Field | Value |
---|---|
Created | 2025.04.29 10:31 |
Machine | s1_win7_x6401 |
Filename | Finance.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 51 detected (AIDetectMalware, Malicious, score, Unsafe, Boxter, Save, confidence, Dnldr24, BBST, Attribute, HighConfidence, high confidence, a variant of Generik, KSCCFWO, Badur, PowerShell, MeterpreterShellCode, CLOUD, AGEN, SpyBot, Cometer, high, Static AI, Suspicious PE, cbdzv, Detected, SchoolBoy, Gandcrab, Wacatac, Kryptik, Artemis, R002H09DS25, GenAsa, VpprgU3GNoU, susgen) |
md5 | 70dbf2129ad10943c505dfc8f75a0e12 |
sha256 | 6f783fddc42681870d2a3184acff7a68833c212b7e8e34c5b92aee88f16d66f7 |
ssdeep | 3072:Jpvb7RV/8hhb3dLUK94IgqHniOSyaZoc7QNPnP9TBfWSE6j:z9VkhhrdYK94IgqHniOSyaZoc7QNPnPD |
imphash | 13c32f913271e5cf427548b785e74521 |
impfuzzy | 48:Y/aG/qexWBCp51GN1OI4knlUYQOrSZ/gln6g/KAwEUEkE/1WSY+09AFXEvyAobFn:YCmqexYCp51GN1h4knlZk6FNwy |
Network IP location
Signature (32cnts)
Level | Description |
---|---|
danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Creates a suspicious Powershell process |
watch | Deletes executed files from disk |
watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
watch | One or more non-whitelisted processes were created |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Powershell is sending data to a remote host |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | URL downloaded by powershell script |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Uses Windows APIs to generate a cryptographic key |
Rules (18cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Is_DotNET_DLL | (no description) | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
PE API
IAT (Import Address Table) Library
msvcrt.dll
0x14001d6d8 memset
0x14001d6e0 wcsncmp
0x14001d6e8 memmove
0x14001d6f0 wcsncpy
0x14001d6f8 wcsstr
0x14001d700 _wcsnicmp
0x14001d708 _wcsicmp
0x14001d710 wcslen
0x14001d718 wcscpy
0x14001d720 wcscmp
0x14001d728 memcpy
0x14001d730 tolower
0x14001d738 wcscat
0x14001d740 malloc
0x14001d748 free
KERNEL32.dll
0x14001d758 GetModuleHandleW
0x14001d760 HeapCreate
0x14001d768 GetStdHandle
0x14001d770 HeapDestroy
0x14001d778 ExitProcess
0x14001d780 WriteFile
0x14001d788 LoadLibraryExW
0x14001d790 EnumResourceTypesW
0x14001d798 FreeLibrary
0x14001d7a0 RemoveDirectoryW
0x14001d7a8 GetExitCodeProcess
0x14001d7b0 EnumResourceNamesW
0x14001d7b8 GetCommandLineW
0x14001d7c0 LoadResource
0x14001d7c8 SizeofResource
0x14001d7d0 FreeResource
0x14001d7d8 FindResourceW
0x14001d7e0 GetShortPathNameW
0x14001d7e8 GetTempFileNameW
0x14001d7f0 EnterCriticalSection
0x14001d7f8 CloseHandle
0x14001d800 LeaveCriticalSection
0x14001d808 InitializeCriticalSection
0x14001d810 WaitForSingleObject
0x14001d818 TerminateThread
0x14001d820 CreateThread
0x14001d828 Sleep
0x14001d830 WideCharToMultiByte
0x14001d838 HeapAlloc
0x14001d840 HeapFree
0x14001d848 LoadLibraryW
0x14001d850 GetProcAddress
0x14001d858 GetCurrentProcessId
0x14001d860 GetCurrentThreadId
0x14001d868 GetModuleFileNameW
0x14001d870 GetEnvironmentVariableW
0x14001d878 SetEnvironmentVariableW
0x14001d880 GetCurrentProcess
0x14001d888 TerminateProcess
0x14001d890 RtlLookupFunctionEntry
0x14001d898 RtlVirtualUnwind
0x14001d8a0 RemoveVectoredExceptionHandler
0x14001d8a8 AddVectoredExceptionHandler
0x14001d8b0 HeapSize
0x14001d8b8 MultiByteToWideChar
0x14001d8c0 CreateDirectoryW
0x14001d8c8 SetFileAttributesW
0x14001d8d0 DeleteFileW
0x14001d8d8 GetCurrentDirectoryW
0x14001d8e0 SetCurrentDirectoryW
0x14001d8e8 GetTempPathW
0x14001d8f0 CreateFileW
0x14001d8f8 SetFilePointer
0x14001d900 TlsFree
0x14001d908 TlsGetValue
0x14001d910 TlsSetValue
0x14001d918 TlsAlloc
0x14001d920 HeapReAlloc
0x14001d928 DeleteCriticalSection
0x14001d930 GetLastError
0x14001d938 SetLastError
0x14001d940 UnregisterWait
0x14001d948 GetCurrentThread
0x14001d950 DuplicateHandle
0x14001d958 RegisterWaitForSingleObject
SHELL32.DLL
0x14001d968 ShellExecuteExW
0x14001d970 SHGetFolderLocation
0x14001d978 SHGetPathFromIDListW
WINMM.DLL
0x14001d988 timeBeginPeriod
OLE32.DLL
0x14001d998 CoInitialize
0x14001d9a0 CoTaskMemFree
SHLWAPI.DLL
0x14001d9b0 PathQuoteSpacesW
0x14001d9b8 PathAddBackslashW
0x14001d9c0 PathRemoveBackslashW
0x14001d9c8 PathRemoveArgsW
0x14001d9d0 PathRenameExtensionW
USER32.DLL
0x14001d9e0 CharUpperW
0x14001d9e8 CharLowerW
0x14001d9f0 MessageBoxW
0x14001d9f8 SendMessageW
0x14001da00 PostMessageW
0x14001da08 DefWindowProcW
0x14001da10 GetWindowLongPtrW
0x14001da18 GetWindowTextLengthW
0x14001da20 GetWindowTextW
0x14001da28 EnableWindow
0x14001da30 DestroyWindow
0x14001da38 UnregisterClassW
0x14001da40 LoadIconW
0x14001da48 LoadCursorW
0x14001da50 RegisterClassExW
0x14001da58 IsWindowEnabled
0x14001da60 GetSystemMetrics
0x14001da68 CreateWindowExW
0x14001da70 SetWindowLongPtrW
0x14001da78 SetFocus
0x14001da80 CreateAcceleratorTableW
0x14001da88 SetForegroundWindow
0x14001da90 BringWindowToTop
0x14001da98 GetMessageW
0x14001daa0 TranslateAcceleratorW
0x14001daa8 TranslateMessage
0x14001dab0 DispatchMessageW
0x14001dab8 DestroyAcceleratorTable
0x14001dac0 GetForegroundWindow
0x14001dac8 GetWindowThreadProcessId
0x14001dad0 IsWindowVisible
0x14001dad8 EnumWindows
0x14001dae0 SetWindowPos
GDI32.DLL
0x14001daf0 GetStockObject
COMCTL32.DLL
0x14001db00 InitCommonControlsEx
EAT (Export Address Table) is none