Field | Value |
---|---|
Created | 2024.08.17 22:23 |
Machine | s1_win7_x6401 |
Filename | 5_6190317556063017550.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 47 detected (AIDetectMalware, Dacic, malicious, high confidence, TrojanPWS, Artemis, Zusy, Attribute, HighConfidence, Barys, Cryptnot, TrojanPSW, CryptBot, h9aZED7bPvN, pgmwd, AMADEY, YXEHOZ, Detected, ai score=85, CCJD, R661086, ZexaF, Z@a8X@8kk, GdSda, 3DGW) |
md5 | eb89a69599c9d1dde409ac2b351d9a00 |
sha256 | e9de3019d8993801fd32f5e00492fa4f5d389100146a1f6f2d7170cb8b7afebd |
ssdeep | 49152:uzwwa0PRV8VL1244wlOgE7siYqtDNeH/5OyveFN94XLrduQaSP1k/nf2ZY2lIrnM:VONtDNQ53Kk43a |
imphash | 74aaf0b5a0230a863603c8c6bcd8756b |
impfuzzy | 24:8fiFCDcn+kLEGTX5XG0bhkNJl6vlbDcqxZ9dZGXZ7:8fiJ+k4GTXJG0bhkNJl6vRwqtdZGp |
Network IP location
Signature (15cnts)
Level | Description |
---|---|
danger | File has been identified by 47 AntiVirus engines on VirusTotal as malicious |
watch | Checks the CPU name from registry |
watch | Collects information about installed applications |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata IDs
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0xbfd1c0 DeleteCriticalSection
0xbfd1c4 EnterCriticalSection
0xbfd1c8 FreeLibrary
0xbfd1cc GetLastError
0xbfd1d0 GetModuleHandleA
0xbfd1d4 GetModuleHandleW
0xbfd1d8 GetProcAddress
0xbfd1dc GetStartupInfoA
0xbfd1e0 GetTempPathA
0xbfd1e4 InitializeCriticalSection
0xbfd1e8 IsDBCSLeadByteEx
0xbfd1ec LeaveCriticalSection
0xbfd1f0 LoadLibraryA
0xbfd1f4 MultiByteToWideChar
0xbfd1f8 SetUnhandledExceptionFilter
0xbfd1fc Sleep
0xbfd200 TlsGetValue
0xbfd204 VirtualProtect
0xbfd208 VirtualQuery
0xbfd20c WideCharToMultiByte
0xbfd210 lstrlenA
msvcrt.dll
0xbfd218 __getmainargs
0xbfd21c __initenv
0xbfd220 __lconv_init
0xbfd224 __mb_cur_max
0xbfd228 __p__acmdln
0xbfd22c __p__commode
0xbfd230 __p__fmode
0xbfd234 __set_app_type
0xbfd238 __setusermatherr
0xbfd23c _amsg_exit
0xbfd240 _assert
0xbfd244 _cexit
0xbfd248 _errno
0xbfd24c _chsize
0xbfd250 _filelengthi64
0xbfd254 _fileno
0xbfd258 _initterm
0xbfd25c _iob
0xbfd260 _lock
0xbfd264 _onexit
0xbfd268 _unlock
0xbfd26c abort
0xbfd270 atoi
0xbfd274 calloc
0xbfd278 exit
0xbfd27c fclose
0xbfd280 fflush
0xbfd284 fgetpos
0xbfd288 fopen
0xbfd28c fputc
0xbfd290 fread
0xbfd294 free
0xbfd298 freopen
0xbfd29c fsetpos
0xbfd2a0 fwrite
0xbfd2a4 getc
0xbfd2a8 islower
0xbfd2ac isspace
0xbfd2b0 isupper
0xbfd2b4 isxdigit
0xbfd2b8 localeconv
0xbfd2bc malloc
0xbfd2c0 memcmp
0xbfd2c4 memcpy
0xbfd2c8 memmove
0xbfd2cc memset
0xbfd2d0 mktime
0xbfd2d4 localtime
0xbfd2d8 difftime
0xbfd2dc _mkdir
0xbfd2e0 perror
0xbfd2e4 printf
0xbfd2e8 realloc
0xbfd2ec remove
0xbfd2f0 setlocale
0xbfd2f4 signal
0xbfd2f8 strchr
0xbfd2fc strcmp
0xbfd300 strerror
0xbfd304 strlen
0xbfd308 strncmp
0xbfd30c strncpy
0xbfd310 strtol
0xbfd314 strtoul
0xbfd318 tolower
0xbfd31c ungetc
0xbfd320 vfprintf
0xbfd324 time
0xbfd328 wcslen
0xbfd32c wcstombs
0xbfd330 _stat
0xbfd334 _utime
0xbfd338 _fileno
0xbfd33c _chmod
EAT (Export Address Table) Library
0x497fe5 main