ScreenShot
| Created | 2021.04.23 10:12 | Machine | s1_win7_x6401 |
| Filename | fw3.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 42 detected (malicious, high confidence, Cerbu, Unsafe, confidence, Miner, CoinMiner, CoinminerX, auule, vzceh, kcloud, ai score=81, BitCoinMiner, R06CH0DDJ21, CLOUD, cjUei5v96G4, Static AI, Suspicious PE) | ||
| md5 | c3d59d08b1f437df8fd17ec4c7e5ce6c | ||
| sha256 | 051ee98c921d915df85f4afee0e6ed40cf210dc9bd70c32ab446a1596f6b6aab | ||
| ssdeep | 3072:2XAERwJKi9bijvOzTdG9DZHTFpTjM9q529aP:DxJNb64TdGhtDT8s | ||
| imphash | 1e6c6c0fef00f13f737d59db8cd89a72 | ||
| impfuzzy | 24:jV/tXEEEjMUlv0HuOGOovr02tyS17BgdlJnc+pl3eDoGouCWuKmbiZMkkh+TAVV4:jV/tXtE9EBetyS17Bg9c+pp60KZakINw | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 42 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (12cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | binaries (upload) |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | network_http | Communications over HTTP | binaries (upload) |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (upload) |
| info | win_registry | Affect system registries | binaries (upload) |
Network (5cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140011020 GetSystemDirectoryW
0x140011028 ResumeThread
0x140011030 CloseHandle
0x140011038 GetThreadContext
0x140011040 VirtualAllocEx
0x140011048 ReadProcessMemory
0x140011050 CreateProcessW
0x140011058 CopyFileW
0x140011060 SetThreadContext
0x140011068 ReadFile
0x140011070 GetModuleFileNameW
0x140011078 SetFilePointer
0x140011080 CreateFileW
0x140011088 MultiByteToWideChar
0x140011090 LocalFileTimeToFileTime
0x140011098 GetCurrentDirectoryW
0x1400110a0 SystemTimeToFileTime
0x1400110a8 WideCharToMultiByte
0x1400110b0 SetFilePointerEx
0x1400110b8 TerminateProcess
0x1400110c0 lstrlenW
0x1400110c8 WriteFile
0x1400110d0 WriteProcessMemory
0x1400110d8 GetConsoleMode
0x1400110e0 GetConsoleCP
0x1400110e8 FlushFileBuffers
0x1400110f0 HeapSize
0x1400110f8 GetProcessHeap
0x140011100 GetStringTypeW
0x140011108 GetFileType
0x140011110 SetStdHandle
0x140011118 FreeEnvironmentStringsW
0x140011120 GetEnvironmentStringsW
0x140011128 GetCommandLineW
0x140011130 GetCommandLineA
0x140011138 GetCPInfo
0x140011140 GetOEMCP
0x140011148 GetACP
0x140011150 RtlCaptureContext
0x140011158 RtlLookupFunctionEntry
0x140011160 RtlVirtualUnwind
0x140011168 UnhandledExceptionFilter
0x140011170 SetUnhandledExceptionFilter
0x140011178 GetCurrentProcess
0x140011180 IsProcessorFeaturePresent
0x140011188 QueryPerformanceCounter
0x140011190 GetCurrentProcessId
0x140011198 GetCurrentThreadId
0x1400111a0 GetSystemTimeAsFileTime
0x1400111a8 InitializeSListHead
0x1400111b0 IsDebuggerPresent
0x1400111b8 GetStartupInfoW
0x1400111c0 GetModuleHandleW
0x1400111c8 RtlUnwindEx
0x1400111d0 RtlPcToFileHeader
0x1400111d8 RaiseException
0x1400111e0 GetLastError
0x1400111e8 SetLastError
0x1400111f0 EnterCriticalSection
0x1400111f8 LeaveCriticalSection
0x140011200 DeleteCriticalSection
0x140011208 InitializeCriticalSectionAndSpinCount
0x140011210 TlsAlloc
0x140011218 TlsGetValue
0x140011220 TlsSetValue
0x140011228 TlsFree
0x140011230 FreeLibrary
0x140011238 GetProcAddress
0x140011240 LoadLibraryExW
0x140011248 GetStdHandle
0x140011250 ExitProcess
0x140011258 GetModuleHandleExW
0x140011260 HeapFree
0x140011268 HeapAlloc
0x140011270 HeapReAlloc
0x140011278 LCMapStringW
0x140011280 FindClose
0x140011288 FindFirstFileExW
0x140011290 FindNextFileW
0x140011298 IsValidCodePage
