ScreenShot
| Created | 2021.03.09 11:39 | Machine | s1_win7_x6401 |
| Filename | a.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 51 detected (AIDetect, malware2, malicious, high confidence, DownLoader36, Zusy, Bingoml, GenericRXAA, Amadey, Save, confidence, ZexaF, luW@aun5h7ai, HJCW, Attribute, HighConfidence, BotX, AGEN, Deyma, ai score=84, Glupteba, score, R370729, MB7JTjGmRzO, 4L+unjoQ, Static AI, Malicious PE, Unsafe, GdSda, HgIASP8A) | ||
| md5 | b9bf7278d38a66f52bad2055b361de4a | ||
| sha256 | c81f27a34af933278aa36efc16e1665526a00d5b8913ab2530b4556173b475be | ||
| ssdeep | 3072:yX7J2E72CpkZU3tjGUSyty8j2aTbOTuVWFlIncZB8lyc:yX7Jf/pkZ+ihytaa2uVWIDyc | ||
| imphash | 37feaa2c735711635bed71303ba0b945 | ||
| impfuzzy | 48:csUxPXAzwtoS1CM2c+pE5cgTU3IAOIP7v:uPXdtoS1CM2c+pE5t0hT | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| watch | A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Communicates with host for which no DNS query was performed |
| watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | This executable has a PDB path |
Rules (69cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (upload) |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (download) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (upload) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | hijack_network | Hijack network configuration | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | binaries (download) |
| info | network_http | Communications over HTTP | binaries (upload) |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_toredo | Communications over Toredo network | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (download) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x423010 GetTempPathW
0x423014 CreateMutexW
0x423018 WaitForSingleObject
0x42301c CreateFileW
0x423020 GetVersionExW
0x423024 SuspendThread
0x423028 GetComputerNameExW
0x42302c ResumeThread
0x423030 GetModuleHandleA
0x423034 Sleep
0x423038 GetLastError
0x42303c GetFileAttributesA
0x423040 CreateFileA
0x423044 CloseHandle
0x423048 GetSystemInfo
0x42304c LoadLibraryW
0x423050 GetModuleFileNameW
0x423054 HeapAlloc
0x423058 GetThreadContext
0x42305c GetProcAddress
0x423060 VirtualAllocEx
0x423064 LocalFree
0x423068 ReadProcessMemory
0x42306c GetComputerNameW
0x423070 GetProcessHeap
0x423074 GetModuleHandleW
0x423078 FreeLibrary
0x42307c CreateProcessA
0x423080 CreateDirectoryA
0x423084 SetThreadContext
0x423088 WriteConsoleW
0x42308c SetEndOfFile
0x423090 HeapReAlloc
0x423094 VirtualAlloc
0x423098 WriteFile
0x42309c VirtualFree
0x4230a0 HeapFree
0x4230a4 WriteProcessMemory
0x4230a8 CreateThread
0x4230ac GetModuleFileNameA
0x4230b0 HeapSize
0x4230b4 GetTimeZoneInformation
0x4230b8 FlushFileBuffers
0x4230bc GetStringTypeW
0x4230c0 SetEnvironmentVariableW
0x4230c4 FreeEnvironmentStringsW
0x4230c8 GetEnvironmentStringsW
0x4230cc WideCharToMultiByte
0x4230d0 GetCPInfo
0x4230d4 UnhandledExceptionFilter
0x4230d8 SetUnhandledExceptionFilter
0x4230dc GetCurrentProcess
0x4230e0 TerminateProcess
0x4230e4 IsProcessorFeaturePresent
0x4230e8 IsDebuggerPresent
0x4230ec GetStartupInfoW
0x4230f0 QueryPerformanceCounter
0x4230f4 GetCurrentProcessId
0x4230f8 GetCurrentThreadId
0x4230fc GetSystemTimeAsFileTime
0x423100 InitializeSListHead
0x423104 RtlUnwind
0x423108 RaiseException
0x42310c SetLastError
0x423110 EncodePointer
0x423114 EnterCriticalSection
0x423118 LeaveCriticalSection
0x42311c DeleteCriticalSection
0x423120 InitializeCriticalSectionAndSpinCount
0x423124 TlsAlloc
0x423128 TlsGetValue
0x42312c TlsSetValue
0x423130 TlsFree
0x423134 LoadLibraryExW
0x423138 ExitProcess
0x42313c GetModuleHandleExW
0x423140 GetDriveTypeW
0x423144 GetFileInformationByHandle
0x423148 GetFileType
0x42314c PeekNamedPipe
0x423150 SystemTimeToTzSpecificLocalTime
0x423154 FileTimeToSystemTime
0x423158 GetStdHandle
0x42315c GetCommandLineA
0x423160 GetCommandLineW
0x423164 MultiByteToWideChar
