ScreenShot
Created | 2023.09.20 18:00 | Machine | s1_win7_x6401 |
Filename | TiWorker.exe | ||
Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 53 detected (Common, Noon, Razy, Formbook, Vt2t, malicious, confidence, 100%, GenusT, DRMH, Eldorado, Attribute, HighConfidence, high confidence, score, PWSX, Fajl, ZPACK, Packed2, R002C0DIH23, high, Static AI, Malicious PE, ai score=89, GrayWare, X2184, GenericRXVJ, General, unsafe, Chgt, Digitala, 4bkQNC3KfED) | ||
md5 | 9809924a1fb0082898813c23dbc84b24 | ||
sha256 | 8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55 | ||
ssdeep | 3072:OPUq+jL3rWh716RfGYSeK95YWX2PaAlN4eT0FNaP0hBUxY3rC8XG4t7hXs+cCk3X:4K/3rUJYSx95YBfSrF8OaiusG6hXs/H | ||
imphash | |||
impfuzzy | 3:: |
Network IP location
Signature (8cnts)
Level | Description |
---|---|
danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (3cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (45cnts) ?
Suricata ids
SURICATA HTTP unable to match response to request
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Request to .XYZ Domain with Minimal Headers
PE API
IAT(Import Address Table) is none
EAT(Export Address Table) is none
EAT(Export Address Table) is none