ScreenShot
| Created | 2024.09.22 17:45 | Machine | s1_win7_x6401 |
| Filename | Microsoft.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 39 detected (AIDetectMalware, Malicious, score, GenericKD, Unsafe, Vdo8, confidence, Attribute, HighConfidence, moderate confidence, MalwareX, CLOUD, zessz, Detected, Wacatac, R667674, Artemis, Ekjl, susgen) | ||
| md5 | 96f6cb8e78692f8bff528da76bfde919 | ||
| sha256 | 94b0cc15820061feae57ffc9e46f4c07f9023659b4ca2dfd105802d843b4c0d3 | ||
| ssdeep | 6144:omUZYwNIRcCdh4vVgCAoyXILAkAyQX+wWNsBUh5gzp00NRhMohYUia5QvjkeQW9:bUeDsyqy4c1XrGEjnCOIHQW9 | ||
| imphash | 6c12c5930132fe5d268e288ffe84a207 | ||
| impfuzzy | 48:mLsfCl19cQsXF4exRJGV6Jlkoqa6hhOhk:wsfCl19cQsXF4exRJGElRqayAhk | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the CPU name from registry |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Creates a suspicious process |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Starts servers listening |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (3cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x40a3d8 AllocateAndInitializeSid
0x40a3e0 CheckTokenMembership
0x40a3e8 FreeSid
0x40a3f0 RegCloseKey
0x40a3f8 RegOpenKeyExA
0x40a400 RegQueryValueExA
CRYPT32.dll
0x40a410 CryptBinaryToStringA
KERNEL32.dll
0x40a420 CloseHandle
0x40a428 CopyFileA
0x40a430 CreateThread
0x40a438 CreateToolhelp32Snapshot
0x40a440 DeleteCriticalSection
0x40a448 EnterCriticalSection
0x40a450 ExitProcess
0x40a458 GetComputerNameA
0x40a460 GetCurrentProcess
0x40a468 GetCurrentProcessId
0x40a470 GetCurrentThreadId
0x40a478 GetLastError
0x40a480 GetModuleFileNameA
0x40a488 GetModuleHandleW
0x40a490 GetProcAddress
0x40a498 GetStartupInfoA
0x40a4a0 GetSystemInfo
0x40a4a8 GetSystemTimeAsFileTime
0x40a4b0 GetTempPathA
0x40a4b8 GetTickCount
0x40a4c0 GlobalMemoryStatusEx
0x40a4c8 InitializeCriticalSection
0x40a4d0 LeaveCriticalSection
0x40a4d8 Process32First
0x40a4e0 Process32Next
0x40a4e8 QueryPerformanceCounter
0x40a4f0 RtlAddFunctionTable
0x40a4f8 RtlCaptureContext
0x40a500 RtlLookupFunctionEntry
0x40a508 RtlVirtualUnwind
0x40a510 SetConsoleCP
0x40a518 SetConsoleOutputCP
0x40a520 SetThreadExecutionState
0x40a528 SetUnhandledExceptionFilter
0x40a530 Sleep
0x40a538 TerminateProcess
0x40a540 TlsGetValue
0x40a548 UnhandledExceptionFilter
0x40a550 VirtualProtect
0x40a558 VirtualQuery
0x40a560 WaitForSingleObject
msvcrt.dll
0x40a570 __C_specific_handler
0x40a578 __getmainargs
0x40a580 __initenv
0x40a588 __iob_func
0x40a590 __lconv_init
0x40a598 __set_app_type
0x40a5a0 __setusermatherr
0x40a5a8 _acmdln
0x40a5b0 _amsg_exit
0x40a5b8 _cexit
0x40a5c0 _fmode
0x40a5c8 _initterm
0x40a5d0 _onexit
0x40a5d8 _stricmp
0x40a5e0 _vsnprintf
0x40a5e8 abort
0x40a5f0 atoi
0x40a5f8 calloc
0x40a600 exit
0x40a608 fprintf
0x40a610 free
0x40a618 fwrite
0x40a620 malloc
0x40a628 memcpy
0x40a630 memset
0x40a638 printf
0x40a640 puts
