Report - 09LW5kZ-.exe

PE64 PE File
Created 2023.07.30 09:00 Machine s1_win7_x6401
Filename 09LW5kZ-.exe
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
AI Score
2
Behavior Score
3.6
ZERO API file : malware
VT API (file) 49 detected (Common, Siggen21, Tedy, Save, Reflo, malicious, confidence, 100%, Eldorado, high confidence, GenKryptik, GIIA, score, Nekark, hlkng, AMADEY, YXDGXZ, Sivis, Static AI, Suspicious PE, Xmrig, Detected, R570073, Artemis, ai score=81, unsafe, Kryptik, tSjl4DNY5BP, Krypt, susgen)
md5 b56676093945f3c0c4676803cf7e0d50
sha256 ce7a9a4a88a1a9f154bb4e0650864933d87fd75bef94ec000faf24f75d0a308f
ssdeep 196608:8Q9EVu0I6h00r8jBYHob4t+6c7vdFjoRfkq3N6Zs83xH:80uu0LLYjA1uTpq3NDYH
imphash d3be2dc19ba54f7225d7679c3f791cf7
impfuzzy 24:1fPJx+kTdF0tWJd1jIlMblRf5XG6qXZgJkomvlA/GbtcqcJvZJF:1fPL+kT6kSslJJG6qJgk1vm/GbuqcJLF

Signature (5cnts)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (2cnts)

Level Name Description Collection
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
randomxmonero.auto.nicehash.com Unknown 34.149.22.228 clean
34.149.22.228 Unknown 34.149.22.228 clean
104.248.239.160 US DIGITALOCEAN-ASN 104.248.239.160 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x1409f029c CloseHandle
 0x1409f02a4 CreateSemaphoreW
 0x1409f02ac DeleteCriticalSection
 0x1409f02b4 EnterCriticalSection
 0x1409f02bc GetCurrentThreadId
 0x1409f02c4 GetLastError
 0x1409f02cc GetStartupInfoA
 0x1409f02d4 InitializeCriticalSection
 0x1409f02dc IsDBCSLeadByteEx
 0x1409f02e4 LeaveCriticalSection
 0x1409f02ec MultiByteToWideChar
 0x1409f02f4 RaiseException
 0x1409f02fc ReleaseSemaphore
 0x1409f0304 RtlCaptureContext
 0x1409f030c RtlLookupFunctionEntry
 0x1409f0314 RtlUnwindEx
 0x1409f031c RtlVirtualUnwind
 0x1409f0324 SetLastError
 0x1409f032c SetUnhandledExceptionFilter
 0x1409f0334 Sleep
 0x1409f033c TlsAlloc
 0x1409f0344 TlsFree
 0x1409f034c TlsGetValue
 0x1409f0354 TlsSetValue
 0x1409f035c VirtualProtect
 0x1409f0364 VirtualQuery
 0x1409f036c WaitForSingleObject
 0x1409f0374 WideCharToMultiByte
msvcrt.dll
 0x1409f0384 __C_specific_handler
 0x1409f038c ___lc_codepage_func
 0x1409f0394 ___mb_cur_max_func
 0x1409f039c __getmainargs
 0x1409f03a4 __initenv
 0x1409f03ac __iob_func
 0x1409f03b4 __set_app_type
 0x1409f03bc __setusermatherr
 0x1409f03c4 _acmdln
 0x1409f03cc _amsg_exit
 0x1409f03d4 _cexit
 0x1409f03dc _commode
 0x1409f03e4 _errno
 0x1409f03ec _fmode
 0x1409f03f4 _initterm
 0x1409f03fc _onexit
 0x1409f0404 _wcsicmp
 0x1409f040c _wcsnicmp
 0x1409f0414 abort
 0x1409f041c calloc
 0x1409f0424 exit
 0x1409f042c fprintf
 0x1409f0434 fputc
 0x1409f043c fputs
 0x1409f0444 fputwc
 0x1409f044c free
 0x1409f0454 fwprintf
 0x1409f045c fwrite
 0x1409f0464 localeconv
 0x1409f046c malloc
 0x1409f0474 memcpy
 0x1409f047c memset
 0x1409f0484 realloc
 0x1409f048c signal
 0x1409f0494 strcat
 0x1409f049c strcmp
 0x1409f04a4 strerror
 0x1409f04ac strlen
 0x1409f04b4 strncmp
 0x1409f04bc strstr
 0x1409f04c4 vfprintf
 0x1409f04cc wcscat
 0x1409f04d4 wcscpy
 0x1409f04dc wcslen
 0x1409f04e4 wcsncmp
 0x1409f04ec wcsstr

EAT(Export Address Table) is none

Similarity measure (PE file only)