Field | Value |
---|---|
Created | 2024.08.23 09:49 |
Machine | s1_win7_x6401 |
Filename | Updater.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 60 detected (AIDetectMalware, Reflo, malicious, high confidence, score, GenericKD, Unsafe, Vwy5, VMProtect, Artemis, xbrzux, 727qAG4EkQE, AGEN, Siggen29, R002C0XGT24, Real Protect, Detected, ai score=88, GrayWare, Wacapew, Malware@#2g1whylycqm7z, Tedy, R646909, CoinMiner, Chgt, Gencirc, susgen, Behavior, confidence, 100%, HTK2XJC) |
md5 | dd3aa70adbe7894d6705ddb398155628 |
sha256 | 6b32ec90229466753e03ba4d9eb0c4eb225b8ca2fc5beea04f1ca4a887907c6b |
ssdeep | 196608:RNPW2PdkNsUE5pWMF0PJqQFcVYjV7VHSrTEitDuTw+HCwL:Lu5NGwAQx3SskDu8 |
imphash | 5f85c353cf9895ecc2a751010283213a |
impfuzzy | 12:FMHlRowfP9qZGoQtXJxZGb9AJcDfA5kLfP9m:FMrlaQtXJHc9NDI5Q8 |
Network IP location
Signature (4cnts)
Level | Description |
---|---|
danger | File has been identified by 60 AntiVirus engines on VirusTotal as malicious |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is likely packed with VMProtect |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
PE API
IAT (Import Address Table) Library
msvcrt.dll
0x140d15000 __C_specific_handler
KERNEL32.dll
0x140d15010 DeleteCriticalSection
WTSAPI32.dll
0x140d15020 WTSSendMessageW
KERNEL32.dll
0x140d15030 GetSystemTimeAsFileTime
USER32.dll
0x140d15040 GetUserObjectInformationW
KERNEL32.dll
0x140d15050 LocalAlloc
0x140d15058 LocalFree
0x140d15060 GetModuleFileNameW
0x140d15068 GetProcessAffinityMask
0x140d15070 SetProcessAffinityMask
0x140d15078 SetThreadAffinityMask
0x140d15080 Sleep
0x140d15088 ExitProcess
0x140d15090 FreeLibrary
0x140d15098 LoadLibraryA
0x140d150a0 GetModuleHandleA
0x140d150a8 GetProcAddress
USER32.dll
0x140d150b8 GetProcessWindowStation
0x140d150c0 GetUserObjectInformationW
EAT (Export Address Table): none