ScreenShot
Created | 2023.06.09 09:25 | Machine | s1_win7_x6402 |
Filename | mobsync.exe | ||
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 23 detected (malicious, high confidence, Barys, Eldorado, Attribute, HighConfidence, GenKryptik, GIIA, Sabsik, Detected, R571995, ai score=86, DisguisedXMRigMiner, YhzrPCllRHI, Krypt) | ||
md5 | 828dda50caa47e37c427142e216c373f | ||
sha256 | 54c7a21de074152b11a9aefb278508706176189c322c08fc2e56fec1a7f9169b | ||
ssdeep | 98304:O+uYZVNKpE1d5eqjDiI5pmOl3AR6hfn47tYjr6uh+PTJtSUBzYXk4fTbZthsZbfH:OId5eqPthrr6uh+PTJtS3t0aZAFtiQMe | ||
imphash | f7505c167603909b7180406402fef19e | ||
impfuzzy | 24:1fPJx+kTdF0tWJd1jIlMblRf5XG6qXZgJkomvlA/Gbtcqc6ZJF:1fPL+kT6kSslJJG6qJgk1vm/GbuqcoF |
Network IP location
Signature (6cnts)
Level | Description |
---|---|
warning | File has been identified by 23 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET INFO Observed DNS Query to .world TLD
ET POLICY Cryptocurrency Miner Checkin
ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
ET MALWARE Win32/Pripyat Activity (POST)
ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
ET INFO Observed DNS Query to .world TLD
ET POLICY Cryptocurrency Miner Checkin
ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
ET MALWARE Win32/Pripyat Activity (POST)
ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1409ca28c CloseHandle
0x1409ca294 CreateSemaphoreW
0x1409ca29c DeleteCriticalSection
0x1409ca2a4 EnterCriticalSection
0x1409ca2ac GetCurrentThreadId
0x1409ca2b4 GetLastError
0x1409ca2bc GetStartupInfoA
0x1409ca2c4 InitializeCriticalSection
0x1409ca2cc IsDBCSLeadByteEx
0x1409ca2d4 LeaveCriticalSection
0x1409ca2dc MultiByteToWideChar
0x1409ca2e4 RaiseException
0x1409ca2ec ReleaseSemaphore
0x1409ca2f4 RtlCaptureContext
0x1409ca2fc RtlLookupFunctionEntry
0x1409ca304 RtlUnwindEx
0x1409ca30c RtlVirtualUnwind
0x1409ca314 SetLastError
0x1409ca31c SetUnhandledExceptionFilter
0x1409ca324 Sleep
0x1409ca32c TlsAlloc
0x1409ca334 TlsFree
0x1409ca33c TlsGetValue
0x1409ca344 TlsSetValue
0x1409ca34c VirtualProtect
0x1409ca354 VirtualQuery
0x1409ca35c WaitForSingleObject
0x1409ca364 WideCharToMultiByte
msvcrt.dll
0x1409ca374 __C_specific_handler
0x1409ca37c ___lc_codepage_func
0x1409ca384 ___mb_cur_max_func
0x1409ca38c __getmainargs
0x1409ca394 __initenv
0x1409ca39c __iob_func
0x1409ca3a4 __set_app_type
0x1409ca3ac __setusermatherr
0x1409ca3b4 _acmdln
0x1409ca3bc _amsg_exit
0x1409ca3c4 _cexit
0x1409ca3cc _commode
0x1409ca3d4 _errno
0x1409ca3dc _fmode
0x1409ca3e4 _initterm
0x1409ca3ec _onexit
0x1409ca3f4 _wcsicmp
0x1409ca3fc _wcsnicmp
0x1409ca404 abort
0x1409ca40c calloc
0x1409ca414 exit
0x1409ca41c fprintf
0x1409ca424 fputc
0x1409ca42c fputs
0x1409ca434 fputwc
0x1409ca43c free
0x1409ca444 fwprintf
0x1409ca44c fwrite
0x1409ca454 localeconv
0x1409ca45c malloc
0x1409ca464 memcpy
0x1409ca46c memset
0x1409ca474 realloc
0x1409ca47c signal
0x1409ca484 strcmp
0x1409ca48c strerror
0x1409ca494 strlen
0x1409ca49c strncmp
0x1409ca4a4 vfprintf
0x1409ca4ac wcscat
0x1409ca4b4 wcscpy
0x1409ca4bc wcslen
0x1409ca4c4 wcsncmp
0x1409ca4cc wcsstr
EAT(Export Address Table) is none
KERNEL32.dll
0x1409ca28c CloseHandle
0x1409ca294 CreateSemaphoreW
0x1409ca29c DeleteCriticalSection
0x1409ca2a4 EnterCriticalSection
0x1409ca2ac GetCurrentThreadId
0x1409ca2b4 GetLastError
0x1409ca2bc GetStartupInfoA
0x1409ca2c4 InitializeCriticalSection
0x1409ca2cc IsDBCSLeadByteEx
0x1409ca2d4 LeaveCriticalSection
0x1409ca2dc MultiByteToWideChar
0x1409ca2e4 RaiseException
0x1409ca2ec ReleaseSemaphore
0x1409ca2f4 RtlCaptureContext
0x1409ca2fc RtlLookupFunctionEntry
0x1409ca304 RtlUnwindEx
0x1409ca30c RtlVirtualUnwind
0x1409ca314 SetLastError
0x1409ca31c SetUnhandledExceptionFilter
0x1409ca324 Sleep
0x1409ca32c TlsAlloc
0x1409ca334 TlsFree
0x1409ca33c TlsGetValue
0x1409ca344 TlsSetValue
0x1409ca34c VirtualProtect
0x1409ca354 VirtualQuery
0x1409ca35c WaitForSingleObject
0x1409ca364 WideCharToMultiByte
msvcrt.dll
0x1409ca374 __C_specific_handler
0x1409ca37c ___lc_codepage_func
0x1409ca384 ___mb_cur_max_func
0x1409ca38c __getmainargs
0x1409ca394 __initenv
0x1409ca39c __iob_func
0x1409ca3a4 __set_app_type
0x1409ca3ac __setusermatherr
0x1409ca3b4 _acmdln
0x1409ca3bc _amsg_exit
0x1409ca3c4 _cexit
0x1409ca3cc _commode
0x1409ca3d4 _errno
0x1409ca3dc _fmode
0x1409ca3e4 _initterm
0x1409ca3ec _onexit
0x1409ca3f4 _wcsicmp
0x1409ca3fc _wcsnicmp
0x1409ca404 abort
0x1409ca40c calloc
0x1409ca414 exit
0x1409ca41c fprintf
0x1409ca424 fputc
0x1409ca42c fputs
0x1409ca434 fputwc
0x1409ca43c free
0x1409ca444 fwprintf
0x1409ca44c fwrite
0x1409ca454 localeconv
0x1409ca45c malloc
0x1409ca464 memcpy
0x1409ca46c memset
0x1409ca474 realloc
0x1409ca47c signal
0x1409ca484 strcmp
0x1409ca48c strerror
0x1409ca494 strlen
0x1409ca49c strncmp
0x1409ca4a4 vfprintf
0x1409ca4ac wcscat
0x1409ca4b4 wcscpy
0x1409ca4bc wcslen
0x1409ca4c4 wcsncmp
0x1409ca4cc wcsstr
EAT(Export Address Table) is none