ScreenShot
| Created | 2021.03.10 15:49 | Machine | s1_win7_x6401 |
| Filename | f4t4r.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 36 detected (AIDetect, malware2, malicious, high confidence, Johnnie, Attribute, HighConfidence, FileRepMalware, Siggen12, Artemis, a variant of Generik, CTFQJC, APTKitsune, wfhbz, Woreflint, Konus, score, ai score=86, R002H09C921, ET#83%, RDMK, cmRtazoNzm9aR7k3SCw0aai8276E, Static AI, Suspicious PE, PossibleThreat, ZexaF, huW@aGOIQnbi, HgIASQcA) | ||
| md5 | d7634d1df27b569aaf2dd52f8f310027 | ||
| sha256 | 592b2eeb513d11fa7ec4e840f2db9f810e2aee3b16114cbad882b2157adad356 | ||
| ssdeep | 3072:ICz5KYiGguiK6zwbFCo0ODRUWFZl/Z/VR8nX+7IGM7BcEv:JKYiGguiK6zwbFChLQDVGWEv | ||
| imphash | fc09259c73c533a0dad22a4920000c39 | ||
| impfuzzy | 24:azHMU1tdS1CM3JeDc+pl3eDoroEx0OovbOPZvvBP:GtdS1CM2c+ppXH35BP | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Connects to an IRC server |
| notice | An executable file was downloaded by the process f4t4r.exe |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | This executable has a PDB path |
Rules (55cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (upload) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | hijack_network | Hijack network configuration | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_toredo | Communications over Toredo network | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
Suricata ids
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x415000 CreateMutexW
0x415004 Sleep
0x415008 GetLastError
0x41500c GetTickCount
0x415010 WriteConsoleW
0x415014 CloseHandle
0x415018 CreateFileW
0x41501c SetFilePointerEx
0x415020 GetConsoleMode
0x415024 GetConsoleCP
0x415028 UnhandledExceptionFilter
0x41502c SetUnhandledExceptionFilter
0x415030 GetCurrentProcess
0x415034 TerminateProcess
0x415038 IsProcessorFeaturePresent
0x41503c IsDebuggerPresent
0x415040 GetStartupInfoW
0x415044 GetModuleHandleW
0x415048 QueryPerformanceCounter
0x41504c GetCurrentProcessId
0x415050 GetCurrentThreadId
0x415054 GetSystemTimeAsFileTime
0x415058 InitializeSListHead
0x41505c RtlUnwind
0x415060 RaiseException
0x415064 SetLastError
0x415068 EncodePointer
0x41506c EnterCriticalSection
0x415070 LeaveCriticalSection
0x415074 DeleteCriticalSection
0x415078 InitializeCriticalSectionAndSpinCount
0x41507c TlsAlloc
0x415080 TlsGetValue
0x415084 TlsSetValue
0x415088 TlsFree
0x41508c FreeLibrary
0x415090 GetProcAddress
0x415094 LoadLibraryExW
0x415098 ExitProcess
0x41509c GetModuleHandleExW
0x4150a0 GetModuleFileNameA
0x4150a4 MultiByteToWideChar
0x4150a8 WideCharToMultiByte
0x4150ac GetStdHandle
0x4150b0 WriteFile
0x4150b4 GetACP
0x4150b8 HeapFree
0x4150bc HeapAlloc
0x4150c0 HeapReAlloc
0x4150c4 FindClose
0x4150c8 FindFirstFileExA
0x4150cc FindNextFileA
0x4150d0 IsValidCodePage
0x4150d4 GetOEMCP
0x4150d8 GetCPInfo
0x4150dc GetCommandLineA
0x4150e0 GetCommandLineW
0x4150e4 GetEnvironmentStringsW
0x4150e8 FreeEnvironmentStringsW
0x4150ec LCMapStringW
0x4150f0 GetProcessHeap
0x4150f4 GetFileType
0x4150f8 SetStdHandle
0x4150fc GetStringTypeW
0x415100 HeapSize
0x415104 FlushFileBuffers
0x415108 DecodePointer
WININET.dll
0x415110 InternetOpenW
0x415114 InternetOpenUrlA
0x415118 InternetCloseHandle
0x41511c InternetReadFile
EAT(Export Address Table) is none
KERNEL32.dll
0x415000 CreateMutexW
0x415004 Sleep
0x415008 GetLastError
0x41500c GetTickCount
0x415010 WriteConsoleW
0x415014 CloseHandle
0x415018 CreateFileW
0x41501c SetFilePointerEx
0x415020 GetConsoleMode
0x415024 GetConsoleCP
0x415028 UnhandledExceptionFilter
0x41502c SetUnhandledExceptionFilter
0x415030 GetCurrentProcess
0x415034 TerminateProcess
0x415038 IsProcessorFeaturePresent
0x41503c IsDebuggerPresent
0x415040 GetStartupInfoW
0x415044 GetModuleHandleW
0x415048 QueryPerformanceCounter
0x41504c GetCurrentProcessId
0x415050 GetCurrentThreadId
0x415054 GetSystemTimeAsFileTime
0x415058 InitializeSListHead
0x41505c RtlUnwind
0x415060 RaiseException
0x415064 SetLastError
0x415068 EncodePointer
0x41506c EnterCriticalSection
0x415070 LeaveCriticalSection
0x415074 DeleteCriticalSection
0x415078 InitializeCriticalSectionAndSpinCount
0x41507c TlsAlloc
0x415080 TlsGetValue
0x415084 TlsSetValue
0x415088 TlsFree
0x41508c FreeLibrary
0x415090 GetProcAddress
0x415094 LoadLibraryExW
0x415098 ExitProcess
0x41509c GetModuleHandleExW
0x4150a0 GetModuleFileNameA
0x4150a4 MultiByteToWideChar
0x4150a8 WideCharToMultiByte
0x4150ac GetStdHandle
0x4150b0 WriteFile
0x4150b4 GetACP
0x4150b8 HeapFree
0x4150bc HeapAlloc
0x4150c0 HeapReAlloc
0x4150c4 FindClose
0x4150c8 FindFirstFileExA
0x4150cc FindNextFileA
0x4150d0 IsValidCodePage
0x4150d4 GetOEMCP
0x4150d8 GetCPInfo
0x4150dc GetCommandLineA
0x4150e0 GetCommandLineW
0x4150e4 GetEnvironmentStringsW
0x4150e8 FreeEnvironmentStringsW
0x4150ec LCMapStringW
0x4150f0 GetProcessHeap
0x4150f4 GetFileType
0x4150f8 SetStdHandle
0x4150fc GetStringTypeW
0x415100 HeapSize
0x415104 FlushFileBuffers
0x415108 DecodePointer
WININET.dll
0x415110 InternetOpenW
0x415114 InternetOpenUrlA
0x415118 InternetCloseHandle
0x41511c InternetReadFile
EAT(Export Address Table) is none