ScreenShot
| Created | 2021.03.22 18:45 | Machine | s1_win7_x6402 |
| Filename | coohom.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 15 detected (Artemis, RemoteUtilities, MalwareX, Generic Reputation PUA, Wacatac, multiple detections) | ||
| md5 | 79143f8bb899f89ad0a244017e4934dd | ||
| sha256 | c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56 | ||
| ssdeep | 196608:5diWhHuOZ9gaOUTEX6Ln714t+zQotTA82laPYOSPQW5RznW:7iaEkCt+zQoG82lAL2QW5Ri | ||
| imphash | 2f38416762c94d29a8bc2c6865d1c9f2 | ||
| impfuzzy | 48:8cfp1rcQX0gebPCZr9ZSwldH9AOMpbGwt+Eu55T/lGB:8cfpdcqNebqZr3SQHWNV | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | Deletes executed files from disk |
| watch | File has been identified by 15 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
Rules (35cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | Lnk_Format_Zero | LNK Format | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | borland_delphi | Borland Delphi 2.0 - 7.0 / 2005 - 2007 | binaries (download) |
| info | borland_delphi | Borland Delphi 2.0 - 7.0 / 2005 - 2007 | binaries (upload) |
| info | escalate_priv | Escalade priviledges | binaries (download) |
| info | escalate_priv | Escalade priviledges | binaries (upload) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
| info | HasDigitalSignature | DigitalSignature Check | binaries (upload) |
| info | HasOverlay | Overlay Check | binaries (download) |
| info | HasOverlay | Overlay Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | IsConsole | (no description) | binaries (download) |
| info | IsPacked | Entropy Check | binaries (download) |
| info | IsPacked | Entropy Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | binaries (download) |
| info | screenshot | Take screenshot | binaries (download) |
| info | spreading_file | Malware can spread east-west file | binaries (download) |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_mutex | Create or check mutex | binaries (download) |
| info | win_private_profile | Affect private profile | binaries (download) |
| info | win_registry | Affect system registries | binaries (download) |
| info | win_registry | Affect system registries | binaries (upload) |
| info | win_token | Affect system token | binaries (download) |
| info | win_token | Affect system token | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
kernel32.dll
0x4100b4 DeleteCriticalSection
0x4100b8 LeaveCriticalSection
0x4100bc EnterCriticalSection
0x4100c0 InitializeCriticalSection
0x4100c4 VirtualFree
0x4100c8 VirtualAlloc
0x4100cc LocalFree
0x4100d0 LocalAlloc
0x4100d4 WideCharToMultiByte
0x4100d8 TlsSetValue
0x4100dc TlsGetValue
0x4100e0 MultiByteToWideChar
0x4100e4 GetModuleHandleA
0x4100e8 GetLastError
0x4100ec GetCommandLineA
0x4100f0 WriteFile
0x4100f4 SetFilePointer
0x4100f8 SetEndOfFile
0x4100fc RtlUnwind
0x410100 ReadFile
0x410104 RaiseException
0x410108 GetStdHandle
0x41010c GetFileSize
0x410110 GetSystemTime
0x410114 GetFileType
0x410118 ExitProcess
0x41011c CreateFileA
0x410120 CloseHandle
user32.dll
0x410128 MessageBoxA
oleaut32.dll
0x410130 VariantChangeTypeEx
0x410134 VariantCopyInd
0x410138 VariantClear
0x41013c SysStringLen
0x410140 SysAllocStringLen
advapi32.dll
0x410148 RegQueryValueExA
0x41014c RegOpenKeyExA
0x410150 RegCloseKey
0x410154 OpenProcessToken
0x410158 LookupPrivilegeValueA
kernel32.dll
0x410160 WriteFile
0x410164 VirtualQuery
0x410168 VirtualProtect
0x41016c VirtualFree
0x410170 VirtualAlloc
0x410174 Sleep
0x410178 SizeofResource
0x41017c SetLastError
0x410180 SetFilePointer
0x410184 SetErrorMode
0x410188 SetEndOfFile
0x41018c RemoveDirectoryA
0x410190 ReadFile
0x410194 LockResource
0x410198 LoadResource
0x41019c LoadLibraryA
0x4101a0 IsDBCSLeadByte
