popup

Report - 111.exe

Malicious Packer Malicious Library PE64 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.11 10:06 Machine s1_win7_x6402
Filename 111.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
7
 Behavior Score
3.4
ZERO API file : malware
VT API (file)
md5 9b164a8d1003a08d50d8d282da9cde81
sha256 0ed30d6e1917aacb4c153772048cee51355c4613d8f751f4a106c96bdbe87bb4
ssdeep 6144:P/kyeY0/04tb4JiXlH5eF/vCP+l15sTNxZaXi3mi5u:Psy0/fbCuZq/aWUHL3mD
imphash 27516fd8750f40bdecf52a1420a0296a
impfuzzy 6:HbJqX0pyxYJxSBS0H5sD4sIWvFoFUAliPEcJmJctD4tCcp4tWMB4:7Jq36Y58GaPXJmmtEvOb6
  Network IP location

Signature (7cnts)

Level Description
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Manipulates memory of a non-child process indicative of process injection
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://raw.githubusercontent.com/UnamSanctam/SilentETHMiner/master/SilentETHMiner/Resources/ethminer.zip
whois
US FASTLY 185.199.110.133 malware
https://github.com/UnamSanctam/SilentETHMiner/raw/master/SilentETHMiner/Resources/ethminer.zip
whois
KR AMAZON-02 52.78.231.108 2610 mailcious
github.com
whois
KR AMAZON-02 52.78.231.108 mailcious
raw.githubusercontent.com
whois
US FASTLY 185.199.108.133 malware
sanctam.net
whois
Unknown mailcious
52.78.231.108
whois
KR AMAZON-02 52.78.231.108 malware
185.199.110.133
whois
US FASTLY 185.199.110.133 malware
117.18.237.29
whois
TW EDGECAST 117.18.237.29 clean
208.95.112.1
whois
US TUT-AS 208.95.112.1 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

msvcrt.dll
 0x4109a0 strlen
 0x4109a8 malloc
 0x4109b0 memset
 0x4109b8 getenv
 0x4109c0 sprintf
 0x4109c8 printf
 0x4109d0 __argc
 0x4109d8 __argv
 0x4109e0 _environ
 0x4109e8 _XcptFilter
 0x4109f0 __set_app_type
 0x4109f8 _controlfp
 0x410a00 __getmainargs
 0x410a08 exit
kernel32.dll
 0x410a18 Sleep
 0x410a20 GetModuleFileNameA
 0x410a28 CreateProcessA
 0x410a30 CloseHandle
 0x410a38 SetUnhandledExceptionFilter
ntdll.dll
 0x410a48 NtAllocateVirtualMemory
 0x410a50 NtWriteVirtualMemory
 0x410a58 NtCreateThreadEx

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure