ScreenShot
| Created | 2021.09.13 09:32 | Machine | s1_win7_x6401 |
| Filename | task.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 14 detected (malicious, high confidence, confidence, Genome, CoinminerX, Srwq, Static AI, Malicious PE, Bingoml, Unsafe, Score, susgen) | ||
| md5 | 5120630343cdfdc8698f7ce9d9991894 | ||
| sha256 | 9831ce1230a68322d442ae5732a4974846e7c9ab7318c41d7382a986428fcb8e | ||
| ssdeep | 3072:u7lm+ZrvtFckqaGuI5x5puWpMoSFQ9oToqMrdhHI3IIad69/N:uEIrZBIPfp7Sq9tdZI3IIw6dN | ||
| imphash | 6b9c23a9a3b4c46610e49aa6cdf719fa | ||
| impfuzzy | 3:oTE4ps0JWBJAEPw1MO/OywS9KTXzhAXwEQaxRegp3:oTaBJAEoZ/OEGDzyRzd | ||
Network IP location
Signature (12cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | Created a service where a service was also not started |
| watch | File has been identified by 14 AntiVirus engines on VirusTotal as malicious |
| watch | Installs itself for autorun at Windows startup |
| notice | Creates executable files on the filesystem |
| notice | Foreign language identified in PE resource |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| info | Checks if process is being debugged by a debugger |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET POLICY Cryptocurrency Miner Checkin
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x14004727c OpenServiceW
KERNEL32.DLL
0x14004728c LoadLibraryA
0x140047294 ExitProcess
0x14004729c GetProcAddress
0x1400472a4 VirtualProtect
USER32.dll
0x1400472b4 GetMessageW
EAT(Export Address Table) is none
ADVAPI32.dll
0x14004727c OpenServiceW
KERNEL32.DLL
0x14004728c LoadLibraryA
0x140047294 ExitProcess
0x14004729c GetProcAddress
0x1400472a4 VirtualProtect
USER32.dll
0x1400472b4 GetMessageW
EAT(Export Address Table) is none