0x4101a4 GetWindowsDirectoryA
0x4101a8 GetVersionExA
0x4101ac GetVersion
0x4101b0 GetUserDefaultLangID
0x4101b4 GetSystemInfo
0x4101b8 GetSystemDirectoryA
0x4101bc GetSystemDefaultLCID
0x4101c0 GetProcAddress
0x4101c4 GetModuleHandleA
0x4101c8 GetModuleFileNameA
0x4101cc GetLocaleInfoA
0x4101d0 GetLastError
0x4101d4 GetFullPathNameA
0x4101d8 GetFileSize
0x4101dc GetFileAttributesA
0x4101e0 GetExitCodeProcess
0x4101e4 GetEnvironmentVariableA
0x4101e8 GetCurrentThreadId
0x4101ec GetCurrentProcess
0x4101f0 GetCommandLineA
0x4101f4 GetACP
0x4101f8 InterlockedExchange
0x4101fc FormatMessageA
0x410200 FindResourceA
0x410204 DeleteFileA
0x410208 CreateProcessA
0x41020c CreateFileA
0x410210 CreateDirectoryA
0x410214 CompareStringA
0x410218 CloseHandle
user32.dll
0x410220 TranslateMessage
0x410224 SetWindowLongA
0x410228 PeekMessageA
0x41022c MsgWaitForMultipleObjects
0x410230 MessageBoxA
0x410234 LoadStringA
0x410238 ExitWindowsEx
0x41023c DispatchMessageA
0x410240 DestroyWindow
0x410244 CreateWindowExA
0x410248 CallWindowProcA
0x41024c CharPrevA
comctl32.dll
0x410254 InitCommonControls
advapi32.dll
0x41025c AdjustTokenPrivileges
EAT(Export Address Table) is none
kernel32.dll
0x4100b4 DeleteCriticalSection
0x4100b8 LeaveCriticalSection
0x4100bc EnterCriticalSection
0x4100c0 InitializeCriticalSection
0x4100c4 VirtualFree
0x4100c8 VirtualAlloc
0x4100cc LocalFree
0x4100d0 LocalAlloc
0x4100d4 WideCharToMultiByte
0x4100d8 TlsSetValue
0x4100dc TlsGetValue
0x4100e0 MultiByteToWideChar
0x4100e4 GetModuleHandleA
0x4100e8 GetLastError
0x4100ec GetCommandLineA
0x4100f0 WriteFile
0x4100f4 SetFilePointer
0x4100f8 SetEndOfFile
0x4100fc RtlUnwind
0x410100 ReadFile
0x410104 RaiseException
0x410108 GetStdHandle
0x41010c GetFileSize
0x410110 GetSystemTime
0x410114 GetFileType
0x410118 ExitProcess
0x41011c CreateFileA
0x410120 CloseHandle
user32.dll
0x410128 MessageBoxA
oleaut32.dll
0x410130 VariantChangeTypeEx
0x410134 VariantCopyInd
0x410138 VariantClear
0x41013c SysStringLen
0x410140 SysAllocStringLen
advapi32.dll
0x410148 RegQueryValueExA
0x41014c RegOpenKeyExA
0x410150 RegCloseKey
0x410154 OpenProcessToken
0x410158 LookupPrivilegeValueA
kernel32.dll
0x410160 WriteFile
0x410164 VirtualQuery
0x410168 VirtualProtect
0x41016c VirtualFree
0x410170 VirtualAlloc
0x410174 Sleep
0x410178 SizeofResource
0x41017c SetLastError
0x410180 SetFilePointer
0x410184 SetErrorMode
0x410188 SetEndOfFile
0x41018c RemoveDirectoryA
0x410190 ReadFile
0x410194 LockResource
0x410198 LoadResource
0x41019c LoadLibraryA
0x4101a0 IsDBCSLeadByte
0x4101a4 GetWindowsDirectoryA
0x4101a8 GetVersionExA
0x4101ac GetVersion
0x4101b0 GetUserDefaultLangID
0x4101b4 GetSystemInfo
0x4101b8 GetSystemDirectoryA
0x4101bc GetSystemDefaultLCID
0x4101c0 GetProcAddress
0x4101c4 GetModuleHandleA
0x4101c8 GetModuleFileNameA
0x4101cc GetLocaleInfoA
0x4101d0 GetLastError
0x4101d4 GetFullPathNameA
0x4101d8 GetFileSize
0x4101dc GetFileAttributesA
0x4101e0 GetExitCodeProcess
0x4101e4 GetEnvironmentVariableA
0x4101e8 GetCurrentThreadId
0x4101ec GetCurrentProcess
0x4101f0 GetCommandLineA
0x4101f4 GetACP
0x4101f8 InterlockedExchange
0x4101fc FormatMessageA
0x410200 FindResourceA
0x410204 DeleteFileA
0x410208 CreateProcessA
0x41020c CreateFileA
0x410210 CreateDirectoryA
0x410214 CompareStringA
0x410218 CloseHandle
user32.dll
0x410220 TranslateMessage
0x410224 SetWindowLongA
0x410228 PeekMessageA
0x41022c MsgWaitForMultipleObjects
0x410230 MessageBoxA
0x410234 LoadStringA
0x410238 ExitWindowsEx
0x41023c DispatchMessageA
0x410240 DestroyWindow
0x410244 CreateWindowExA
0x410248 CallWindowProcA
0x41024c CharPrevA
comctl32.dll
0x410254 InitCommonControls
advapi32.dll
0x41025c AdjustTokenPrivileges
EAT(Export Address Table) is none