ScreenShot
| Created | 2023.04.02 09:03 | Machine | s1_win7_x6403 |
| Filename | updater.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 34 detected (GenericKD, unsafe, malicious, confidence, Attribute, HighConfidence, moderate confidence, score, xavjgw, EPACK, Gen2, high, Generic Reputation PUA, Wacatac, Detected, Artemis, ai score=86, CLOUD, susgen, PossibleThreat) | ||
| md5 | a04a12bd76283170bc83848686e4f946 | ||
| sha256 | 13d6361137c3e50b65f6e7385e44e2a5bbcb435aea861112953579ec2230fd44 | ||
| ssdeep | 98304:vT72zCNeI+sjbIBNmJ1t2WJ8BJXzN9Bhvu4:vPb+sjbIXgUJXzN9Bhvu4 | ||
| imphash | 1f19b48b1743dc444330a51f961069d0 | ||
| impfuzzy | 24:U+2WDoeQtWOovbOGMUD1uBvgJWDGZWylnjBLPOXr07Gy46uu9PJUHYjg6:UDQoTx361GuZxJjBbO+GyvgHr6 | ||
Network IP location
Signature (11cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Drops a binary and executes it |
| notice | A process created a hidden window |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | This executable has a PDB path |
Rules (8cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (8cnts) ?
Suricata ids
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
ET MALWARE Win32/Pripyat Activity (POST)
ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
ET MALWARE Win32/Pripyat Activity (POST)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140032450 CloseHandle
0x140032458 CompareStringW
0x140032460 CreateEventW
0x140032468 CreateFileW
0x140032470 DecodePointer
0x140032478 DeleteCriticalSection
0x140032480 EncodePointer
0x140032488 EnterCriticalSection
0x140032490 EnumSystemLocalesW
0x140032498 ExitProcess
0x1400324a0 FindClose
0x1400324a8 FindFirstFileExW
0x1400324b0 FindNextFileW
0x1400324b8 FlushFileBuffers
0x1400324c0 FreeConsole
0x1400324c8 FreeEnvironmentStringsW
0x1400324d0 FreeLibrary
0x1400324d8 GetACP
0x1400324e0 GetCPInfo
0x1400324e8 GetCommandLineA
0x1400324f0 GetCommandLineW
0x1400324f8 GetConsoleMode
0x140032500 GetConsoleOutputCP
0x140032508 GetCurrentProcess
0x140032510 GetCurrentProcessId
0x140032518 GetCurrentThreadId
0x140032520 GetEnvironmentStringsW
0x140032528 GetFileSizeEx
0x140032530 GetFileType
0x140032538 GetLastError
0x140032540 GetLocaleInfoW
0x140032548 GetModuleFileNameW
0x140032550 GetModuleHandleExW
0x140032558 GetModuleHandleW
0x140032560 GetOEMCP
0x140032568 GetProcAddress
0x140032570 GetProcessHeap
0x140032578 GetStartupInfoW
0x140032580 GetStdHandle
0x140032588 GetStringTypeW
0x140032590 GetSystemInfo
0x140032598 GetSystemTimeAsFileTime
0x1400325a0 GetUserDefaultLCID
0x1400325a8 HeapAlloc
0x1400325b0 HeapFree
0x1400325b8 HeapReAlloc
0x1400325c0 HeapSize
0x1400325c8 InitializeCriticalSectionAndSpinCount
0x1400325d0 InitializeCriticalSectionEx
0x1400325d8 InitializeSListHead
0x1400325e0 IsDebuggerPresent
0x1400325e8 IsProcessorFeaturePresent
0x1400325f0 IsValidCodePage
0x1400325f8 IsValidLocale
0x140032600 LCMapStringEx
0x140032608 LCMapStringW
0x140032610 LeaveCriticalSection
0x140032618 LoadLibraryExW
0x140032620 MultiByteToWideChar
0x140032628 QueryPerformanceCounter
0x140032630 RaiseException
0x140032638 ReadConsoleW
0x140032640 ReadFile
0x140032648 ResetEvent
0x140032650 RtlCaptureContext
0x140032658 RtlLookupFunctionEntry
0x140032660 RtlPcToFileHeader
0x140032668 RtlUnwind
0x140032670 RtlUnwindEx
