ScreenShot
| Created | 2024.10.05 11:38 | Machine | s1_win7_x6403 |
| Filename | 9dd06d870941.exe#d15 | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | |||
| md5 | 7d729c310433884df470d36f612398f3 | ||
| sha256 | e4f5e023ea22484f3f198dfac42bbae45c151da07085d20f25618e1680f90c1d | ||
| ssdeep | 12288:ROD3oZTCvgjYdazaf7A1v2C0zv+rBbS5ekkxqGXfvgkVS5R06usP:RgCcwaf7A1v2zv+lugxqGP4kV80o | ||
| imphash | 76c28592e04b2b2bb1f52b3aac6a5c55 | ||
| impfuzzy | 24:jkcpVWZttlS1wGhlJBl3eDoLouDZVv5GMAkpOovbOPZG:AcpVettlS1wGnpXlZdk3w | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Checks the CPU name from registry |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Collects information about installed applications |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process msbuild.exe |
| notice | Executes one or more WMI queries |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (26cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer | memory |
| danger | Win32_PWS_Loki_m_Zero | Win32 PWS Loki | memory |
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (upload) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| warning | infoStealer_ftpClients_Zero | ftp clients info stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41e000 GetConsoleWindow
0x41e004 MultiByteToWideChar
0x41e008 GetStringTypeW
0x41e00c WideCharToMultiByte
0x41e010 EnterCriticalSection
0x41e014 LeaveCriticalSection
0x41e018 InitializeCriticalSectionEx
0x41e01c DeleteCriticalSection
0x41e020 EncodePointer
0x41e024 DecodePointer
0x41e028 LCMapStringEx
0x41e02c GetCPInfo
0x41e030 IsProcessorFeaturePresent
0x41e034 UnhandledExceptionFilter
0x41e038 SetUnhandledExceptionFilter
0x41e03c GetCurrentProcess
0x41e040 TerminateProcess
0x41e044 QueryPerformanceCounter
0x41e048 GetCurrentProcessId
0x41e04c GetCurrentThreadId
0x41e050 GetSystemTimeAsFileTime
0x41e054 InitializeSListHead
0x41e058 IsDebuggerPresent
0x41e05c GetStartupInfoW
0x41e060 GetModuleHandleW
0x41e064 CreateFileW
0x41e068 RaiseException
0x41e06c RtlUnwind
0x41e070 GetLastError
0x41e074 SetLastError
0x41e078 InitializeCriticalSectionAndSpinCount
0x41e07c TlsAlloc
0x41e080 TlsGetValue
0x41e084 TlsSetValue
0x41e088 TlsFree
0x41e08c FreeLibrary
0x41e090 GetProcAddress
0x41e094 LoadLibraryExW
0x41e098 GetStdHandle
0x41e09c WriteFile
0x41e0a0 GetModuleFileNameW
0x41e0a4 ExitProcess
0x41e0a8 GetModuleHandleExW
0x41e0ac HeapFree
0x41e0b0 LCMapStringW
0x41e0b4 GetLocaleInfoW
0x41e0b8 IsValidLocale
0x41e0bc GetUserDefaultLCID
0x41e0c0 EnumSystemLocalesW
0x41e0c4 HeapAlloc
0x41e0c8 GetFileType
0x41e0cc CloseHandle
0x41e0d0 FlushFileBuffers
0x41e0d4 GetConsoleOutputCP
0x41e0d8 GetConsoleMode
0x41e0dc ReadFile
0x41e0e0 GetFileSizeEx
0x41e0e4 SetFilePointerEx
0x41e0e8 ReadConsoleW
0x41e0ec HeapReAlloc
0x41e0f0 FindClose
0x41e0f4 FindFirstFileExW
0x41e0f8 FindNextFileW
0x41e0fc IsValidCodePage
0x41e100 GetACP
0x41e104 GetOEMCP
0x41e108 GetCommandLineA
0x41e10c GetCommandLineW
0x41e110 GetEnvironmentStringsW
0x41e114 FreeEnvironmentStringsW
0x41e118 SetStdHandle
0x41e11c GetProcessHeap
0x41e120 HeapSize
0x41e124 WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x41e000 GetConsoleWindow
0x41e004 MultiByteToWideChar
0x41e008 GetStringTypeW
0x41e00c WideCharToMultiByte
0x41e010 EnterCriticalSection
0x41e014 LeaveCriticalSection
0x41e018 InitializeCriticalSectionEx
0x41e01c DeleteCriticalSection
0x41e020 EncodePointer
0x41e024 DecodePointer
0x41e028 LCMapStringEx
0x41e02c GetCPInfo
0x41e030 IsProcessorFeaturePresent
0x41e034 UnhandledExceptionFilter
0x41e038 SetUnhandledExceptionFilter
0x41e03c GetCurrentProcess
0x41e040 TerminateProcess
0x41e044 QueryPerformanceCounter
0x41e048 GetCurrentProcessId
0x41e04c GetCurrentThreadId
0x41e050 GetSystemTimeAsFileTime
0x41e054 InitializeSListHead
0x41e058 IsDebuggerPresent
0x41e05c GetStartupInfoW
0x41e060 GetModuleHandleW
0x41e064 CreateFileW
0x41e068 RaiseException
0x41e06c RtlUnwind
0x41e070 GetLastError
0x41e074 SetLastError
0x41e078 InitializeCriticalSectionAndSpinCount
0x41e07c TlsAlloc
0x41e080 TlsGetValue
0x41e084 TlsSetValue
0x41e088 TlsFree
0x41e08c FreeLibrary
0x41e090 GetProcAddress
0x41e094 LoadLibraryExW
0x41e098 GetStdHandle
0x41e09c WriteFile
0x41e0a0 GetModuleFileNameW
0x41e0a4 ExitProcess
0x41e0a8 GetModuleHandleExW
0x41e0ac HeapFree
0x41e0b0 LCMapStringW
0x41e0b4 GetLocaleInfoW
0x41e0b8 IsValidLocale
0x41e0bc GetUserDefaultLCID
0x41e0c0 EnumSystemLocalesW
0x41e0c4 HeapAlloc
0x41e0c8 GetFileType
0x41e0cc CloseHandle
0x41e0d0 FlushFileBuffers
0x41e0d4 GetConsoleOutputCP
0x41e0d8 GetConsoleMode
0x41e0dc ReadFile
0x41e0e0 GetFileSizeEx
0x41e0e4 SetFilePointerEx
0x41e0e8 ReadConsoleW
0x41e0ec HeapReAlloc
0x41e0f0 FindClose
0x41e0f4 FindFirstFileExW
0x41e0f8 FindNextFileW
0x41e0fc IsValidCodePage
0x41e100 GetACP
0x41e104 GetOEMCP
0x41e108 GetCommandLineA
0x41e10c GetCommandLineW
0x41e110 GetEnvironmentStringsW
0x41e114 FreeEnvironmentStringsW
0x41e118 SetStdHandle
0x41e11c GetProcessHeap
0x41e120 HeapSize
0x41e124 WriteConsoleW
EAT(Export Address Table) is none