ScreenShot
| Created | 2023.12.18 07:55 | Machine | s1_win7_x6401 |
| Filename | updater.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | 6f0e94c80d8b9c98ea75bff456eff5a2 | ||
| sha256 | e5e1c5b0d30a39877025ff980e81c9737ff12d5e9b742f9fd1f308082abf1606 | ||
| ssdeep | 393216:NSCEslyO0f4YXDe6lUvlQtav6iiALTfEMf4EwzhMW:M0lytXD1kl23iiALjQq | ||
| imphash | a9c887a4f18a3fede2cc29ceea138ed3 | ||
| impfuzzy | 6:HMJqX0umyRwXJxSBS0H5sD4sIWDLb4iPEcn:sJqpRSY58PLPXn | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| watch | Communicates with host for which no DNS query was performed |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | ftp_command | ftp command | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | zip_file_format | ZIP file format | binaries (download) |
Network (8cnts) ?
Suricata ids
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x1045840 malloc
0x1045844 memset
0x1045848 strcmp
0x104584c strcpy
0x1045850 getenv
0x1045854 sprintf
0x1045858 fopen
0x104585c fwrite
0x1045860 fclose
0x1045864 __argc
0x1045868 __argv
0x104586c _environ
0x1045870 _XcptFilter
0x1045874 __set_app_type
0x1045878 _controlfp
0x104587c __getmainargs
0x1045880 exit
shell32.dll
0x1045888 ShellExecuteA
kernel32.dll
0x1045890 SetUnhandledExceptionFilter
EAT(Export Address Table) is none
msvcrt.dll
0x1045840 malloc
0x1045844 memset
0x1045848 strcmp
0x104584c strcpy
0x1045850 getenv
0x1045854 sprintf
0x1045858 fopen
0x104585c fwrite
0x1045860 fclose
0x1045864 __argc
0x1045868 __argv
0x104586c _environ
0x1045870 _XcptFilter
0x1045874 __set_app_type
0x1045878 _controlfp
0x104587c __getmainargs
0x1045880 exit
shell32.dll
0x1045888 ShellExecuteA
kernel32.dll
0x1045890 SetUnhandledExceptionFilter
EAT(Export Address Table) is none