ScreenShot
| Created | 2024.10.21 14:16 | Machine | s1_win7_x6401 |
| Filename | Sniffthem.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 53 detected (AIDetectMalware, Androm, Malicious, score, Artemis, Zusy, Unsafe, V18v, confidence, Attribute, HighConfidence, high confidence, MalwareX, vssw, Tnaket, bHkt5PxagPF, Nekark, uifjw, Siggen29, moderate, Static AI, Malicious PE, Hosts2, Detected, ABTrojan, LQGG, GdSda, Gencirc, Tinukebot, A9OKG) | ||
| md5 | d0cce7870080bd889dba1f4cfd2b3b26 | ||
| sha256 | 8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a | ||
| ssdeep | 6144:imUMliX/k5k646sOcT86ISrQdoBX67Hgo2TWD:AMl6Y/fyQdWeHgo2a | ||
| imphash | 3b5abd4a8ffdd913a2af8b1254fe482f | ||
| impfuzzy | 48:oAzNsnML4bZlX6ZbKoih2OgJcpV6RBg/XR:oAzNsnML4bX6ZmoG2RJcpVMBg/XR | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Attempts to disable SPDY support in Firefox to improve web infostealing capability |
| watch | Attempts to modify Explorer settings to prevent hidden files from being displayed |
| watch | Installs itself for autorun at Windows startup |
| watch | Modifies the Firefox configuration file |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Creates hidden or system file |
| notice | One or more potentially interesting buffers were extracted |
| notice | Repeatedly searches for a not-found process |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
Rules (24cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
| notice | Escalate_priviledges | Escalate priviledges | memory |
| notice | Network_HTTP | Communications over HTTP | memory |
| notice | Persistence | Install itself for autorun at Windows startup | memory |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (upload) |
| info | lnk_file_format | Microsoft Windows Shortcut File Format | binaries (download) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | vmdetect_misc | Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names. | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
OLEAUT32.dll
0x1400223b0 VariantClear
KERNEL32.dll
0x140022000 LCMapStringEx
0x140022008 GetUserDefaultLocaleName
0x140022010 FreeEnvironmentStringsW
0x140022018 GetEnvironmentStringsW
0x140022020 GetTickCount64
0x140022028 QueryPerformanceCounter
0x140022030 IsValidLocaleName
0x140022038 FlsSetValue
0x140022040 FlsGetValue
0x140022048 FlsAlloc
0x140022050 SetUnhandledExceptionFilter
0x140022058 UnhandledExceptionFilter
0x140022060 RtlVirtualUnwind
0x140022068 RtlCaptureContext
0x140022070 GetConsoleMode
0x140022078 GetConsoleCP
0x140022080 EnumSystemLocalesEx
0x140022088 LoadLibraryExW
0x140022090 ReadConsoleW
0x140022098 SetStdHandle
0x1400220a0 WriteConsoleW
0x1400220a8 OutputDebugStringW
0x1400220b0 FlsFree
0x1400220b8 FlushFileBuffers
0x1400220c0 SetFilePointerEx
0x1400220c8 GetStartupInfoW
0x1400220d0 InitOnceExecuteOnce
0x1400220d8 GetThreadContext
0x1400220e0 GetTempFileNameW
0x1400220e8 GetFileSize
0x1400220f0 SetThreadContext
0x1400220f8 SetFilePointer
0x140022100 FreeLibrary
0x140022108 GetCurrentProcess
0x140022110 WaitForSingleObject
0x140022118 WriteFile
0x140022120 OpenProcess
0x140022128 GetSystemDirectoryW
0x140022130 LoadLibraryW
0x140022138 GetModuleFileNameW
0x140022140 CreateFileW
0x140022148 GetTempPathW
0x140022150 GetLastError
0x140022158 GetProcAddress
0x140022160 VirtualAllocEx
0x140022168 LoadLibraryA
0x140022170 GetModuleHandleA
0x140022178 lstrcatW
0x140022180 Wow64SetThreadContext
0x140022188 CloseHandle
0x140022190 WriteProcessMemory
0x140022198 ResumeThread
0x1400221a0 Wow64GetThreadContext
0x1400221a8 CreateThread
0x1400221b0 HeapAlloc
0x1400221b8 GetProcessHeap
0x1400221c0 Sleep
0x1400221c8 CreateRemoteThread
0x1400221d0 CreateToolhelp32Snapshot
0x1400221d8 VirtualProtectEx
0x1400221e0 VirtualProtect
0x1400221e8 ExitProcess
0x1400221f0 HeapReAlloc
0x1400221f8 CreateFileA
0x140022200 FindFirstFileW
0x140022208 MapViewOfFile
0x140022210 UnmapViewOfFile
0x140022218 SetEndOfFile
0x140022220 CompareFileTime
0x140022228 HeapFree
0x140022230 GetModuleHandleW
0x140022238 GetProcessTimes
0x140022240 GetFileAttributesA
0x140022248 TerminateProcess
0x140022250 ReadFile
0x140022258 lstrcatA
0x140022260 MultiByteToWideChar
0x140022268 CreateDirectoryA
0x140022270 CopyFileA
0x140022278 SetFileAttributesA
0x140022280 Process32FirstW
0x140022288 CreateFileMappingA
0x140022290 GetModuleFileNameA
0x140022298 Process32NextW
