ScreenShot
| Created | 2021.03.21 18:45 | Machine | s1_win7_x6402 |
| Filename | winlog2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 29 detected (Cerbu, Artemis, Unsafe, Save, Eldorado, Attribute, HighConfidence, Malicious, FileRepMalware, Ipamor, Static AI, Suspicious PE, AGEN, SpyNoon, score, ai score=87, NSIS, CLOUD, EOWC, HoMASREA) | ||
| md5 | adbc8e8beb3f5318a520ba139e547b8a | ||
| sha256 | e773970b0c36095a1b84b1ae1492f5a83467bb8f0a0a870201747e5b57f863d0 | ||
| ssdeep | 3072:JPA6jXFN2Mc6c9edSAobbUaVuK7MRMxh0JFbnuJrIXzSdqck2IUx3S8RzWBhk7ig:JhjmicLfHUfK7MRAoFtXm8ckPbSyBC7n | ||
| imphash | b1a57b635b23ffd553b3fd1e0960b2bd | ||
| impfuzzy | 48:cB1SKpEtO6wiQzL8r+tAltSv54eObGLlo8t0Q7XEFpV74dT+4EQX/1Eowhxly6UZ:cjSKpiRwivJ81WAV5O8 | ||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | Putty Files |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Moves the original executable to a new location |
| notice | Potentially malicious URLs were found in the process memory dump |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (62cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_com_service | Create a COM server | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsConsole | (no description) | binaries (download) |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | binaries (upload) |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | binaries (upload) |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | binaries (upload) |
| info | win_token | Affect system token | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x407064 GetTickCount
0x407068 GetShortPathNameA
0x40706c GetFullPathNameA
0x407070 MoveFileA
0x407074 SetCurrentDirectoryA
0x407078 GetFileAttributesA
0x40707c SetFileAttributesA
0x407080 CompareFileTime
0x407084 SearchPathA
0x407088 CreateFileA
0x40708c GetFileSize
0x407090 GetModuleFileNameA
0x407094 GetCurrentProcess
0x407098 CopyFileA
0x40709c ExitProcess
0x4070a0 GetWindowsDirectoryA
0x4070a4 Sleep
0x4070a8 lstrcmpiA
0x4070ac lstrlenA
0x4070b0 GetVersion
0x4070b4 SetErrorMode
0x4070b8 lstrcpynA
0x4070bc GetDiskFreeSpaceA
0x4070c0 GlobalUnlock
0x4070c4 GlobalLock
0x4070c8 CreateThread
0x4070cc GetLastError
0x4070d0 CreateDirectoryA
0x4070d4 CreateProcessA
0x4070d8 RemoveDirectoryA
0x4070dc GetTempFileNameA
0x4070e0 lstrcatA
0x4070e4 GetSystemDirectoryA
0x4070e8 WaitForSingleObject
0x4070ec SetFileTime
0x4070f0 CloseHandle
0x4070f4 GlobalFree
0x4070f8 lstrcmpA
0x4070fc ExpandEnvironmentStringsA
0x407100 GetExitCodeProcess
0x407104 GlobalAlloc
0x407108 GetCommandLineA
0x40710c GetTempPathA
0x407110 GetProcAddress
0x407114 FindFirstFileA
0x407118 FindNextFileA
0x40711c DeleteFileA
0x407120 SetFilePointer
0x407124 ReadFile
0x407128 FindClose
0x40712c GetPrivateProfileStringA
0x407130 WritePrivateProfileStringA
0x407134 WriteFile
0x407138 MulDiv
0x40713c MultiByteToWideChar
0x407140 LoadLibraryExA
0x407144 GetModuleHandleA
0x407148 FreeLibrary
USER32.dll
0x40716c SetCursor
