ScreenShot
| Created | 2024.09.19 10:27 | Machine | s1_win7_x6401 |
| Filename | 231.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 39 detected (AIDetectMalware, Penguish, Artemis, Vgbw, grayware, confidence, aaagcn, SECTOPRAT, YXEIDZ, Wacatac, S4JVPL@susp, MALICIOUS, FalseSign, Lcnw, susgen) | ||
| md5 | 4fa734db8e9f7ce5ecd217b34ecc6969 | ||
| sha256 | f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b | ||
| ssdeep | 196608:FfhVx6cyJczra+6msUjFD8rXPLJy5rRUlXmBPzLMAoUsJBK7iskeDqQ7poZ:FfrABJq2+6mnD8b9y9RU8zLMAoUsJBKK | ||
| imphash | 40ab50289f7ef5fae60801f88d4541fc | ||
| impfuzzy | 96:oQkHWhNbJj7t9X13bz9Yhr8X5alVNb73JFO:n0WXX9FrBCIkrNbbrO | ||
Network IP location
Signature (29cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
| watch | A process attempted to delay the analysis task. |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| watch | Detects the presence of Wine emulator |
| watch | Harvests credentials from local FTP client softwares |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (34cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| warning | NSIS_Installer | Null Soft Installer | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Javascript_Blob | use blob(Binary Large Objec) javascript | binaries (download) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | DllRegisterServer_Zero | execute regsvr32.exe | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
| info | mzp_file_format | MZP(Delphi) file format | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PNG_Format_Zero | PNG Format | binaries (download) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity
ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init
ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)
ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init
ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)
PE API
IAT(Import Address Table) Library
kernel32.dll
0x4b52d4 GetACP
0x4b52d8 GetExitCodeProcess
0x4b52dc CloseHandle
0x4b52e0 LocalFree
0x4b52e4 SizeofResource
0x4b52e8 VirtualProtect
0x4b52ec QueryPerformanceFrequency
0x4b52f0 VirtualFree
0x4b52f4 GetFullPathNameW
0x4b52f8 GetProcessHeap
0x4b52fc ExitProcess
0x4b5300 HeapAlloc
0x4b5304 GetCPInfoExW
0x4b5308 RtlUnwind
0x4b530c GetCPInfo
0x4b5310 GetStdHandle
0x4b5314 GetModuleHandleW
0x4b5318 FreeLibrary
0x4b531c HeapDestroy
0x4b5320 ReadFile
0x4b5324 CreateProcessW
0x4b5328 GetLastError
0x4b532c GetModuleFileNameW
0x4b5330 SetLastError
0x4b5334 FindResourceW
0x4b5338 CreateThread
0x4b533c CompareStringW
0x4b5340 LoadLibraryA
0x4b5344 ResetEvent
0x4b5348 GetVolumeInformationW
0x4b534c GetVersion
0x4b5350 GetDriveTypeW
0x4b5354 RaiseException
0x4b5358 FormatMessageW
0x4b535c SwitchToThread
0x4b5360 GetExitCodeThread
0x4b5364 GetCurrentThread
0x4b5368 LoadLibraryExW
0x4b536c LockResource
0x4b5370 GetCurrentThreadId
0x4b5374 UnhandledExceptionFilter
0x4b5378 VirtualQuery
0x4b537c VirtualQueryEx
0x4b5380 Sleep
0x4b5384 EnterCriticalSection
0x4b5388 SetFilePointer
0x4b538c LoadResource
0x4b5390 SuspendThread
0x4b5394 GetTickCount
0x4b5398 GetFileSize
0x4b539c GetStartupInfoW
0x4b53a0 GetFileAttributesW
0x4b53a4 InitializeCriticalSection
