popup

Report - 1soft.exe

Generic Malware Malicious Packer UPX Malicious Library PE64 PE File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.15 18:06 Machine s1_win7_x6401
Filename 1soft.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
3
 Behavior Score
4.0
ZERO API file : malware
VT API (file) 28 detected (malicious, high confidence, Autoruns, GenericKDS, Artemis, Save, confidence, GenericS, GenCBL, Donut, MdeClass, Sabsik, Coinminer, 15OWS9, score, ai score=89, Outbreak, susgen, PossibleThreat)
md5 6084bf88a6d2c70c894614fc762244de
sha256 cb425063656b52bde063c94fafc99bb8c25eb6ee30a416bf2566b377b6072b62
ssdeep 49152:+LTWSBKkKYizmb9kP2UuOWCoHXcsZaCqaPwe9m9BaH0T1LZA5H:iTWSBKkKYizmb62j5jm9wcqB
imphash c2df290778c8af3affccea3ea32cbaa1
impfuzzy 6:HQ2aJctD4f/JLGDgJLgJtXIKFJQQZ/OIA+m1BJAEnERGDfA7VSNLAcPh/MKm:EmtEfZGoQtXJxZGb9AJcDfA5kLfP9m
  Network IP location

Signature (9cnts)

Level Description
warning File has been identified by 28 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Manipulates memory of a non-child process indicative of process injection
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (6cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (7cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://raw.githubusercontent.com/UnamSanctam/SilentETHMiner/master/SilentETHMiner/Resources/ethminer.zip
whois
US FASTLY 185.199.110.133 malware
https://github.com/UnamSanctam/SilentETHMiner/raw/master/SilentETHMiner/Resources/ethminer.zip
whois
KR AMAZON-02 15.164.81.167 2610 mailcious
github.com
whois
KR AMAZON-02 52.78.231.108 mailcious
raw.githubusercontent.com
whois
US FASTLY 185.199.108.133 malware
sanctam.net
whois
Unknown mailcious
185.199.110.133
whois
US FASTLY 185.199.110.133 malware
15.164.81.167
whois
KR AMAZON-02 15.164.81.167 malware

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

PE API

IAT(Import Address Table) Library

msvcrt.dll
 0x6a3000 strlen
kernel32.dll
 0x6a3010 Sleep
ntdll.dll
 0x6a3020 NtAllocateVirtualMemory
kernel32.dll
 0x6a3030 LocalAlloc
 0x6a3038 LocalFree
 0x6a3040 GetModuleFileNameW
 0x6a3048 GetProcessAffinityMask
 0x6a3050 SetProcessAffinityMask
 0x6a3058 SetThreadAffinityMask
 0x6a3060 Sleep
 0x6a3068 ExitProcess
 0x6a3070 FreeLibrary
 0x6a3078 LoadLibraryA
 0x6a3080 GetModuleHandleA
 0x6a3088 GetProcAddress
USER32.dll
 0x6a3098 GetProcessWindowStation
 0x6a30a0 GetUserObjectInformationW

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure