ScreenShot
| Created | 2023.09.10 09:18 | Machine | s1_win7_x6403 |
| Filename | ECheck.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 49 detected (AIDetectMalware, Molotov, malicious, high confidence, Artemis, Save, Reflo, Eldorado, Attribute, HighConfidence, Kryptik, score, FalseSign, Majl, uoimv, R014C0DI823, Static AI, Suspicious PE, ai score=87, GenKryptik, Malware@#zc8g88m26kmw, XMRig, CCAN, Detected, R571995, unsafe, GdSda, DisguisedXMRigMiner, YhzrPCllRHI, Krypt, GIIA, confidence, 100%) | ||
| md5 | 6b6e670cf5ff0d11fafcc2977ce737c9 | ||
| sha256 | 8861faec60a3b506f5c1f48beedab5168a9194f5652ec9c16359caf7f1aec7e8 | ||
| ssdeep | 98304:8N3pd7FnPi5SOmiLPhHQcUDYLWS9Vj7vWMnxzUgw:83PjOmiThHQcUM6S91iMxzUgw | ||
| imphash | f7505c167603909b7180406402fef19e | ||
| impfuzzy | 24:1fPJx+kTdF0tWJd1jIlMblRf5XG6qXZgJkomvlA/Gbtcqc6ZJF:1fPL+kT6kSslJJG6qJgk1vm/GbuqcoF | ||
Network IP location
Signature (2cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14047d28c CloseHandle
0x14047d294 CreateSemaphoreW
0x14047d29c DeleteCriticalSection
0x14047d2a4 EnterCriticalSection
0x14047d2ac GetCurrentThreadId
0x14047d2b4 GetLastError
0x14047d2bc GetStartupInfoA
0x14047d2c4 InitializeCriticalSection
0x14047d2cc IsDBCSLeadByteEx
0x14047d2d4 LeaveCriticalSection
0x14047d2dc MultiByteToWideChar
0x14047d2e4 RaiseException
0x14047d2ec ReleaseSemaphore
0x14047d2f4 RtlCaptureContext
0x14047d2fc RtlLookupFunctionEntry
0x14047d304 RtlUnwindEx
0x14047d30c RtlVirtualUnwind
0x14047d314 SetLastError
0x14047d31c SetUnhandledExceptionFilter
0x14047d324 Sleep
0x14047d32c TlsAlloc
0x14047d334 TlsFree
0x14047d33c TlsGetValue
0x14047d344 TlsSetValue
0x14047d34c VirtualProtect
0x14047d354 VirtualQuery
0x14047d35c WaitForSingleObject
0x14047d364 WideCharToMultiByte
msvcrt.dll
0x14047d374 __C_specific_handler
0x14047d37c ___lc_codepage_func
0x14047d384 ___mb_cur_max_func
0x14047d38c __getmainargs
0x14047d394 __initenv
0x14047d39c __iob_func
0x14047d3a4 __set_app_type
0x14047d3ac __setusermatherr
0x14047d3b4 _acmdln
0x14047d3bc _amsg_exit
0x14047d3c4 _cexit
0x14047d3cc _commode
0x14047d3d4 _errno
0x14047d3dc _fmode
0x14047d3e4 _initterm
0x14047d3ec _onexit
0x14047d3f4 _wcsicmp
0x14047d3fc _wcsnicmp
0x14047d404 abort
0x14047d40c calloc
0x14047d414 exit
0x14047d41c fprintf
0x14047d424 fputc
0x14047d42c fputs
0x14047d434 fputwc
0x14047d43c free
0x14047d444 fwprintf
0x14047d44c fwrite
0x14047d454 localeconv
0x14047d45c malloc
0x14047d464 memcpy
0x14047d46c memset
0x14047d474 realloc
0x14047d47c signal
0x14047d484 strcmp
0x14047d48c strerror
0x14047d494 strlen
0x14047d49c strncmp
0x14047d4a4 vfprintf
0x14047d4ac wcscat
0x14047d4b4 wcscpy
0x14047d4bc wcslen
0x14047d4c4 wcsncmp
0x14047d4cc wcsstr
EAT(Export Address Table) is none
KERNEL32.dll
0x14047d28c CloseHandle
0x14047d294 CreateSemaphoreW
0x14047d29c DeleteCriticalSection
0x14047d2a4 EnterCriticalSection
0x14047d2ac GetCurrentThreadId
0x14047d2b4 GetLastError
0x14047d2bc GetStartupInfoA
0x14047d2c4 InitializeCriticalSection
0x14047d2cc IsDBCSLeadByteEx
0x14047d2d4 LeaveCriticalSection
0x14047d2dc MultiByteToWideChar
0x14047d2e4 RaiseException
0x14047d2ec ReleaseSemaphore
0x14047d2f4 RtlCaptureContext
0x14047d2fc RtlLookupFunctionEntry
0x14047d304 RtlUnwindEx
0x14047d30c RtlVirtualUnwind
0x14047d314 SetLastError
0x14047d31c SetUnhandledExceptionFilter
0x14047d324 Sleep
0x14047d32c TlsAlloc
0x14047d334 TlsFree
0x14047d33c TlsGetValue
0x14047d344 TlsSetValue
0x14047d34c VirtualProtect
0x14047d354 VirtualQuery
0x14047d35c WaitForSingleObject
0x14047d364 WideCharToMultiByte
msvcrt.dll
0x14047d374 __C_specific_handler
0x14047d37c ___lc_codepage_func
0x14047d384 ___mb_cur_max_func
0x14047d38c __getmainargs
0x14047d394 __initenv
0x14047d39c __iob_func
0x14047d3a4 __set_app_type
0x14047d3ac __setusermatherr
0x14047d3b4 _acmdln
0x14047d3bc _amsg_exit
0x14047d3c4 _cexit
0x14047d3cc _commode
0x14047d3d4 _errno
0x14047d3dc _fmode
0x14047d3e4 _initterm
0x14047d3ec _onexit
0x14047d3f4 _wcsicmp
0x14047d3fc _wcsnicmp
0x14047d404 abort
0x14047d40c calloc
0x14047d414 exit
0x14047d41c fprintf
0x14047d424 fputc
0x14047d42c fputs
0x14047d434 fputwc
0x14047d43c free
0x14047d444 fwprintf
0x14047d44c fwrite
0x14047d454 localeconv
0x14047d45c malloc
0x14047d464 memcpy
0x14047d46c memset
0x14047d474 realloc
0x14047d47c signal
0x14047d484 strcmp
0x14047d48c strerror
0x14047d494 strlen
0x14047d49c strncmp
0x14047d4a4 vfprintf
0x14047d4ac wcscat
0x14047d4b4 wcscpy
0x14047d4bc wcslen
0x14047d4c4 wcsncmp
0x14047d4cc wcsstr
EAT(Export Address Table) is none