ScreenShot
| Created | 2021.10.14 18:10 | Machine | s1_win7_x6401 |
| Filename | monero-bandit.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 41 detected (malicious, high confidence, InjectNET, GenericKDZ, Unsafe, Donut, confidence, 100%, Eldorado, AGen, TrojanX, Lhdm, Artemis, Redcap, llrgw, ai score=100, Sabsik, score, R444169, R002C0WJ821, KcD8mNL7U4c, AgentAGen) | ||
| md5 | 342ef4f2941187bdc7f66d148be0ff75 | ||
| sha256 | 046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395 | ||
| ssdeep | 49152:4HXeSvsEQ2JZpmwDIqg45PHXsjKkms5Z3z3Yu0E2tElJHhU9VWOZH+aM:4jvsW/lDZ5P3sju63p2tERU9VT | ||
| imphash | 27516fd8750f40bdecf52a1420a0296a | ||
| impfuzzy | 6:HbJqX0pyxYJxSBS0H5sD4sIWvFoFUAliPEcJmJctD4tCcp4tWMB4:7Jq36Y58GaPXJmmtEvOb6 | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Manipulates memory of a non-child process indicative of process injection |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x60d5a0 strlen
0x60d5a8 malloc
0x60d5b0 memset
0x60d5b8 getenv
0x60d5c0 sprintf
0x60d5c8 printf
0x60d5d0 __argc
0x60d5d8 __argv
0x60d5e0 _environ
0x60d5e8 _XcptFilter
0x60d5f0 __set_app_type
0x60d5f8 _controlfp
0x60d600 __getmainargs
0x60d608 exit
kernel32.dll
0x60d618 Sleep
0x60d620 GetModuleFileNameA
0x60d628 CreateProcessA
0x60d630 CloseHandle
0x60d638 SetUnhandledExceptionFilter
ntdll.dll
0x60d648 NtAllocateVirtualMemory
0x60d650 NtWriteVirtualMemory
0x60d658 NtCreateThreadEx
EAT(Export Address Table) is none
msvcrt.dll
0x60d5a0 strlen
0x60d5a8 malloc
0x60d5b0 memset
0x60d5b8 getenv
0x60d5c0 sprintf
0x60d5c8 printf
0x60d5d0 __argc
0x60d5d8 __argv
0x60d5e0 _environ
0x60d5e8 _XcptFilter
0x60d5f0 __set_app_type
0x60d5f8 _controlfp
0x60d600 __getmainargs
0x60d608 exit
kernel32.dll
0x60d618 Sleep
0x60d620 GetModuleFileNameA
0x60d628 CreateProcessA
0x60d630 CloseHandle
0x60d638 SetUnhandledExceptionFilter
ntdll.dll
0x60d648 NtAllocateVirtualMemory
0x60d650 NtWriteVirtualMemory
0x60d658 NtCreateThreadEx
EAT(Export Address Table) is none