ScreenShot
| Created | 2021.03.09 15:27 | Machine | s1_win7_x6402 |
| Filename | sinqqhd.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 50 detected (malicious, high confidence, Conjar, Artemis, Unsafe, TrojanPSW, Racealer, Attribute, HighConfidence, Scrop, adhc, hokqtz, Generic@ML, RDMK, YtBuFMVBqD0E6KZV59W4yw, Malware@#22era8uyc0f35, Siggen9, R011C0WGN20, ai score=88, Occamy, R346540, Themida, multiple detections, Eamt, InvalidSig, RiskTool) | ||
| md5 | f60b8a0c8976d51ad5f202431b968920 | ||
| sha256 | cefaabc3ea606b66a4efcf4c91acc94725c34f0eac566991c7684e6be26bc0fa | ||
| ssdeep | 393216:FBEfP9Hi5C/XnPxvcxJ6lH4gnT2UNQbo6P7SkL34X8geQgKgZ2Lr9fXB8DDgM8F4:7EfP9HBXP9wUHvy306P1LIX8hQzBLr9q | ||
| imphash | 7c2c71dfce9a27650634dc8b1ca03bf0 | ||
| impfuzzy | 48:aSgsvWoO1wQ2nr+t8Alt8tz4eOGLlla/5LRFpV74dT+45EQX/1EowSv0Qxly6U0D:tgEWo0wQ2i42fw4rtu | ||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| watch | Checks for the presence of known devices from debuggers and forensic tools |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Checks the version of Bios |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects VMWare through the in instruction feature |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Expresses interest in specific running processes |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (74cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | anti_dbgtools | Checks for the presence of known debug tools | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | vmdetect | Possibly employs anti-virtualization techniques | memory |
| info | win_hook | Affect hook table | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | hijack_network | Hijack network configuration | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsConsole | (no description) | binaries (download) |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_toredo | Communications over Toredo network | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | binaries (upload) |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | binaries (upload) |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | binaries (upload) |
| info | win_token | Affect system token | memory |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x408070 SetEnvironmentVariableA
0x408074 CreateFileA
0x408078 GetFileSize
0x40807c GetModuleFileNameA
0x408080 ReadFile
0x408084 GetCurrentProcess
0x408088 CopyFileA
0x40808c Sleep
0x408090 GetTickCount
0x408094 GetWindowsDirectoryA
0x408098 GetTempPathA
0x40809c GetCommandLineA
0x4080a0 lstrlenA
0x4080a4 GetVersion
0x4080a8 SetErrorMode
0x4080ac lstrcpynA
0x4080b0 ExitProcess
0x4080b4 SetFileAttributesA
0x4080b8 GlobalLock
0x4080bc CreateThread
0x4080c0 GetLastError
0x4080c4 CreateDirectoryA
0x4080c8 CreateProcessA
0x4080cc RemoveDirectoryA
0x4080d0 GetTempFileNameA
0x4080d4 WriteFile
0x4080d8 lstrcpyA
0x4080dc MoveFileExA
0x4080e0 lstrcatA
0x4080e4 GetSystemDirectoryA
0x4080e8 GetProcAddress
0x4080ec GetExitCodeProcess
0x4080f0 WaitForSingleObject
0x4080f4 CompareFileTime
0x4080f8 SetFileTime
0x4080fc GetFileAttributesA
0x408100 SetCurrentDirectoryA
0x408104 MoveFileA
0x408108 GetFullPathNameA
0x40810c GetShortPathNameA
0x408110 SearchPathA
0x408114 CloseHandle
0x408118 lstrcmpiA