0x4b53a8 GetSystemWindowsDirectoryW
0x4b53ac GetThreadPriority
0x4b53b0 SetThreadPriority
0x4b53b4 GetCurrentProcess
0x4b53b8 VirtualAlloc
0x4b53bc GetCommandLineW
0x4b53c0 GetSystemInfo
0x4b53c4 LeaveCriticalSection
0x4b53c8 GetProcAddress
0x4b53cc ResumeThread
0x4b53d0 GetVersionExW
0x4b53d4 VerifyVersionInfoW
0x4b53d8 HeapCreate
0x4b53dc GetWindowsDirectoryW
0x4b53e0 LCMapStringW
0x4b53e4 VerSetConditionMask
0x4b53e8 GetDiskFreeSpaceW
0x4b53ec FindFirstFileW
0x4b53f0 GetUserDefaultUILanguage
0x4b53f4 lstrlenW
0x4b53f8 QueryPerformanceCounter
0x4b53fc SetEndOfFile
0x4b5400 HeapFree
0x4b5404 WideCharToMultiByte
0x4b5408 FindClose
0x4b540c MultiByteToWideChar
0x4b5410 LoadLibraryW
0x4b5414 SetEvent
0x4b5418 CreateFileW
0x4b541c GetLocaleInfoW
0x4b5420 GetSystemDirectoryW
0x4b5424 DeleteFileW
0x4b5428 GetLocalTime
0x4b542c GetEnvironmentVariableW
0x4b5430 WaitForSingleObject
0x4b5434 WriteFile
0x4b5438 ExitThread
0x4b543c DeleteCriticalSection
0x4b5440 TlsGetValue
0x4b5444 GetDateFormatW
0x4b5448 SetErrorMode
0x4b544c IsValidLocale
0x4b5450 TlsSetValue
0x4b5454 CreateDirectoryW
0x4b5458 GetSystemDefaultUILanguage
0x4b545c EnumCalendarInfoW
0x4b5460 LocalAlloc
0x4b5464 GetUserDefaultLangID
0x4b5468 RemoveDirectoryW
0x4b546c CreateEventW
0x4b5470 SetThreadLocale
0x4b5474 GetThreadLocale
comctl32.dll
0x4b547c InitCommonControls
user32.dll
0x4b5484 CreateWindowExW
0x4b5488 TranslateMessage
0x4b548c CharLowerBuffW
0x4b5490 CallWindowProcW
0x4b5494 CharUpperW
0x4b5498 PeekMessageW
0x4b549c GetSystemMetrics
0x4b54a0 SetWindowLongW
0x4b54a4 MessageBoxW
0x4b54a8 DestroyWindow
0x4b54ac CharUpperBuffW
0x4b54b0 CharNextW
0x4b54b4 MsgWaitForMultipleObjects
0x4b54b8 LoadStringW
0x4b54bc ExitWindowsEx
0x4b54c0 DispatchMessageW
oleaut32.dll
0x4b54c8 SysAllocStringLen
0x4b54cc SafeArrayPtrOfIndex
0x4b54d0 VariantCopy
0x4b54d4 SafeArrayGetLBound
0x4b54d8 SafeArrayGetUBound
0x4b54dc VariantInit
0x4b54e0 VariantClear
0x4b54e4 SysFreeString
0x4b54e8 SysReAllocStringLen
0x4b54ec VariantChangeType
0x4b54f0 SafeArrayCreate
advapi32.dll
0x4b54f8 ConvertStringSecurityDescriptorToSecurityDescriptorW
0x4b54fc OpenThreadToken
0x4b5500 AdjustTokenPrivileges
0x4b5504 LookupPrivilegeValueW
0x4b5508 RegOpenKeyExW
0x4b550c OpenProcessToken
0x4b5510 FreeSid
0x4b5514 AllocateAndInitializeSid
0x4b5518 EqualSid
0x4b551c RegQueryValueExW
0x4b5520 GetTokenInformation
0x4b5524 ConvertSidToStringSidW
0x4b5528 RegCloseKey
EAT(Export Address Table) Library
0x40fc10 __dbk_fcall_wrapper
0x4b063c dbkFCallWrapperAddr
kernel32.dll
0x4b52d4 GetACP
0x4b52d8 GetExitCodeProcess
0x4b52dc CloseHandle
0x4b52e0 LocalFree
0x4b52e4 SizeofResource
0x4b52e8 VirtualProtect
0x4b52ec QueryPerformanceFrequency
0x4b52f0 VirtualFree
0x4b52f4 GetFullPathNameW
0x4b52f8 GetProcessHeap
0x4b52fc ExitProcess
0x4b5300 HeapAlloc
0x4b5304 GetCPInfoExW
0x4b5308 RtlUnwind
0x4b530c GetCPInfo
0x4b5310 GetStdHandle
0x4b5314 GetModuleHandleW
0x4b5318 FreeLibrary
0x4b531c HeapDestroy
0x4b5320 ReadFile
0x4b5324 CreateProcessW
0x4b5328 GetLastError
0x4b532c GetModuleFileNameW
0x4b5330 SetLastError
0x4b5334 FindResourceW
0x4b5338 CreateThread
0x4b533c CompareStringW
