ScreenShot
| Created | 2021.03.11 11:39 | Machine | s1_win7_x6402 |
| Filename | ADVER.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 50 detected (AIDetect, malware2, malicious, high confidence, Razy, GenericRXMR, PasswordStealer, Save, TrojanPSW, Racealer, ZexaF, KqW@aiQUTdo, R002C0DC321, PWSX, Ulise, iiqiyi, Gencirc, Static AI, Suspicious PE, Raccoon, Unsafe, Score, AGEN, ai score=85, R367564, CLOUD, zM6YjMts2xk, susgen, GdSda, confidence, HwoCqccA) | ||
| md5 | a279d96f54af8224316ca660be94fcd5 | ||
| sha256 | a101ff8cd05cdf00848430ee36006771df3e6b5fc6688d323cc027bc94eb9c1d | ||
| ssdeep | 12288:kJTOsgcsJlih46rVTAlhTEvOqpSTTkrfb8syBA/kj3uvtbwVqSBlmRtBjW:kNOosJli1rVTAltkNpSEryim2DBjW | ||
| imphash | 993ed15fcfd31e74e05f96ce220827ab | ||
| impfuzzy | 96:WFEznFEOqzXucGq8vXLigGcc+HBZOk4nlEHdkaJyElYo:tjFUzXuYyOPlAdkanYo | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Yara rule detected in process memory |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
Rules (58cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (upload) |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | binaries (upload) |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | hijack_network | Hijack network configuration | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_toredo | Communications over Toredo network | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | binaries (upload) |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | binaries (upload) |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | binaries (upload) |
| info | win_token | Affect system token | memory |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
ET DNS Query to a *.top domain - Likely Hostile
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x46c088 WaitForSingleObject
0x46c08c GetModuleHandleA
0x46c090 GetLocaleInfoA
0x46c094 Sleep
0x46c098 RemoveDirectoryTransactedA
0x46c09c GetUserDefaultLCID
0x46c0a0 CreateThread
0x46c0a4 lstrlenA
0x46c0a8 GetLastError
0x46c0ac DeleteFileA
0x46c0b0 HeapAlloc
0x46c0b4 lstrcpynA
0x46c0b8 lstrcmpiW
0x46c0bc GetModuleFileNameA
0x46c0c0 GetCurrentProcess
0x46c0c4 GetSystemPowerStatus
0x46c0c8 CreateMutexA
0x46c0cc OpenProcess
0x46c0d0 CreateToolhelp32Snapshot
0x46c0d4 MultiByteToWideChar
0x46c0d8 GetSystemWow64DirectoryW
0x46c0dc GetTimeZoneInformation
0x46c0e0 OpenMutexA
0x46c0e4 Process32NextW
0x46c0e8 GetEnvironmentVariableA
0x46c0ec lstrcpyA
0x46c0f0 Process32FirstW
0x46c0f4 GlobalFree
0x46c0f8 GetSystemInfo
0x46c0fc GetLogicalDriveStringsA
0x46c100 GlobalMemoryStatusEx
0x46c104 WideCharToMultiByte
0x46c108 CreateProcessA
0x46c10c GetComputerNameA
