Report - SillyShelf.exe

Tags Emotet, Gen1, Generic Malware, Malicious Library, UPX, Malicious Packer, Admin Tool (Sysinternals etc ...), PE32, PE File, MZP Format, PE64, DLL, DllRegisterServer, dll, OS Processor Check
Created 2024.11.22 15:16
Machine s1_win7_x6401
Filename SillyShelf.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 4.0
ZERO API file : clean
VT API (file) 37 detected (Malicious, score, Unsafe, grayware, confidence, GenericKD, moderate confidence, Kryptik, FileRepMalware, Misc, CLOUD, krnss, AMADEY, YXEKUZ, Detected, Malgent, 8POPZL, ABTrojan, WVVK, Artemis, Chgt, Behavior)
md5 fecd099f9b8d9500d7199a1054397e3f
sha256 96a60b6cde63794b637bce219083e7905560c626e68c00af1d99be451c8c3700
ssdeep 49152:zUjKZGiyt7lO9kwWzJLPKeVMFZkYilgWRqadRRnqxD:iflWeOeV8ulCaLc
imphash 483f0c4259a9148c34961abbda6146c1
impfuzzy 96:oc94A5TNO0MHYIp1rLAS1GXg6ioDwPOQD:oc7NA/31wVsPOQD

Signature (11cnts)

Level Description
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Queries for potentially installed applications
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (20cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT(Import Address Table) Library

oleaut32.dll
 0x41e350 SysFreeString
 0x41e354 SysReAllocStringLen
 0x41e358 SysAllocStringLen
advapi32.dll
 0x41e360 RegQueryValueExW
 0x41e364 RegOpenKeyExW
 0x41e368 RegCloseKey
user32.dll
 0x41e370 GetKeyboardType
 0x41e374 LoadStringW
 0x41e378 MessageBoxA
 0x41e37c CharNextW
kernel32.dll
 0x41e384 GetACP
 0x41e388 Sleep
 0x41e38c VirtualFree
 0x41e390 VirtualAlloc
 0x41e394 GetSystemInfo
 0x41e398 GetTickCount
 0x41e39c QueryPerformanceCounter
 0x41e3a0 GetVersion
 0x41e3a4 GetCurrentThreadId
 0x41e3a8 VirtualQuery
 0x41e3ac WideCharToMultiByte
 0x41e3b0 MultiByteToWideChar
 0x41e3b4 lstrlenW
 0x41e3b8 lstrcpynW
 0x41e3bc LoadLibraryExW
 0x41e3c0 GetThreadLocale
 0x41e3c4 GetStartupInfoA
 0x41e3c8 GetProcAddress
 0x41e3cc GetModuleHandleW
 0x41e3d0 GetModuleFileNameW
 0x41e3d4 GetLocaleInfoW
 0x41e3d8 GetCommandLineW
 0x41e3dc FreeLibrary
 0x41e3e0 FindFirstFileW
 0x41e3e4 FindClose
 0x41e3e8 ExitProcess
 0x41e3ec WriteFile
 0x41e3f0 UnhandledExceptionFilter
 0x41e3f4 RtlUnwind
 0x41e3f8 RaiseException
 0x41e3fc GetStdHandle
 0x41e400 CloseHandle
kernel32.dll
 0x41e408 TlsSetValue
 0x41e40c TlsGetValue
 0x41e410 LocalAlloc
 0x41e414 GetModuleHandleW
user32.dll
 0x41e41c CreateWindowExW
 0x41e420 TranslateMessage
 0x41e424 SetWindowLongW
 0x41e428 PeekMessageW
 0x41e42c MsgWaitForMultipleObjects
 0x41e430 MessageBoxW
 0x41e434 LoadStringW
 0x41e438 GetSystemMetrics
 0x41e43c ExitWindowsEx
 0x41e440 DispatchMessageW
 0x41e444 DestroyWindow
 0x41e448 CharUpperBuffW
 0x41e44c CallWindowProcW
kernel32.dll
 0x41e454 WriteFile
 0x41e458 WideCharToMultiByte
 0x41e45c WaitForSingleObject
 0x41e460 VirtualQuery
 0x41e464 VirtualProtect
 0x41e468 VirtualFree
 0x41e46c VirtualAlloc
 0x41e470 SizeofResource
 0x41e474 SignalObjectAndWait
 0x41e478 SetLastError
 0x41e47c SetFilePointer
 0x41e480 SetEvent
 0x41e484 SetErrorMode
 0x41e488 SetEndOfFile
 0x41e48c ResetEvent
 0x41e490 RemoveDirectoryW
 0x41e494 ReadFile
 0x41e498 MultiByteToWideChar
 0x41e49c LockResource
 0x41e4a0 LoadResource
 0x41e4a4 LoadLibraryW
 0x41e4a8 LeaveCriticalSection
 0x41e4ac InitializeCriticalSection
 0x41e4b0 GetWindowsDirectoryW
 0x41e4b4 GetVersionExW
 0x41e4b8 GetUserDefaultLangID
 0x41e4bc GetThreadLocale
 0x41e4c0 GetSystemInfo
 0x41e4c4 GetStdHandle
 0x41e4c8 GetProcAddress
 0x41e4cc GetModuleHandleW
 0x41e4d0 GetModuleFileNameW
 0x41e4d4 GetLocaleInfoW
 0x41e4d8 GetLocalTime
 0x41e4dc GetLastError
 0x41e4e0 GetFullPathNameW
 0x41e4e4 GetFileSize
 0x41e4e8 GetFileAttributesW
 0x41e4ec GetExitCodeProcess
 0x41e4f0 GetEnvironmentVariableW
 0x41e4f4 GetDiskFreeSpaceW
 0x41e4f8 GetDateFormatW
 0x41e4fc GetCurrentProcess
 0x41e500 GetCommandLineW
 0x41e504 GetCPInfo
 0x41e508 InterlockedExchange
 0x41e50c InterlockedCompareExchange
 0x41e510 FreeLibrary
 0x41e514 FormatMessageW
 0x41e518 FindResourceW
 0x41e51c EnumCalendarInfoW
 0x41e520 EnterCriticalSection
 0x41e524 DeleteFileW
 0x41e528 DeleteCriticalSection
 0x41e52c CreateProcessW
 0x41e530 CreateFileW
 0x41e534 CreateEventW
 0x41e538 CreateDirectoryW
 0x41e53c CompareStringW
 0x41e540 CloseHandle
advapi32.dll
 0x41e548 RegQueryValueExW
 0x41e54c RegOpenKeyExW
 0x41e550 RegCloseKey
 0x41e554 OpenProcessToken
 0x41e558 LookupPrivilegeValueW
comctl32.dll
 0x41e560 InitCommonControls
kernel32.dll
 0x41e568 Sleep
advapi32.dll
 0x41e570 AdjustTokenPrivileges
oleaut32.dll
 0x41e578 SafeArrayPtrOfIndex
 0x41e57c SafeArrayGetUBound
 0x41e580 SafeArrayGetLBound
 0x41e584 SafeArrayCreate
 0x41e588 VariantChangeType
 0x41e58c VariantCopy
 0x41e590 VariantClear
 0x41e594 VariantInit

EAT(Export Address Table) is none
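The imphash in the header is derived from the import table listed above. The following Python is an added example, not part of this report or of the sandbox that produced it: it recomputes a pefile-style imphash from the IAT exactly as transcribed here, and flags what the imported APIs alone suggest about the sample. The capability tags and the API groupings behind them are this example's own assumptions, not the sandbox's signatures or rules.

```python
import hashlib

# IAT listing transcribed from this report's "IAT(Import Address Table)" section.
# A "dll:" line starts a new import descriptor in the order the report lists them;
# a line without a colon continues the previous descriptor. The repeated
# kernel32/user32/advapi32 blocks are kept separate on purpose: imphash walks
# descriptors in table order, so merging them would change the digest.
IAT_LISTING = """
oleaut32.dll: SysFreeString SysReAllocStringLen SysAllocStringLen
advapi32.dll: RegQueryValueExW RegOpenKeyExW RegCloseKey
user32.dll: GetKeyboardType LoadStringW MessageBoxA CharNextW
kernel32.dll: GetACP Sleep VirtualFree VirtualAlloc GetSystemInfo GetTickCount
  QueryPerformanceCounter GetVersion GetCurrentThreadId VirtualQuery WideCharToMultiByte
  MultiByteToWideChar lstrlenW lstrcpynW LoadLibraryExW GetThreadLocale GetStartupInfoA
  GetProcAddress GetModuleHandleW GetModuleFileNameW GetLocaleInfoW GetCommandLineW
  FreeLibrary FindFirstFileW FindClose ExitProcess WriteFile UnhandledExceptionFilter
  RtlUnwind RaiseException GetStdHandle CloseHandle
kernel32.dll: TlsSetValue TlsGetValue LocalAlloc GetModuleHandleW
user32.dll: CreateWindowExW TranslateMessage SetWindowLongW PeekMessageW
  MsgWaitForMultipleObjects MessageBoxW LoadStringW GetSystemMetrics ExitWindowsEx
  DispatchMessageW DestroyWindow CharUpperBuffW CallWindowProcW
kernel32.dll: WriteFile WideCharToMultiByte WaitForSingleObject VirtualQuery VirtualProtect
  VirtualFree VirtualAlloc SizeofResource SignalObjectAndWait SetLastError SetFilePointer
  SetEvent SetErrorMode SetEndOfFile ResetEvent RemoveDirectoryW ReadFile MultiByteToWideChar
  LockResource LoadResource LoadLibraryW LeaveCriticalSection InitializeCriticalSection
  GetWindowsDirectoryW GetVersionExW GetUserDefaultLangID GetThreadLocale GetSystemInfo
  GetStdHandle GetProcAddress GetModuleHandleW GetModuleFileNameW GetLocaleInfoW GetLocalTime
  GetLastError GetFullPathNameW GetFileSize GetFileAttributesW GetExitCodeProcess
  GetEnvironmentVariableW GetDiskFreeSpaceW GetDateFormatW GetCurrentProcess GetCommandLineW
  GetCPInfo InterlockedExchange InterlockedCompareExchange FreeLibrary FormatMessageW
  FindResourceW EnumCalendarInfoW EnterCriticalSection DeleteFileW DeleteCriticalSection
  CreateProcessW CreateFileW CreateEventW CreateDirectoryW CompareStringW CloseHandle
advapi32.dll: RegQueryValueExW RegOpenKeyExW RegCloseKey OpenProcessToken LookupPrivilegeValueW
comctl32.dll: InitCommonControls
kernel32.dll: Sleep
advapi32.dll: AdjustTokenPrivileges
oleaut32.dll: SafeArrayPtrOfIndex SafeArrayGetUBound SafeArrayGetLBound SafeArrayCreate
  VariantChangeType VariantCopy VariantClear VariantInit
"""


def parse_iat(listing):
    """Return [(dll, [func, ...]), ...] in import-descriptor order."""
    descriptors = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        if ":" in line:
            dll, funcs = line.split(":", 1)
            descriptors.append((dll.strip(), funcs.split()))
        else:
            descriptors[-1][1].extend(line.split())
    return descriptors


def imphash(descriptors):
    """pefile-style imphash: 'dll.func' lowercased, dll extension stripped,
    entries comma-joined in table order, then MD5 of that string."""
    parts = []
    for dll, funcs in descriptors:
        lib = dll.lower()
        if lib.rsplit(".", 1)[-1] in ("dll", "ocx", "sys"):
            lib = lib.rsplit(".", 1)[0]
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Import-based capability heuristics (this example's own assumptions, not the
# sandbox's rules). A tag fires only when every API in its tuple is imported.
CAPABILITIES = {
    "self-unpack (allocates and re-protects memory)": ("VirtualAlloc", "VirtualProtect"),
    "spawns child process": ("CreateProcessW",),
    "token privilege adjustment": ("OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"),
    "can log off / reboot host": ("ExitWindowsEx",),
    "carries payload in PE resources": ("FindResourceW", "LoadResource", "LockResource", "SizeofResource"),
    "drops and deletes files": ("CreateFileW", "WriteFile", "DeleteFileW"),
    "queries registry": ("RegOpenKeyExW", "RegQueryValueExW"),
    "imports IsDebuggerPresent": ("IsDebuggerPresent",),
}


def capabilities(descriptors):
    imported = {f for _, funcs in descriptors for f in funcs}
    return sorted(tag for tag, apis in CAPABILITIES.items()
                  if all(api in imported for api in apis))


if __name__ == "__main__":
    iat = parse_iat(IAT_LISTING)
    print("descriptors:", len(iat), "imports:", sum(len(f) for _, f in iat))
    print("imphash:", imphash(iat))
    for tag in capabilities(iat):
        print(" -", tag)
```

Imphash is order-sensitive, so the check is simple: if the digest matches the imphash in the header, the listing above is complete and in import-descriptor order; if it does not, the listing was reordered or truncated before it reached the page. The capability scan also shows a limit of static triage on this sample: IsDebuggerPresent is not in the IAT, so the "Checks if process is being debugged" signature was observed at run time and is not visible from imports alone (GetProcAddress is imported, so late resolution is possible, but the table cannot tell you which way it was done).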