0x4b5340 LoadLibraryA
0x4b5344 ResetEvent
0x4b5348 GetVolumeInformationW
0x4b534c GetVersion
0x4b5350 GetDriveTypeW
0x4b5354 RaiseException
0x4b5358 FormatMessageW
0x4b535c SwitchToThread
0x4b5360 GetExitCodeThread
0x4b5364 GetCurrentThread
0x4b5368 LoadLibraryExW
0x4b536c LockResource
0x4b5370 GetCurrentThreadId
0x4b5374 UnhandledExceptionFilter
0x4b5378 VirtualQuery
0x4b537c VirtualQueryEx
0x4b5380 Sleep
0x4b5384 EnterCriticalSection
0x4b5388 SetFilePointer
0x4b538c LoadResource
0x4b5390 SuspendThread
0x4b5394 GetTickCount
0x4b5398 GetFileSize
0x4b539c GetStartupInfoW
0x4b53a0 GetFileAttributesW
0x4b53a4 InitializeCriticalSection
0x4b53a8 GetSystemWindowsDirectoryW
0x4b53ac GetThreadPriority
0x4b53b0 SetThreadPriority
0x4b53b4 GetCurrentProcess
0x4b53b8 VirtualAlloc
0x4b53bc GetCommandLineW
0x4b53c0 GetSystemInfo
0x4b53c4 LeaveCriticalSection
0x4b53c8 GetProcAddress
0x4b53cc ResumeThread
0x4b53d0 GetVersionExW
0x4b53d4 VerifyVersionInfoW
0x4b53d8 HeapCreate
0x4b53dc GetWindowsDirectoryW
0x4b53e0 LCMapStringW
0x4b53e4 VerSetConditionMask
0x4b53e8 GetDiskFreeSpaceW
0x4b53ec FindFirstFileW
0x4b53f0 GetUserDefaultUILanguage
0x4b53f4 lstrlenW
0x4b53f8 QueryPerformanceCounter
0x4b53fc SetEndOfFile
0x4b5400 HeapFree
0x4b5404 WideCharToMultiByte
0x4b5408 FindClose
0x4b540c MultiByteToWideChar
0x4b5410 LoadLibraryW
0x4b5414 SetEvent
0x4b5418 CreateFileW
0x4b541c GetLocaleInfoW
0x4b5420 GetSystemDirectoryW
0x4b5424 DeleteFileW
0x4b5428 GetLocalTime
0x4b542c GetEnvironmentVariableW
0x4b5430 WaitForSingleObject
0x4b5434 WriteFile
0x4b5438 ExitThread
0x4b543c DeleteCriticalSection
0x4b5440 TlsGetValue
0x4b5444 GetDateFormatW
0x4b5448 SetErrorMode
0x4b544c IsValidLocale
0x4b5450 TlsSetValue
0x4b5454 CreateDirectoryW
0x4b5458 GetSystemDefaultUILanguage
0x4b545c EnumCalendarInfoW
0x4b5460 LocalAlloc
0x4b5464 GetUserDefaultLangID
0x4b5468 RemoveDirectoryW
0x4b546c CreateEventW
0x4b5470 SetThreadLocale
0x4b5474 GetThreadLocale
comctl32.dll
0x4b547c InitCommonControls
user32.dll
0x4b5484 CreateWindowExW
0x4b5488 TranslateMessage
0x4b548c CharLowerBuffW
0x4b5490 CallWindowProcW
0x4b5494 CharUpperW
0x4b5498 PeekMessageW
0x4b549c GetSystemMetrics
0x4b54a0 SetWindowLongW
0x4b54a4 MessageBoxW
0x4b54a8 DestroyWindow
0x4b54ac CharUpperBuffW
0x4b54b0 CharNextW
0x4b54b4 MsgWaitForMultipleObjects
0x4b54b8 LoadStringW
0x4b54bc ExitWindowsEx
0x4b54c0 DispatchMessageW
oleaut32.dll
0x4b54c8 SysAllocStringLen
0x4b54cc SafeArrayPtrOfIndex
0x4b54d0 VariantCopy
0x4b54d4 SafeArrayGetLBound
0x4b54d8 SafeArrayGetUBound
0x4b54dc VariantInit
0x4b54e0 VariantClear
0x4b54e4 SysFreeString
0x4b54e8 SysReAllocStringLen
0x4b54ec VariantChangeType
0x4b54f0 SafeArrayCreate
advapi32.dll
0x4b54f8 ConvertStringSecurityDescriptorToSecurityDescriptorW
0x4b54fc OpenThreadToken
0x4b5500 AdjustTokenPrivileges
0x4b5504 LookupPrivilegeValueW
0x4b5508 RegOpenKeyExW
0x4b550c OpenProcessToken
0x4b5510 FreeSid
0x4b5514 AllocateAndInitializeSid
0x4b5518 EqualSid
0x4b551c RegQueryValueExW
0x4b5520 GetTokenInformation
0x4b5524 ConvertSidToStringSidW
0x4b5528 RegCloseKey
EAT(Export Address Table) Library
0x40fc10 __dbk_fcall_wrapper
0x4b063c dbkFCallWrapperAddr