ScreenShot
| Created | 2022.05.13 11:15 | Machine | s1_win7_x6401 |
| Filename | KHieqeOsagkmlGIuXc56 | ||
| Type | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 18 detected (malicious, high confidence, score, GenKryptik, FUMO, Emotet, clos, CrypterX, Generic ML PUA, Obfuscated, based, Nekark, eaknt, Wacatac, GenericRXAA, susgen, Kryptik) | ||
| md5 | 17405af200d73c164f1cc2fbee421f0b | ||
| sha256 | d2ca9798cc615221a1a435df9ec413ed27c3796bf255870b7235b8538c019175 | ||
| ssdeep | 12288:e1NKDzZKRpnBlD7MGVrdjF3hRcTsApSvHQdOzyK7zjwOjmStjNwgraKRT61cKGNx:S4DzZKnH4ERGY61WN+ | ||
| imphash | 6cc0be0d01417a15b61c3b6a580e87ed | ||
| impfuzzy | 48:BHEmX/KA/JS5QFQ+jnB095OKzGFdQo5x36m48HZxpXzOhGy7s0:j3OUQo5ImPxhzOhGy7s0 | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | Generates some ICMP traffic |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Communicates with host for which no DNS query was performed |
| watch | Created a service where a service was also not started |
| watch | File has been identified by 18 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Expresses interest in specific running processes |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (13cnts) ?
Suricata ids
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET CNC Feodo Tracker Reported CnC Server group 6
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 19
ET CNC Feodo Tracker Reported CnC Server group 6
ET INFO TLS Handshake Failure
ET CNC Feodo Tracker Reported CnC Server group 19
PE API
IAT(Import Address Table) Library
GDI32.dll
0x18006a4f0 CreatePen
0x18006a4f8 DeleteObject
0x18006a500 LineTo
0x18006a508 MoveToEx
0x18006a510 Polyline
0x18006a518 SelectObject
USER32.dll
0x18006a528 BeginPaint
0x18006a530 CloseGestureInfoHandle
0x18006a538 CreateWindowExW
0x18006a540 DefWindowProcW
0x18006a548 DestroyWindow
0x18006a550 DispatchMessageW
0x18006a558 EndPaint
0x18006a560 GetGestureInfo
0x18006a568 GetMessageW
0x18006a570 InvalidateRect
0x18006a578 LoadCursorW
0x18006a580 LoadStringW
0x18006a588 PostQuitMessage
0x18006a590 RegisterClassExW
0x18006a598 ScreenToClient
0x18006a5a0 SetGestureConfig
0x18006a5a8 ShowWindow
0x18006a5b0 TranslateAcceleratorW
0x18006a5b8 TranslateMessage
0x18006a5c0 UpdateWindow
KERNEL32.dll
0x18006a5d0 CloseHandle
0x18006a5d8 CompareStringW
0x18006a5e0 CreateFileW
0x18006a5e8 DeleteCriticalSection
0x18006a5f0 EncodePointer
0x18006a5f8 EnterCriticalSection
0x18006a600 EnumSystemLocalesW
0x18006a608 ExitProcess
0x18006a610 FindClose
0x18006a618 FindFirstFileExW
0x18006a620 FindNextFileW
0x18006a628 FlsAlloc
0x18006a630 FlsFree
0x18006a638 FlsGetValue
0x18006a640 FlsSetValue
0x18006a648 FlushFileBuffers
0x18006a650 FreeEnvironmentStringsW
0x18006a658 FreeLibrary
