Created | 2021.06.17 15:26 | Machine | s1_win7_x6401 |
---|---|---|---|
Filename | service.exe | | |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | | |
AI Score | Not found | Behavior Score | |
ZERO API | file : clean | | |
VT API (file) | 56 detected (W32/CoinMiner.65CA!tr, Trojan.Win32.Generic!BT, HEUR:Trojan.Win32.Generic, win/malicious_confidence_90% (W), BScope.Trojan.Miner, Generic.mg.e8fb243e4a198c6d, malicious.e4a198, not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen, malicious (high confidence), TROJ_GEN.R06CC0DCS21, Trojan.Malware.12132254.susgen, ML.Attribute.HighConfidence, W32/MadoMiner.A.gen!Eldorado, Trojan.CoinMiner.Win32.31357, Trojan:Win32/BitMiner.1c0d38b9, TR/CoinMiner.uazxc, Trojan ( 0054661c1 ), BehavesLike.Win32.Generic.wc, Trojan.GenericKD.46001838 (B), Trojan/Win32.Agent.C2467469, malware (ai score=81), Gen:NN.ZexaF.34688.JpKfa44!cuab, GenericRXMB-TZ!E8FB243E4A19, FileRepMalware, Malicious, Trojan.GenericRI.S8512615, Trojan.Win32.Save.a, Packed.Win32.MUPX.Gen@24tbus, Trj/GdSda.A, Trojan.Win32.BitMiner.itilmx, Trojan.Win32.CoinMiner, Trojan:Win32/CoinMiner!MTB, Trojan.GenAsa!TzM5OlroTMI, HackTool.XMRMiner!1.C2EC (CLOUD), W32.Malware.Gen, Win.Malware.Temr-7070541-0, a variant of Win32/CoinMiner.BVC, Trojan.BitCoinMiner, Trojan.GenericKD.46001838, Tool.Nssm.2, W32.EmotetR335G.Trojan, Win32.Trojan.PSE.1QVDXLB, Win32.Troj.Undef.(kcloud), Mal/Generic-S, generic.ml, Unsafe, Malicious (score: 100), Static AI - Malicious PE, RiskTool.BitMiner.bzyu) | | |
md5 | e8fb243e4a198c6d940b9f829ef0b79a | | |
sha256 | 925335818fa1846826e0ee4c25e8d34f7604af08614cf9a907133dd64d87751a | | |
ssdeep | 98304:GY2PVsHr4g3uzvw61pEtFvKem1Ncv5+ay/KnsO1YWlP:J2NIPCv1+ttKF1ev5ZyCVlJ | | |
imphash | f61687272ede04042da2ed03fc12db7b | | |
impfuzzy | 6:omRgsyIBM9IVA7ZBJAEoZ/OEGDzyRPLMKJAmzRjLbtuISXmJJcJOl:omRghIBAIVOABZG/DzA+m9xutX+mOl | | |
Network IP location
Signature (10cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
watch | Communicates with host for which no DNS query was performed |
watch | File has been identified by 15 AntiVirus engines on VirusTotal as malicious |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An application raised an exception which may be indicative of an exploit crash |
notice | Performs some HTTP requests |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | One or more processes crashed |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO TLS Handshake Failure
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0xfa13f8 RegCloseKey
COMCTL32.dll
0xfa1400 None
comdlg32.dll
0xfa1408 ChooseColorA
GDI32.dll
0xfa1410 PatBlt
KERNEL32.DLL
0xfa1418 LoadLibraryA
0xfa141c ExitProcess
0xfa1420 GetProcAddress
0xfa1424 VirtualProtect
ole32.dll
0xfa142c OleInitialize
OLEAUT32.dll
0xfa1434 LoadTypeLib
SHELL32.dll
0xfa143c ShellExecuteA
USER32.dll
0xfa1444 GetDC
WINMM.dll
0xfa144c waveOutOpen
WINSPOOL.DRV
0xfa1454 ClosePrinter
WS2_32.dll
0xfa145c inet_ntoa
EAT(Export Address Table) is none