0x140032678 RtlVirtualUnwind
0x140032680 SetCommBreak
0x140032688 SetEndOfFile
0x140032690 SetEnvironmentVariableW
0x140032698 SetEvent
0x1400326a0 SetFilePointerEx
0x1400326a8 SetLastError
0x1400326b0 SetStdHandle
0x1400326b8 SetUnhandledExceptionFilter
0x1400326c0 Sleep
0x1400326c8 TerminateProcess
0x1400326d0 TlsAlloc
0x1400326d8 TlsFree
0x1400326e0 TlsGetValue
0x1400326e8 TlsSetValue
0x1400326f0 UnhandledExceptionFilter
0x1400326f8 WaitForSingleObjectEx
0x140032700 WideCharToMultiByte
0x140032708 WriteConsoleW
0x140032710 WriteFile
SHELL32.dll
0x140032720 ShellExecuteA
USER32.dll
0x140032730 DdeQueryNextServer
EAT(Export Address Table) is none
KERNEL32.dll
0x140032450 CloseHandle
0x140032458 CompareStringW
0x140032460 CreateEventW
0x140032468 CreateFileW
0x140032470 DecodePointer
0x140032478 DeleteCriticalSection
0x140032480 EncodePointer
0x140032488 EnterCriticalSection
0x140032490 EnumSystemLocalesW
0x140032498 ExitProcess
0x1400324a0 FindClose
0x1400324a8 FindFirstFileExW
0x1400324b0 FindNextFileW
0x1400324b8 FlushFileBuffers
0x1400324c0 FreeConsole
0x1400324c8 FreeEnvironmentStringsW
0x1400324d0 FreeLibrary
0x1400324d8 GetACP
0x1400324e0 GetCPInfo
0x1400324e8 GetCommandLineA
0x1400324f0 GetCommandLineW
0x1400324f8 GetConsoleMode
0x140032500 GetConsoleOutputCP
0x140032508 GetCurrentProcess
0x140032510 GetCurrentProcessId
0x140032518 GetCurrentThreadId
0x140032520 GetEnvironmentStringsW
0x140032528 GetFileSizeEx
0x140032530 GetFileType
0x140032538 GetLastError
0x140032540 GetLocaleInfoW
0x140032548 GetModuleFileNameW
0x140032550 GetModuleHandleExW
0x140032558 GetModuleHandleW
0x140032560 GetOEMCP
0x140032568 GetProcAddress
0x140032570 GetProcessHeap
0x140032578 GetStartupInfoW
0x140032580 GetStdHandle
0x140032588 GetStringTypeW
0x140032590 GetSystemInfo
0x140032598 GetSystemTimeAsFileTime
0x1400325a0 GetUserDefaultLCID
0x1400325a8 HeapAlloc
0x1400325b0 HeapFree
0x1400325b8 HeapReAlloc
0x1400325c0 HeapSize
0x1400325c8 InitializeCriticalSectionAndSpinCount
0x1400325d0 InitializeCriticalSectionEx
0x1400325d8 InitializeSListHead
0x1400325e0 IsDebuggerPresent
0x1400325e8 IsProcessorFeaturePresent
0x1400325f0 IsValidCodePage
0x1400325f8 IsValidLocale
0x140032600 LCMapStringEx
0x140032608 LCMapStringW
0x140032610 LeaveCriticalSection
0x140032618 LoadLibraryExW
0x140032620 MultiByteToWideChar
0x140032628 QueryPerformanceCounter
0x140032630 RaiseException
0x140032638 ReadConsoleW
0x140032640 ReadFile
0x140032648 ResetEvent
0x140032650 RtlCaptureContext
0x140032658 RtlLookupFunctionEntry
0x140032660 RtlPcToFileHeader
0x140032668 RtlUnwind
0x140032670 RtlUnwindEx
0x140032678 RtlVirtualUnwind
0x140032680 SetCommBreak
0x140032688 SetEndOfFile
0x140032690 SetEnvironmentVariableW
0x140032698 SetEvent
0x1400326a0 SetFilePointerEx
0x1400326a8 SetLastError
0x1400326b0 SetStdHandle
0x1400326b8 SetUnhandledExceptionFilter
0x1400326c0 Sleep
0x1400326c8 TerminateProcess
0x1400326d0 TlsAlloc
0x1400326d8 TlsFree
0x1400326e0 TlsGetValue
0x1400326e8 TlsSetValue
0x1400326f0 UnhandledExceptionFilter
0x1400326f8 WaitForSingleObjectEx
0x140032700 WideCharToMultiByte
0x140032708 WriteConsoleW
0x140032710 WriteFile
SHELL32.dll
0x140032720 ShellExecuteA
USER32.dll
0x140032730 DdeQueryNextServer
EAT(Export Address Table) is none