0x46c110 UnmapViewOfFile
0x46c114 CreateFileA
0x46c118 FileTimeToSystemTime
0x46c11c GetLocalTime
0x46c120 CreateFileMappingA
0x46c124 MapViewOfFile
0x46c128 GetTickCount
0x46c12c SetStdHandle
0x46c130 FreeEnvironmentStringsW
0x46c134 GetEnvironmentStringsW
0x46c138 GetOEMCP
0x46c13c GetACP
0x46c140 IsValidCodePage
0x46c144 HeapReAlloc
0x46c148 OutputDebugStringW
0x46c14c GetFileSize
0x46c150 lstrcpyW
0x46c154 LoadLibraryW
0x46c158 GetVersionExW
0x46c15c lstrlenW
0x46c160 CreateDirectoryA
0x46c164 SystemTimeToFileTime
0x46c168 GlobalAlloc
0x46c16c CloseHandle
0x46c170 GetFileAttributesA
0x46c174 LocalFileTimeToFileTime
0x46c178 SetCurrentDirectoryA
0x46c17c GetCurrentDirectoryA
0x46c180 SetFilePointer
0x46c184 SetFileTime
0x46c188 WriteFile
0x46c18c ReadFile
0x46c190 FindClose
0x46c194 GetDriveTypeA
0x46c198 CopyFileTransactedA
0x46c19c CreateDirectoryTransactedA
0x46c1a0 FreeLibrary
0x46c1a4 GetProcessHeap
0x46c1a8 LocalFree
0x46c1ac GetProcAddress
0x46c1b0 lstrcatW
0x46c1b4 LoadLibraryA
0x46c1b8 LocalAlloc
0x46c1bc SetEnvironmentVariableW
0x46c1c0 ReadConsoleW
0x46c1c4 EnumSystemLocalesW
0x46c1c8 IsValidLocale
0x46c1cc GetTimeFormatW
0x46c1d0 GetDateFormatW
0x46c1d4 GetConsoleMode
0x46c1d8 GetConsoleCP
0x46c1dc FlushFileBuffers
0x46c1e0 GetFileSizeEx
0x46c1e4 HeapSize
0x46c1e8 GetCommandLineW
0x46c1ec GetCommandLineA
0x46c1f0 WriteConsoleW
0x46c1f4 GetModuleFileNameW
0x46c1f8 GetFileType
0x46c1fc GetStdHandle
0x46c200 GetModuleHandleExW
0x46c204 ExitProcess
0x46c208 LoadLibraryExW
0x46c20c DeleteFileTransactedA
0x46c210 GetFileInformationByHandle
0x46c214 HeapFree
0x46c218 RaiseException
0x46c21c RtlUnwind
0x46c220 TerminateProcess
0x46c224 InitializeSListHead
0x46c228 GetCurrentThreadId
0x46c22c GetCurrentProcessId
0x46c230 QueryPerformanceCounter
0x46c234 GetStartupInfoW
0x46c238 SetUnhandledExceptionFilter
0x46c23c UnhandledExceptionFilter
0x46c240 IsDebuggerPresent
0x46c244 IsProcessorFeaturePresent
0x46c248 GetCPInfo
0x46c24c GetStringTypeW
0x46c250 GetLocaleInfoW
0x46c254 LCMapStringW
0x46c258 CompareStringW
0x46c25c GetSystemTimeAsFileTime
0x46c260 TlsFree
0x46c264 TlsSetValue
0x46c268 TlsGetValue
0x46c26c TlsAlloc
0x46c270 FormatMessageA
0x46c274 SetCurrentDirectoryW
0x46c278 CreateDirectoryW
0x46c27c CreateFileW
0x46c280 FindFirstFileExW
0x46c284 FindNextFileW
0x46c288 GetFileAttributesExW
0x46c28c SetEndOfFile
0x46c290 SetFilePointerEx
0x46c294 AreFileApisANSI
0x46c298 SetLastError
0x46c29c GetModuleHandleW
0x46c2a0 CopyFileW
0x46c2a4 EnterCriticalSection
0x46c2a8 LeaveCriticalSection
0x46c2ac DeleteCriticalSection
0x46c2b0 EncodePointer
0x46c2b4 DecodePointer
