ScreenShot
| Created | 2021.03.12 18:16 | Machine | s1_win7_x6401 |
| Filename | 1370132254.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 48 detected (AIDetect, malware2, malicious, high confidence, Dopping, Artemis, Unsafe, Save, EVRI, Attribute, HighConfidence, Edxu, Siggen2, Small, Score, ai score=100, Phonzy, ZexaF, qq3@aiYpnFi, RedLineStealer, R002H0CC921, CLOUD, Static AI, Malicious PE, Genetic, confidence, HwoCzCUA) | ||
| md5 | 8ca675896f6c9ad9fe8deb1cc63bf8f5 | ||
| sha256 | abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74 | ||
| ssdeep | 3072:qDKW1LgppLRHMY0TBfJvjcTp5X8XwYIaZW:qDKW1Lgbdl0TBBvjc/JaZ | ||
| imphash | bf5a4aa99e5b160f8521cadd6bfe73b8 | ||
| impfuzzy | 24:gdqnuDoDyBNYnb2JOovS2cfEt4UjMAH/J3KyvbaFQHOTqlnpCwuCAaTCEQ4EPM:gQ8NIbXQcfEt4ITbuWlpChaTHQ0 | ||
Network IP location
Signature (42cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 48 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | A process attempted to delay the analysis task. |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a slightly modified copy of itself |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries for potentially installed applications |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (71cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | UltraVNC_Zero | UltraVNC | binaries (download) |
| warning | UltraVNC_Zero | UltraVNC | binaries (upload) |
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | vmdetect | Possibly employs anti-virtualization techniques | memory |
| info | vmdetect_misc | Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names. | memory |
| info | win_hook | Affect hook table | memory |
| info | WMI_VM_Detect | Detection of Virtual Appliances through the use of WMI for use of evasion. | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | hijack_network | Hijack network configuration | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsNET_EXE | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | ldpreload | (no description) | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_smtp_dotNet | Communications smtp | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_toredo | Communications over Toredo network | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | Win32_Trojan_PWS_Azorult_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
Network (18cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
SURICATA HTTP unable to match response to request
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41b000 RaiseException
0x41b004 GetLastError
0x41b008 MultiByteToWideChar
0x41b00c lstrlenA
0x41b010 InterlockedDecrement
0x41b014 GetProcAddress
0x41b018 LoadLibraryA
0x41b01c FreeResource
0x41b020 SizeofResource
0x41b024 LockResource
0x41b028 LoadResource
0x41b02c FindResourceA
0x41b030 GetModuleHandleA
0x41b034 Module32Next
0x41b038 CloseHandle
0x41b03c Module32First
0x41b040 CreateToolhelp32Snapshot
0x41b044 GetCurrentProcessId
0x41b048 SetEndOfFile
0x41b04c GetStringTypeW
0x41b050 GetStringTypeA
0x41b054 LCMapStringW
0x41b058 LCMapStringA
0x41b05c GetLocaleInfoA
0x41b060 HeapFree
0x41b064 GetProcessHeap
0x41b068 HeapAlloc
0x41b06c GetCommandLineA
0x41b070 HeapCreate
0x41b074 VirtualFree
0x41b078 DeleteCriticalSection
0x41b07c LeaveCriticalSection
0x41b080 EnterCriticalSection
0x41b084 VirtualAlloc
0x41b088 HeapReAlloc
0x41b08c HeapSize
0x41b090 TerminateProcess
0x41b094 GetCurrentProcess
0x41b098 UnhandledExceptionFilter
0x41b09c SetUnhandledExceptionFilter
0x41b0a0 IsDebuggerPresent
0x41b0a4 GetModuleHandleW
0x41b0a8 Sleep
0x41b0ac ExitProcess
0x41b0b0 WriteFile
0x41b0b4 GetStdHandle
0x41b0b8 GetModuleFileNameA
