Field | Value |
---|---|
Created | 2021.03.09 11:06 |
Machine | s1_win7_x3201 |
Filename | Practical2.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 52 detected (AIDetect, malware2, malicious, high confidence, DownLoader36, Razy, Unsafe, AveMaria, confidence, 100%, Kryptik, Eldorado, Attribute, HighConfidence, HIDW, idremq, Gencirc, MortyStealer, njjtp, Artemis, ai score=88, score, R357891, GenericRXAA, BScope, GdSda, R002C0DBO21, CLOUD, Vjki3TH2T+g, RATX, HgIASPoA) |
md5 | 971a3320179e0494fdb70b138ada2446 |
sha256 | 9633d0564a2b8f1b4c6e718ae7ab48be921d435236a403cf5e7ddfbfd4283382 |
ssdeep | 12288:hkhSL4pH7FYiIiicuueTh9yeJWrpDz29Wa+QB1t6gMvlTpa6NYjHhtkaJN:h72Z/8VWrpn2ZF1Ea1jBH |
imphash | f396b39dbfa473ab2b7180d955fdc740 |
impfuzzy | 48:BV2gcYgZW+5mE2Ye2TNPtDSui3GTn1d1QU9vwt8tLuESECAC54voHlx0vG/1Szy7:BV2gclWqe2JPtDSeNN00zykPOQ7Qkm |
Signature (15cnts)
Level | Description |
---|---|
danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
warning | Generates some ICMP traffic |
watch | Attempts to remove evidence of file being downloaded from the Internet |
watch | Communicates with host for which no DNS query was performed |
watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | One or more processes crashed |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
Rules (55cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | infoStealer_emailClients_Zero | email clients info stealer | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | bitcoin | Perform crypto currency mining | memory |
info | create_com_service | Create a COM server | memory |
info | create_service | Create a windows service | memory |
info | cred_local | Steal credential | memory |
info | escalate_priv | Escalate privileges | memory |
info | HasDebugData | DebugData Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | hijack_network | Hijack network configuration | memory |
info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
info | IsConsole | (no description) | binaries (upload) |
info | keylogger | Run a keylogger | memory |
info | migrate_apc | APC queue tasks migration | memory |
info | network_dga | Communication using DGA | memory |
info | network_dns | Communications use DNS | memory |
info | network_dropper | File downloader/dropper | memory |
info | network_ftp | Communications over FTP | memory |
info | network_http | Communications over HTTP | memory |
info | network_p2p_win | Communications over P2P network | memory |
info | network_tcp_listen | Listen for incoming communication | memory |
info | network_tcp_socket | Communications over RAW socket | memory |
info | network_udp_sock | Communications over UDP network | memory |
info | screenshot | Take screenshot | binaries (upload) |
info | screenshot | Take screenshot | memory |
info | sniff_audio | Record Audio | memory |
info | spreading_file | Malware can spread east-west file | memory |
info | spreading_share | Malware can spread east-west using share drive | memory |
info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_files_operation | Affect private profile | memory |
info | win_mutex | Create or check mutex | memory |
info | win_private_profile | Affect private profile | memory |
info | win_registry | Affect system registries | binaries (upload) |
info | win_registry | Affect system registries | memory |
info | win_token | Affect system token | memory |
Network (4cnts)
Suricata ids
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x55f070 HeapReAlloc
0x55f074 HeapFree
0x55f078 HeapSize
0x55f07c GetProcessHeap
0x55f080 InitializeCriticalSectionEx
0x55f084 DeleteCriticalSection
0x55f088 SetEvent
0x55f08c WaitForSingleObject
0x55f090 CreateEventA
0x55f094 Sleep
