Report - updater.exe

Tags: Gen1, Generic Malware, UPX, Antivirus, Malicious Library, PE32, PE File, DLL, PE64, OS Processor Check, ZIP Format
Created 2023.11.25 18:09 Machine s1_win7_x6403
Filename updater.exe
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score: Not found
Behavior Score: 6.2
ZERO API (file): malware
VT API (file)
md5 8589b564a5ed7920be4b1b08f3d6d8ed
sha256 e380482fc3d8c4fe11073f9734238d60ab66385e3261231358f7d02082b235cd
ssdeep 393216:W1pjCaVtz/VWvpxlAilDWT1IqWwLuMJrV50y9vDx5W:WdrwRxlAYaTWqWwLuM5VZvDx
imphash a9c887a4f18a3fede2cc29ceea138ed3
impfuzzy 6:HMJqX0umyRwXJxSBS0H5sD4sIWDLb4iPEcn:sJqpRSY58PLPXn
Signatures (18)

Level Description
watch Communicates with host for which no DNS query was performed
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (12)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info zip_file_format ZIP file format binaries (download)

Network (8)

Request CC ASN Co IP4 Rule ZERO
http://94.156.71.160/carsalepanel/api/endpoint.php BG Terasyst Ltd 94.156.71.160 clean
xmr.2miners.com Unknown 162.19.139.184 malicious
pastebin.com US CLOUDFLARENET 172.67.34.170 malicious
pool.hashvault.pro US 1GSERVERS 142.202.242.43 malicious
162.19.139.184 Unknown 162.19.139.184 malicious
172.67.34.170 US CLOUDFLARENET 172.67.34.170 malicious
94.156.71.160 BG Terasyst Ltd 94.156.71.160 clean
131.153.76.130 SG PhoenixNAP 131.153.76.130 malicious
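
The signature "Communicates with host for which no DNS query was performed" is explained by this table: the panel URL is addressed by an IP literal (94.156.71.160) and 131.153.76.130 was contacted with no hostname observed at all, while the pool and pastebin addresses were reached through name resolution. The Python below is an added example, not part of this report or the sandbox's own code, of that check run over constructed DNS and connection logs built from the addresses above; the timestamps, ports, the loopback entry and the second pastebin.com answer are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample logs (not from the sandbox run). Hosts and addresses are
# taken from the Network table above; timestamps and ports are invented.
DNS_LOG = [  # (seconds, queried name, answer addresses)
    (10.0, "xmr.2miners.com", ["162.19.139.184"]),
    (11.0, "pastebin.com", ["172.67.34.170", "104.20.67.143"]),  # 2nd address constructed
    (12.0, "pool.hashvault.pro", ["142.202.242.43"]),
]

CONN_LOG = [  # (seconds, destination address, destination port)
    (10.5, "162.19.139.184", 443),
    (11.5, "172.67.34.170", 443),
    (12.5, "142.202.242.43", 443),
    (13.0, "94.156.71.160", 80),    # URL used an IP literal: no DNS query expected
    (14.0, "131.153.76.130", 443),  # no hostname observed at all
    (15.0, "127.0.0.1", 8080),      # loopback: never needs public DNS, ignored
]


def connections_without_dns(dns_log, conn_log):
    """Return connections whose destination was not returned by any DNS answer
    seen *before* the connection was made.

    This mirrors the sandbox heuristic: code that embeds raw C2 or mining-pool
    addresses skips name resolution, so the destination never shows up in the
    DNS log. Events are merged and replayed in time order so that an answer
    arriving after the connection still counts as unresolved.
    """
    events = [(ts, "dns", name, answers) for ts, name, answers in dns_log]
    events += [(ts, "conn", ip, port) for ts, ip, port in conn_log]
    events.sort(key=lambda e: e[0])

    resolved = defaultdict(set)  # address -> names that resolved to it so far
    flagged = []
    for ts, kind, a, b in events:
        if kind == "dns":
            for ip in b:
                resolved[ip].add(a)
            continue
        ip, port = a, b
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            continue  # local traffic is not expected to be preceded by DNS
        if ip not in resolved:
            flagged.append((ts, ip, port))
    return flagged


if __name__ == "__main__":
    for ts, ip, port in connections_without_dns(DNS_LOG, CONN_LOG):
        print(f"t={ts:>5}: {ip}:{port} contacted without a prior DNS answer")
```

In a real investigation the two inputs would be the resolver log and the connection log of the same host over the same window; feeding them in one merged time order is what keeps an answer that arrives later from retroactively excusing an earlier direct connection.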

Suricata IDS

PE API

IAT (Import Address Table)

msvcrt.dll
 0x103d1a0 malloc
 0x103d1a4 memset
 0x103d1a8 strcmp
 0x103d1ac strcpy
 0x103d1b0 getenv
 0x103d1b4 sprintf
 0x103d1b8 fopen
 0x103d1bc fwrite
 0x103d1c0 fclose
 0x103d1c4 __argc
 0x103d1c8 __argv
 0x103d1cc _environ
 0x103d1d0 _XcptFilter
 0x103d1d4 __set_app_type
 0x103d1d8 _controlfp
 0x103d1dc __getmainargs
 0x103d1e0 exit
shell32.dll
 0x103d1e8 ShellExecuteA
kernel32.dll
 0x103d1f0 SetUnhandledExceptionFilter
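
The imphash in the header is derived from exactly this import list. As an added example, not code from this report or from pefile, the Python below carries out that derivation the way pefile's get_imphash does: library names are lowercased and stripped of a .dll/.ocx/.sys extension, function names are lowercased, the pairs are joined in import-directory order and MD5'd. The one simplification, marked in the code, is that imports by ordinal are always rendered as ordN instead of being resolved against pefile's built-in ordinal tables for ws2_32/wsock32/oleaut32. Compare the digest it computes for this IAT with the imphash printed above.

```python
import hashlib

# The IAT as listed in the report above, in table order: (library, imports).
IMPORTS = [
    ("msvcrt.dll", ["malloc", "memset", "strcmp", "strcpy", "getenv", "sprintf",
                    "fopen", "fwrite", "fclose", "__argc", "__argv", "_environ",
                    "_XcptFilter", "__set_app_type", "_controlfp", "__getmainargs",
                    "exit"]),
    ("shell32.dll", ["ShellExecuteA"]),
    ("kernel32.dll", ["SetUnhandledExceptionFilter"]),
]


def imphash_string(imports):
    """Build the canonical 'lib.func,lib.func,...' string that imphash digests.

    Library: lowercased, with a trailing .dll/.ocx/.sys removed. Function:
    lowercased; an integer entry means import-by-ordinal and becomes 'ordN'
    (simplification: pefile first tries its ws2_32/wsock32/oleaut32 name
    tables). Order is the import-directory order, so the same APIs imported in
    a different order give a different hash; that is the property that makes
    imphash a build-toolchain fingerprint rather than an API-set fingerprint.
    """
    parts = []
    for lib, funcs in imports:
        lib = lib.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string, as a lowercase hex digest."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


if __name__ == "__main__":
    print(imphash_string(IMPORTS))
    print("imphash:", imphash(IMPORTS))
```

Because the tiny msvcrt/shell32/kernel32 import set here is typical of a stub that merely drops an embedded payload and runs it via ShellExecuteA, matching on this imphash alone finds the packaging, not the payload; the embedded PE64/DLL/ZIP content flagged by the rules above is what carries the actual behaviour.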

EAT (Export Address Table): none