0x1400222a0 CreateMutexA
0x1400222a8 IsDebuggerPresent
0x1400222b0 FindNextFileW
0x1400222b8 DeleteFileW
0x1400222c0 ExpandEnvironmentStringsW
0x1400222c8 WideCharToMultiByte
0x1400222d0 LocalFree
0x1400222d8 GetStringTypeW
0x1400222e0 EncodePointer
0x1400222e8 DecodePointer
0x1400222f0 EnterCriticalSection
0x1400222f8 LeaveCriticalSection
0x140022300 InitializeCriticalSectionEx
0x140022308 DeleteCriticalSection
0x140022310 GetLocaleInfoEx
0x140022318 GetCPInfo
0x140022320 IsProcessorFeaturePresent
0x140022328 GetSystemTimeAsFileTime
0x140022330 GetCommandLineW
0x140022338 RtlLookupFunctionEntry
0x140022340 RtlUnwindEx
0x140022348 RtlPcToFileHeader
0x140022350 RaiseException
0x140022358 InitializeCriticalSectionAndSpinCount
0x140022360 IsValidCodePage
0x140022368 GetACP
0x140022370 GetOEMCP
0x140022378 SetLastError
0x140022380 GetCurrentThreadId
0x140022388 GetModuleHandleExW
0x140022390 HeapSize
0x140022398 GetStdHandle
0x1400223a0 GetFileType
EAT(Export Address Table) is none
OLEAUT32.dll
0x1400223b0 VariantClear
KERNEL32.dll
0x140022000 LCMapStringEx
0x140022008 GetUserDefaultLocaleName
0x140022010 FreeEnvironmentStringsW
0x140022018 GetEnvironmentStringsW
0x140022020 GetTickCount64
0x140022028 QueryPerformanceCounter
0x140022030 IsValidLocaleName
0x140022038 FlsSetValue
0x140022040 FlsGetValue
0x140022048 FlsAlloc
0x140022050 SetUnhandledExceptionFilter
0x140022058 UnhandledExceptionFilter
0x140022060 RtlVirtualUnwind
0x140022068 RtlCaptureContext
0x140022070 GetConsoleMode
0x140022078 GetConsoleCP
0x140022080 EnumSystemLocalesEx
0x140022088 LoadLibraryExW
0x140022090 ReadConsoleW
0x140022098 SetStdHandle
0x1400220a0 WriteConsoleW
0x1400220a8 OutputDebugStringW
0x1400220b0 FlsFree
0x1400220b8 FlushFileBuffers
0x1400220c0 SetFilePointerEx
0x1400220c8 GetStartupInfoW
0x1400220d0 InitOnceExecuteOnce
0x1400220d8 GetThreadContext
0x1400220e0 GetTempFileNameW
0x1400220e8 GetFileSize
0x1400220f0 SetThreadContext
0x1400220f8 SetFilePointer
0x140022100 FreeLibrary
0x140022108 GetCurrentProcess
0x140022110 WaitForSingleObject
0x140022118 WriteFile
0x140022120 OpenProcess
0x140022128 GetSystemDirectoryW
0x140022130 LoadLibraryW
0x140022138 GetModuleFileNameW
0x140022140 CreateFileW
0x140022148 GetTempPathW
0x140022150 GetLastError
0x140022158 GetProcAddress
0x140022160 VirtualAllocEx
0x140022168 LoadLibraryA
0x140022170 GetModuleHandleA
0x140022178 lstrcatW
0x140022180 Wow64SetThreadContext
0x140022188 CloseHandle
0x140022190 WriteProcessMemory
0x140022198 ResumeThread
0x1400221a0 Wow64GetThreadContext
0x1400221a8 CreateThread
0x1400221b0 HeapAlloc
0x1400221b8 GetProcessHeap
0x1400221c0 Sleep
0x1400221c8 CreateRemoteThread
0x1400221d0 CreateToolhelp32Snapshot
0x1400221d8 VirtualProtectEx
0x1400221e0 VirtualProtect
0x1400221e8 ExitProcess
0x1400221f0 HeapReAlloc
0x1400221f8 CreateFileA
0x140022200 FindFirstFileW
0x140022208 MapViewOfFile
0x140022210 UnmapViewOfFile
0x140022218 SetEndOfFile
0x140022220 CompareFileTime
0x140022228 HeapFree
0x140022230 GetModuleHandleW
0x140022238 GetProcessTimes
0x140022240 GetFileAttributesA
0x140022248 TerminateProcess
0x140022250 ReadFile
0x140022258 lstrcatA
0x140022260 MultiByteToWideChar
0x140022268 CreateDirectoryA
0x140022270 CopyFileA
0x140022278 SetFileAttributesA
0x140022280 Process32FirstW
0x140022288 CreateFileMappingA
0x140022290 GetModuleFileNameA
0x140022298 Process32NextW
0x1400222a0 CreateMutexA
0x1400222a8 IsDebuggerPresent
0x1400222b0 FindNextFileW
0x1400222b8 DeleteFileW
0x1400222c0 ExpandEnvironmentStringsW
0x1400222c8 WideCharToMultiByte
0x1400222d0 LocalFree
0x1400222d8 GetStringTypeW
0x1400222e0 EncodePointer
0x1400222e8 DecodePointer
0x1400222f0 EnterCriticalSection
0x1400222f8 LeaveCriticalSection
0x140022300 InitializeCriticalSectionEx
0x140022308 DeleteCriticalSection
0x140022310 GetLocaleInfoEx
0x140022318 GetCPInfo
0x140022320 IsProcessorFeaturePresent
0x140022328 GetSystemTimeAsFileTime
0x140022330 GetCommandLineW
0x140022338 RtlLookupFunctionEntry
0x140022340 RtlUnwindEx
0x140022348 RtlPcToFileHeader
0x140022350 RaiseException
0x140022358 InitializeCriticalSectionAndSpinCount
0x140022360 IsValidCodePage
0x140022368 GetACP
0x140022370 GetOEMCP
0x140022378 SetLastError
0x140022380 GetCurrentThreadId
0x140022388 GetModuleHandleExW
0x140022390 HeapSize
0x140022398 GetStdHandle
0x1400223a0 GetFileType
EAT(Export Address Table) is none