Field | Value |
---|---|
Created | 2025.03.30 14:04 |
Machine | s1_win7_x6403 |
Filename | build.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
ZERO API | file : malware |
VT API (file) | 48 detected (GenericML, Malicious, score, Lazy, Unsafe, Save, confidence, 100%, Attribute, HighConfidence, high confidence, Kryptik, MalwareX, CLOUD, bqrtq, moderate, Detected, Wacatac, ABTrojan, EIUQ, R687895, Artemis, R002H09CN25, Gencirc, susgen, xlgf) |
md5 | bcca205d6c8b5fa229dac59542122a0d |
sha256 | 68d0b02b31f5a6b51f8fdb02037242b4a6d754b3a258b18513159f5bb1be9352 |
ssdeep | 49152:TzTGffNVFmJpUBEjCchyV62n+xarDmBNdgMUXjZOQEuxbACd84wxfjrQiG0TW6lP:KsOvHZGgo |
imphash | cb896cc131f330cdee60d6baa952b83a |
impfuzzy | 12:omRq1W9DbW8oARLAYPXJlCqAG7uMHKrbJqc9j9P:Fk1W9DbWyLVziMMtqc9JP |
Signature (11cnts)
Level | Description |
---|---|
danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client software |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Queries for the computername |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x1402f1178 RegCreateKeyExW
0x1402f1180 RegQueryValueExW
KERNEL32.dll
0x1402f1190 GetACP
0x1402f1198 GetComputerNameW
0x1402f11a0 GetProcAddress
0x1402f11a8 GetProfileStringW
0x1402f11b0 InitializeCriticalSection
0x1402f11b8 LoadLibraryA
0x1402f11c0 SetUnhandledExceptionFilter
0x1402f11c8 Sleep
0x1402f11d0 TlsAlloc
0x1402f11d8 TlsGetValue
0x1402f11e0 TlsSetValue
0x1402f11e8 VirtualFree
0x1402f11f0 VirtualProtect
0x1402f11f8 VirtualProtectEx
0x1402f1200 VirtualQuery
0x1402f1208 VirtualUnlock
msvcrt.dll
0x1402f1218 __C_specific_handler
0x1402f1220 atexit
0x1402f1228 calloc
0x1402f1230 exit
0x1402f1238 free
0x1402f1240 malloc
0x1402f1248 memcpy
0x1402f1250 memset
0x1402f1258 realloc
0x1402f1260 signal
USER32.dll
0x1402f1270 DispatchMessageW
0x1402f1278 SystemParametersInfoW
EAT (Export Address Table): none
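A practitioner will usually want to check the report's imphash against the binary rather than trust the field, and to understand what that hash actually fingerprints. The following is an added example, not part of the sandbox report or its tooling: it reimplements the imphash recipe that pefile's `PE.get_imphash()` uses (lowercase the library name, drop a `.dll`/`.ocx`/`.sys` suffix, join `dll.func` pairs with commas in import-directory order, MD5 the result) and feeds it the IAT listing exactly as printed above. It assumes that listing is complete and in the same order pefile would enumerate it, and it simplifies ordinal handling to the generic `ordN` form (pefile additionally maps known ordinals for a few DLLs such as ws2_32.dll and oleaut32.dll to names). If the computed value does not equal the page's `cb896cc131f330cdee60d6baa952b83a`, compare against `pefile.PE("build.exe").get_imphash()` on the sample itself before drawing any conclusion.

```python
"""Recompute an imphash from a sandbox report's IAT listing (added example)."""
import hashlib
import re

# IAT transcribed from the report above (the page's listing, not a fresh
# parse of build.exe); its order is assumed to match the import directory.
REPORT_IAT = """\
ADVAPI32.dll
0x1402f1178 RegCreateKeyExW
0x1402f1180 RegQueryValueExW
KERNEL32.dll
0x1402f1190 GetACP
0x1402f1198 GetComputerNameW
0x1402f11a0 GetProcAddress
0x1402f11a8 GetProfileStringW
0x1402f11b0 InitializeCriticalSection
0x1402f11b8 LoadLibraryA
0x1402f11c0 SetUnhandledExceptionFilter
0x1402f11c8 Sleep
0x1402f11d0 TlsAlloc
0x1402f11d8 TlsGetValue
0x1402f11e0 TlsSetValue
0x1402f11e8 VirtualFree
0x1402f11f0 VirtualProtect
0x1402f11f8 VirtualProtectEx
0x1402f1200 VirtualQuery
0x1402f1208 VirtualUnlock
msvcrt.dll
0x1402f1218 __C_specific_handler
0x1402f1220 atexit
0x1402f1228 calloc
0x1402f1230 exit
0x1402f1238 free
0x1402f1240 malloc
0x1402f1248 memcpy
0x1402f1250 memset
0x1402f1258 realloc
0x1402f1260 signal
USER32.dll
0x1402f1270 DispatchMessageW
0x1402f1278 SystemParametersInfoW
"""

REPORTED_IMPHASH = "cb896cc131f330cdee60d6baa952b83a"  # value printed on the page

# pefile strips exactly these suffixes from the library name before hashing.
_IMPORT_SUFFIXES = ("dll", "ocx", "sys")
_ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_report_iat(text):
    """Turn 'DLL name' / '0xADDR Func' lines into [(dll, [func, ...]), ...]."""
    libs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if m is None:            # a bare line starts a new DLL block
            libs.append((line, []))
        elif not libs:
            raise ValueError("import entry before any DLL name: %r" % line)
        else:
            libs[-1][1].append(m.group(1))
    return libs


def normalize_dll(name):
    """Lowercase and drop a .dll/.ocx/.sys suffix; other suffixes are kept."""
    name = name.lower()
    stem, sep, ext = name.rpartition(".")
    return stem if sep and ext in _IMPORT_SUFFIXES else name


def imphash_string(libs):
    """Build the comma-joined 'dll.func' string that gets MD5'd."""
    parts = []
    for dll, funcs in libs:
        lib = normalize_dll(dll)
        for func in funcs:
            if isinstance(func, int):
                # Simplification (assumption): pefile first tries to resolve
                # known ordinals (ws2_32.dll, oleaut32.dll, ...) to names and
                # only then falls back to 'ordN'; this example always uses 'ordN'.
                func = "ord%d" % func
            parts.append("%s.%s" % (lib, func.lower()))
    return ",".join(parts)


def imphash(libs):
    """MD5 of the normalized import string, as pefile.PE.get_imphash() does."""
    return hashlib.md5(imphash_string(libs).encode("ascii")).hexdigest()


def check_report(text=REPORT_IAT, reported=REPORTED_IMPHASH):
    """Return (computed_imphash, matches_reported) for the report's listing."""
    computed = imphash(parse_report_iat(text))
    return computed, computed == reported


if __name__ == "__main__":
    computed, ok = check_report()
    print("imphash from listing:", computed)
    print("matches report:", ok,
          "(if False, run pefile.PE(path).get_imphash() on the sample)")
```

Note what this IAT says about the hash's value as a pivot: with only LoadLibraryA, GetProcAddress, the Virtual* family and CRT helpers statically imported, the imphash fingerprints the unpacking stub, not the payload. The API surface behind the behaviours the sandbox recorded (mail and FTP credential access, HTTP POSTs) is resolved at runtime after the RWX allocation noted above, so it is only visible dynamically or after dumping the unpacked image.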