0x1400112a0 WriteConsoleW
ADVAPI32.dll
0x140011000 RegSetValueExW
0x140011008 RegCreateKeyW
0x140011010 RegCloseKey
SHELL32.dll
0x1400112b0 SHGetFolderPathW
SHLWAPI.dll
0x1400112c0 PathCombineW
0x1400112c8 wnsprintfW
WININET.dll
0x1400112d8 InternetCrackUrlW
0x1400112e0 HttpSendRequestW
0x1400112e8 InternetQueryDataAvailable
0x1400112f0 InternetQueryOptionW
0x1400112f8 HttpOpenRequestW
0x140011300 InternetCloseHandle
0x140011308 InternetConnectW
0x140011310 InternetSetOptionW
0x140011318 InternetReadFile
0x140011320 InternetOpenW
ntdll.dll
0x140011330 NtUnmapViewOfSection
EAT(Export Address Table) is none
KERNEL32.dll
0x140011020 GetSystemDirectoryW
0x140011028 ResumeThread
0x140011030 CloseHandle
0x140011038 GetThreadContext
0x140011040 VirtualAllocEx
0x140011048 ReadProcessMemory
0x140011050 CreateProcessW
0x140011058 CopyFileW
0x140011060 SetThreadContext
0x140011068 ReadFile
0x140011070 GetModuleFileNameW
0x140011078 SetFilePointer
0x140011080 CreateFileW
0x140011088 MultiByteToWideChar
0x140011090 LocalFileTimeToFileTime
0x140011098 GetCurrentDirectoryW
0x1400110a0 SystemTimeToFileTime
0x1400110a8 WideCharToMultiByte
0x1400110b0 SetFilePointerEx
0x1400110b8 TerminateProcess
0x1400110c0 lstrlenW
0x1400110c8 WriteFile
0x1400110d0 WriteProcessMemory
0x1400110d8 GetConsoleMode
0x1400110e0 GetConsoleCP
0x1400110e8 FlushFileBuffers
0x1400110f0 HeapSize
0x1400110f8 GetProcessHeap
0x140011100 GetStringTypeW
0x140011108 GetFileType
0x140011110 SetStdHandle
0x140011118 FreeEnvironmentStringsW
0x140011120 GetEnvironmentStringsW
0x140011128 GetCommandLineW
0x140011130 GetCommandLineA
0x140011138 GetCPInfo
0x140011140 GetOEMCP
0x140011148 GetACP
0x140011150 RtlCaptureContext
0x140011158 RtlLookupFunctionEntry
0x140011160 RtlVirtualUnwind
0x140011168 UnhandledExceptionFilter
0x140011170 SetUnhandledExceptionFilter
0x140011178 GetCurrentProcess
0x140011180 IsProcessorFeaturePresent
0x140011188 QueryPerformanceCounter
0x140011190 GetCurrentProcessId
0x140011198 GetCurrentThreadId
0x1400111a0 GetSystemTimeAsFileTime
0x1400111a8 InitializeSListHead
0x1400111b0 IsDebuggerPresent
0x1400111b8 GetStartupInfoW
0x1400111c0 GetModuleHandleW
0x1400111c8 RtlUnwindEx
0x1400111d0 RtlPcToFileHeader
0x1400111d8 RaiseException
0x1400111e0 GetLastError
0x1400111e8 SetLastError
0x1400111f0 EnterCriticalSection
0x1400111f8 LeaveCriticalSection
0x140011200 DeleteCriticalSection
0x140011208 InitializeCriticalSectionAndSpinCount
0x140011210 TlsAlloc
0x140011218 TlsGetValue
0x140011220 TlsSetValue
0x140011228 TlsFree
0x140011230 FreeLibrary
0x140011238 GetProcAddress
0x140011240 LoadLibraryExW
0x140011248 GetStdHandle
0x140011250 ExitProcess
0x140011258 GetModuleHandleExW
0x140011260 HeapFree
0x140011268 HeapAlloc
0x140011270 HeapReAlloc
0x140011278 LCMapStringW
0x140011280 FindClose
0x140011288 FindFirstFileExW
0x140011290 FindNextFileW
0x140011298 IsValidCodePage
0x1400112a0 WriteConsoleW
ADVAPI32.dll
0x140011000 RegSetValueExW
0x140011008 RegCreateKeyW
0x140011010 RegCloseKey
SHELL32.dll
0x1400112b0 SHGetFolderPathW
SHLWAPI.dll
0x1400112c0 PathCombineW
0x1400112c8 wnsprintfW
WININET.dll
0x1400112d8 InternetCrackUrlW
0x1400112e0 HttpSendRequestW
0x1400112e8 InternetQueryDataAvailable
0x1400112f0 InternetQueryOptionW
0x1400112f8 HttpOpenRequestW
0x140011300 InternetCloseHandle
0x140011308 InternetConnectW
0x140011310 InternetSetOptionW
0x140011318 InternetReadFile
0x140011320 InternetOpenW
ntdll.dll
0x140011330 NtUnmapViewOfSection
EAT(Export Address Table) is none