ScreenShot
| Created | 2024.11.29 13:33 | Machine | s1_win7_x6403 |
| Filename | TcMBq5M.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 4 detected (AIDetectMalware, malicious, confidence, Farfli) | ||
| md5 | 5f602a88eb5e8abb43c9035585f8dbef | ||
| sha256 | 95b586a973d1b82e0ab59cd1127466d11fdf7fd352e10b52daa3e9a43d02d1f0 | ||
| ssdeep | 393216:SlV2QFCou5oFWb7Z5+Tv5dPoen3vCiYBAnxVXdx:kV2QF/a5+TYiDF/ | ||
| imphash | 4d363d3b473a6c355539abd95921390d | ||
| impfuzzy | 48:JOUcSpvEdTsQYbRqoH9swUwrkrha9xvCrwYUrUvZk78:JHcSpvEdTsQYoMSPwrkrGxvo7UrWt | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| watch | Deletes executed files from disk |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | File has been identified by 4 AntiVirus engines on VirusTotal as malicious |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
Rules (21cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| warning | PDF_Suspicious_Link_Z | PDF Suspicious Link | binaries (download) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET INFO Browser Automation Toolkit in DNS Lookup (bablosoft .com)
ET MALWARE Observed DNS Query to bablosoft Domain (downloads .bablosoft .com)
ET INFO Browser Automation Toolkit in TLS SNI (bablosoft .com)
ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)
ET MALWARE Observed DNS Query to bablosoft Domain (downloads .bablosoft .com)
ET INFO Browser Automation Toolkit in TLS SNI (bablosoft .com)
ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x658000 CreateFileW
0x658004 CloseHandle
0x658008 WriteFile
0x65800c DeleteFileW
0x658010 HeapDestroy
0x658014 HeapSize
0x658018 HeapReAlloc
0x65801c HeapFree
0x658020 HeapAlloc
0x658024 GetProcessHeap
0x658028 SizeofResource
0x65802c LockResource
0x658030 LoadResource
0x658034 FindResourceW
0x658038 FindResourceExW
0x65803c CreateEventExW
0x658040 WaitForSingleObject
0x658044 CreateProcessW
0x658048 GetLastError
0x65804c GetExitCodeProcess
0x658050 SetEvent
0x658054 RemoveDirectoryW
0x658058 GetProcAddress
0x65805c GetModuleHandleW
0x658060 GetWindowsDirectoryW
0x658064 CreateDirectoryW
0x658068 GetTempPathW
0x65806c GetTempFileNameW
0x658070 MoveFileW
0x658074 EnterCriticalSection
0x658078 LeaveCriticalSection
0x65807c GetModuleFileNameW
0x658080 DeleteCriticalSection
0x658084 InitializeCriticalSectionAndSpinCount
0x658088 GetCurrentThreadId
0x65808c RaiseException
0x658090 SetLastError
0x658094 GlobalUnlock
0x658098 GlobalLock
0x65809c GlobalAlloc
0x6580a0 MulDiv
0x6580a4 lstrcmpW
0x6580a8 CreateEventW
0x6580ac FindClose
0x6580b0 FindFirstFileW
0x6580b4 GetFullPathNameW
0x6580b8 InitializeCriticalSection
0x6580bc lstrcpynW
0x6580c0 CreateThread
0x6580c4 LoadLibraryExW
0x6580c8 GetCurrentProcess
0x6580cc Sleep
0x6580d0 WideCharToMultiByte