0x407170 GetWindowRect
0x407174 EnableMenuItem
0x407178 GetSystemMenu
0x40717c SetClassLongA
0x407180 IsWindowEnabled
0x407184 SetWindowPos
0x407188 GetSysColor
0x40718c EndDialog
0x407190 ScreenToClient
0x407194 LoadCursorA
0x407198 CheckDlgButton
0x40719c GetMessagePos
0x4071a0 LoadBitmapA
0x4071a4 CallWindowProcA
0x4071a8 IsWindowVisible
0x4071ac CloseClipboard
0x4071b0 SetForegroundWindow
0x4071b4 GetWindowLongA
0x4071b8 RegisterClassA
0x4071bc TrackPopupMenu
0x4071c0 AppendMenuA
0x4071c4 CreatePopupMenu
0x4071c8 GetSystemMetrics
0x4071cc SetDlgItemTextA
0x4071d0 GetDlgItemTextA
0x4071d4 MessageBoxIndirectA
0x4071d8 CharPrevA
0x4071dc DispatchMessageA
0x4071e0 PeekMessageA
0x4071e4 GetDC
0x4071e8 EnableWindow
0x4071ec InvalidateRect
0x4071f0 SendMessageA
0x4071f4 DefWindowProcA
0x4071f8 BeginPaint
0x4071fc GetClientRect
0x407200 FillRect
0x407204 DrawTextA
0x407208 SystemParametersInfoA
0x40720c CreateWindowExA
0x407210 GetClassInfoA
0x407214 DialogBoxParamA
0x407218 CharNextA
0x40721c ExitWindowsEx
0x407220 SetTimer
0x407224 PostQuitMessage
0x407228 SetWindowLongA
0x40722c SendMessageTimeoutA
0x407230 LoadImageA
0x407234 wsprintfA
0x407238 GetDlgItem
0x40723c FindWindowExA
0x407240 IsWindow
0x407244 SetClipboardData
0x407248 EmptyClipboard
0x40724c OpenClipboard
0x407250 EndPaint
0x407254 CreateDialogParamA
0x407258 DestroyWindow
0x40725c ShowWindow
0x407260 SetWindowTextA
GDI32.dll
0x407040 SelectObject
0x407044 SetBkMode
0x407048 CreateFontIndirectA
0x40704c SetTextColor
0x407050 DeleteObject
0x407054 GetDeviceCaps
0x407058 CreateBrushIndirect
0x40705c SetBkColor
SHELL32.dll
0x407150 SHGetSpecialFolderLocation
0x407154 SHGetPathFromIDListA
0x407158 SHBrowseForFolderA
0x40715c SHGetFileInfoA
0x407160 SHFileOperationA
0x407164 ShellExecuteA
ADVAPI32.dll
0x407000 RegDeleteValueA
0x407004 SetFileSecurityA
0x407008 RegOpenKeyExA
0x40700c RegDeleteKeyA
0x407010 RegEnumValueA
0x407014 RegCloseKey
0x407018 RegCreateKeyExA
0x40701c RegSetValueExA
0x407020 RegQueryValueExA
0x407024 RegEnumKeyA
COMCTL32.dll
0x40702c ImageList_AddMasked
0x407030 ImageList_Destroy
0x407034 ImageList_Create
0x407038 None
ole32.dll
0x407268 OleUninitialize
0x40726c OleInitialize
0x407270 CoTaskMemFree
0x407274 CoCreateInstance
EAT(Export Address Table) is none
KERNEL32.dll
0x407064 GetTickCount
0x407068 GetShortPathNameA
0x40706c GetFullPathNameA
0x407070 MoveFileA
0x407074 SetCurrentDirectoryA
0x407078 GetFileAttributesA
0x40707c SetFileAttributesA
0x407080 CompareFileTime
0x407084 SearchPathA
0x407088 CreateFileA
0x40708c GetFileSize
0x407090 GetModuleFileNameA
0x407094 GetCurrentProcess
0x407098 CopyFileA
0x40709c ExitProcess
0x4070a0 GetWindowsDirectoryA
0x4070a4 Sleep
0x4070a8 lstrcmpiA
0x4070ac lstrlenA
0x4070b0 GetVersion
0x4070b4 SetErrorMode
0x4070b8 lstrcpynA
0x4070bc GetDiskFreeSpaceA
0x4070c0 GlobalUnlock
0x4070c4 GlobalLock
0x4070c8 CreateThread
0x4070cc GetLastError
0x4070d0 CreateDirectoryA
0x4070d4 CreateProcessA
0x4070d8 RemoveDirectoryA
