ScreenShot
| Created | 2021.03.09 11:08 | Machine | s1_win7_x6401 |
| Filename | idman623build12_ws1032687615.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 60 detected (Sality, malicious, high confidence, confidence, 100%, gen2, beygb, SaliCode, CLASSIC, gen@1egj5j, Sector, R + Mal, Static AI, Suspicious PE, HLLP, Kuku, poly2, ai score=100, score, Kashu, bakc, TuTu, FileInfector) | ||
| md5 | 14ad7cf3de11bae58071e0e4cc2ab285 | ||
| sha256 | 7d0c6a122569bd9c1d9e7ce1027e46a8ccedf0a99d429bb2756e35b64c9274fd | ||
| ssdeep | 196608:K7k1cL5p/FkQTTGFm1V9xKqp0ALSk/qUPbSLnRARWZ6+riBG/FFU:Ck1GQQUm1V9AmT2kV2ARkHicFFU | ||
| imphash | bf33765b3ad3b105c0b29bcf6093d0c2 | ||
| impfuzzy | 48:nx0dcG7xX4CJgavm9jQ+5koKvKQ/uACX3GT3nB1q/yq:nrG7xX4qgQmNQ+554il | ||
Network IP location
Signature (35cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
| danger | Disables Windows Security features |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to modify Explorer settings to prevent hidden files from being displayed |
| watch | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
| watch | Deletes a large number of files from the system indicative of ransomware |
| watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
| watch | Installs a Browser Helper Object to thwart the users browsing experience |
| watch | Installs itself for autorun at Windows startup |
| watch | Manipulates memory of a non-child process indicative of process injection |
| watch | Modifies security center warnings |
| watch | Operates on local firewall's policies and settings |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | One or more potentially interesting buffers were extracted |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (89cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
| danger | Win32_Trojan_Emotet_RL_Gen_Zero | Win32 Trojan Emotet | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (download) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_antivirus | Disable AntiVirus | memory |
| info | disable_dep | Bypass DEP | memory |
| info | disable_firewall | Disable Firewall | memory |
| info | disable_registry | Disable Registry editor | memory |
| info | disable_taskmanager | Disable Task Manager | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | binaries (download) |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | hijack_network | Hijack network configuration | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsConsole | (no description) | binaries (download) |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | binaries (download) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | binaries (download) |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | binaries (download) |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | binaries (download) |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | binaries (download) |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (download) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (download) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | binaries (download) |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | binaries (download) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | binaries (download) |
| info | win_token | Affect system token | memory |
PE API
IAT(Import Address Table) Library
MSVCRT.dll
0x401098 _controlfp
0x40109c __set_app_type
0x4010a0 __p__fmode
0x4010a4 __p__commode
0x4010a8 _adjust_fdiv
0x4010ac _wsplitpath
0x4010b0 __setusermatherr
0x4010b4 _initterm
0x4010b8 __getmainargs
0x4010bc _acmdln
0x4010c0 exit