0x6580d4 GetDiskFreeSpaceExW
0x6580d8 DecodePointer
0x6580dc GetExitCodeThread
0x6580e0 GetCurrentProcessId
0x6580e4 FreeLibrary
0x6580e8 GetSystemDirectoryW
0x6580ec lstrlenW
0x6580f0 VerifyVersionInfoW
0x6580f4 VerSetConditionMask
0x6580f8 lstrcmpiW
0x6580fc LoadLibraryW
0x658100 GetDriveTypeW
0x658104 CompareStringW
0x658108 FindNextFileW
0x65810c GetLogicalDriveStringsW
0x658110 GetFileSize
0x658114 GetFileAttributesW
0x658118 GetShortPathNameW
0x65811c SetFileAttributesW
0x658120 GetFileTime
0x658124 CopyFileW
0x658128 ReadFile
0x65812c SetFilePointer
0x658130 SetFileTime
0x658134 SystemTimeToFileTime
0x658138 MultiByteToWideChar
0x65813c GetSystemInfo
0x658140 WaitForMultipleObjects
0x658144 GetVersionExW
0x658148 VirtualProtect
0x65814c VirtualQuery
0x658150 LoadLibraryExA
0x658154 GetStringTypeW
0x658158 LocalFree
0x65815c LocalAlloc
0x658160 SetUnhandledExceptionFilter
0x658164 FileTimeToSystemTime
0x658168 GetEnvironmentVariableW
0x65816c GetSystemTime
0x658170 GetDateFormatW
0x658174 GetTimeFormatW
0x658178 GetLocaleInfoW
0x65817c CreateToolhelp32Snapshot
0x658180 Process32FirstW
0x658184 Process32NextW
0x658188 FormatMessageW
0x65818c GetEnvironmentStringsW
0x658190 InitializeCriticalSectionEx
0x658194 LoadLibraryA
0x658198 GetModuleFileNameA
0x65819c GetCurrentThread
0x6581a0 GetConsoleOutputCP
0x6581a4 FlushFileBuffers
0x6581a8 Wow64DisableWow64FsRedirection
0x6581ac Wow64RevertWow64FsRedirection
0x6581b0 IsWow64Process
0x6581b4 SetConsoleTextAttribute
0x6581b8 GetStdHandle
0x6581bc GetConsoleScreenBufferInfo
0x6581c0 OutputDebugStringW
0x6581c4 GetTickCount
0x6581c8 GetCommandLineW
0x6581cc SetCurrentDirectoryW
0x6581d0 SetEndOfFile
0x6581d4 EnumResourceLanguagesW
0x6581d8 GetSystemDefaultLangID
0x6581dc GetUserDefaultLangID
0x6581e0 GetLocalTime
0x6581e4 ResetEvent
0x6581e8 GlobalFree
0x6581ec GetPrivateProfileStringW
0x6581f0 GetPrivateProfileSectionNamesW
0x6581f4 WritePrivateProfileStringW
0x6581f8 CreateNamedPipeW
0x6581fc ConnectNamedPipe
0x658200 TerminateThread
0x658204 CompareFileTime
0x658208 CopyFileExW
0x65820c OpenEventW
0x658210 PeekNamedPipe
0x658214 WaitForSingleObjectEx
0x658218 QueryPerformanceCounter
0x65821c QueryPerformanceFrequency
0x658220 EncodePointer
0x658224 LCMapStringEx
0x658228 CompareStringEx
0x65822c GetCPInfo
0x658230 GetSystemTimeAsFileTime
0x658234 IsDebuggerPresent
0x658238 InitializeSListHead
0x65823c InterlockedPopEntrySList
0x658240 InterlockedPushEntrySList
0x658244 FlushInstructionCache
0x658248 IsProcessorFeaturePresent
0x65824c VirtualAlloc
0x658250 VirtualFree
0x658254 UnhandledExceptionFilter
0x658258 TerminateProcess
0x65825c GetStartupInfoW
0x658260 RtlUnwind
0x658264 TlsAlloc
0x658268 TlsGetValue
0x65826c TlsSetValue
0x658270 TlsFree
