaR8Str
0x4010fc _adj_fdiv_m32i
0x401100 _adj_fdivr_m32i
0x401104 __vbaStrCopy
0x401108 _adj_fdivr_m32
0x40110c _adj_fdiv_r
0x401110 None
0x401114 __vbaI4Var
0x401118 __vbaAryLock
0x40111c __vbaVarDup
0x401120 __vbaVarCopy
0x401124 None
0x401128 None
0x40112c _CIatan
0x401130 __vbaCastObj
0x401134 __vbaStrMove
0x401138 _allmul
0x40113c _CItan
0x401140 None
0x401144 __vbaAryUnlock
0x401148 _CIexp
0x40114c __vbaFreeStr
0x401150 __vbaFreeObj
EAT(Export Address Table) is none