ScreenShot
| Created | 2023.04.10 09:10 | Machine | s1_win7_x6403 |
| Filename | Updater.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 51 detected (malicious, high confidence, score, Artemis, Kryptik, Vrp3, GenKryptik, Genus, ABRisk, EBYR, Attribute, HighConfidence, GIIA, xavnes, Hosts, jvisvl, FalseSign, Eflw, Nekark, wjaad, R002C0DD623, Generic Reputation PUA, Malware@#38zvo226ygp71, Xmrig, Detected, ai score=79, unsafe, Chgt, tSjl4DNY5BP, susgen) | ||
| md5 | 6fa2a8de3fc30b9c80d12c2ac4ad2e3f | ||
| sha256 | a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd | ||
| ssdeep | 196608:RHkauZatU8wbxg2e/ZPIq3QkZRgj2wpAY7E6XZufNrM1W:RHcsw22eRI2QkjgjLlErH | ||
| imphash | d3be2dc19ba54f7225d7679c3f791cf7 | ||
| impfuzzy | 24:1fPJx+kTdF0tWJd1jIlMblRf5XG6qXZgJkomvlA/GbtcqcJvZJF:1fPL+kT6kSslJJG6qJgk1vm/GbuqcJLF | ||
Network IP location
Signature (2cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 51 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1409d029c CloseHandle
0x1409d02a4 CreateSemaphoreW
0x1409d02ac DeleteCriticalSection
0x1409d02b4 EnterCriticalSection
0x1409d02bc GetCurrentThreadId
0x1409d02c4 GetLastError
0x1409d02cc GetStartupInfoA
0x1409d02d4 InitializeCriticalSection
0x1409d02dc IsDBCSLeadByteEx
0x1409d02e4 LeaveCriticalSection
0x1409d02ec MultiByteToWideChar
0x1409d02f4 RaiseException
0x1409d02fc ReleaseSemaphore
0x1409d0304 RtlCaptureContext
0x1409d030c RtlLookupFunctionEntry
0x1409d0314 RtlUnwindEx
0x1409d031c RtlVirtualUnwind
0x1409d0324 SetLastError
0x1409d032c SetUnhandledExceptionFilter
0x1409d0334 Sleep
0x1409d033c TlsAlloc
0x1409d0344 TlsFree
0x1409d034c TlsGetValue
0x1409d0354 TlsSetValue
0x1409d035c VirtualProtect
0x1409d0364 VirtualQuery
0x1409d036c WaitForSingleObject
0x1409d0374 WideCharToMultiByte
msvcrt.dll
0x1409d0384 __C_specific_handler
0x1409d038c ___lc_codepage_func
0x1409d0394 ___mb_cur_max_func
0x1409d039c __getmainargs
0x1409d03a4 __initenv
0x1409d03ac __iob_func
0x1409d03b4 __set_app_type
0x1409d03bc __setusermatherr
0x1409d03c4 _acmdln
0x1409d03cc _amsg_exit
0x1409d03d4 _cexit
0x1409d03dc _commode
0x1409d03e4 _errno
0x1409d03ec _fmode
0x1409d03f4 _initterm
0x1409d03fc _onexit
0x1409d0404 _wcsicmp
0x1409d040c _wcsnicmp
0x1409d0414 abort
0x1409d041c calloc
0x1409d0424 exit
0x1409d042c fprintf
0x1409d0434 fputc
0x1409d043c fputs
0x1409d0444 fputwc
0x1409d044c free
0x1409d0454 fwprintf
0x1409d045c fwrite
0x1409d0464 localeconv
0x1409d046c malloc
0x1409d0474 memcpy
0x1409d047c memset
0x1409d0484 realloc
0x1409d048c signal
0x1409d0494 strcat
0x1409d049c strcmp
0x1409d04a4 strerror
0x1409d04ac strlen
0x1409d04b4 strncmp
0x1409d04bc strstr
0x1409d04c4 vfprintf
0x1409d04cc wcscat
0x1409d04d4 wcscpy
0x1409d04dc wcslen
0x1409d04e4 wcsncmp
0x1409d04ec wcsstr
EAT(Export Address Table) is none
KERNEL32.dll
0x1409d029c CloseHandle
0x1409d02a4 CreateSemaphoreW
0x1409d02ac DeleteCriticalSection
0x1409d02b4 EnterCriticalSection
0x1409d02bc GetCurrentThreadId
0x1409d02c4 GetLastError
0x1409d02cc GetStartupInfoA
0x1409d02d4 InitializeCriticalSection
0x1409d02dc IsDBCSLeadByteEx
0x1409d02e4 LeaveCriticalSection
0x1409d02ec MultiByteToWideChar
0x1409d02f4 RaiseException
0x1409d02fc ReleaseSemaphore
0x1409d0304 RtlCaptureContext
0x1409d030c RtlLookupFunctionEntry
0x1409d0314 RtlUnwindEx
0x1409d031c RtlVirtualUnwind
0x1409d0324 SetLastError
0x1409d032c SetUnhandledExceptionFilter
0x1409d0334 Sleep
0x1409d033c TlsAlloc
0x1409d0344 TlsFree
0x1409d034c TlsGetValue
0x1409d0354 TlsSetValue
0x1409d035c VirtualProtect
0x1409d0364 VirtualQuery
0x1409d036c WaitForSingleObject
0x1409d0374 WideCharToMultiByte
msvcrt.dll
0x1409d0384 __C_specific_handler
0x1409d038c ___lc_codepage_func
0x1409d0394 ___mb_cur_max_func
0x1409d039c __getmainargs
0x1409d03a4 __initenv
0x1409d03ac __iob_func
0x1409d03b4 __set_app_type
0x1409d03bc __setusermatherr
0x1409d03c4 _acmdln
0x1409d03cc _amsg_exit
0x1409d03d4 _cexit
0x1409d03dc _commode
0x1409d03e4 _errno
0x1409d03ec _fmode
0x1409d03f4 _initterm
0x1409d03fc _onexit
0x1409d0404 _wcsicmp
0x1409d040c _wcsnicmp
0x1409d0414 abort
0x1409d041c calloc
0x1409d0424 exit
0x1409d042c fprintf
0x1409d0434 fputc
0x1409d043c fputs
0x1409d0444 fputwc
0x1409d044c free
0x1409d0454 fwprintf
0x1409d045c fwrite
0x1409d0464 localeconv
0x1409d046c malloc
0x1409d0474 memcpy
0x1409d047c memset
0x1409d0484 realloc
0x1409d048c signal
0x1409d0494 strcat
0x1409d049c strcmp
0x1409d04a4 strerror
0x1409d04ac strlen
0x1409d04b4 strncmp
0x1409d04bc strstr
0x1409d04c4 vfprintf
0x1409d04cc wcscat
0x1409d04d4 wcscpy
0x1409d04dc wcslen
0x1409d04e4 wcsncmp
0x1409d04ec wcsstr
EAT(Export Address Table) is none