Field | Value |
---|---|
Created | 2024.09.02 10:02 |
Machine | s1_win7_x6403 |
Filename | joffer2.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
ZERO API | file : malware |
VT API (file) | 30 detected (malicious, high confidence, Dacic, Attribute, HighConfidence, Barys, CryptBot, du8Y4XG1zuF, Detected, ai score=88, CCJD, 1D64ECY, ZexaF, @@Z@aCOEHzb, Genetic, confidence) |
md5 | 4386df2790a9752e9cf0424dca91ad15 |
sha256 | e2f0e525c66dba847bedf887398405348159ce607bc6cc826bef73651fd7135d |
ssdeep | 49152:B0QJDHck3aW3sg1Kptd473sgCMMqfHFIUYIIKdkiT1dEKIOLxlbid:B9JLckf31QtG3sghMqfH+V81ddLxl+d |
imphash | 92a00f4d0a4448266e9c638fdb1341b9 |
impfuzzy | 24:8fiFCDcn+kLEGTX5XG0bhkNJl6vlbDcqxZ96HGXZQ:8fiJ+k4GTXJG0bhkNJl6vRwqt6HGG |
Signature (7cnts)
Level | Description |
---|---|
danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0xf361e0 DeleteCriticalSection
0xf361e4 EnterCriticalSection
0xf361e8 FreeLibrary
0xf361ec GetLastError
0xf361f0 GetModuleHandleA
0xf361f4 GetModuleHandleW
0xf361f8 GetProcAddress
0xf361fc GetStartupInfoA
0xf36200 GetTempPathA
0xf36204 InitializeCriticalSection
0xf36208 IsDBCSLeadByteEx
0xf3620c LeaveCriticalSection
0xf36210 LoadLibraryA
0xf36214 MultiByteToWideChar
0xf36218 SetUnhandledExceptionFilter
0xf3621c Sleep
0xf36220 TlsGetValue
0xf36224 VirtualProtect
0xf36228 VirtualQuery
0xf3622c WideCharToMultiByte
0xf36230 lstrlenA
msvcrt.dll
0xf36238 __getmainargs
0xf3623c __initenv
0xf36240 __lconv_init
0xf36244 __mb_cur_max
0xf36248 __p__acmdln
0xf3624c __p__commode
0xf36250 __p__fmode
0xf36254 __set_app_type
0xf36258 __setusermatherr
0xf3625c _amsg_exit
0xf36260 _assert
0xf36264 _cexit
0xf36268 _errno
0xf3626c _chsize
0xf36270 _filelengthi64
0xf36274 _fileno
0xf36278 _initterm
0xf3627c _iob
0xf36280 _lock
0xf36284 _onexit
0xf36288 _unlock
0xf3628c abort
0xf36290 atoi
0xf36294 calloc
0xf36298 exit
0xf3629c fclose
0xf362a0 fflush
0xf362a4 fgetpos
0xf362a8 fopen
0xf362ac fputc
0xf362b0 fread
0xf362b4 free
0xf362b8 freopen
0xf362bc fsetpos
0xf362c0 fwrite
0xf362c4 getc
0xf362c8 islower
0xf362cc isspace
0xf362d0 isupper
0xf362d4 isxdigit
0xf362d8 localeconv
0xf362dc malloc
0xf362e0 memcmp
0xf362e4 memcpy
0xf362e8 memmove
0xf362ec memset
0xf362f0 mktime
0xf362f4 localtime
0xf362f8 difftime
0xf362fc _mkdir
0xf36300 perror
0xf36304 puts
0xf36308 realloc
0xf3630c remove
0xf36310 setlocale
0xf36314 signal
0xf36318 strchr
0xf3631c strcmp
0xf36320 strcpy
0xf36324 strerror
0xf36328 strlen
0xf3632c strncmp
0xf36330 strncpy
0xf36334 strtol
0xf36338 strtoul
0xf3633c tolower
0xf36340 ungetc
0xf36344 vfprintf
0xf36348 time
0xf3634c wcslen
0xf36350 wcstombs
0xf36354 _stat
0xf36358 _utime
0xf3635c _fileno
0xf36360 _chmod
SHELL32.dll
0xf36368 ShellExecuteA
EAT (Export Address Table) Library
0x451fb3 main