0x18006a660 GetACP
0x18006a668 GetCPInfo
0x18006a670 GetCommandLineA
0x18006a678 GetCommandLineW
0x18006a680 GetConsoleMode
0x18006a688 GetConsoleOutputCP
0x18006a690 GetCurrentProcess
0x18006a698 GetCurrentProcessId
0x18006a6a0 GetCurrentThread
0x18006a6a8 GetCurrentThreadId
0x18006a6b0 GetDateFormatW
0x18006a6b8 GetEnvironmentStringsW
0x18006a6c0 GetFileSizeEx
0x18006a6c8 GetFileType
0x18006a6d0 GetLastError
0x18006a6d8 GetLocaleInfoW
0x18006a6e0 GetModuleFileNameW
0x18006a6e8 GetModuleHandleExW
0x18006a6f0 GetModuleHandleW
0x18006a6f8 GetOEMCP
0x18006a700 GetProcAddress
0x18006a708 GetProcessHeap
0x18006a710 GetStartupInfoW
0x18006a718 GetStdHandle
0x18006a720 GetStringTypeW
0x18006a728 GetSystemTimeAsFileTime
0x18006a730 GetTimeFormatW
0x18006a738 GetUserDefaultLCID
0x18006a740 HeapAlloc
0x18006a748 HeapFree
0x18006a750 HeapReAlloc
0x18006a758 HeapSize
0x18006a760 InitializeCriticalSectionAndSpinCount
0x18006a768 InitializeSListHead
0x18006a770 InterlockedFlushSList
0x18006a778 InterlockedPushEntrySList
0x18006a780 IsDebuggerPresent
0x18006a788 IsProcessorFeaturePresent
0x18006a790 IsValidCodePage
0x18006a798 IsValidLocale
0x18006a7a0 LCMapStringW
0x18006a7a8 LeaveCriticalSection
0x18006a7b0 LoadLibraryExW
0x18006a7b8 MultiByteToWideChar
0x18006a7c0 OutputDebugStringW
0x18006a7c8 QueryPerformanceCounter
0x18006a7d0 RaiseException
0x18006a7d8 ReadConsoleW
0x18006a7e0 ReadFile
0x18006a7e8 RtlCaptureContext
0x18006a7f0 RtlLookupFunctionEntry
0x18006a7f8 RtlPcToFileHeader
0x18006a800 RtlUnwind
0x18006a808 RtlUnwindEx
0x18006a810 RtlVirtualUnwind
0x18006a818 SetConsoleCtrlHandler
0x18006a820 SetEnvironmentVariableW
0x18006a828 SetFilePointerEx
0x18006a830 SetLastError
0x18006a838 SetStdHandle
0x18006a840 SetUnhandledExceptionFilter
0x18006a848 TerminateProcess
0x18006a850 TlsAlloc
0x18006a858 TlsFree
0x18006a860 TlsGetValue
0x18006a868 TlsSetValue
0x18006a870 UnhandledExceptionFilter
0x18006a878 VirtualAlloc
0x18006a880 WideCharToMultiByte
0x18006a888 WriteConsoleW
0x18006a890 WriteFile
EAT(Export Address Table) Library
0x180002260 DllRegisterServer
0x1800022c0 LOvvDZSqwIIv77gTR
0x180002290 LvDZSWWUQUvbGZFR
GDI32.dll
0x18006a4f0 CreatePen
0x18006a4f8 DeleteObject
0x18006a500 LineTo
0x18006a508 MoveToEx
0x18006a510 Polyline
0x18006a518 SelectObject
USER32.dll
0x18006a528 BeginPaint
0x18006a530 CloseGestureInfoHandle
0x18006a538 CreateWindowExW
0x18006a540 DefWindowProcW
0x18006a548 DestroyWindow
0x18006a550 DispatchMessageW
0x18006a558 EndPaint
0x18006a560 GetGestureInfo
0x18006a568 GetMessageW
0x18006a570 InvalidateRect
0x18006a578 LoadCursorW
0x18006a580 LoadStringW
0x18006a588 PostQuitMessage
0x18006a590 RegisterClassExW
0x18006a598 ScreenToClient
0x18006a5a0 SetGestureConfig
0x18006a5a8 ShowWindow