0x423168 CompareStringW
0x42316c LCMapStringW
0x423170 DeleteFileW
0x423174 GetCurrentDirectoryW
0x423178 GetFullPathNameW
0x42317c SetStdHandle
0x423180 GetConsoleCP
0x423184 GetConsoleMode
0x423188 GetFileSizeEx
0x42318c SetFilePointerEx
0x423190 ReadFile
0x423194 ReadConsoleW
0x423198 FindClose
0x42319c FindFirstFileExW
0x4231a0 FindNextFileW
0x4231a4 IsValidCodePage
0x4231a8 GetACP
0x4231ac GetOEMCP
0x4231b0 DecodePointer
USER32.dll
0x4231c4 GetSystemMetrics
ADVAPI32.dll
0x423000 ConvertSidToStringSidW
0x423004 GetUserNameW
0x423008 LookupAccountNameW
SHELL32.dll
0x4231b8 ShellExecuteA
0x4231bc ShellExecuteExW
WININET.dll
0x4231cc InternetConnectW
0x4231d0 HttpSendRequestW
0x4231d4 InternetCloseHandle
0x4231d8 InternetOpenW
0x4231dc InternetReadFile
0x4231e0 InternetOpenUrlW
0x4231e4 HttpOpenRequestW
EAT(Export Address Table) is none
KERNEL32.dll
0x423010 GetTempPathW
0x423014 CreateMutexW
0x423018 WaitForSingleObject
0x42301c CreateFileW
0x423020 GetVersionExW
0x423024 SuspendThread
0x423028 GetComputerNameExW
0x42302c ResumeThread
0x423030 GetModuleHandleA
0x423034 Sleep
0x423038 GetLastError
0x42303c GetFileAttributesA
0x423040 CreateFileA
0x423044 CloseHandle
0x423048 GetSystemInfo
0x42304c LoadLibraryW
0x423050 GetModuleFileNameW
0x423054 HeapAlloc
0x423058 GetThreadContext
0x42305c GetProcAddress
0x423060 VirtualAllocEx
0x423064 LocalFree
0x423068 ReadProcessMemory
0x42306c GetComputerNameW
0x423070 GetProcessHeap
0x423074 GetModuleHandleW
0x423078 FreeLibrary
0x42307c CreateProcessA
0x423080 CreateDirectoryA
0x423084 SetThreadContext
0x423088 WriteConsoleW
0x42308c SetEndOfFile
0x423090 HeapReAlloc
0x423094 VirtualAlloc
0x423098 WriteFile
0x42309c VirtualFree
0x4230a0 HeapFree
0x4230a4 WriteProcessMemory
0x4230a8 CreateThread
0x4230ac GetModuleFileNameA
0x4230b0 HeapSize
0x4230b4 GetTimeZoneInformation
0x4230b8 FlushFileBuffers
0x4230bc GetStringTypeW
0x4230c0 SetEnvironmentVariableW
0x4230c4 FreeEnvironmentStringsW
0x4230c8 GetEnvironmentStringsW
0x4230cc WideCharToMultiByte
0x4230d0 GetCPInfo
0x4230d4 UnhandledExceptionFilter
0x4230d8 SetUnhandledExceptionFilter
0x4230dc GetCurrentProcess
0x4230e0 TerminateProcess
0x4230e4 IsProcessorFeaturePresent
0x4230e8 IsDebuggerPresent
0x4230ec GetStartupInfoW
0x4230f0 QueryPerformanceCounter
0x4230f4 GetCurrentProcessId
0x4230f8 GetCurrentThreadId
0x4230fc GetSystemTimeAsFileTime
0x423100 InitializeSListHead
0x423104 RtlUnwind
0x423108 RaiseException
0x42310c SetLastError
0x423110 EncodePointer
0x423114 EnterCriticalSection
0x423118 LeaveCriticalSection
0x42311c DeleteCriticalSection
0x423120 InitializeCriticalSectionAndSpinCount
0x423124 TlsAlloc
0x423128 TlsGetValue
0x42312c TlsSetValue
0x423130 TlsFree
0x423134 LoadLibraryExW
0x423138 ExitProcess
0x42313c GetModuleHandleExW
0x423140 GetDriveTypeW
0x423144 GetFileInformationByHandle
0x423148 GetFileType
0x42314c PeekNamedPipe
0x423150 SystemTimeToTzSpecificLocalTime
0x423154 FileTimeToSystemTime
0x423158 GetStdHandle
0x42315c GetCommandLineA
0x423160 GetCommandLineW
0x423164 MultiByteToWideChar
0x423168 CompareStringW
0x42316c LCMapStringW
0x423170 DeleteFileW
0x423174 GetCurrentDirectoryW
0x423178 GetFullPathNameW
0x42317c SetStdHandle
0x423180 GetConsoleCP
0x423184 GetConsoleMode
0x423188 GetFileSizeEx
0x42318c SetFilePointerEx
0x423190 ReadFile
0x423194 ReadConsoleW
0x423198 FindClose
0x42319c FindFirstFileExW
0x4231a0 FindNextFileW
0x4231a4 IsValidCodePage
0x4231a8 GetACP
0x4231ac GetOEMCP
0x4231b0 DecodePointer
USER32.dll
0x4231c4 GetSystemMetrics
ADVAPI32.dll
0x423000 ConvertSidToStringSidW
0x423004 GetUserNameW
0x423008 LookupAccountNameW
SHELL32.dll
0x4231b8 ShellExecuteA
0x4231bc ShellExecuteExW
WININET.dll
0x4231cc InternetConnectW
0x4231d0 HttpSendRequestW
0x4231d4 InternetCloseHandle
0x4231d8 InternetOpenW
0x4231dc InternetReadFile
0x4231e0 InternetOpenUrlW
0x4231e4 HttpOpenRequestW
EAT(Export Address Table) is none