Field | Value |
---|---|
Created | 2023.03.11 10:43 |
Machine | s1_win7_x6403 |
Filename | Aztec.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
ZERO API | file : malware |
VT API (file) | 20 detected (Tedy, unsafe, malicious, confidence, Attribute, HighConfidence, Kryptik, CoinMiner, Agen, Bgow, Siggen20, Generic ML PUA, ai score=86, Detected, R541225, mJL08voCrEL) |
md5 | 679f7bb9c60003a65a6a98d474f3fb0e |
sha256 | fe0c2c6438a5ed2dd338a52678b1d5be0a63de608bd360437129976ae19ee1c1 |
ssdeep | 98304:4emYRF9KAR+oj+kQf4KnqI8VV4xqxVT9111UoQDKBfcxTgb8pg:pCARpj+11MqedFMDTAx |
imphash | c24ea937b2b0d62e829e8a8faeff5a8d |
impfuzzy | 24:Dfjz+kQYJd1j9Mblif5XGTqqXZPFkomtcqcxvZJF:DfH+kXHslEJGTqqJdk1uqcxLF |
Signature (2 cnts)
Level | Description |
---|---|
warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (3 cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDS
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x140393254 CreateSemaphoreW
0x14039325c DeleteCriticalSection
0x140393264 EnterCriticalSection
0x14039326c GetLastError
0x140393274 GetModuleFileNameW
0x14039327c GetStartupInfoW
0x140393284 InitializeCriticalSection
0x14039328c IsDBCSLeadByteEx
0x140393294 LeaveCriticalSection
0x14039329c MultiByteToWideChar
0x1403932a4 ReleaseSemaphore
0x1403932ac SetLastError
0x1403932b4 SetUnhandledExceptionFilter
0x1403932bc Sleep
0x1403932c4 TlsAlloc
0x1403932cc TlsFree
0x1403932d4 TlsGetValue
0x1403932dc TlsSetValue
0x1403932e4 VirtualProtect
0x1403932ec VirtualQuery
0x1403932f4 WaitForSingleObject
msvcrt.dll
0x140393304 __C_specific_handler
0x14039330c ___lc_codepage_func
0x140393314 ___mb_cur_max_func
0x14039331c __iob_func
0x140393324 __set_app_type
0x14039332c __setusermatherr
0x140393334 __wgetmainargs
0x14039333c __winitenv
0x140393344 _amsg_exit
0x14039334c _assert
0x140393354 _cexit
0x14039335c _commode
0x140393364 _errno
0x14039336c _fmode
0x140393374 _initterm
0x14039337c _onexit
0x140393384 _wcmdln
0x14039338c _wcsicmp
0x140393394 _wgetenv
0x14039339c abort
0x1403933a4 calloc
0x1403933ac exit
0x1403933b4 fprintf
0x1403933bc fputwc
0x1403933c4 free
0x1403933cc fwprintf
0x1403933d4 fwrite
0x1403933dc localeconv
0x1403933e4 malloc
0x1403933ec memcpy
0x1403933f4 memset
0x1403933fc realloc
0x140393404 signal
0x14039340c strcat
0x140393414 strerror
0x14039341c strlen
0x140393424 strncmp
0x14039342c strstr
0x140393434 vfprintf
0x14039343c wcscat
0x140393444 wcscpy
0x14039344c wcslen
0x140393454 wcsncmp
0x14039345c wcsstr
EAT (Export Address Table): none