ScreenShot
| Created | 2024.08.18 14:14 | Machine | s1_win7_x6401 |
| Filename | 3546345.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 28 detected (AIDetectMalware, malicious, high confidence, Dacic, Zusy, Barys, h9aZED7bPvN, Detected, ai score=83, CryptBot, CCJD, R661086, ZexaF, Z@amDw0) | ||
| md5 | fd2defc436fc7960d6501a01c91d893e | ||
| sha256 | ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945 | ||
| ssdeep | 49152:kpiVaJ9m+8FdK1BZKVD2CMwbbIip7q18N/jH1:ks3+11vKV7Fs89jH1 | ||
| imphash | 74aaf0b5a0230a863603c8c6bcd8756b | ||
| impfuzzy | 24:8fiFCDcn+kLEGTX5XG0bhkNJl6vlbDcqxZ9dZGXZ7:8fiJ+k4GTXJG0bhkNJl6vRwqtdZGp | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xbfc1c0 DeleteCriticalSection
0xbfc1c4 EnterCriticalSection
0xbfc1c8 FreeLibrary
0xbfc1cc GetLastError
0xbfc1d0 GetModuleHandleA
0xbfc1d4 GetModuleHandleW
0xbfc1d8 GetProcAddress
0xbfc1dc GetStartupInfoA
0xbfc1e0 GetTempPathA
0xbfc1e4 InitializeCriticalSection
0xbfc1e8 IsDBCSLeadByteEx
0xbfc1ec LeaveCriticalSection
0xbfc1f0 LoadLibraryA
0xbfc1f4 MultiByteToWideChar
0xbfc1f8 SetUnhandledExceptionFilter
0xbfc1fc Sleep
0xbfc200 TlsGetValue
0xbfc204 VirtualProtect
0xbfc208 VirtualQuery
0xbfc20c WideCharToMultiByte
0xbfc210 lstrlenA
msvcrt.dll
0xbfc218 __getmainargs
0xbfc21c __initenv
0xbfc220 __lconv_init
0xbfc224 __mb_cur_max
0xbfc228 __p__acmdln
0xbfc22c __p__commode
0xbfc230 __p__fmode
0xbfc234 __set_app_type
0xbfc238 __setusermatherr
0xbfc23c _amsg_exit
0xbfc240 _assert
0xbfc244 _cexit
0xbfc248 _errno
0xbfc24c _chsize
0xbfc250 _filelengthi64
0xbfc254 _fileno
0xbfc258 _initterm
0xbfc25c _iob
0xbfc260 _lock
0xbfc264 _onexit
0xbfc268 _unlock
0xbfc26c abort
0xbfc270 atoi
0xbfc274 calloc
0xbfc278 exit
0xbfc27c fclose
0xbfc280 fflush
0xbfc284 fgetpos
0xbfc288 fopen
0xbfc28c fputc
0xbfc290 fread
0xbfc294 free
0xbfc298 freopen
0xbfc29c fsetpos
0xbfc2a0 fwrite
0xbfc2a4 getc
0xbfc2a8 islower
0xbfc2ac isspace
0xbfc2b0 isupper
0xbfc2b4 isxdigit
0xbfc2b8 localeconv
0xbfc2bc malloc
0xbfc2c0 memcmp
0xbfc2c4 memcpy
0xbfc2c8 memmove
0xbfc2cc memset
0xbfc2d0 mktime
0xbfc2d4 localtime
0xbfc2d8 difftime
0xbfc2dc _mkdir
0xbfc2e0 perror
0xbfc2e4 printf
0xbfc2e8 realloc
0xbfc2ec remove
0xbfc2f0 setlocale
0xbfc2f4 signal
0xbfc2f8 strchr
0xbfc2fc strcmp
0xbfc300 strerror
0xbfc304 strlen
0xbfc308 strncmp
0xbfc30c strncpy
0xbfc310 strtol
0xbfc314 strtoul
0xbfc318 tolower
0xbfc31c ungetc
0xbfc320 vfprintf
0xbfc324 time
0xbfc328 wcslen
0xbfc32c wcstombs
0xbfc330 _stat
0xbfc334 _utime
0xbfc338 _fileno
0xbfc33c _chmod
EAT(Export Address Table) Library
0x4197e1 main
KERNEL32.dll
0xbfc1c0 DeleteCriticalSection
0xbfc1c4 EnterCriticalSection
0xbfc1c8 FreeLibrary
0xbfc1cc GetLastError
0xbfc1d0 GetModuleHandleA
0xbfc1d4 GetModuleHandleW
0xbfc1d8 GetProcAddress
0xbfc1dc GetStartupInfoA
0xbfc1e0 GetTempPathA
0xbfc1e4 InitializeCriticalSection
0xbfc1e8 IsDBCSLeadByteEx
0xbfc1ec LeaveCriticalSection
0xbfc1f0 LoadLibraryA
0xbfc1f4 MultiByteToWideChar
0xbfc1f8 SetUnhandledExceptionFilter
0xbfc1fc Sleep
0xbfc200 TlsGetValue
0xbfc204 VirtualProtect
0xbfc208 VirtualQuery
0xbfc20c WideCharToMultiByte
0xbfc210 lstrlenA
msvcrt.dll
0xbfc218 __getmainargs
0xbfc21c __initenv
0xbfc220 __lconv_init
0xbfc224 __mb_cur_max
0xbfc228 __p__acmdln
0xbfc22c __p__commode
0xbfc230 __p__fmode
0xbfc234 __set_app_type
0xbfc238 __setusermatherr
0xbfc23c _amsg_exit
0xbfc240 _assert
0xbfc244 _cexit
0xbfc248 _errno
0xbfc24c _chsize
0xbfc250 _filelengthi64
0xbfc254 _fileno
0xbfc258 _initterm
0xbfc25c _iob
0xbfc260 _lock
0xbfc264 _onexit
0xbfc268 _unlock
0xbfc26c abort
0xbfc270 atoi
0xbfc274 calloc
0xbfc278 exit
0xbfc27c fclose
0xbfc280 fflush
0xbfc284 fgetpos
0xbfc288 fopen
0xbfc28c fputc
0xbfc290 fread
0xbfc294 free
0xbfc298 freopen
0xbfc29c fsetpos
0xbfc2a0 fwrite
0xbfc2a4 getc
0xbfc2a8 islower
0xbfc2ac isspace
0xbfc2b0 isupper
0xbfc2b4 isxdigit
0xbfc2b8 localeconv
0xbfc2bc malloc
0xbfc2c0 memcmp
0xbfc2c4 memcpy
0xbfc2c8 memmove
0xbfc2cc memset
0xbfc2d0 mktime
0xbfc2d4 localtime
0xbfc2d8 difftime
0xbfc2dc _mkdir
0xbfc2e0 perror
0xbfc2e4 printf
0xbfc2e8 realloc
0xbfc2ec remove
0xbfc2f0 setlocale
0xbfc2f4 signal
0xbfc2f8 strchr
0xbfc2fc strcmp
0xbfc300 strerror
0xbfc304 strlen
0xbfc308 strncmp
0xbfc30c strncpy
0xbfc310 strtol
0xbfc314 strtoul
0xbfc318 tolower
0xbfc31c ungetc
0xbfc320 vfprintf
0xbfc324 time
0xbfc328 wcslen
0xbfc32c wcstombs
0xbfc330 _stat
0xbfc334 _utime
0xbfc338 _fileno
0xbfc33c _chmod
EAT(Export Address Table) Library
0x4197e1 main