ScreenShot
| Created | 2021.03.09 15:01 | Machine | s1_win7_x6401 |
| Filename | s.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 62 detected (AIDetect, malware1, malicious, high confidence, Mint, Dreidel, tq1@xGEUp5pO, Unsafe, Kryptik, Save, ZexaF, tq1@aGEUp5pO, Eldorado, Attribute, HighConfidence, MalwareX, Glupteba, Injuke, iefxfj, Auto, Malware@#2bf1lmy4xzorh, ojpyf, Siggen2, R002C0DL320, Static AI, Malicious PE, score, Smokeldr, R356963, Lockbit, FSUC, ai score=88, BScope, MulDrop, Bruteforce, HHVB, Zurgop, dGZlOgV1CI, Dea7miw, s1Aax9AxB6E, susgen, Ranumbot, GdSda, confidence) | ||
| md5 | d4fc4b0ef7de340b38e95a393a03c48c | ||
| sha256 | 6c89c2e9625de0f10c94193b0711df437070b997e017dc5c2ce5cf263cccfb7c | ||
| ssdeep | 6144:zmUORCzRM/AlswOjCdsWg8JdocBr7c8QOfvv4QwbeXr:SUORcyAi/Jl8bocB3hqbeXr | ||
| imphash | bf619d76c19cd1a95e5b7cbc638204ad | ||
| impfuzzy | 24:MbG24q+V4lhOiRt2V4WXK5r4kX+fcjldtAOovaM+8qDPJ3mvm1jFQHRz1ZA5lejD:vE2+rv+fcTtvvM+8gQqk1Zua | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 62 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Looks up the external IP address |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
Rules (56cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Trojan_Win32_Glupteba_1_Zero | Trojan Win32 Glupteba | binaries (upload) |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | hijack_network | Hijack network configuration | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_toredo | Communications over Toredo network | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | binaries (upload) |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
Suricata ids
ET POLICY External IP Lookup (ipify .org)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x444008 SetDefaultCommConfigA
0x44400c SetPriorityClass
0x444010 SleepEx
0x444014 GetModuleHandleW
0x444018 GetTickCount
0x44401c GetSystemTimeAsFileTime
0x444020 WriteFile
0x444024 GetPrivateProfileIntA
0x444028 Sleep
0x44402c SizeofResource
0x444030 SetSystemTimeAdjustment
0x444034 TerminateProcess
0x444038 lstrlenW
0x44403c FreeLibraryAndExitThread
0x444040 SetVolumeLabelW
0x444044 GetThreadContext
0x444048 LoadLibraryA
0x44404c CreateSemaphoreW
0x444050 LocalAlloc
0x444054 SetConsoleDisplayMode
0x444058 PostQueuedCompletionStatus
0x44405c AddAtomA
0x444060 GetPrivateProfileStructA
0x444064 SetSystemTime
0x444068 _lread
0x44406c CreateMutexA
0x444070 EnumResourceNamesA
0x444074 BuildCommDCBA
0x444078 VirtualProtect
0x44407c CloseHandle
0x444080 GetSystemTime
0x444084 lstrcpyA
0x444088 GetSystemDefaultLangID
0x44408c InterlockedIncrement
0x444090 InterlockedDecrement
0x444094 InitializeCriticalSection
0x444098 DeleteCriticalSection
0x44409c EnterCriticalSection
0x4440a0 LeaveCriticalSection
0x4440a4 GetLastError
0x4440a8 HeapFree
0x4440ac GetCurrentProcess
0x4440b0 UnhandledExceptionFilter
0x4440b4 SetUnhandledExceptionFilter
0x4440b8 IsDebuggerPresent
0x4440bc HeapReAlloc
0x4440c0 HeapAlloc
0x4440c4 GetCommandLineA
0x4440c8 GetStartupInfoA
0x4440cc RtlUnwind
0x4440d0 RaiseException
0x4440d4 LCMapStringA
0x4440d8 WideCharToMultiByte
0x4440dc MultiByteToWideChar
0x4440e0 LCMapStringW
0x4440e4 GetCPInfo
0x4440e8 GetCurrentProcessId
0x4440ec GetProcAddress
0x4440f0 TlsGetValue
0x4440f4 TlsAlloc
0x4440f8 TlsSetValue
0x4440fc TlsFree
0x444100 SetLastError
0x444104 GetCurrentThreadId
0x444108 GetFileType
0x44410c CreateFileA
0x444110 HeapCreate
0x444114 VirtualFree
0x444118 VirtualAlloc
0x44411c HeapSize
0x444120 ExitProcess