0x4070dc GetTempFileNameA
0x4070e0 lstrcatA
0x4070e4 GetSystemDirectoryA
0x4070e8 WaitForSingleObject
0x4070ec SetFileTime
0x4070f0 CloseHandle
0x4070f4 GlobalFree
0x4070f8 lstrcmpA
0x4070fc ExpandEnvironmentStringsA
0x407100 GetExitCodeProcess
0x407104 GlobalAlloc
0x407108 GetCommandLineA
0x40710c GetTempPathA
0x407110 GetProcAddress
0x407114 FindFirstFileA
0x407118 FindNextFileA
0x40711c DeleteFileA
0x407120 SetFilePointer
0x407124 ReadFile
0x407128 FindClose
0x40712c GetPrivateProfileStringA
0x407130 WritePrivateProfileStringA
0x407134 WriteFile
0x407138 MulDiv
0x40713c MultiByteToWideChar
0x407140 LoadLibraryExA
0x407144 GetModuleHandleA
0x407148 FreeLibrary
USER32.dll
0x40716c SetCursor
0x407170 GetWindowRect
0x407174 EnableMenuItem
0x407178 GetSystemMenu
0x40717c SetClassLongA
0x407180 IsWindowEnabled
0x407184 SetWindowPos
0x407188 GetSysColor
0x40718c EndDialog
0x407190 ScreenToClient
0x407194 LoadCursorA
0x407198 CheckDlgButton
0x40719c GetMessagePos
0x4071a0 LoadBitmapA
0x4071a4 CallWindowProcA
0x4071a8 IsWindowVisible
0x4071ac CloseClipboard
0x4071b0 SetForegroundWindow
0x4071b4 GetWindowLongA
0x4071b8 RegisterClassA
0x4071bc TrackPopupMenu
0x4071c0 AppendMenuA
0x4071c4 CreatePopupMenu
0x4071c8 GetSystemMetrics
0x4071cc SetDlgItemTextA
0x4071d0 GetDlgItemTextA
0x4071d4 MessageBoxIndirectA
0x4071d8 CharPrevA
0x4071dc DispatchMessageA
0x4071e0 PeekMessageA
0x4071e4 GetDC
0x4071e8 EnableWindow
0x4071ec InvalidateRect
0x4071f0 SendMessageA
0x4071f4 DefWindowProcA
0x4071f8 BeginPaint
0x4071fc GetClientRect
0x407200 FillRect
0x407204 DrawTextA
0x407208 SystemParametersInfoA
0x40720c CreateWindowExA
0x407210 GetClassInfoA
0x407214 DialogBoxParamA
0x407218 CharNextA
0x40721c ExitWindowsEx
0x407220 SetTimer
0x407224 PostQuitMessage
0x407228 SetWindowLongA
0x40722c SendMessageTimeoutA
0x407230 LoadImageA
0x407234 wsprintfA
0x407238 GetDlgItem
0x40723c FindWindowExA
0x407240 IsWindow
0x407244 SetClipboardData
0x407248 EmptyClipboard
0x40724c OpenClipboard
0x407250 EndPaint
0x407254 CreateDialogParamA
0x407258 DestroyWindow
0x40725c ShowWindow
0x407260 SetWindowTextA
GDI32.dll
0x407040 SelectObject
0x407044 SetBkMode
0x407048 CreateFontIndirectA
0x40704c SetTextColor
0x407050 DeleteObject
0x407054 GetDeviceCaps
0x407058 CreateBrushIndirect
0x40705c SetBkColor
SHELL32.dll
0x407150 SHGetSpecialFolderLocation
0x407154 SHGetPathFromIDListA
0x407158 SHBrowseForFolderA
0x40715c SHGetFileInfoA
0x407160 SHFileOperationA
0x407164 ShellExecuteA
ADVAPI32.dll
0x407000 RegDeleteValueA
0x407004 SetFileSecurityA
0x407008 RegOpenKeyExA
0x40700c RegDeleteKeyA
0x407010 RegEnumValueA
0x407014 RegCloseKey
0x407018 RegCreateKeyExA
0x40701c RegSetValueExA
0x407020 RegQueryValueExA
0x407024 RegEnumKeyA
COMCTL32.dll
0x40702c ImageList_AddMasked
0x407030 ImageList_Destroy
0x407034 ImageList_Create
0x407038 None
ole32.dll
0x407268 OleUninitialize
0x40726c OleInitialize
0x407270 CoTaskMemFree
0x407274 CoCreateInstance
EAT(Export Address Table) is none