Field | Value |
---|---|
Created | 2024.10.15 14:29 |
Machine | s1_win7_x6401 |
Filename | persistance.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 46 detected (AIDetectMalware, Tasker, Malicious, score, GenericKD, Unsafe, Vh3u, confidence, Attribute, HighConfidence, MalwareX, bdsu, CLOUD, Nekark, dhhxc, MulDrop28, Detected, Wacatac, ABTrojan, ZWSC, Artemis, Chgt, Gencirc, susgen, PossibleThreat, PALLAS, bbmx) |
md5 | fb79af307b85682b1133f775dafcab83 |
sha256 | fa04b82bc420f171b60b70316bba828de05782a3fd946cce7169b3a431af909a |
ssdeep | 24576:eBjUmQrt53UY/lREVrUgAGdVIO+feVZih+Ec0xMkl81sU3AoZ4MX/TYqDNB:eBjUmQrL3UY/lREEGdVsvC4MX/TYqDNB |
imphash | 90e515923c3b276848e352c938e51804 |
impfuzzy | 48:nlUMD9lmJeFxs4+2R4jxQ9bPXiX1PnvKlJJGZq5gi61vm/GhyqnJ6D:n2MD/mqi4HR4jxQ9bPXiX1PviJJGsyiH |
Signature (19cnts)
Level | Description |
---|---|
danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Creates a suspicious Powershell process |
watch | Installs itself for autorun at Windows startup |
watch | The process powershell.exe wrote an executable file to disk |
watch | Uses Sysinternals tools in order to add additional command line functionality |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (6cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
Suricata IDs
ET INFO Executable Download from dotted-quad Host
ET HUNTING curl User-Agent to Dotted Quad
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x1400ee510 AddVectoredExceptionHandler
0x1400ee518 CloseHandle
0x1400ee520 CreateEventA
0x1400ee528 CreateSemaphoreA
0x1400ee530 DeleteCriticalSection
0x1400ee538 DuplicateHandle
0x1400ee540 EnterCriticalSection
0x1400ee548 FileTimeToSystemTime
0x1400ee550 FormatMessageA
0x1400ee558 GetCurrentProcess
0x1400ee560 GetCurrentProcessId
0x1400ee568 GetCurrentThread
0x1400ee570 GetCurrentThreadId
0x1400ee578 GetHandleInformation
0x1400ee580 GetLastError
0x1400ee588 GetModuleHandleA
0x1400ee590 GetModuleHandleW
0x1400ee598 GetProcAddress
0x1400ee5a0 GetProcessAffinityMask
0x1400ee5a8 GetProcessTimes
0x1400ee5b0 GetSystemTimeAdjustment
0x1400ee5b8 GetSystemTimeAsFileTime
0x1400ee5c0 GetThreadContext
0x1400ee5c8 GetThreadPriority
0x1400ee5d0 GetThreadTimes
0x1400ee5d8 GetTickCount64
0x1400ee5e0 InitializeCriticalSection
0x1400ee5e8 IsDBCSLeadByteEx
0x1400ee5f0 IsDebuggerPresent
0x1400ee5f8 LeaveCriticalSection
0x1400ee600 LoadLibraryW
0x1400ee608 LocalFree
0x1400ee610 MultiByteToWideChar
0x1400ee618 OpenProcess
0x1400ee620 OutputDebugStringA
0x1400ee628 QueryPerformanceCounter
0x1400ee630 QueryPerformanceFrequency
0x1400ee638 RaiseException
0x1400ee640 ReleaseSemaphore
0x1400ee648 RemoveVectoredExceptionHandler
0x1400ee650 ResetEvent
0x1400ee658 ResumeThread
0x1400ee660 RtlCaptureContext
0x1400ee668 RtlLookupFunctionEntry
0x1400ee670 RtlUnwindEx
0x1400ee678 RtlVirtualUnwind
0x1400ee680 SetEvent
0x1400ee688 SetLastError
0x1400ee690 SetProcessAffinityMask
0x1400ee698 SetSystemTime
0x1400ee6a0 SetThreadContext
0x1400ee6a8 SetThreadPriority
0x1400ee6b0 SetUnhandledExceptionFilter
0x1400ee6b8 Sleep
0x1400ee6c0 SuspendThread
0x1400ee6c8 TlsAlloc
0x1400ee6d0 TlsGetValue
0x1400ee6d8 TlsSetValue
0x1400ee6e0 TryEnterCriticalSection
0x1400ee6e8 VirtualProtect
0x1400ee6f0 VirtualQuery
0x1400ee6f8 WaitForMultipleObjects
0x1400ee700 WaitForSingleObject
0x1400ee708 WideCharToMultiByte
0x1400ee710 __C_specific_handler
msvcrt.dll
0x1400ee720 ___lc_codepage_func
0x1400ee728 ___mb_cur_max_func
0x1400ee730 __getmainargs
0x1400ee738 __initenv
0x1400ee740 __iob_func
0x1400ee748 __set_app_type
0x1400ee750 __setusermatherr
0x1400ee758 _amsg_exit
0x1400ee760 _beginthreadex
0x1400ee768 _cexit
0x1400ee770 _commode
0x1400ee778 _errno
0x1400ee780 _endthreadex
0x1400ee788 _filelengthi64
0x1400ee790 _fileno
0x1400ee798 _fmode
0x1400ee7a0 _fstat64
0x1400ee7a8 _initterm
0x1400ee7b0 _lseeki64
0x1400ee7b8 fread
0x1400ee7c0 free
0x1400ee7c8 fsetpos
0x1400ee7d0 memchr
0x1400ee7d8 memcmp
0x1400ee7e0 memcpy
0x1400ee7e8 memmove
0x1400ee7f0 memset
0x1400ee7f8 printf
0x1400ee800 srand
0x1400ee808 _onexit
0x1400ee810 _time64
0x1400ee818 _ultoa
0x1400ee820 _setjmp
0x1400ee828 _wfopen
0x1400ee830 abort
0x1400ee838 calloc
0x1400ee840 exit
0x1400ee848 fclose
0x1400ee850 fflush
0x1400ee858 fgetpos
0x1400ee860 fopen
0x1400ee868 fprintf
0x1400ee870 fputc
0x1400ee878 fputs
0x1400ee880 fwrite
0x1400ee888 getc
0x1400ee890 getenv
0x1400ee898 getwc
0x1400ee8a0 iswctype
0x1400ee8a8 localeconv
0x1400ee8b0 longjmp
0x1400ee8b8 malloc
0x1400ee8c0 putc
0x1400ee8c8 putwc
0x1400ee8d0 rand
0x1400ee8d8 realloc
0x1400ee8e0 setlocale
0x1400ee8e8 setvbuf
0x1400ee8f0 signal
0x1400ee8f8 strchr
0x1400ee900 strcmp
0x1400ee908 strcoll
0x1400ee910 strerror
0x1400ee918 strftime
0x1400ee920 strlen
0x1400ee928 strncmp
0x1400ee930 strtoul
0x1400ee938 strxfrm
0x1400ee940 system
0x1400ee948 towlower
0x1400ee950 towupper
0x1400ee958 ungetc
0x1400ee960 ungetwc
0x1400ee968 vfprintf
0x1400ee970 wcscoll
0x1400ee978 wcsftime
0x1400ee980 wcslen
0x1400ee988 wcsxfrm
0x1400ee990 _write
0x1400ee998 _strdup
0x1400ee9a0 _read
0x1400ee9a8 _fileno
0x1400ee9b0 _fdopen
SHELL32.dll
0x1400ee9c0 ShellExecuteA
EAT (Export Address Table): none