0x46c2b8 InitializeCriticalSectionAndSpinCount
USER32.dll
0x46c2dc GetDesktopWindow
0x46c2e0 wsprintfW
0x46c2e4 wsprintfA
0x46c2e8 GetSystemMetrics
0x46c2ec EnumDisplayDevicesA
0x46c2f0 GetWindowDC
0x46c2f4 GetWindowRect
GDI32.dll
0x46c060 BitBlt
0x46c064 SaveDC
0x46c068 SelectObject
0x46c06c CreateDIBSection
0x46c070 CreateCompatibleDC
0x46c074 GetDeviceCaps
0x46c078 DeleteDC
0x46c07c RestoreDC
0x46c080 DeleteObject
ADVAPI32.dll
0x46c000 GetTokenInformation
0x46c004 CryptGetHashParam
0x46c008 CryptDestroyHash
0x46c00c RegQueryValueExA
0x46c010 GetUserNameA
0x46c014 CreateProcessWithTokenW
0x46c018 OpenProcessToken
0x46c01c RegOpenKeyExA
0x46c020 ConvertSidToStringSidW
0x46c024 DuplicateTokenEx
0x46c028 RegQueryValueExW
0x46c02c CryptReleaseContext
0x46c030 RegCloseKey
0x46c034 RegEnumKeyExW
0x46c038 RegOpenKeyExW
0x46c03c CryptAcquireContextA
0x46c040 CredEnumerateW
0x46c044 CredFree
0x46c048 CryptCreateHash
0x46c04c CryptHashData
SHELL32.dll
0x46c2c0 SHGetFolderPathA
0x46c2c4 ShellExecuteA
0x46c2c8 SHGetSpecialFolderPathW
ole32.dll
0x46c384 CoInitialize
0x46c388 CoUninitialize
0x46c38c CoTaskMemFree
0x46c390 CoCreateInstance
USERENV.dll
0x46c2fc GetUserProfileDirectoryA
ktmw32.dll
0x46c374 RollbackTransaction
0x46c378 CreateTransaction
0x46c37c CommitTransaction
crypt.dll
0x46c32c BCryptDecrypt
0x46c330 BCryptDestroyKey
0x46c334 BCryptGenerateSymmetricKey
0x46c338 BCryptOpenAlgorithmProvider
0x46c33c BCryptSetProperty
0x46c340 BCryptCloseAlgorithmProvider
CRYPT32.dll
0x46c054 CryptStringToBinaryA
0x46c058 CryptUnprotectData
SHLWAPI.dll
0x46c2d0 StrCmpNW
0x46c2d4 StrStrIW
WINHTTP.dll
0x46c304 WinHttpCloseHandle
0x46c308 WinHttpSendRequest
0x46c30c WinHttpConnect
0x46c310 WinHttpQueryDataAvailable
0x46c314 WinHttpSetOption
0x46c318 WinHttpOpen
0x46c31c WinHttpOpenRequest
0x46c320 WinHttpReceiveResponse
0x46c324 WinHttpReadData
gdiplus.dll
0x46c348 GdiplusStartup
0x46c34c GdipGetImageEncodersSize
0x46c350 GdipFree
0x46c354 GdipDisposeImage
0x46c358 GdipCreateBitmapFromHBITMAP
0x46c35c GdipAlloc
0x46c360 GdipCloneImage
0x46c364 GdipGetImageEncoders
0x46c368 GdiplusShutdown
0x46c36c GdipSaveImageToFile
EAT(Export Address Table) is none
KERNEL32.dll
0x46c088 WaitForSingleObject
0x46c08c GetModuleHandleA
0x46c090 GetLocaleInfoA
0x46c094 Sleep
0x46c098 RemoveDirectoryTransactedA
0x46c09c GetUserDefaultLCID
0x46c0a0 CreateThread
0x46c0a4 lstrlenA
0x46c0a8 GetLastError
0x46c0ac DeleteFileA
0x46c0b0 HeapAlloc
0x46c0b4 lstrcpynA
0x46c0b8 lstrcmpiW
0x46c0bc GetModuleFileNameA
0x46c0c0 GetCurrentProcess
0x46c0c4 GetSystemPowerStatus
0x46c0c8 CreateMutexA
0x46c0cc OpenProcess
