ScreenShot
| Created | 2024.08.12 10:00 | Machine | s1_win7_x6403 |
| Filename | Run1.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 34 detected (AIDetectMalware, malicious, high confidence, Dacic, Zusy, Attribute, HighConfidence, Barys, Cryptnot, aZNQWaKGtPJ, Detected, ai score=82, Cryptbot, CCJD, Eldorado, R660156, ZexaF, Z@a8MIzWh, Genetic) | ||
| md5 | 76eb776b3942bec9baccd967eb8a39fe | ||
| sha256 | d130ef9bdd68f2368beecd117b5f20e4f763718bd87983f4d82e8849018cbf42 | ||
| ssdeep | 49152:L2/g9GEHg+O5fyd87QQkeTFDm3wpDfSm/dWl:rzOBzJXfSo6 | ||
| imphash | e25eb2ecee0497e34c4dbf805fe3c57d | ||
| impfuzzy | 24:FMVKwuEfiFCDcn+kLEGTX5XGKJkNJlivlbDcqVhGXZd:sKjEfiJ+k4GTXJGKJkNJlivpwqVhGz | ||
Network IP location
Signature (14cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 34 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 31
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0xc221b0 RegCloseKey
0xc221b4 RegCreateKeyA
0xc221b8 RegSetValueExA
KERNEL32.dll
0xc221c0 DeleteCriticalSection
0xc221c4 EnterCriticalSection
0xc221c8 FreeLibrary
0xc221cc GetLastError
0xc221d0 GetModuleHandleA
0xc221d4 GetModuleHandleW
0xc221d8 GetProcAddress
0xc221dc GetStartupInfoA
0xc221e0 GetTempPathA
0xc221e4 InitializeCriticalSection
0xc221e8 IsDBCSLeadByteEx
0xc221ec LeaveCriticalSection
0xc221f0 LoadLibraryA
0xc221f4 MultiByteToWideChar
0xc221f8 SetUnhandledExceptionFilter
0xc221fc Sleep
0xc22200 TlsGetValue
0xc22204 VirtualProtect
0xc22208 VirtualQuery
0xc2220c WideCharToMultiByte
0xc22210 lstrlenA
msvcrt.dll
0xc22218 __getmainargs
0xc2221c __initenv
0xc22220 __lconv_init
0xc22224 __mb_cur_max
0xc22228 __p__acmdln
0xc2222c __p__commode
0xc22230 __p__fmode
0xc22234 __set_app_type
0xc22238 __setusermatherr
0xc2223c _amsg_exit
0xc22240 _cexit
0xc22244 _errno
0xc22248 _initterm
0xc2224c _iob
0xc22250 _lock
0xc22254 _onexit
0xc22258 _unlock
0xc2225c abort
0xc22260 atoi
0xc22264 calloc
0xc22268 exit
0xc2226c fclose
0xc22270 fopen
0xc22274 fputc
0xc22278 free
0xc2227c fwrite
0xc22280 getc
0xc22284 islower
0xc22288 isspace
0xc2228c isupper
0xc22290 isxdigit
0xc22294 localeconv
0xc22298 malloc
0xc2229c memcpy
0xc222a0 memset
0xc222a4 perror
0xc222a8 printf
0xc222ac rand
0xc222b0 realloc
0xc222b4 setlocale
0xc222b8 signal
0xc222bc srand
0xc222c0 strcat
0xc222c4 strchr
0xc222c8 strerror
0xc222cc strlen
0xc222d0 strncmp
0xc222d4 strtol
0xc222d8 strtoul
0xc222dc time
0xc222e0 tolower
0xc222e4 ungetc
0xc222e8 vfprintf
0xc222ec wcslen
SHELL32.dll
0xc222f4 ShellExecuteA
EAT(Export Address Table) Library
0x4e180d main
ADVAPI32.dll
0xc221b0 RegCloseKey
0xc221b4 RegCreateKeyA
0xc221b8 RegSetValueExA
KERNEL32.dll
0xc221c0 DeleteCriticalSection
0xc221c4 EnterCriticalSection
0xc221c8 FreeLibrary
0xc221cc GetLastError
0xc221d0 GetModuleHandleA
0xc221d4 GetModuleHandleW
0xc221d8 GetProcAddress
0xc221dc GetStartupInfoA
0xc221e0 GetTempPathA
0xc221e4 InitializeCriticalSection
0xc221e8 IsDBCSLeadByteEx
0xc221ec LeaveCriticalSection
0xc221f0 LoadLibraryA
0xc221f4 MultiByteToWideChar
0xc221f8 SetUnhandledExceptionFilter
0xc221fc Sleep
0xc22200 TlsGetValue
0xc22204 VirtualProtect
0xc22208 VirtualQuery
0xc2220c WideCharToMultiByte
0xc22210 lstrlenA
msvcrt.dll
0xc22218 __getmainargs
0xc2221c __initenv
0xc22220 __lconv_init
0xc22224 __mb_cur_max
0xc22228 __p__acmdln
0xc2222c __p__commode
0xc22230 __p__fmode
0xc22234 __set_app_type
0xc22238 __setusermatherr
0xc2223c _amsg_exit
0xc22240 _cexit
0xc22244 _errno
0xc22248 _initterm
0xc2224c _iob
0xc22250 _lock
0xc22254 _onexit
0xc22258 _unlock
0xc2225c abort
0xc22260 atoi
0xc22264 calloc
0xc22268 exit
0xc2226c fclose
0xc22270 fopen
0xc22274 fputc
0xc22278 free
0xc2227c fwrite
0xc22280 getc
0xc22284 islower
0xc22288 isspace
0xc2228c isupper
0xc22290 isxdigit
0xc22294 localeconv
0xc22298 malloc
0xc2229c memcpy
0xc222a0 memset
0xc222a4 perror
0xc222a8 printf
0xc222ac rand
0xc222b0 realloc
0xc222b4 setlocale
0xc222b8 signal
0xc222bc srand
0xc222c0 strcat
0xc222c4 strchr
0xc222c8 strerror
0xc222cc strlen
0xc222d0 strncmp
0xc222d4 strtol
0xc222d8 strtoul
0xc222dc time
0xc222e0 tolower
0xc222e4 ungetc
0xc222e8 vfprintf
0xc222ec wcslen
SHELL32.dll
0xc222f4 ShellExecuteA
EAT(Export Address Table) Library
0x4e180d main