Field | Value |
---|---|
Created | 2021.04.10 09:23 |
Machine | s1_win7_x6402 |
Filename | lolMiner.exe |
Type | PE32+ executable (console) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 40 detected (malicious, high confidence, Coinminer, Unsafe, QDFS, Miner, Bitcoinminer, FileRepMalware, HackTool, CLOUD, ApplicUnwnt@#35as3iiatmqs8, VSNTBN21, Artemis, Static AI, Suspicious PE, RiskTool, ai score=99, score, Miner3) |
md5 | 3c9dcc91e05dc05a01fff739e40474d7 |
sha256 | 6dd7b3d944595429136366b908fd18d3cac315c6f1453dd4cb5bcafa9e9a95a6 |
ssdeep | 98304:o9qZFSd9o31ZlZP9ybmBCTauIejZc3j20L8ghQLj9INDwhPBlsR2Yv1sTFt:o8yS1LxQbmkVjZczjL8ghQxIBwhPBlso |
imphash | 46c33c2ddb9269495943f4bbe9ce669d |
impfuzzy | 6:omRg/GVKXKBJAEoZ/OEGDzyRkNTaYDML1KcA5PJ:omRg/WdABZG/DzDZ5PJ |
Network IP location
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 40 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | HasOverlay | Overlay Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | IsConsole | (no description) | binaries (upload) |
info | IsPacked | Entropy Check | binaries (upload) |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | binaries (upload) |
info | win_registry | Affect system registries | binaries (upload) |
Network (6cnts)
Suricata ids
PE API
IAT (Import Address Table)
Library | Address | Function |
---|---|---|
ADVAPI32.dll | 0x141e1f2a4 | RegCloseKey |
crypt.dll | 0x141e1f2b4 | BCryptGenRandom |
CRYPT32.dll | 0x141e1f2c4 | CertOpenStore |
KERNEL32.DLL | 0x141e1f2d4 | LoadLibraryA |
KERNEL32.DLL | 0x141e1f2dc | ExitProcess |
KERNEL32.DLL | 0x141e1f2e4 | GetProcAddress |
KERNEL32.DLL | 0x141e1f2ec | VirtualProtect |
MSWSOCK.dll | 0x141e1f2fc | AcceptEx |
OpenCL.dll | 0x141e1f30c | clRetainEvent |
SETUPAPI.dll | 0x141e1f31c | SetupDiGetClassDevsA |
USER32.dll | 0x141e1f32c | ShowWindow |
WS2_32.dll | 0x141e1f33c | ntohl |
EAT (Export Address Table) is none