0x46c0d0 CreateToolhelp32Snapshot
0x46c0d4 MultiByteToWideChar
0x46c0d8 GetSystemWow64DirectoryW
0x46c0dc GetTimeZoneInformation
0x46c0e0 OpenMutexA
0x46c0e4 Process32NextW
0x46c0e8 GetEnvironmentVariableA
0x46c0ec lstrcpyA
0x46c0f0 Process32FirstW
0x46c0f4 GlobalFree
0x46c0f8 GetSystemInfo
0x46c0fc GetLogicalDriveStringsA
0x46c100 GlobalMemoryStatusEx
0x46c104 WideCharToMultiByte
0x46c108 CreateProcessA
0x46c10c GetComputerNameA
0x46c110 UnmapViewOfFile
0x46c114 CreateFileA
0x46c118 FileTimeToSystemTime
0x46c11c GetLocalTime
0x46c120 CreateFileMappingA
0x46c124 MapViewOfFile
0x46c128 GetTickCount
0x46c12c SetStdHandle
0x46c130 FreeEnvironmentStringsW
0x46c134 GetEnvironmentStringsW
0x46c138 GetOEMCP
0x46c13c GetACP
0x46c140 IsValidCodePage
0x46c144 HeapReAlloc
0x46c148 OutputDebugStringW
0x46c14c GetFileSize
0x46c150 lstrcpyW
0x46c154 LoadLibraryW
0x46c158 GetVersionExW
0x46c15c lstrlenW
0x46c160 CreateDirectoryA
0x46c164 SystemTimeToFileTime
0x46c168 GlobalAlloc
0x46c16c CloseHandle
0x46c170 GetFileAttributesA
0x46c174 LocalFileTimeToFileTime
0x46c178 SetCurrentDirectoryA
0x46c17c GetCurrentDirectoryA
0x46c180 SetFilePointer
0x46c184 SetFileTime
0x46c188 WriteFile
0x46c18c ReadFile
0x46c190 FindClose
0x46c194 GetDriveTypeA
0x46c198 CopyFileTransactedA
0x46c19c CreateDirectoryTransactedA
0x46c1a0 FreeLibrary
0x46c1a4 GetProcessHeap
0x46c1a8 LocalFree
0x46c1ac GetProcAddress
0x46c1b0 lstrcatW
0x46c1b4 LoadLibraryA
0x46c1b8 LocalAlloc
0x46c1bc SetEnvironmentVariableW
0x46c1c0 ReadConsoleW
0x46c1c4 EnumSystemLocalesW
0x46c1c8 IsValidLocale
0x46c1cc GetTimeFormatW
0x46c1d0 GetDateFormatW
0x46c1d4 GetConsoleMode
0x46c1d8 GetConsoleCP
0x46c1dc FlushFileBuffers
0x46c1e0 GetFileSizeEx
0x46c1e4 HeapSize
0x46c1e8 GetCommandLineW
0x46c1ec GetCommandLineA
0x46c1f0 WriteConsoleW
0x46c1f4 GetModuleFileNameW
0x46c1f8 GetFileType
0x46c1fc GetStdHandle
0x46c200 GetModuleHandleExW
0x46c204 ExitProcess
0x46c208 LoadLibraryExW
0x46c20c DeleteFileTransactedA
0x46c210 GetFileInformationByHandle
0x46c214 HeapFree
0x46c218 RaiseException
0x46c21c RtlUnwind
0x46c220 TerminateProcess
0x46c224 InitializeSListHead
0x46c228 GetCurrentThreadId
0x46c22c GetCurrentProcessId
0x46c230 QueryPerformanceCounter
0x46c234 GetStartupInfoW
0x46c238 SetUnhandledExceptionFilter
0x46c23c UnhandledExceptionFilter
0x46c240 IsDebuggerPresent
0x46c244 IsProcessorFeaturePresent
0x46c248 GetCPInfo
0x46c24c GetStringTypeW
0x46c250 GetLocaleInfoW
0x46c254 LCMapStringW
0x46c258 CompareStringW
0x46c25c GetSystemTimeAsFileTime
0x46c260 TlsFree
0x46c264 TlsSetValue
0x46c268 TlsGetValue
0x46c26c TlsAlloc
0x46c270 FormatMessageA