0x40811c GlobalUnlock
0x408120 GetDiskFreeSpaceA
0x408124 lstrcmpA
0x408128 DeleteFileA
0x40812c FindFirstFileA
0x408130 FindNextFileA
0x408134 FindClose
0x408138 SetFilePointer
0x40813c GetPrivateProfileStringA
0x408140 WritePrivateProfileStringA
0x408144 MulDiv
0x408148 MultiByteToWideChar
0x40814c FreeLibrary
0x408150 LoadLibraryExA
0x408154 GetModuleHandleA
0x408158 GlobalAlloc
0x40815c GlobalFree
0x408160 ExpandEnvironmentStringsA
USER32.dll
0x408184 GetSystemMenu
0x408188 SetClassLongA
0x40818c EnableMenuItem
0x408190 IsWindowEnabled
0x408194 SetWindowPos
0x408198 GetSysColor
0x40819c GetWindowLongA
0x4081a0 SetCursor
0x4081a4 LoadCursorA
0x4081a8 CheckDlgButton
0x4081ac GetMessagePos
0x4081b0 CallWindowProcA
0x4081b4 IsWindowVisible
0x4081b8 CloseClipboard
0x4081bc SetClipboardData
0x4081c0 EmptyClipboard
0x4081c4 OpenClipboard
0x4081c8 ScreenToClient
0x4081cc GetWindowRect
0x4081d0 GetDlgItem
0x4081d4 GetSystemMetrics
0x4081d8 SetDlgItemTextA
0x4081dc GetDlgItemTextA
0x4081e0 MessageBoxIndirectA
0x4081e4 CharPrevA
0x4081e8 DispatchMessageA
0x4081ec PeekMessageA
0x4081f0 GetDC
0x4081f4 ReleaseDC
0x4081f8 EnableWindow
0x4081fc InvalidateRect
0x408200 SendMessageA
0x408204 DefWindowProcA
0x408208 BeginPaint
0x40820c GetClientRect
0x408210 FillRect
0x408214 EndDialog
0x408218 RegisterClassA
0x40821c SystemParametersInfoA
0x408220 CreateWindowExA
0x408224 GetClassInfoA
0x408228 DialogBoxParamA
0x40822c CharNextA
0x408230 ExitWindowsEx
0x408234 LoadImageA
0x408238 CreateDialogParamA
0x40823c SetTimer
0x408240 SetWindowTextA
0x408244 SetForegroundWindow
0x408248 ShowWindow
0x40824c SetWindowLongA
0x408250 SendMessageTimeoutA
0x408254 FindWindowExA
0x408258 IsWindow
0x40825c AppendMenuA
0x408260 TrackPopupMenu
0x408264 CreatePopupMenu
0x408268 DrawTextA
0x40826c EndPaint
0x408270 DestroyWindow
0x408274 wsprintfA
0x408278 PostQuitMessage
GDI32.dll
0x40804c SelectObject
0x408050 SetTextColor
0x408054 SetBkMode
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
SHELL32.dll
0x408168 SHGetSpecialFolderLocation
0x40816c ShellExecuteExA
0x408170 SHGetPathFromIDListA
0x408174 SHBrowseForFolderA
0x408178 SHGetFileInfoA
0x40817c SHFileOperationA
ADVAPI32.dll
0x408000 AdjustTokenPrivileges
0x408004 RegCreateKeyExA
0x408008 RegOpenKeyExA
0x40800c SetFileSecurityA
0x408010 OpenProcessToken
0x408014 LookupPrivilegeValueA
0x408018 RegEnumValueA
0x40801c RegDeleteKeyA
0x408020 RegDeleteValueA
0x408024 RegCloseKey
0x408028 RegSetValueExA
0x40802c RegQueryValueExA
0x408030 RegEnumKeyA
COMCTL32.dll
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 None
0x408044 ImageList_Destroy
ole32.dll
0x408280 OleUninitialize
0x408284 OleInitialize
0x408288 CoTaskMemFree
0x40828c CoCreateInstance
EAT(Export Address Table) is none
KERNEL32.dll
0x408070 SetEnvironmentVariableA
0x408074 CreateFileA
0x408078 GetFileSize
0x40807c GetModuleFileNameA
0x408080 ReadFile
0x408084 GetCurrentProcess
0x408088 CopyFileA
0x40808c Sleep
0x408090 GetTickCount
0x408094 GetWindowsDirectoryA
0x408098 GetTempPathA
0x40809c GetCommandLineA
0x4080a0 lstrlenA
0x4080a4 GetVersion
0x4080a8 SetErrorMode
0x4080ac lstrcpynA
0x4080b0 ExitProcess
0x4080b4 SetFileAttributesA
0x4080b8 GlobalLock
0x4080bc CreateThread
0x4080c0 GetLastError
0x4080c4 CreateDirectoryA