0x18006a5b0 TranslateAcceleratorW
0x18006a5b8 TranslateMessage
0x18006a5c0 UpdateWindow
KERNEL32.dll
0x18006a5d0 CloseHandle
0x18006a5d8 CompareStringW
0x18006a5e0 CreateFileW
0x18006a5e8 DeleteCriticalSection
0x18006a5f0 EncodePointer
0x18006a5f8 EnterCriticalSection
0x18006a600 EnumSystemLocalesW
0x18006a608 ExitProcess
0x18006a610 FindClose
0x18006a618 FindFirstFileExW
0x18006a620 FindNextFileW
0x18006a628 FlsAlloc
0x18006a630 FlsFree
0x18006a638 FlsGetValue
0x18006a640 FlsSetValue
0x18006a648 FlushFileBuffers
0x18006a650 FreeEnvironmentStringsW
0x18006a658 FreeLibrary
0x18006a660 GetACP
0x18006a668 GetCPInfo
0x18006a670 GetCommandLineA
0x18006a678 GetCommandLineW
0x18006a680 GetConsoleMode
0x18006a688 GetConsoleOutputCP
0x18006a690 GetCurrentProcess
0x18006a698 GetCurrentProcessId
0x18006a6a0 GetCurrentThread
0x18006a6a8 GetCurrentThreadId
0x18006a6b0 GetDateFormatW
0x18006a6b8 GetEnvironmentStringsW
0x18006a6c0 GetFileSizeEx
0x18006a6c8 GetFileType
0x18006a6d0 GetLastError
0x18006a6d8 GetLocaleInfoW
0x18006a6e0 GetModuleFileNameW
0x18006a6e8 GetModuleHandleExW
0x18006a6f0 GetModuleHandleW
0x18006a6f8 GetOEMCP
0x18006a700 GetProcAddress
0x18006a708 GetProcessHeap
0x18006a710 GetStartupInfoW
0x18006a718 GetStdHandle
0x18006a720 GetStringTypeW
0x18006a728 GetSystemTimeAsFileTime
0x18006a730 GetTimeFormatW
0x18006a738 GetUserDefaultLCID
0x18006a740 HeapAlloc
0x18006a748 HeapFree
0x18006a750 HeapReAlloc
0x18006a758 HeapSize
0x18006a760 InitializeCriticalSectionAndSpinCount
0x18006a768 InitializeSListHead
0x18006a770 InterlockedFlushSList
0x18006a778 InterlockedPushEntrySList
0x18006a780 IsDebuggerPresent
0x18006a788 IsProcessorFeaturePresent
0x18006a790 IsValidCodePage
0x18006a798 IsValidLocale
0x18006a7a0 LCMapStringW
0x18006a7a8 LeaveCriticalSection
0x18006a7b0 LoadLibraryExW
0x18006a7b8 MultiByteToWideChar
0x18006a7c0 OutputDebugStringW
0x18006a7c8 QueryPerformanceCounter
0x18006a7d0 RaiseException
0x18006a7d8 ReadConsoleW
0x18006a7e0 ReadFile
0x18006a7e8 RtlCaptureContext
0x18006a7f0 RtlLookupFunctionEntry
0x18006a7f8 RtlPcToFileHeader
0x18006a800 RtlUnwind
0x18006a808 RtlUnwindEx
0x18006a810 RtlVirtualUnwind
0x18006a818 SetConsoleCtrlHandler
0x18006a820 SetEnvironmentVariableW
0x18006a828 SetFilePointerEx
0x18006a830 SetLastError
0x18006a838 SetStdHandle
0x18006a840 SetUnhandledExceptionFilter
0x18006a848 TerminateProcess
0x18006a850 TlsAlloc
0x18006a858 TlsFree
0x18006a860 TlsGetValue
0x18006a868 TlsSetValue
0x18006a870 UnhandledExceptionFilter
0x18006a878 VirtualAlloc
0x18006a880 WideCharToMultiByte
0x18006a888 WriteConsoleW
0x18006a890 WriteFile
EAT(Export Address Table) Library
0x180002260 DllRegisterServer
0x1800022c0 LOvvDZSqwIIv77gTR
0x180002290 LvDZSWWUQUvbGZFR