ScreenShot
| Created | 2023.06.16 07:31 | Machine | s1_win7_x6403 |
| Filename | Srveises.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 22 detected (malicious, high confidence, Save, Attribute, HighConfidence, score, EPACK, Gen2, Sality, Miner, CoinMiner, Detected, R534006, Artemis, Usmw, AGENMM, confidence) | ||
| md5 | 863359773158308ac17b5340a3b76242 | ||
| sha256 | e80c9b5cada25f7888b69a93fd8ecc8f887b8f399abe0641c4c4f97c3a526db9 | ||
| ssdeep | 49152:OoGin4osB4YAvR0hvKg3oNG/lgLVqwBmBSnwyCKJmmBp6e:OViXv+hvKmoBBmBktCZmBpR | ||
| imphash | df9a7bc1c6c6cd97d04c3762fdde6719 | ||
| impfuzzy | 24:Dfjz+kQYJd1j9Mblif5XGTqqXZPFkomtcqcCZJF:DfH+kXHslEJGTqqJdk1uqcAF | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 22 AntiVirus engines on VirusTotal as malicious |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
ET POLICY Cryptocurrency Miner Checkin
ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
ET MALWARE Win32/Pripyat Activity (POST)
ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
ET MALWARE Win32/Pripyat Activity (POST)
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14020c244 CreateSemaphoreW
0x14020c24c DeleteCriticalSection
0x14020c254 EnterCriticalSection
0x14020c25c GetLastError
0x14020c264 GetModuleFileNameW
0x14020c26c GetStartupInfoW
0x14020c274 InitializeCriticalSection
0x14020c27c IsDBCSLeadByteEx
0x14020c284 LeaveCriticalSection
0x14020c28c MultiByteToWideChar
0x14020c294 ReleaseSemaphore
0x14020c29c SetLastError
0x14020c2a4 SetUnhandledExceptionFilter
0x14020c2ac Sleep
0x14020c2b4 TlsAlloc
0x14020c2bc TlsFree
0x14020c2c4 TlsGetValue
0x14020c2cc TlsSetValue
0x14020c2d4 VirtualProtect
0x14020c2dc VirtualQuery
0x14020c2e4 WaitForSingleObject
msvcrt.dll
0x14020c2f4 __C_specific_handler
0x14020c2fc ___lc_codepage_func
0x14020c304 ___mb_cur_max_func
0x14020c30c __iob_func
0x14020c314 __set_app_type
0x14020c31c __setusermatherr
0x14020c324 __wgetmainargs
0x14020c32c __winitenv
0x14020c334 _amsg_exit
0x14020c33c _assert
0x14020c344 _cexit
0x14020c34c _commode
0x14020c354 _errno
0x14020c35c _fmode
0x14020c364 _initterm
0x14020c36c _onexit
0x14020c374 _wcmdln
0x14020c37c _wcsicmp
0x14020c384 _wgetenv
0x14020c38c abort
0x14020c394 calloc
0x14020c39c exit
0x14020c3a4 fprintf
0x14020c3ac fputwc
0x14020c3b4 free
0x14020c3bc fwprintf
0x14020c3c4 fwrite
0x14020c3cc localeconv
0x14020c3d4 malloc
0x14020c3dc memcpy
0x14020c3e4 memset
0x14020c3ec realloc
0x14020c3f4 signal
0x14020c3fc strerror
0x14020c404 strlen
0x14020c40c strncmp
0x14020c414 vfprintf
0x14020c41c wcscat
0x14020c424 wcscpy
0x14020c42c wcslen
0x14020c434 wcsncmp
0x14020c43c wcsstr
EAT(Export Address Table) is none
KERNEL32.dll
0x14020c244 CreateSemaphoreW
0x14020c24c DeleteCriticalSection
0x14020c254 EnterCriticalSection
0x14020c25c GetLastError
0x14020c264 GetModuleFileNameW
0x14020c26c GetStartupInfoW
0x14020c274 InitializeCriticalSection
0x14020c27c IsDBCSLeadByteEx
0x14020c284 LeaveCriticalSection
0x14020c28c MultiByteToWideChar
0x14020c294 ReleaseSemaphore
0x14020c29c SetLastError
0x14020c2a4 SetUnhandledExceptionFilter
0x14020c2ac Sleep
0x14020c2b4 TlsAlloc
0x14020c2bc TlsFree
0x14020c2c4 TlsGetValue
0x14020c2cc TlsSetValue
0x14020c2d4 VirtualProtect
0x14020c2dc VirtualQuery
0x14020c2e4 WaitForSingleObject
msvcrt.dll
0x14020c2f4 __C_specific_handler
0x14020c2fc ___lc_codepage_func
0x14020c304 ___mb_cur_max_func
0x14020c30c __iob_func
0x14020c314 __set_app_type
0x14020c31c __setusermatherr
0x14020c324 __wgetmainargs
0x14020c32c __winitenv
0x14020c334 _amsg_exit
0x14020c33c _assert
0x14020c344 _cexit
0x14020c34c _commode
0x14020c354 _errno
0x14020c35c _fmode
0x14020c364 _initterm
0x14020c36c _onexit
0x14020c374 _wcmdln
0x14020c37c _wcsicmp
0x14020c384 _wgetenv
0x14020c38c abort
0x14020c394 calloc
0x14020c39c exit
0x14020c3a4 fprintf
0x14020c3ac fputwc
0x14020c3b4 free
0x14020c3bc fwprintf
0x14020c3c4 fwrite
0x14020c3cc localeconv
0x14020c3d4 malloc
0x14020c3dc memcpy
0x14020c3e4 memset
0x14020c3ec realloc
0x14020c3f4 signal
0x14020c3fc strerror
0x14020c404 strlen
0x14020c40c strncmp
0x14020c414 vfprintf
0x14020c41c wcscat
0x14020c424 wcscpy
0x14020c42c wcslen
0x14020c434 wcsncmp
0x14020c43c wcsstr
EAT(Export Address Table) is none