Field | Value |
---|---|
Created | 2024.07.01 09:23 |
Machine | s1_win7_x6402 |
Filename | TQ.jpg.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 55 detected (AIDetectMalware, Scar, lpjJ, malicious, moderate confidence, score, Genasom, Babar, Unsafe, Save, CryptoMiner, CVE-2021-1675, Attribute, HighConfidence, CoinMiner, HackTool, JAYPOTATO, Tiggre, JuicyPotato, kpccps, CLOUD, AGEN, Siggen28, Real Protect, high, WinGo, Ranumbot, Detected, Blamon, MUPX, Gen@24tbus, 11N2JTZ, ABRisk, POED, ZexaF, qmKfa89emHkb, BScope, BlackMoon, BitCoinMiner, YXEFVZ, Gencirc, ai score=73, AZID, confidence, 100%) |
md5 | f9f5342074462fa1048fea806eef535f |
sha256 | 5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd |
ssdeep | 6144:r+k9IKKJPa1DyKHC055swEUkezQ12rqyFWaiwV:ik9IKKJip9C0kmzQ12rqyQaX |
imphash | 3b3dc2709d13b6bbe20eb1df71d207fa |
impfuzzy | 6:omRgslyP1BJAEoZ/OEGDzyRMb2oNfxAdYgbXmJJcn:omRgtVABZG/DzZNJ45bX+O |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
warning | Disables Windows Security features |
warning | Generates some ICMP traffic |
watch | Communicates with host for which no DNS query was performed |
watch | Connects to an IRC server |
notice | Connects to a Dynamic DNS Domain |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | The executable uses a known packer |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (30cnts)
Suricata ids
ET DNS Query for .cc TLD
ET HUNTING Suspicious EXE Download Content-Type image/jpeg
ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
ET MALWARE JS/WSF Downloader Dec 08 2016 M4
ET INFO DYNAMIC_DNS Query to 3322.org Domain
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection
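The two download alerts above fire on the same delivery trick the sample's filename (TQ.jpg.exe) relies on: a PE served under an image Content-Type, with a double extension on the attachment name. The following is an added example, not code from the report or the sandbox vendor, that reproduces that check on a constructed HTTP response (the response bytes, the 68-byte minimal PE body, and the list of "decoy" extensions are all my own assumptions, chosen to mirror what the ET rules look for).

```python
"""Flag a download whose declared Content-Type is an image but whose body is a
PE, and whose attachment name carries a decoy double extension.
Added example: the HTTP response and PE body below are constructed, not captured."""
import re
import struct

IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}
# Assumed decoy/extension lists for the double-extension heuristic.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif"}


def looks_like_pe(body: bytes) -> bool:
    """Stronger than the ET rule's bare 'MZ' match: follow e_lfanew to 'PE\\0\\0'."""
    if body[:2] != b"MZ" or len(body) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def filename_from_disposition(value):
    match = re.search(r'filename="?([^";]+)"?', value or "")
    return match.group(1) if match else None


def has_double_extension(name: str) -> bool:
    """'TQ.jpg.exe' -> True: a decoy extension followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS


def check_download(raw: bytes):
    """Return the list of findings for one response (empty list = nothing suspicious)."""
    findings = []
    _, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if looks_like_pe(body) and ctype in IMAGE_TYPES:
        findings.append(f"PE body served as {ctype}")
    name = filename_from_disposition(headers.get("content-disposition"))
    if name and has_double_extension(name):
        findings.append(f"double extension: {name}")
    return findings


# Constructed 68-byte body: DOS header with e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b'Content-Disposition: attachment; filename="TQ.jpg.exe"\r\n'
    b"Content-Length: 68\r\n"
    b"\r\n"
) + FAKE_PE

# Constructed benign control: a real JPEG magic under the same Content-Type.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b'Content-Disposition: inline; filename="photo.jpg"\r\n'
    b"\r\n"
) + b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    print(check_download(SAMPLE_RESPONSE))
    print(check_download(BENIGN_RESPONSE))
```

The PE check deliberately goes one step past the Suricata content match: a body that starts with "MZ" but has no PE signature at e_lfanew is not a Windows executable, so following the offset keeps the false-positive rate down on binary blobs that happen to start with those two bytes.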
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x4ce3f4 RegCloseKey
COMCTL32.dll
0x4ce3fc None
GDI32.dll
0x4ce404 Escape
KERNEL32.DLL
0x4ce40c LoadLibraryA
0x4ce410 ExitProcess
0x4ce414 GetProcAddress
0x4ce418 VirtualProtect
SHELL32.dll
0x4ce420 None
SHLWAPI.dll
0x4ce428 PathFileExistsA
USER32.dll
0x4ce430 GetDC
WINSPOOL.DRV
0x4ce438 ClosePrinter
EAT (Export Address Table): none
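The IAT listed above is the UPX stub's, not the payload's: KERNEL32 carries only the four loader primitives the unpacker needs (LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess) and every other DLL keeps exactly one import so the loader still maps it; the two "None" entries are imports by ordinal. The real import set only becomes visible after unpacking, so the imphash on this page fingerprints the packer stub rather than the malware. Below is an added example, not code from the report or its vendor, that recognises this stub profile and builds the pefile-style imphash input string for it. The IAT dictionary is transcribed from the listing; the ordinal numbers for the two name-less imports are assumed (the report does not show them), so the hash this produces is not expected to match the page's value and the example does not claim it does.

```python
"""Recognise a packer-stub import profile and build the pefile-style imphash
input. Added example: the IAT is transcribed from the report; the two ordinal
values are assumed because the listing only shows 'None' for them."""
import hashlib

# Transcribed from the report's IAT listing. Integers are imports by ordinal;
# the numbers 17 and 41 are assumed placeholders, not values from the report.
SAMPLE_IAT = {
    "ADVAPI32.dll": ["RegCloseKey"],
    "COMCTL32.dll": [17],
    "GDI32.dll": ["Escape"],
    "KERNEL32.DLL": ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"],
    "SHELL32.dll": [41],
    "SHLWAPI.dll": ["PathFileExistsA"],
    "USER32.dll": ["GetDC"],
    "WINSPOOL.DRV": ["ClosePrinter"],
}

# What a UPX-style stub needs from KERNEL32 to resolve the real imports later.
STUB_KERNEL32 = {"loadlibrarya", "getprocaddress", "virtualprotect", "exitprocess"}
STUB_REQUIRED = {"loadlibrarya", "getprocaddress"}


def is_packer_stub_iat(iat: dict) -> bool:
    """True when the IAT looks like an unpacking stub: KERNEL32 limited to the
    loader primitives and every other DLL importing at most one symbol."""
    kernel32 = None
    for dll, funcs in iat.items():
        if dll.lower() == "kernel32.dll":
            kernel32 = {f.lower() for f in funcs if isinstance(f, str)}
        elif len(funcs) > 1:
            return False
    return (kernel32 is not None
            and kernel32 <= STUB_KERNEL32
            and STUB_REQUIRED <= kernel32)


def imphash_string(iat: dict) -> str:
    """pefile's normalisation: lowercase, strip .dll/.ocx/.sys (other extensions
    such as .drv are kept), 'lib.func' entries joined by commas in IAT order,
    ordinals rendered as 'ordN'."""
    parts = []
    for dll, funcs in iat.items():
        lib = dll.lower()
        if lib.rsplit(".", 1)[-1] in ("dll", "ocx", "sys"):
            lib = lib.rsplit(".", 1)[0]
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(iat: dict) -> str:
    """MD5 over the normalised string; only comparable to pefile output when
    the ordinal numbers are real, which they are not in SAMPLE_IAT."""
    return hashlib.md5(imphash_string(iat).encode()).hexdigest()


if __name__ == "__main__":
    print("packer stub IAT:", is_packer_stub_iat(SAMPLE_IAT))
    print(imphash_string(SAMPLE_IAT))
    print(imphash(SAMPLE_IAT))
```

In triage this heuristic is a cue to unpack first (for stock UPX, `upx -d`, otherwise a dump after the stub's VirtualProtect call) and recompute the imphash on the unpacked image; clustering on the stub's hash groups the sample with every other UPX-packed binary rather than with its actual family.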