ScreenShot
| Created | 2024.08.12 11:36 | Machine | s1_win7_x6401 |
| Filename | 222fastsetup.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 35 detected (AIDetectMalware, malicious, high confidence, Dacic, Zusy, Attribute, HighConfidence, Artemis, Barys, rLw0cFpN2KM, Real Protect, Detected, ai score=87, Cryptnot, QYAA, Eldorado, CryptBot, R659955, ZexaF, Z@aq04k3b, PasswordStealer, Genetic) | ||
| md5 | d9c2521c8dd6cfdb84244a46a681dfa8 | ||
| sha256 | a38b514a313e566ffef61acfc7bb9fd07c0499cb87cc795815e84eb2618427c9 | ||
| ssdeep | 49152:3b/FFiGqsqUTUZefhTfOJrqXA/5jn917fFHrle:3i+ULdo | ||
| imphash | 196992c146062db84cbd73903ca4b0ad | ||
| impfuzzy | 24:8fiFCDq+kLEGTX5XGKJkNJlkvlbDcq30GXZy:8fir+k4GTXJGKJkNJlkvpwq30GQ | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xbcb154 DeleteCriticalSection
0xbcb158 EnterCriticalSection
0xbcb15c FreeLibrary
0xbcb160 GetLastError
0xbcb164 GetModuleHandleA
0xbcb168 GetModuleHandleW
0xbcb16c GetProcAddress
0xbcb170 GetStartupInfoA
0xbcb174 InitializeCriticalSection
0xbcb178 IsDBCSLeadByteEx
0xbcb17c LeaveCriticalSection
0xbcb180 LoadLibraryA
0xbcb184 MultiByteToWideChar
0xbcb188 SetUnhandledExceptionFilter
0xbcb18c Sleep
0xbcb190 TlsGetValue
0xbcb194 VirtualProtect
0xbcb198 VirtualQuery
0xbcb19c WideCharToMultiByte
0xbcb1a0 lstrlenA
msvcrt.dll
0xbcb1a8 __getmainargs
0xbcb1ac __initenv
0xbcb1b0 __lconv_init
0xbcb1b4 __mb_cur_max
0xbcb1b8 __p__acmdln
0xbcb1bc __p__commode
0xbcb1c0 __p__fmode
0xbcb1c4 __set_app_type
0xbcb1c8 __setusermatherr
0xbcb1cc _amsg_exit
0xbcb1d0 _cexit
0xbcb1d4 _errno
0xbcb1d8 _initterm
0xbcb1dc _iob
0xbcb1e0 _lock
0xbcb1e4 _onexit
0xbcb1e8 _unlock
0xbcb1ec abort
0xbcb1f0 atoi
0xbcb1f4 calloc
0xbcb1f8 exit
0xbcb1fc fputc
0xbcb200 free
0xbcb204 fwrite
0xbcb208 getc
0xbcb20c islower
0xbcb210 isspace
0xbcb214 isupper
0xbcb218 isxdigit
0xbcb21c localeconv
0xbcb220 malloc
0xbcb224 memcpy
0xbcb228 memset
0xbcb22c perror
0xbcb230 printf
0xbcb234 realloc
0xbcb238 setlocale
0xbcb23c signal
0xbcb240 strchr
0xbcb244 strerror
0xbcb248 strlen
0xbcb24c strncmp
0xbcb250 strtol
0xbcb254 strtoul
0xbcb258 tolower
0xbcb25c ungetc
0xbcb260 vfprintf
0xbcb264 wcslen
EAT(Export Address Table) Library
0x490f55 main
KERNEL32.dll
0xbcb154 DeleteCriticalSection
0xbcb158 EnterCriticalSection
0xbcb15c FreeLibrary
0xbcb160 GetLastError
0xbcb164 GetModuleHandleA
0xbcb168 GetModuleHandleW
0xbcb16c GetProcAddress
0xbcb170 GetStartupInfoA
0xbcb174 InitializeCriticalSection
0xbcb178 IsDBCSLeadByteEx
0xbcb17c LeaveCriticalSection
0xbcb180 LoadLibraryA
0xbcb184 MultiByteToWideChar
0xbcb188 SetUnhandledExceptionFilter
0xbcb18c Sleep
0xbcb190 TlsGetValue
0xbcb194 VirtualProtect
0xbcb198 VirtualQuery
0xbcb19c WideCharToMultiByte
0xbcb1a0 lstrlenA
msvcrt.dll
0xbcb1a8 __getmainargs
0xbcb1ac __initenv
0xbcb1b0 __lconv_init
0xbcb1b4 __mb_cur_max
0xbcb1b8 __p__acmdln
0xbcb1bc __p__commode
0xbcb1c0 __p__fmode
0xbcb1c4 __set_app_type
0xbcb1c8 __setusermatherr
0xbcb1cc _amsg_exit
0xbcb1d0 _cexit
0xbcb1d4 _errno
0xbcb1d8 _initterm
0xbcb1dc _iob
0xbcb1e0 _lock
0xbcb1e4 _onexit
0xbcb1e8 _unlock
0xbcb1ec abort
0xbcb1f0 atoi
0xbcb1f4 calloc
0xbcb1f8 exit
0xbcb1fc fputc
0xbcb200 free
0xbcb204 fwrite
0xbcb208 getc
0xbcb20c islower
0xbcb210 isspace
0xbcb214 isupper
0xbcb218 isxdigit
0xbcb21c localeconv
0xbcb220 malloc
0xbcb224 memcpy
0xbcb228 memset
0xbcb22c perror
0xbcb230 printf
0xbcb234 realloc
0xbcb238 setlocale
0xbcb23c signal
0xbcb240 strchr
0xbcb244 strerror
0xbcb248 strlen
0xbcb24c strncmp
0xbcb250 strtol
0xbcb254 strtoul
0xbcb258 tolower
0xbcb25c ungetc
0xbcb260 vfprintf
0xbcb264 wcslen
EAT(Export Address Table) Library
0x490f55 main