ScreenShot
Created | 2024.09.30 17:16 | Machine | s1_win7_x6401 |
Filename | num.exe | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 41 detected (AIDetectMalware, Malicious, score, TrojanAitInject, Tedy, Unsafe, Save, confidence, Attribute, HighConfidence, Windows, Threat, Stealc, PWSX, Stealerc, ccmw, DQwxTsXk3kJ, Real Protect, high, Detected, 1Y8LYHX, BScope, PasswordStealer, GdSda, Meterpreter, susgen, Themida) | ||
md5 | 791fcee57312d4a20cc86ae1cea8dfc4 | ||
sha256 | 27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d | ||
ssdeep | 6144:BMi8gYtUokCulxMfpbSGePV0l0F1nE7w+Uw3NKR9hU/W9:2tUoH3IGgVRF14wx8KRF9 | ||
imphash | 8e9e6de8c6aa184371108e1074479bb3 | ||
impfuzzy | 24:j/8yfb8J93qsQCTY3BjlzGbtUqlSfMyDkfjY/J3IS:j/8ob8r3qVCTY3LGbt38fMzK1 |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process num.exe |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (10cnts) ?
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x41e0b8 strncpy
0x41e0bc ??_V@YAXPAX@Z
0x41e0c0 memchr
0x41e0c4 ??_U@YAPAXI@Z
0x41e0c8 strtok
0x41e0cc atexit
0x41e0d0 strtok_s
0x41e0d4 strcpy_s
0x41e0d8 vsprintf_s
0x41e0dc memmove
0x41e0e0 strlen
0x41e0e4 malloc
0x41e0e8 free
0x41e0ec memcmp
0x41e0f0 ??2@YAPAXI@Z
0x41e0f4 memset
0x41e0f8 memcpy
0x41e0fc __CxxFrameHandler3
KERNEL32.dll
0x41e000 GetCurrentProcess
0x41e004 RaiseException
0x41e008 GetStringTypeW
0x41e00c MultiByteToWideChar
0x41e010 LCMapStringW
0x41e014 IsValidCodePage
0x41e018 GetOEMCP
0x41e01c lstrlenA
0x41e020 HeapAlloc
0x41e024 GetProcessHeap
0x41e028 VirtualProtect
0x41e02c WaitForSingleObject
0x41e030 CreateProcessA
0x41e034 lstrcatA
0x41e038 VirtualQueryEx
0x41e03c OpenProcess
0x41e040 ReadProcessMemory
0x41e044 WriteFile
0x41e048 GetACP
0x41e04c GetCPInfo
0x41e050 UnhandledExceptionFilter
0x41e054 SetUnhandledExceptionFilter
0x41e058 IsDebuggerPresent
0x41e05c EncodePointer
0x41e060 DecodePointer
0x41e064 TerminateProcess
0x41e068 InitializeCriticalSectionAndSpinCount
0x41e06c LeaveCriticalSection
0x41e070 EnterCriticalSection
0x41e074 RtlUnwind
0x41e078 GetProcAddress
0x41e07c GetModuleHandleW
0x41e080 ExitProcess
0x41e084 Sleep
0x41e088 GetStdHandle
0x41e08c GetModuleFileNameW
0x41e090 GetLastError
0x41e094 LoadLibraryW
0x41e098 TlsGetValue
0x41e09c TlsSetValue
0x41e0a0 InterlockedIncrement
0x41e0a4 SetLastError
0x41e0a8 GetCurrentThreadId
0x41e0ac InterlockedDecrement
0x41e0b0 WideCharToMultiByte
EAT(Export Address Table) is none
msvcrt.dll
0x41e0b8 strncpy
0x41e0bc ??_V@YAXPAX@Z
0x41e0c0 memchr
0x41e0c4 ??_U@YAPAXI@Z
0x41e0c8 strtok
0x41e0cc atexit
0x41e0d0 strtok_s
0x41e0d4 strcpy_s
0x41e0d8 vsprintf_s
0x41e0dc memmove
0x41e0e0 strlen
0x41e0e4 malloc
0x41e0e8 free
0x41e0ec memcmp
0x41e0f0 ??2@YAPAXI@Z
0x41e0f4 memset
0x41e0f8 memcpy
0x41e0fc __CxxFrameHandler3
KERNEL32.dll
0x41e000 GetCurrentProcess
0x41e004 RaiseException
0x41e008 GetStringTypeW
0x41e00c MultiByteToWideChar
0x41e010 LCMapStringW
0x41e014 IsValidCodePage
0x41e018 GetOEMCP
0x41e01c lstrlenA
0x41e020 HeapAlloc
0x41e024 GetProcessHeap
0x41e028 VirtualProtect
0x41e02c WaitForSingleObject
0x41e030 CreateProcessA
0x41e034 lstrcatA
0x41e038 VirtualQueryEx
0x41e03c OpenProcess
0x41e040 ReadProcessMemory
0x41e044 WriteFile
0x41e048 GetACP
0x41e04c GetCPInfo
0x41e050 UnhandledExceptionFilter
0x41e054 SetUnhandledExceptionFilter
0x41e058 IsDebuggerPresent
0x41e05c EncodePointer
0x41e060 DecodePointer
0x41e064 TerminateProcess
0x41e068 InitializeCriticalSectionAndSpinCount
0x41e06c LeaveCriticalSection
0x41e070 EnterCriticalSection
0x41e074 RtlUnwind
0x41e078 GetProcAddress
0x41e07c GetModuleHandleW
0x41e080 ExitProcess
0x41e084 Sleep
0x41e088 GetStdHandle
0x41e08c GetModuleFileNameW
0x41e090 GetLastError
0x41e094 LoadLibraryW
0x41e098 TlsGetValue
0x41e09c TlsSetValue
0x41e0a0 InterlockedIncrement
0x41e0a4 SetLastError
0x41e0a8 GetCurrentThreadId
0x41e0ac InterlockedDecrement
0x41e0b0 WideCharToMultiByte
EAT(Export Address Table) is none