0x658274 ExitThread
0x658278 FreeLibraryAndExitThread
0x65827c GetModuleHandleExW
0x658280 ExitProcess
0x658284 GetFileType
0x658288 LCMapStringW
0x65828c IsValidLocale
0x658290 GetUserDefaultLCID
0x658294 EnumSystemLocalesW
0x658298 GetTimeZoneInformation
0x65829c GetConsoleMode
0x6582a0 GetFileSizeEx
0x6582a4 SetFilePointerEx
0x6582a8 FindFirstFileExW
0x6582ac IsValidCodePage
0x6582b0 GetACP
0x6582b4 GetOEMCP
0x6582b8 GetCommandLineA
0x6582bc FreeEnvironmentStringsW
0x6582c0 SetEnvironmentVariableW
0x6582c4 SetStdHandle
0x6582c8 ReadConsoleW
0x6582cc WriteConsoleW
0x6582d0 GetProcessAffinityMask
0x6582d4 GetModuleHandleA
0x6582d8 GlobalMemoryStatus
0x6582dc ReleaseSemaphore
0x6582e0 CreateSemaphoreW
EAT(Export Address Table) is none
KERNEL32.dll
0x658000 CreateFileW
0x658004 CloseHandle
0x658008 WriteFile
0x65800c DeleteFileW
0x658010 HeapDestroy
0x658014 HeapSize
0x658018 HeapReAlloc
0x65801c HeapFree
0x658020 HeapAlloc
0x658024 GetProcessHeap
0x658028 SizeofResource
0x65802c LockResource
0x658030 LoadResource
0x658034 FindResourceW
0x658038 FindResourceExW
0x65803c CreateEventExW
0x658040 WaitForSingleObject
0x658044 CreateProcessW
0x658048 GetLastError
0x65804c GetExitCodeProcess
0x658050 SetEvent
0x658054 RemoveDirectoryW
0x658058 GetProcAddress
0x65805c GetModuleHandleW
0x658060 GetWindowsDirectoryW
0x658064 CreateDirectoryW
0x658068 GetTempPathW
0x65806c GetTempFileNameW
0x658070 MoveFileW
0x658074 EnterCriticalSection
0x658078 LeaveCriticalSection
0x65807c GetModuleFileNameW
0x658080 DeleteCriticalSection
0x658084 InitializeCriticalSectionAndSpinCount
0x658088 GetCurrentThreadId
0x65808c RaiseException
0x658090 SetLastError
0x658094 GlobalUnlock
0x658098 GlobalLock
0x65809c GlobalAlloc
0x6580a0 MulDiv
0x6580a4 lstrcmpW
0x6580a8 CreateEventW
0x6580ac FindClose
0x6580b0 FindFirstFileW
0x6580b4 GetFullPathNameW
0x6580b8 InitializeCriticalSection
0x6580bc lstrcpynW
0x6580c0 CreateThread
0x6580c4 LoadLibraryExW
0x6580c8 GetCurrentProcess
0x6580cc Sleep
0x6580d0 WideCharToMultiByte
0x6580d4 GetDiskFreeSpaceExW
0x6580d8 DecodePointer
0x6580dc GetExitCodeThread
0x6580e0 GetCurrentProcessId
0x6580e4 FreeLibrary
0x6580e8 GetSystemDirectoryW
0x6580ec lstrlenW
0x6580f0 VerifyVersionInfoW
0x6580f4 VerSetConditionMask
0x6580f8 lstrcmpiW
0x6580fc LoadLibraryW
0x658100 GetDriveTypeW
0x658104 CompareStringW
0x658108 FindNextFileW
0x65810c GetLogicalDriveStringsW
0x658110 GetFileSize
0x658114 GetFileAttributesW
0x658118 GetShortPathNameW
0x65811c SetFileAttributesW
0x658120 GetFileTime
0x658124 CopyFileW
0x658128 ReadFile
0x65812c SetFilePointer
0x658130 SetFileTime
0x658134 SystemTimeToFileTime
0x658138 MultiByteToWideChar
0x65813c GetSystemInfo
0x658140 WaitForMultipleObjects
0x658144 GetVersionExW
0x658148 VirtualProtect
