ScreenShot
| Created | 2021.11.10 08:21 | Machine | s1_win7_x6403 |
| Filename | prof-xmr.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 12 detected (malicious, high confidence, VMProtect, BadFile, Static AI, Suspicious PE, Sabsik, score, susgen) | ||
| md5 | fea27ec625bc1404776fd452be4d52f9 | ||
| sha256 | b23fb46fbb5d1d9d97ff697e1666b417e545610b8a5fc17c4e91887a6e007ba7 | ||
| ssdeep | 98304:ALweZEPQxF425ffUytPje9DOHT1WD7FSAYfyy7cwwLTiSu4Wcq3lYB:WEP4np8yti9SfyyIwwLTiSu4X0lYB | ||
| imphash | 2e94efa8721780d16bef6f247a11963d | ||
| impfuzzy | 12:sJbwfP9qZGoQtXJxZGb9AJcDfA5kLfP9m:okaQtXJHc9NDI5Q8 | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| watch | File has been identified by 12 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
msvcrt.dll
0xb6e000 malloc
kernel32.dll
0xb6e010 Sleep
WTSAPI32.dll
0xb6e020 WTSSendMessageW
kernel32.dll
0xb6e030 GetSystemTimeAsFileTime
USER32.dll
0xb6e040 GetUserObjectInformationW
kernel32.dll
0xb6e050 LocalAlloc
0xb6e058 LocalFree
0xb6e060 GetModuleFileNameW
0xb6e068 GetProcessAffinityMask
0xb6e070 SetProcessAffinityMask
0xb6e078 SetThreadAffinityMask
0xb6e080 Sleep
0xb6e088 ExitProcess
0xb6e090 FreeLibrary
0xb6e098 LoadLibraryA
0xb6e0a0 GetModuleHandleA
0xb6e0a8 GetProcAddress
USER32.dll
0xb6e0b8 GetProcessWindowStation
0xb6e0c0 GetUserObjectInformationW
EAT(Export Address Table) Library
msvcrt.dll
0xb6e000 malloc
kernel32.dll
0xb6e010 Sleep
WTSAPI32.dll
0xb6e020 WTSSendMessageW
kernel32.dll
0xb6e030 GetSystemTimeAsFileTime
USER32.dll
0xb6e040 GetUserObjectInformationW
kernel32.dll
0xb6e050 LocalAlloc
0xb6e058 LocalFree
0xb6e060 GetModuleFileNameW
0xb6e068 GetProcessAffinityMask
0xb6e070 SetProcessAffinityMask
0xb6e078 SetThreadAffinityMask
0xb6e080 Sleep
0xb6e088 ExitProcess
0xb6e090 FreeLibrary
0xb6e098 LoadLibraryA
0xb6e0a0 GetModuleHandleA
0xb6e0a8 GetProcAddress
USER32.dll
0xb6e0b8 GetProcessWindowStation
0xb6e0c0 GetUserObjectInformationW
EAT(Export Address Table) Library