0x4080c8 CreateProcessA
0x4080cc RemoveDirectoryA
0x4080d0 GetTempFileNameA
0x4080d4 WriteFile
0x4080d8 lstrcpyA
0x4080dc MoveFileExA
0x4080e0 lstrcatA
0x4080e4 GetSystemDirectoryA
0x4080e8 GetProcAddress
0x4080ec GetExitCodeProcess
0x4080f0 WaitForSingleObject
0x4080f4 CompareFileTime
0x4080f8 SetFileTime
0x4080fc GetFileAttributesA
0x408100 SetCurrentDirectoryA
0x408104 MoveFileA
0x408108 GetFullPathNameA
0x40810c GetShortPathNameA
0x408110 SearchPathA
0x408114 CloseHandle
0x408118 lstrcmpiA
0x40811c GlobalUnlock
0x408120 GetDiskFreeSpaceA
0x408124 lstrcmpA
0x408128 DeleteFileA
0x40812c FindFirstFileA
0x408130 FindNextFileA
0x408134 FindClose
0x408138 SetFilePointer
0x40813c GetPrivateProfileStringA
0x408140 WritePrivateProfileStringA
0x408144 MulDiv
0x408148 MultiByteToWideChar
0x40814c FreeLibrary
0x408150 LoadLibraryExA
0x408154 GetModuleHandleA
0x408158 GlobalAlloc
0x40815c GlobalFree
0x408160 ExpandEnvironmentStringsA
USER32.dll
0x408184 GetSystemMenu
0x408188 SetClassLongA
0x40818c EnableMenuItem
0x408190 IsWindowEnabled
0x408194 SetWindowPos
0x408198 GetSysColor
0x40819c GetWindowLongA
0x4081a0 SetCursor
0x4081a4 LoadCursorA
0x4081a8 CheckDlgButton
0x4081ac GetMessagePos
0x4081b0 CallWindowProcA
0x4081b4 IsWindowVisible
0x4081b8 CloseClipboard
0x4081bc SetClipboardData
0x4081c0 EmptyClipboard
0x4081c4 OpenClipboard
0x4081c8 ScreenToClient
0x4081cc GetWindowRect
0x4081d0 GetDlgItem
0x4081d4 GetSystemMetrics
0x4081d8 SetDlgItemTextA
0x4081dc GetDlgItemTextA
0x4081e0 MessageBoxIndirectA
0x4081e4 CharPrevA
0x4081e8 DispatchMessageA
0x4081ec PeekMessageA
0x4081f0 GetDC
0x4081f4 ReleaseDC
0x4081f8 EnableWindow
0x4081fc InvalidateRect
0x408200 SendMessageA
0x408204 DefWindowProcA
0x408208 BeginPaint
0x40820c GetClientRect
0x408210 FillRect
0x408214 EndDialog
0x408218 RegisterClassA
0x40821c SystemParametersInfoA
0x408220 CreateWindowExA
0x408224 GetClassInfoA
0x408228 DialogBoxParamA
0x40822c CharNextA
0x408230 ExitWindowsEx
0x408234 LoadImageA
0x408238 CreateDialogParamA
0x40823c SetTimer
0x408240 SetWindowTextA
0x408244 SetForegroundWindow
0x408248 ShowWindow
0x40824c SetWindowLongA
0x408250 SendMessageTimeoutA
0x408254 FindWindowExA
0x408258 IsWindow
0x40825c AppendMenuA
0x408260 TrackPopupMenu
0x408264 CreatePopupMenu
0x408268 DrawTextA
0x40826c EndPaint
0x408270 DestroyWindow
0x408274 wsprintfA
0x408278 PostQuitMessage
GDI32.dll
0x40804c SelectObject
0x408050 SetTextColor
0x408054 SetBkMode
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
SHELL32.dll
0x408168 SHGetSpecialFolderLocation
0x40816c ShellExecuteExA
0x408170 SHGetPathFromIDListA
0x408174 SHBrowseForFolderA
0x408178 SHGetFileInfoA
0x40817c SHFileOperationA
ADVAPI32.dll
0x408000 AdjustTokenPrivileges
0x408004 RegCreateKeyExA
0x408008 RegOpenKeyExA
0x40800c SetFileSecurityA
0x408010 OpenProcessToken
0x408014 LookupPrivilegeValueA
0x408018 RegEnumValueA
0x40801c RegDeleteKeyA
0x408020 RegDeleteValueA
0x408024 RegCloseKey
0x408028 RegSetValueExA
0x40802c RegQueryValueExA
0x408030 RegEnumKeyA
COMCTL32.dll
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 None
0x408044 ImageList_Destroy
ole32.dll
0x408280 OleUninitialize
0x408284 OleInitialize
0x408288 CoTaskMemFree
0x40828c CoCreateInstance
EAT(Export Address Table) is none