0x65814c VirtualQuery
0x658150 LoadLibraryExA
0x658154 GetStringTypeW
0x658158 LocalFree
0x65815c LocalAlloc
0x658160 SetUnhandledExceptionFilter
0x658164 FileTimeToSystemTime
0x658168 GetEnvironmentVariableW
0x65816c GetSystemTime
0x658170 GetDateFormatW
0x658174 GetTimeFormatW
0x658178 GetLocaleInfoW
0x65817c CreateToolhelp32Snapshot
0x658180 Process32FirstW
0x658184 Process32NextW
0x658188 FormatMessageW
0x65818c GetEnvironmentStringsW
0x658190 InitializeCriticalSectionEx
0x658194 LoadLibraryA
0x658198 GetModuleFileNameA
0x65819c GetCurrentThread
0x6581a0 GetConsoleOutputCP
0x6581a4 FlushFileBuffers
0x6581a8 Wow64DisableWow64FsRedirection
0x6581ac Wow64RevertWow64FsRedirection
0x6581b0 IsWow64Process
0x6581b4 SetConsoleTextAttribute
0x6581b8 GetStdHandle
0x6581bc GetConsoleScreenBufferInfo
0x6581c0 OutputDebugStringW
0x6581c4 GetTickCount
0x6581c8 GetCommandLineW
0x6581cc SetCurrentDirectoryW
0x6581d0 SetEndOfFile
0x6581d4 EnumResourceLanguagesW
0x6581d8 GetSystemDefaultLangID
0x6581dc GetUserDefaultLangID
0x6581e0 GetLocalTime
0x6581e4 ResetEvent
0x6581e8 GlobalFree
0x6581ec GetPrivateProfileStringW
0x6581f0 GetPrivateProfileSectionNamesW
0x6581f4 WritePrivateProfileStringW
0x6581f8 CreateNamedPipeW
0x6581fc ConnectNamedPipe
0x658200 TerminateThread
0x658204 CompareFileTime
0x658208 CopyFileExW
0x65820c OpenEventW
0x658210 PeekNamedPipe
0x658214 WaitForSingleObjectEx
0x658218 QueryPerformanceCounter
0x65821c QueryPerformanceFrequency
0x658220 EncodePointer
0x658224 LCMapStringEx
0x658228 CompareStringEx
0x65822c GetCPInfo
0x658230 GetSystemTimeAsFileTime
0x658234 IsDebuggerPresent
0x658238 InitializeSListHead
0x65823c InterlockedPopEntrySList
0x658240 InterlockedPushEntrySList
0x658244 FlushInstructionCache
0x658248 IsProcessorFeaturePresent
0x65824c VirtualAlloc
0x658250 VirtualFree
0x658254 UnhandledExceptionFilter
0x658258 TerminateProcess
0x65825c GetStartupInfoW
0x658260 RtlUnwind
0x658264 TlsAlloc
0x658268 TlsGetValue
0x65826c TlsSetValue
0x658270 TlsFree
0x658274 ExitThread
0x658278 FreeLibraryAndExitThread
0x65827c GetModuleHandleExW
0x658280 ExitProcess
0x658284 GetFileType
0x658288 LCMapStringW
0x65828c IsValidLocale
0x658290 GetUserDefaultLCID
0x658294 EnumSystemLocalesW
0x658298 GetTimeZoneInformation
0x65829c GetConsoleMode
0x6582a0 GetFileSizeEx
0x6582a4 SetFilePointerEx
0x6582a8 FindFirstFileExW
0x6582ac IsValidCodePage
0x6582b0 GetACP
0x6582b4 GetOEMCP
0x6582b8 GetCommandLineA
0x6582bc FreeEnvironmentStringsW
0x6582c0 SetEnvironmentVariableW
0x6582c4 SetStdHandle
0x6582c8 ReadConsoleW
0x6582cc WriteConsoleW
0x6582d0 GetProcessAffinityMask
0x6582d4 GetModuleHandleA
0x6582d8 GlobalMemoryStatus
0x6582dc ReleaseSemaphore
0x6582e0 CreateSemaphoreW
EAT(Export Address Table) is none