ScreenShot
| Created | 2021.03.10 16:08 | Machine | s1_win7_x6402 |
| Filename | gonu.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 15 detected (Bulz, a variant of WinGo, GoCLR, Malicious, score, ai score=81, Unsafe, 100%, confidence) | ||
| md5 | 3bc1e07e2f912ff37550fbfcf2696081 | ||
| sha256 | 58e1370fdd747d652f4c8e0dc59188f3dfabb6dfcd3491c6fe4b81c3305d5a46 | ||
| ssdeep | 49152:4X45IjX6BQZsiONZglv5OLRvSguk1xIn2jsrJIb5UgtvL11jIbt8Q0ev/zZEl4U1:qX6BQZOwFq | ||
| imphash | 4035d2883e01d64f3e7a9dccb1d63af5 | ||
| impfuzzy | 24:UbVjhN5O+VuT2oLtXOr6kwmDruMztxdEr6UP:K5O+VAXOmGx0nP | ||
Network IP location
Signature (4cnts)
| Level | Description |
|---|---|
| watch | Detects the presence of Wine emulator |
| watch | File has been identified by 15 AntiVirus engines on VirusTotal as malicious |
| notice | Yara rule detected in process memory |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (57cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (upload) |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | vmdetect | Possibly employs anti-virtualization techniques | memory |
| info | win_hook | Affect hook table | memory |
| info | create_service | Create a windows service | binaries (upload) |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | escalate_priv | Escalade priviledges | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | binaries (upload) |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | binaries (upload) |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | binaries (upload) |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_udp_sock | Communications over UDP network | binaries (upload) |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | binaries (upload) |
| info | win_token | Affect system token | memory |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x9ee020 WriteFile
0x9ee028 WriteConsoleW
0x9ee030 WaitForMultipleObjects
0x9ee038 WaitForSingleObject
0x9ee040 VirtualQuery
0x9ee048 VirtualFree
0x9ee050 VirtualAlloc
0x9ee058 SwitchToThread
0x9ee060 SuspendThread
0x9ee068 Sleep
0x9ee070 SetWaitableTimer
0x9ee078 SetUnhandledExceptionFilter
0x9ee080 SetProcessPriorityBoost
0x9ee088 SetEvent
0x9ee090 SetErrorMode
0x9ee098 SetConsoleCtrlHandler
0x9ee0a0 ResumeThread
0x9ee0a8 PostQueuedCompletionStatus
0x9ee0b0 LoadLibraryA
0x9ee0b8 LoadLibraryW
0x9ee0c0 SetThreadContext
0x9ee0c8 GetThreadContext
0x9ee0d0 GetSystemInfo
0x9ee0d8 GetSystemDirectoryA
0x9ee0e0 GetStdHandle
0x9ee0e8 GetQueuedCompletionStatusEx
0x9ee0f0 GetProcessAffinityMask
0x9ee0f8 GetProcAddress
0x9ee100 GetEnvironmentStringsW
0x9ee108 GetConsoleMode
0x9ee110 FreeEnvironmentStringsW
0x9ee118 ExitProcess
0x9ee120 DuplicateHandle
0x9ee128 CreateWaitableTimerExW
0x9ee130 CreateThread
0x9ee138 CreateIoCompletionPort
0x9ee140 CreateEventA
0x9ee148 CloseHandle
0x9ee150 AddVectoredExceptionHandler
EAT(Export Address Table) is none
kernel32.dll
0x9ee020 WriteFile
0x9ee028 WriteConsoleW
0x9ee030 WaitForMultipleObjects
0x9ee038 WaitForSingleObject
0x9ee040 VirtualQuery
0x9ee048 VirtualFree
0x9ee050 VirtualAlloc
0x9ee058 SwitchToThread
0x9ee060 SuspendThread
0x9ee068 Sleep
0x9ee070 SetWaitableTimer
0x9ee078 SetUnhandledExceptionFilter
0x9ee080 SetProcessPriorityBoost
0x9ee088 SetEvent
0x9ee090 SetErrorMode
0x9ee098 SetConsoleCtrlHandler
0x9ee0a0 ResumeThread
0x9ee0a8 PostQueuedCompletionStatus
0x9ee0b0 LoadLibraryA
0x9ee0b8 LoadLibraryW
0x9ee0c0 SetThreadContext
0x9ee0c8 GetThreadContext
0x9ee0d0 GetSystemInfo
0x9ee0d8 GetSystemDirectoryA
0x9ee0e0 GetStdHandle
0x9ee0e8 GetQueuedCompletionStatusEx
0x9ee0f0 GetProcessAffinityMask
0x9ee0f8 GetProcAddress
0x9ee100 GetEnvironmentStringsW
0x9ee108 GetConsoleMode
0x9ee110 FreeEnvironmentStringsW
0x9ee118 ExitProcess
0x9ee120 DuplicateHandle
0x9ee128 CreateWaitableTimerExW
0x9ee130 CreateThread
0x9ee138 CreateIoCompletionPort
0x9ee140 CreateEventA
0x9ee148 CloseHandle
0x9ee150 AddVectoredExceptionHandler
EAT(Export Address Table) is none