0x41b0bc WideCharToMultiByte
0x41b0c0 GetConsoleCP
0x41b0c4 GetConsoleMode
0x41b0c8 ReadFile
0x41b0cc TlsGetValue
0x41b0d0 TlsAlloc
0x41b0d4 TlsSetValue
0x41b0d8 TlsFree
0x41b0dc InterlockedIncrement
0x41b0e0 SetLastError
0x41b0e4 GetCurrentThreadId
0x41b0e8 FlushFileBuffers
0x41b0ec SetFilePointer
0x41b0f0 SetHandleCount
0x41b0f4 GetFileType
0x41b0f8 GetStartupInfoA
0x41b0fc RtlUnwind
0x41b100 FreeEnvironmentStringsA
0x41b104 GetEnvironmentStrings
0x41b108 FreeEnvironmentStringsW
0x41b10c GetEnvironmentStringsW
0x41b110 QueryPerformanceCounter
0x41b114 GetTickCount
0x41b118 GetSystemTimeAsFileTime
0x41b11c InitializeCriticalSectionAndSpinCount
0x41b120 GetCPInfo
0x41b124 GetACP
0x41b128 GetOEMCP
0x41b12c IsValidCodePage
0x41b130 CompareStringA
0x41b134 CompareStringW
0x41b138 SetEnvironmentVariableA
0x41b13c WriteConsoleA
0x41b140 GetConsoleOutputCP
0x41b144 WriteConsoleW
0x41b148 SetStdHandle
0x41b14c CreateFileA
ole32.dll
0x41b17c OleInitialize
OLEAUT32.dll
0x41b154 SafeArrayCreate
0x41b158 SafeArrayAccessData
0x41b15c SafeArrayUnaccessData
0x41b160 SafeArrayDestroy
0x41b164 SafeArrayCreateVector
0x41b168 VariantClear
0x41b16c VariantInit
0x41b170 SysFreeString
0x41b174 SysAllocString
EAT(Export Address Table) is none
KERNEL32.dll
0x41b000 RaiseException
0x41b004 GetLastError
0x41b008 MultiByteToWideChar
0x41b00c lstrlenA
0x41b010 InterlockedDecrement
0x41b014 GetProcAddress
0x41b018 LoadLibraryA
0x41b01c FreeResource
0x41b020 SizeofResource
0x41b024 LockResource
0x41b028 LoadResource
0x41b02c FindResourceA
0x41b030 GetModuleHandleA
0x41b034 Module32Next
0x41b038 CloseHandle
0x41b03c Module32First
0x41b040 CreateToolhelp32Snapshot
0x41b044 GetCurrentProcessId
0x41b048 SetEndOfFile
0x41b04c GetStringTypeW
0x41b050 GetStringTypeA
0x41b054 LCMapStringW
0x41b058 LCMapStringA
0x41b05c GetLocaleInfoA
0x41b060 HeapFree
0x41b064 GetProcessHeap
0x41b068 HeapAlloc
0x41b06c GetCommandLineA
0x41b070 HeapCreate
0x41b074 VirtualFree
0x41b078 DeleteCriticalSection
0x41b07c LeaveCriticalSection
0x41b080 EnterCriticalSection
0x41b084 VirtualAlloc
0x41b088 HeapReAlloc
0x41b08c HeapSize
0x41b090 TerminateProcess
0x41b094 GetCurrentProcess
0x41b098 UnhandledExceptionFilter
0x41b09c SetUnhandledExceptionFilter
0x41b0a0 IsDebuggerPresent
0x41b0a4 GetModuleHandleW
0x41b0a8 Sleep
0x41b0ac ExitProcess
0x41b0b0 WriteFile
0x41b0b4 GetStdHandle
0x41b0b8 GetModuleFileNameA
0x41b0bc WideCharToMultiByte
0x41b0c0 GetConsoleCP
0x41b0c4 GetConsoleMode
0x41b0c8 ReadFile
0x41b0cc TlsGetValue
0x41b0d0 TlsAlloc
0x41b0d4 TlsSetValue
0x41b0d8 TlsFree
0x41b0dc InterlockedIncrement
0x41b0e0 SetLastError
0x41b0e4 GetCurrentThreadId
0x41b0e8 FlushFileBuffers
0x41b0ec SetFilePointer
0x41b0f0 SetHandleCount
0x41b0f4 GetFileType
0x41b0f8 GetStartupInfoA
0x41b0fc RtlUnwind
0x41b100 FreeEnvironmentStringsA
0x41b104 GetEnvironmentStrings
0x41b108 FreeEnvironmentStringsW
0x41b10c GetEnvironmentStringsW
0x41b110 QueryPerformanceCounter
0x41b114 GetTickCount
0x41b118 GetSystemTimeAsFileTime
0x41b11c InitializeCriticalSectionAndSpinCount
0x41b120 GetCPInfo
0x41b124 GetACP
0x41b128 GetOEMCP
0x41b12c IsValidCodePage
0x41b130 CompareStringA
0x41b134 CompareStringW
0x41b138 SetEnvironmentVariableA
0x41b13c WriteConsoleA
0x41b140 GetConsoleOutputCP
0x41b144 WriteConsoleW
0x41b148 SetStdHandle
0x41b14c CreateFileA
ole32.dll
0x41b17c OleInitialize
OLEAUT32.dll
0x41b154 SafeArrayCreate
0x41b158 SafeArrayAccessData
0x41b15c SafeArrayUnaccessData
0x41b160 SafeArrayDestroy
0x41b164 SafeArrayCreateVector
0x41b168 VariantClear
0x41b16c VariantInit
0x41b170 SysFreeString
0x41b174 SysAllocString
EAT(Export Address Table) is none