Field | Value |
---|---|
Created | 2024.10.14 11:27 |
Machine | s1_win7_x6403 |
Filename | 7f3c2473d1e6.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
md5 | de2af610c33df4386b17ddc9b532bfd1 |
sha256 | 1e6d17574f56e12daa9d1a02ccfe080fcdb851a2a3eeea76d6d70dce89b80a6e |
ssdeep | 12288:krzauxmWmUztVmbX+b7ATG2I5iH0Q2M+CDfTJoLzQY5e74dEO:kPauxkUz/Rb0TGwHSM+CDfTJgzQY5UQt |
imphash | b7ebfc2ac31d5223dc33b9386c1e726b |
impfuzzy | 24:1sajTcpVWZlKAWjeD2teDGhlJBl39WuPiDZMv5GMA+pOovbOPZa:y6cpVezWjrteDGnpnEZGw3M |
Signatures (34 counts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to create or modify system certificates |
watch | Checks the CPU name from registry |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes executed files from disk |
watch | Harvests credentials from local FTP client software |
watch | Network activity contains more than one unique user agent |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries for potentially installed applications |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (31 counts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Client_SW_User_Data_Stealer | Client_SW_User_Data_Stealer | memory |
danger | Win32_PWS_Loki_m_Zero | Win32 PWS Loki | memory |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
warning | infoStealer_ftpClients_Zero | ftp clients info stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (6 counts)
Suricata IDs
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) libraries
USER32.dll
0x421150 ShowWindow
KERNEL32.dll
0x421000 GetStartupInfoW
0x421004 CreateFileW
0x421008 CloseHandle
0x42100c GetConsoleWindow
0x421010 MultiByteToWideChar
0x421014 GetStringTypeW
0x421018 WideCharToMultiByte
0x42101c GetCurrentThreadId
0x421020 WaitForSingleObjectEx
0x421024 GetExitCodeThread
0x421028 EnterCriticalSection
0x42102c LeaveCriticalSection
0x421030 InitializeCriticalSectionEx
0x421034 DeleteCriticalSection
0x421038 EncodePointer
0x42103c DecodePointer
0x421040 LCMapStringEx
0x421044 ReleaseSRWLockExclusive
0x421048 AcquireSRWLockExclusive
0x42104c TryAcquireSRWLockExclusive
0x421050 WakeAllConditionVariable
0x421054 QueryPerformanceCounter
0x421058 GetSystemTimeAsFileTime
0x42105c GetModuleHandleW
0x421060 GetProcAddress
0x421064 GetCPInfo
0x421068 IsProcessorFeaturePresent
0x42106c UnhandledExceptionFilter
0x421070 SetUnhandledExceptionFilter
0x421074 GetCurrentProcess
0x421078 TerminateProcess
0x42107c GetCurrentProcessId
0x421080 InitializeSListHead
0x421084 IsDebuggerPresent
0x421088 WriteConsoleW
0x42108c HeapSize
0x421090 RaiseException
0x421094 RtlUnwind
0x421098 GetLastError
0x42109c SetLastError
0x4210a0 InitializeCriticalSectionAndSpinCount
0x4210a4 TlsAlloc
0x4210a8 TlsGetValue
0x4210ac TlsSetValue
0x4210b0 TlsFree
0x4210b4 FreeLibrary
0x4210b8 LoadLibraryExW
0x4210bc CreateThread
0x4210c0 ExitThread
0x4210c4 FreeLibraryAndExitThread
0x4210c8 GetModuleHandleExW
0x4210cc GetStdHandle
0x4210d0 WriteFile
0x4210d4 GetModuleFileNameW
0x4210d8 ExitProcess
0x4210dc HeapAlloc
0x4210e0 HeapFree
0x4210e4 LCMapStringW
0x4210e8 GetLocaleInfoW
0x4210ec IsValidLocale
0x4210f0 GetUserDefaultLCID
0x4210f4 EnumSystemLocalesW
0x4210f8 GetFileType
0x4210fc GetFileSizeEx
0x421100 SetFilePointerEx
0x421104 FlushFileBuffers
0x421108 GetConsoleOutputCP
0x42110c GetConsoleMode
0x421110 ReadFile
0x421114 HeapReAlloc
0x421118 FindClose
0x42111c FindFirstFileExW
0x421120 FindNextFileW
0x421124 IsValidCodePage
0x421128 GetACP
0x42112c GetOEMCP
0x421130 GetCommandLineA
0x421134 GetCommandLineW
0x421138 GetEnvironmentStringsW
0x42113c FreeEnvironmentStringsW
0x421140 SetStdHandle
0x421144 GetProcessHeap
0x421148 ReadConsoleW
EAT (Export Address Table): none