0x55f098 CreateThread
0x55f09c GetCurrentThreadId
0x55f0a0 VirtualAlloc
0x55f0a4 VirtualProtect
0x55f0a8 GetModuleFileNameA
0x55f0ac GetModuleHandleA
0x55f0b0 GetModuleHandleW
0x55f0b4 GetProcAddress
0x55f0b8 MultiByteToWideChar
0x55f0bc WideCharToMultiByte
0x55f0c0 FreeConsole
0x55f0c4 EnterCriticalSection
0x55f0c8 LeaveCriticalSection
0x55f0cc ReadConsoleW
0x55f0d0 ReadFile
0x55f0d4 HeapAlloc
0x55f0d8 GetConsoleMode
0x55f0dc GetConsoleCP
0x55f0e0 SetFilePointerEx
0x55f0e4 GetFileSizeEx
0x55f0e8 GetStringTypeW
0x55f0ec SetStdHandle
0x55f0f0 HeapQueryInformation
0x55f0f4 SetEnvironmentVariableW
0x55f0f8 FreeEnvironmentStringsW
0x55f0fc GetEnvironmentStringsW
0x55f100 GetCPInfo
0x55f104 GetOEMCP
0x55f108 GetACP
0x55f10c IsValidCodePage
0x55f110 FindNextFileW
0x55f114 FindFirstFileExW
0x55f118 FindClose
0x55f11c GetCurrentThread
0x55f120 SetConsoleCtrlHandler
0x55f124 WriteConsoleW
0x55f128 GetFileType
0x55f12c EnumSystemLocalesW
0x55f130 GetUserDefaultLCID
0x55f134 IsValidLocale
0x55f138 GetLocaleInfoW
0x55f13c LCMapStringW
0x55f140 HeapDestroy
0x55f144 GetLastError
0x55f148 SetLastError
0x55f14c RaiseException
0x55f150 CloseHandle
0x55f154 DecodePointer
0x55f158 FlushFileBuffers
0x55f15c GetCommandLineA
0x55f160 CompareStringW
0x55f164 GetTimeFormatW
0x55f168 GetDateFormatW
0x55f16c GetCommandLineW
0x55f170 WriteFile
0x55f174 GetStdHandle
0x55f178 HeapValidate
0x55f17c ExitProcess
0x55f180 GetModuleHandleExW
0x55f184 GetModuleFileNameW
0x55f188 GetSystemInfo
0x55f18c LoadLibraryExW
0x55f190 FreeLibrary
0x55f194 CreateFileW
0x55f198 TlsFree
0x55f19c TlsSetValue
0x55f1a0 TlsGetValue
0x55f1a4 TlsAlloc
0x55f1a8 VirtualQuery
0x55f1ac InterlockedFlushSList
0x55f1b0 RtlUnwind
0x55f1b4 TerminateProcess
0x55f1b8 IsDebuggerPresent
0x55f1bc OutputDebugStringW
0x55f1c0 EncodePointer
0x55f1c4 InitializeSListHead
0x55f1c8 InterlockedPopEntrySList
0x55f1cc InterlockedPushEntrySList
0x55f1d0 GetCurrentProcess
0x55f1d4 FlushInstructionCache
0x55f1d8 IsProcessorFeaturePresent
0x55f1dc VirtualFree
0x55f1e0 LoadLibraryExA
0x55f1e4 InitializeCriticalSectionAndSpinCount
0x55f1e8 ResetEvent
0x55f1ec WaitForSingleObjectEx
0x55f1f0 CreateEventW
0x55f1f4 UnhandledExceptionFilter
0x55f1f8 SetUnhandledExceptionFilter
0x55f1fc GetStartupInfoW
0x55f200 QueryPerformanceCounter
0x55f204 GetCurrentProcessId
0x55f208 GetSystemTimeAsFileTime
USER32.dll
0x55f2e8 MoveWindow
0x55f2ec GetMessageA
0x55f2f0 TranslateMessage
0x55f2f4 DispatchMessageA
0x55f2f8 PostThreadMessageA
0x55f2fc UnregisterClassA
0x55f300 CharUpperA
0x55f304 CharNextA
0x55f308 CharNextW
0x55f30c SetWindowLongA
0x55f310 GetWindowLongA
0x55f314 GetWindowRect
0x55f318 MessageBoxA
0x55f31c GetWindowTextLengthA
0x55f320 GetWindowTextA
0x55f324 SetWindowTextA
0x55f328 ReleaseDC
0x55f32c GetDC
0x55f330 SetFocus
0x55f334 GetClientRect
0x55f338 IsWindow
0x55f33c CreateWindowExA
0x55f340 GetClassInfoExA
0x55f344 RegisterClassExA
0x55f348 CallWindowProcA
0x55f34c DefWindowProcA
0x55f350 SendMessageA
GDI32.dll
0x55f03c SelectObject
0x55f040 GetTextMetricsA
ADVAPI32.dll
0x55f000 RegOpenKeyExA
0x55f004 RegDeleteKeyA
0x55f008 RegCloseKey
0x55f00c RegQueryInfoKeyA
ole32.dll
0x55f394 CoInitialize
0x55f398 CoUninitialize
0x55f39c CoRegisterClassObject
0x55f3a0 CoRevokeClassObject
0x55f3a4 CoResumeClassObjects
0x55f3a8 CoAddRefServerProcess
0x55f3ac CoReleaseServerProcess
0x55f3b0 CoCreateInstance
0x55f3b4 StringFromGUID2
OLEAUT32.dll
0x55f288 VariantChangeType
0x55f28c VariantCopy
0x55f290 VariantClear
0x55f294 VariantInit
0x55f298 SysAllocStringLen
0x55f29c UnRegisterTypeLib
0x55f2a0 RegisterTypeLib
0x55f2a4 SysStringLen
0x55f2a8 SysFreeString
0x55f2ac SysAllocString
0x55f2b0 LoadTypeLib
EAT (Export Address Table) is none