ScreenShot
| Created | 2024.08.17 22:30 | Machine | s1_win7_x6401 |
| Filename | DOC.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 50 detected (AIDetectMalware, Dacic, malicious, high confidence, score, Cryptnot, Unsafe, Zusy, Attribute, HighConfidence, Barys, TrojanPSW, rLw0cFpN2KM, fkjil, AMADEY, YXEHNZ, Real Protect, Detected, ai score=89, QYAA, Eldorado, CryptBot, R659955, ZexaF, Z@a86dO, PasswordStealer, GdSda, QQPass, QQRob, Swhl, QNZO3DGW) | ||
| md5 | 2dbdc645b9776239b18f772c30c1a626 | ||
| sha256 | 2b92d1c34b7f0278703c98e9fd755e061d0f120eea327996b223dfc65610dfcd | ||
| ssdeep | 49152:hhVSCIoIdMdFH/x0EtwDPbtjlEzVu0K64EiSADdUNigC:7Ivnq80bODdU6 | ||
| imphash | 196992c146062db84cbd73903ca4b0ad | ||
| impfuzzy | 24:8fiFCDq+kLEGTX5XGKJkNJlkvlbDcq30GXZy:8fir+k4GTXJGKJkNJlkvpwq30GQ | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| warning | Generates some ICMP traffic |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xbd6154 DeleteCriticalSection
0xbd6158 EnterCriticalSection
0xbd615c FreeLibrary
0xbd6160 GetLastError
0xbd6164 GetModuleHandleA
0xbd6168 GetModuleHandleW
0xbd616c GetProcAddress
0xbd6170 GetStartupInfoA
0xbd6174 InitializeCriticalSection
0xbd6178 IsDBCSLeadByteEx
0xbd617c LeaveCriticalSection
0xbd6180 LoadLibraryA
0xbd6184 MultiByteToWideChar
0xbd6188 SetUnhandledExceptionFilter
0xbd618c Sleep
0xbd6190 TlsGetValue
0xbd6194 VirtualProtect
0xbd6198 VirtualQuery
0xbd619c WideCharToMultiByte
0xbd61a0 lstrlenA
msvcrt.dll
0xbd61a8 __getmainargs
0xbd61ac __initenv
0xbd61b0 __lconv_init
0xbd61b4 __mb_cur_max
0xbd61b8 __p__acmdln
0xbd61bc __p__commode
0xbd61c0 __p__fmode
0xbd61c4 __set_app_type
0xbd61c8 __setusermatherr
0xbd61cc _amsg_exit
0xbd61d0 _cexit
0xbd61d4 _errno
0xbd61d8 _initterm
0xbd61dc _iob
0xbd61e0 _lock
0xbd61e4 _onexit
0xbd61e8 _unlock
0xbd61ec abort
0xbd61f0 atoi
0xbd61f4 calloc
0xbd61f8 exit
0xbd61fc fputc
0xbd6200 free
0xbd6204 fwrite
0xbd6208 getc
0xbd620c islower
0xbd6210 isspace
0xbd6214 isupper
0xbd6218 isxdigit
0xbd621c localeconv
0xbd6220 malloc
0xbd6224 memcpy
0xbd6228 memset
0xbd622c perror
0xbd6230 printf
0xbd6234 realloc
0xbd6238 setlocale
0xbd623c signal
0xbd6240 strchr
0xbd6244 strerror
0xbd6248 strlen
0xbd624c strncmp
0xbd6250 strtol
0xbd6254 strtoul
0xbd6258 tolower
0xbd625c ungetc
0xbd6260 vfprintf
0xbd6264 wcslen
EAT(Export Address Table) Library
0x4d17fe main
KERNEL32.dll
0xbd6154 DeleteCriticalSection
0xbd6158 EnterCriticalSection
0xbd615c FreeLibrary
0xbd6160 GetLastError
0xbd6164 GetModuleHandleA
0xbd6168 GetModuleHandleW
0xbd616c GetProcAddress
0xbd6170 GetStartupInfoA
0xbd6174 InitializeCriticalSection
0xbd6178 IsDBCSLeadByteEx
0xbd617c LeaveCriticalSection
0xbd6180 LoadLibraryA
0xbd6184 MultiByteToWideChar
0xbd6188 SetUnhandledExceptionFilter
0xbd618c Sleep
0xbd6190 TlsGetValue
0xbd6194 VirtualProtect
0xbd6198 VirtualQuery
0xbd619c WideCharToMultiByte
0xbd61a0 lstrlenA
msvcrt.dll
0xbd61a8 __getmainargs
0xbd61ac __initenv
0xbd61b0 __lconv_init
0xbd61b4 __mb_cur_max
0xbd61b8 __p__acmdln
0xbd61bc __p__commode
0xbd61c0 __p__fmode
0xbd61c4 __set_app_type
0xbd61c8 __setusermatherr
0xbd61cc _amsg_exit
0xbd61d0 _cexit
0xbd61d4 _errno
0xbd61d8 _initterm
0xbd61dc _iob
0xbd61e0 _lock
0xbd61e4 _onexit
0xbd61e8 _unlock
0xbd61ec abort
0xbd61f0 atoi
0xbd61f4 calloc
0xbd61f8 exit
0xbd61fc fputc
0xbd6200 free
0xbd6204 fwrite
0xbd6208 getc
0xbd620c islower
0xbd6210 isspace
0xbd6214 isupper
0xbd6218 isxdigit
0xbd621c localeconv
0xbd6220 malloc
0xbd6224 memcpy
0xbd6228 memset
0xbd622c perror
0xbd6230 printf
0xbd6234 realloc
0xbd6238 setlocale
0xbd623c signal
0xbd6240 strchr
0xbd6244 strerror
0xbd6248 strlen
0xbd624c strncmp
0xbd6250 strtol
0xbd6254 strtoul
0xbd6258 tolower
0xbd625c ungetc
0xbd6260 vfprintf
0xbd6264 wcslen
EAT(Export Address Table) Library
0x4d17fe main