0x4010c4 _XcptFilter
0x4010c8 _exit
0x4010cc free
0x4010d0 calloc
0x4010d4 memcpy
0x4010d8 _except_handler3
0x4010dc memchr
0x4010e0 memcmp
0x4010e4 _itoa
0x4010e8 strlen
0x4010ec ??2@YAPAXI@Z
0x4010f0 ??3@YAXPAX@Z
0x4010f4 wcsstr
0x4010f8 strstr
0x4010fc wcschr
0x401100 wcslen
0x401104 wcscat
0x401108 memset
0x40110c wcsncpy
0x401110 __CxxFrameHandler
0x401114 wcscpy
KERNEL32.dll
0x401014 GetStartupInfoA
0x401018 GetFileSize
0x40101c CreateFileMappingA
0x401020 GetFileTime
0x401024 SetFileTime
0x401028 MapViewOfFile
0x40102c ExitThread
0x401030 UnmapViewOfFile
0x401034 FormatMessageA
0x401038 CreateFileW
0x40103c SetFilePointer
0x401040 WriteFile
0x401044 lstrlenA
0x401048 LocalFree
0x40104c GetCurrentProcess
0x401050 WaitForSingleObject
0x401054 GetExitCodeThread
0x401058 GetModuleFileNameW
0x40105c CreateProcessW
0x401060 CloseHandle
0x401064 CreateMutexA
0x401068 ExitProcess
0x40106c GetTempPathW
0x401070 GetFileAttributesW
0x401074 CreateDirectoryW
0x401078 CreateThread
0x40107c LoadLibraryA
0x401080 FreeLibrary
0x401084 GetModuleHandleA
0x401088 GetDiskFreeSpaceW
0x40108c GetProcAddress
0x401090 GetLastError
USER32.dll
0x401128 SetForegroundWindow
0x40112c ShowWindow
0x401130 FindWindowA
0x401134 wsprintfA
0x401138 DestroyWindow
0x40113c MessageBoxA
0x401140 SetWindowTextA
0x401144 SendMessageA
0x401148 GetMessageA
0x40114c TranslateMessage
0x401150 DispatchMessageA
0x401154 wsprintfW
0x401158 PostQuitMessage
0x40115c CreateDialogParamA
ADVAPI32.dll
0x401000 RegDeleteValueW
0x401004 RegQueryValueExW
0x401008 RegOpenKeyExA
0x40100c RegCloseKey
SHELL32.dll
0x40111c SHGetPathFromIDListW
0x401120 SHBrowseForFolderW
EAT(Export Address Table) is none
MSVCRT.dll
0x401098 _controlfp
0x40109c __set_app_type
0x4010a0 __p__fmode
0x4010a4 __p__commode
0x4010a8 _adjust_fdiv
0x4010ac _wsplitpath
0x4010b0 __setusermatherr
0x4010b4 _initterm
0x4010b8 __getmainargs
0x4010bc _acmdln
0x4010c0 exit
0x4010c4 _XcptFilter
0x4010c8 _exit
0x4010cc free
0x4010d0 calloc
0x4010d4 memcpy
0x4010d8 _except_handler3
0x4010dc memchr
0x4010e0 memcmp
0x4010e4 _itoa
0x4010e8 strlen
0x4010ec ??2@YAPAXI@Z
0x4010f0 ??3@YAXPAX@Z
0x4010f4 wcsstr
0x4010f8 strstr
0x4010fc wcschr
0x401100 wcslen
0x401104 wcscat
0x401108 memset
0x40110c wcsncpy
0x401110 __CxxFrameHandler
0x401114 wcscpy
KERNEL32.dll
0x401014 GetStartupInfoA
0x401018 GetFileSize
0x40101c CreateFileMappingA
0x401020 GetFileTime
0x401024 SetFileTime
0x401028 MapViewOfFile
0x40102c ExitThread
0x401030 UnmapViewOfFile
0x401034 FormatMessageA
0x401038 CreateFileW
0x40103c SetFilePointer
0x401040 WriteFile
0x401044 lstrlenA
0x401048 LocalFree
0x40104c GetCurrentProcess
0x401050 WaitForSingleObject
0x401054 GetExitCodeThread
0x401058 GetModuleFileNameW
0x40105c CreateProcessW
0x401060 CloseHandle
0x401064 CreateMutexA
0x401068 ExitProcess
0x40106c GetTempPathW
0x401070 GetFileAttributesW
0x401074 CreateDirectoryW
0x401078 CreateThread
0x40107c LoadLibraryA
0x401080 FreeLibrary
0x401084 GetModuleHandleA
0x401088 GetDiskFreeSpaceW
0x40108c GetProcAddress
0x401090 GetLastError
USER32.dll
0x401128 SetForegroundWindow
0x40112c ShowWindow
0x401130 FindWindowA
0x401134 wsprintfA
0x401138 DestroyWindow
0x40113c MessageBoxA
0x401140 SetWindowTextA
0x401144 SendMessageA
0x401148 GetMessageA
0x40114c TranslateMessage
0x401150 DispatchMessageA
0x401154 wsprintfW
0x401158 PostQuitMessage
0x40115c CreateDialogParamA
ADVAPI32.dll
0x401000 RegDeleteValueW
0x401004 RegQueryValueExW
0x401008 RegOpenKeyExA
0x40100c RegCloseKey
SHELL32.dll
0x40111c SHGetPathFromIDListW
0x401120 SHBrowseForFolderW
EAT(Export Address Table) is none