ScreenShot
Created | 2024.10.16 17:37 | Machine | s1_win7_x6401 |
Filename | niceworkingprojectforeveryone.hta | ||
Type | HTML document, ASCII text, with very long lines, with CRLF line terminators | ||
AI Score | Not founds | Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 27 detected (Asthma, Kryptik, gen80, SNAKEKEYLOGGER, YXEJOZ, iacgm, Runner, CLASSIC, PowerShell, Detected, ABTrojan, RBKL, Probably Heur, HTMLUnescape) | ||
md5 | 44ad3c49b38f4f6f1739baf86d528fd3 | ||
sha256 | 4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368 | ||
ssdeep | 96:Ea+n7bJh/qUh/qoR3hH+TJoAj/h/q9+SAT:Ea+7bJ5/pLA78WT | ||
imphash | |||
impfuzzy |
Network IP location
Signature (40cnts)
Level | Description |
---|---|
danger | A potential heapspray has been detected. 2152 megabytes was sprayed onto the heap of the taskhostw.exe process |
warning | File has been identified by 27 AntiVirus engines on VirusTotal as malicious |
watch | An executable file was downloaded by the process powershell.exe |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Creates a suspicious Powershell process |
watch | Drops a binary and executes it |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
watch | One or more non-whitelisted processes were created |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Connects to a Dynamic DNS Domain |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Poweshell is sending data to a remote host |
notice | Steals private information from local Internet browsers |
notice | URL downloaded by powershell script |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | One or more processes crashed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (19cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PowerShell | PowerShell script | scripts |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (8cnts) ?
Suricata ids
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check