0x444124 GetStdHandle
0x444128 GetModuleFileNameA
0x44412c FreeEnvironmentStringsA
0x444130 GetEnvironmentStrings
0x444134 FreeEnvironmentStringsW
0x444138 GetEnvironmentStringsW
0x44413c SetHandleCount
0x444140 QueryPerformanceCounter
0x444144 GetACP
0x444148 GetOEMCP
0x44414c IsValidCodePage
0x444150 GetUserDefaultLCID
0x444154 GetLocaleInfoA
0x444158 EnumSystemLocalesA
0x44415c IsValidLocale
0x444160 GetStringTypeA
0x444164 GetStringTypeW
0x444168 InitializeCriticalSectionAndSpinCount
0x44416c SetStdHandle
0x444170 GetConsoleCP
0x444174 GetConsoleMode
0x444178 SetFilePointer
0x44417c SetEndOfFile
0x444180 GetProcessHeap
0x444184 ReadFile
0x444188 GetLocaleInfoW
0x44418c FlushFileBuffers
0x444190 WriteConsoleA
0x444194 GetConsoleOutputCP
0x444198 WriteConsoleW
0x44419c GetModuleHandleA
GDI32.dll
0x444000 GetCharWidthA
EAT(Export Address Table) is none
KERNEL32.dll
0x444008 SetDefaultCommConfigA
0x44400c SetPriorityClass
0x444010 SleepEx
0x444014 GetModuleHandleW
0x444018 GetTickCount
0x44401c GetSystemTimeAsFileTime
0x444020 WriteFile
0x444024 GetPrivateProfileIntA
0x444028 Sleep
0x44402c SizeofResource
0x444030 SetSystemTimeAdjustment
0x444034 TerminateProcess
0x444038 lstrlenW
0x44403c FreeLibraryAndExitThread
0x444040 SetVolumeLabelW
0x444044 GetThreadContext
0x444048 LoadLibraryA
0x44404c CreateSemaphoreW
0x444050 LocalAlloc
0x444054 SetConsoleDisplayMode
0x444058 PostQueuedCompletionStatus
0x44405c AddAtomA
0x444060 GetPrivateProfileStructA
0x444064 SetSystemTime
0x444068 _lread
0x44406c CreateMutexA
0x444070 EnumResourceNamesA
0x444074 BuildCommDCBA
0x444078 VirtualProtect
0x44407c CloseHandle
0x444080 GetSystemTime
0x444084 lstrcpyA
0x444088 GetSystemDefaultLangID
0x44408c InterlockedIncrement
0x444090 InterlockedDecrement
0x444094 InitializeCriticalSection
0x444098 DeleteCriticalSection
0x44409c EnterCriticalSection
0x4440a0 LeaveCriticalSection
0x4440a4 GetLastError
0x4440a8 HeapFree
0x4440ac GetCurrentProcess
0x4440b0 UnhandledExceptionFilter
0x4440b4 SetUnhandledExceptionFilter
0x4440b8 IsDebuggerPresent
0x4440bc HeapReAlloc
0x4440c0 HeapAlloc
0x4440c4 GetCommandLineA
0x4440c8 GetStartupInfoA
0x4440cc RtlUnwind
0x4440d0 RaiseException
0x4440d4 LCMapStringA
0x4440d8 WideCharToMultiByte
0x4440dc MultiByteToWideChar
0x4440e0 LCMapStringW
0x4440e4 GetCPInfo
0x4440e8 GetCurrentProcessId
0x4440ec GetProcAddress
0x4440f0 TlsGetValue
0x4440f4 TlsAlloc
0x4440f8 TlsSetValue
0x4440fc TlsFree
0x444100 SetLastError
0x444104 GetCurrentThreadId
0x444108 GetFileType
0x44410c CreateFileA
0x444110 HeapCreate
0x444114 VirtualFree
0x444118 VirtualAlloc
0x44411c HeapSize
0x444120 ExitProcess
0x444124 GetStdHandle
0x444128 GetModuleFileNameA
0x44412c FreeEnvironmentStringsA
0x444130 GetEnvironmentStrings
0x444134 FreeEnvironmentStringsW
0x444138 GetEnvironmentStringsW
0x44413c SetHandleCount
0x444140 QueryPerformanceCounter
0x444144 GetACP
0x444148 GetOEMCP
0x44414c IsValidCodePage
0x444150 GetUserDefaultLCID
0x444154 GetLocaleInfoA
0x444158 EnumSystemLocalesA
0x44415c IsValidLocale
0x444160 GetStringTypeA
0x444164 GetStringTypeW
0x444168 InitializeCriticalSectionAndSpinCount
0x44416c SetStdHandle
0x444170 GetConsoleCP
0x444174 GetConsoleMode
0x444178 SetFilePointer
0x44417c SetEndOfFile
0x444180 GetProcessHeap
0x444184 ReadFile
0x444188 GetLocaleInfoW
0x44418c FlushFileBuffers
0x444190 WriteConsoleA
0x444194 GetConsoleOutputCP
0x444198 WriteConsoleW
0x44419c GetModuleHandleA
GDI32.dll
0x444000 GetCharWidthA
EAT(Export Address Table) is none