0x40a648 setlocale
0x40a650 signal
0x40a658 sprintf
0x40a660 strlen
0x40a668 strncmp
0x40a670 strncpy
0x40a678 strstr
0x40a680 swprintf_s
0x40a688 vfprintf
0x40a690 wprintf
SHELL32.dll
0x40a6a0 ShellExecuteA
0x40a6a8 ShellExecuteExA
SHLWAPI.dll
0x40a6b8 PathAppendA
WINHTTP.dll
0x40a6c8 WinHttpCloseHandle
0x40a6d0 WinHttpConnect
0x40a6d8 WinHttpOpen
0x40a6e0 WinHttpOpenRequest
0x40a6e8 WinHttpQueryDataAvailable
0x40a6f0 WinHttpReadData
0x40a6f8 WinHttpReceiveResponse
0x40a700 WinHttpSendRequest
EAT(Export Address Table) is none
ADVAPI32.dll
0x40a3d8 AllocateAndInitializeSid
0x40a3e0 CheckTokenMembership
0x40a3e8 FreeSid
0x40a3f0 RegCloseKey
0x40a3f8 RegOpenKeyExA
0x40a400 RegQueryValueExA
CRYPT32.dll
0x40a410 CryptBinaryToStringA
KERNEL32.dll
0x40a420 CloseHandle
0x40a428 CopyFileA
0x40a430 CreateThread
0x40a438 CreateToolhelp32Snapshot
0x40a440 DeleteCriticalSection
0x40a448 EnterCriticalSection
0x40a450 ExitProcess
0x40a458 GetComputerNameA
0x40a460 GetCurrentProcess
0x40a468 GetCurrentProcessId
0x40a470 GetCurrentThreadId
0x40a478 GetLastError
0x40a480 GetModuleFileNameA
0x40a488 GetModuleHandleW
0x40a490 GetProcAddress
0x40a498 GetStartupInfoA
0x40a4a0 GetSystemInfo
0x40a4a8 GetSystemTimeAsFileTime
0x40a4b0 GetTempPathA
0x40a4b8 GetTickCount
0x40a4c0 GlobalMemoryStatusEx
0x40a4c8 InitializeCriticalSection
0x40a4d0 LeaveCriticalSection
0x40a4d8 Process32First
0x40a4e0 Process32Next
0x40a4e8 QueryPerformanceCounter
0x40a4f0 RtlAddFunctionTable
0x40a4f8 RtlCaptureContext
0x40a500 RtlLookupFunctionEntry
0x40a508 RtlVirtualUnwind
0x40a510 SetConsoleCP
0x40a518 SetConsoleOutputCP
0x40a520 SetThreadExecutionState
0x40a528 SetUnhandledExceptionFilter
0x40a530 Sleep
0x40a538 TerminateProcess
0x40a540 TlsGetValue
0x40a548 UnhandledExceptionFilter
0x40a550 VirtualProtect
0x40a558 VirtualQuery
0x40a560 WaitForSingleObject
msvcrt.dll
0x40a570 __C_specific_handler
0x40a578 __getmainargs
0x40a580 __initenv
0x40a588 __iob_func
0x40a590 __lconv_init
0x40a598 __set_app_type
0x40a5a0 __setusermatherr
0x40a5a8 _acmdln
0x40a5b0 _amsg_exit
0x40a5b8 _cexit
0x40a5c0 _fmode
0x40a5c8 _initterm
0x40a5d0 _onexit
0x40a5d8 _stricmp
0x40a5e0 _vsnprintf
0x40a5e8 abort
0x40a5f0 atoi
0x40a5f8 calloc
0x40a600 exit
0x40a608 fprintf
0x40a610 free
0x40a618 fwrite
0x40a620 malloc
0x40a628 memcpy
0x40a630 memset
0x40a638 printf
0x40a640 puts
0x40a648 setlocale
0x40a650 signal
0x40a658 sprintf
0x40a660 strlen
0x40a668 strncmp
0x40a670 strncpy
0x40a678 strstr
0x40a680 swprintf_s
0x40a688 vfprintf
0x40a690 wprintf
SHELL32.dll
0x40a6a0 ShellExecuteA
0x40a6a8 ShellExecuteExA
SHLWAPI.dll
0x40a6b8 PathAppendA
WINHTTP.dll
0x40a6c8 WinHttpCloseHandle
0x40a6d0 WinHttpConnect
0x40a6d8 WinHttpOpen
0x40a6e0 WinHttpOpenRequest
0x40a6e8 WinHttpQueryDataAvailable
0x40a6f0 WinHttpReadData
0x40a6f8 WinHttpReceiveResponse
0x40a700 WinHttpSendRequest
EAT(Export Address Table) is none