ScreenShot
| Created | 2024.01.28 10:00 | Machine | s1_win7_x6401 |
| Filename | redline1234.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 36 detected (AIDetectMalware, Malicious, score, Tedy, Attribute, HighConfidence, Kryptik, Miner, puXfYWFTsfG, Krypt, Detected, ai score=88, GenKryptik, CoinMiner, Eldorado, DropperX, R622355, OScope, susgen, GQCB, confidence) | ||
| md5 | 5dec9f02f7067194f9928e37ed05c8f6 | ||
| sha256 | dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806 | ||
| ssdeep | 49152:A0jhMlqDbsynliN2InCFvy0l2aMEBLWw/3Ry0rP3Fga/EO7xhbAIXdTBpox:QyliNjnCFvxMEWw/hy0bFga/d7vbASB2 | ||
| imphash | de41d4e0545d977de6ca665131bb479a | ||
| impfuzzy | 12:FMHHGf5XGXKiEG6eGJyJk6lTpJq/iZJAgRJRJJoARZqRVPXJHqc:FMGf5XGf6ZgJkoDq6ZJ9fjBcV9 | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
ET POLICY Cryptocurrency Miner Checkin
ET POLICY Cryptocurrency Miner Checkin
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x1400091b0 __C_specific_handler
0x1400091b8 __getmainargs
0x1400091c0 __initenv
0x1400091c8 __iob_func
0x1400091d0 __set_app_type
0x1400091d8 __setusermatherr
0x1400091e0 _amsg_exit
0x1400091e8 _cexit
0x1400091f0 _commode
0x1400091f8 _fmode
0x140009200 _initterm
0x140009208 _onexit
0x140009210 _wcsicmp
0x140009218 _wcsnicmp
0x140009220 abort
0x140009228 calloc
0x140009230 exit
0x140009238 fprintf
0x140009240 free
0x140009248 fwrite
0x140009250 malloc
0x140009258 memcpy
0x140009260 memset
0x140009268 signal
0x140009270 strlen
0x140009278 strncmp
0x140009280 vfprintf
0x140009288 wcscat
0x140009290 wcscpy
0x140009298 wcslen
0x1400092a0 wcsncmp
KERNEL32.dll
0x1400092b0 DeleteCriticalSection
0x1400092b8 EnterCriticalSection
0x1400092c0 GetLastError
0x1400092c8 InitializeCriticalSection
0x1400092d0 LeaveCriticalSection
0x1400092d8 SetUnhandledExceptionFilter
0x1400092e0 Sleep
0x1400092e8 TlsGetValue
0x1400092f0 VirtualProtect
0x1400092f8 VirtualQuery
EAT(Export Address Table) is none
msvcrt.dll
0x1400091b0 __C_specific_handler
0x1400091b8 __getmainargs
0x1400091c0 __initenv
0x1400091c8 __iob_func
0x1400091d0 __set_app_type
0x1400091d8 __setusermatherr
0x1400091e0 _amsg_exit
0x1400091e8 _cexit
0x1400091f0 _commode
0x1400091f8 _fmode
0x140009200 _initterm
0x140009208 _onexit
0x140009210 _wcsicmp
0x140009218 _wcsnicmp
0x140009220 abort
0x140009228 calloc
0x140009230 exit
0x140009238 fprintf
0x140009240 free
0x140009248 fwrite
0x140009250 malloc
0x140009258 memcpy
0x140009260 memset
0x140009268 signal
0x140009270 strlen
0x140009278 strncmp
0x140009280 vfprintf
0x140009288 wcscat
0x140009290 wcscpy
0x140009298 wcslen
0x1400092a0 wcsncmp
KERNEL32.dll
0x1400092b0 DeleteCriticalSection
0x1400092b8 EnterCriticalSection
0x1400092c0 GetLastError
0x1400092c8 InitializeCriticalSection
0x1400092d0 LeaveCriticalSection
0x1400092d8 SetUnhandledExceptionFilter
0x1400092e0 Sleep
0x1400092e8 TlsGetValue
0x1400092f0 VirtualProtect
0x1400092f8 VirtualQuery
EAT(Export Address Table) is none