0x46c274 SetCurrentDirectoryW
0x46c278 CreateDirectoryW
0x46c27c CreateFileW
0x46c280 FindFirstFileExW
0x46c284 FindNextFileW
0x46c288 GetFileAttributesExW
0x46c28c SetEndOfFile
0x46c290 SetFilePointerEx
0x46c294 AreFileApisANSI
0x46c298 SetLastError
0x46c29c GetModuleHandleW
0x46c2a0 CopyFileW
0x46c2a4 EnterCriticalSection
0x46c2a8 LeaveCriticalSection
0x46c2ac DeleteCriticalSection
0x46c2b0 EncodePointer
0x46c2b4 DecodePointer
0x46c2b8 InitializeCriticalSectionAndSpinCount
USER32.dll
0x46c2dc GetDesktopWindow
0x46c2e0 wsprintfW
0x46c2e4 wsprintfA
0x46c2e8 GetSystemMetrics
0x46c2ec EnumDisplayDevicesA
0x46c2f0 GetWindowDC
0x46c2f4 GetWindowRect
GDI32.dll
0x46c060 BitBlt
0x46c064 SaveDC
0x46c068 SelectObject
0x46c06c CreateDIBSection
0x46c070 CreateCompatibleDC
0x46c074 GetDeviceCaps
0x46c078 DeleteDC
0x46c07c RestoreDC
0x46c080 DeleteObject
ADVAPI32.dll
0x46c000 GetTokenInformation
0x46c004 CryptGetHashParam
0x46c008 CryptDestroyHash
0x46c00c RegQueryValueExA
0x46c010 GetUserNameA
0x46c014 CreateProcessWithTokenW
0x46c018 OpenProcessToken
0x46c01c RegOpenKeyExA
0x46c020 ConvertSidToStringSidW
0x46c024 DuplicateTokenEx
0x46c028 RegQueryValueExW
0x46c02c CryptReleaseContext
0x46c030 RegCloseKey
0x46c034 RegEnumKeyExW
0x46c038 RegOpenKeyExW
0x46c03c CryptAcquireContextA
0x46c040 CredEnumerateW
0x46c044 CredFree
0x46c048 CryptCreateHash
0x46c04c CryptHashData
SHELL32.dll
0x46c2c0 SHGetFolderPathA
0x46c2c4 ShellExecuteA
0x46c2c8 SHGetSpecialFolderPathW
ole32.dll
0x46c384 CoInitialize
0x46c388 CoUninitialize
0x46c38c CoTaskMemFree
0x46c390 CoCreateInstance
USERENV.dll
0x46c2fc GetUserProfileDirectoryA
ktmw32.dll
0x46c374 RollbackTransaction
0x46c378 CreateTransaction
0x46c37c CommitTransaction
crypt.dll
0x46c32c BCryptDecrypt
0x46c330 BCryptDestroyKey
0x46c334 BCryptGenerateSymmetricKey
0x46c338 BCryptOpenAlgorithmProvider
0x46c33c BCryptSetProperty
0x46c340 BCryptCloseAlgorithmProvider
CRYPT32.dll
0x46c054 CryptStringToBinaryA
0x46c058 CryptUnprotectData
SHLWAPI.dll
0x46c2d0 StrCmpNW
0x46c2d4 StrStrIW
WINHTTP.dll
0x46c304 WinHttpCloseHandle
0x46c308 WinHttpSendRequest
0x46c30c WinHttpConnect
0x46c310 WinHttpQueryDataAvailable
0x46c314 WinHttpSetOption
0x46c318 WinHttpOpen
0x46c31c WinHttpOpenRequest
0x46c320 WinHttpReceiveResponse
0x46c324 WinHttpReadData
gdiplus.dll
0x46c348 GdiplusStartup
0x46c34c GdipGetImageEncodersSize
0x46c350 GdipFree
0x46c354 GdipDisposeImage
0x46c358 GdipCreateBitmapFromHBITMAP
0x46c35c GdipAlloc
0x46c360 GdipCloneImage
0x46c364 GdipGetImageEncoders
0x46c368 GdiplusShutdown
0x46c36c GdipSaveImageToFile
EAT(Export Address Table) is none