ScreenShot
| Created | 2024.09.02 13:52 | Machine | s1_win7_x6401 |
| Filename | Set-up.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 30 detected (malicious, high confidence, Dacic, Attribute, HighConfidence, Artemis, Barys, Cryptnot, CryptBot, du8Y4XG1zuF, Detected, ai score=87, CCJD, 1D64ECY, R662764, Genetic) | ||
| md5 | 06b767bf2a7deac9b9e524c5b6986bf7 | ||
| sha256 | c4c861dda94e9b3275d123e78d73bb9180b618855730eb2217a656d14e35a854 | ||
| ssdeep | 98304:YNMJ9r+xEJ3cLCB4Ty9Q0GhdjzK4KcNaUqE:RJ9r+x+iiyH7U4KcEPE | ||
| imphash | 92a00f4d0a4448266e9c638fdb1341b9 | ||
| impfuzzy | 24:8fiFCDcn+kLEGTX5XG0bhkNJl6vlbDcqxZ96HGXZQ:8fiJ+k4GTXJG0bhkNJl6vRwqt6HGG | ||
Network IP location
Signature (6cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0xf371e0 DeleteCriticalSection
0xf371e4 EnterCriticalSection
0xf371e8 FreeLibrary
0xf371ec GetLastError
0xf371f0 GetModuleHandleA
0xf371f4 GetModuleHandleW
0xf371f8 GetProcAddress
0xf371fc GetStartupInfoA
0xf37200 GetTempPathA
0xf37204 InitializeCriticalSection
0xf37208 IsDBCSLeadByteEx
0xf3720c LeaveCriticalSection
0xf37210 LoadLibraryA
0xf37214 MultiByteToWideChar
0xf37218 SetUnhandledExceptionFilter
0xf3721c Sleep
0xf37220 TlsGetValue
0xf37224 VirtualProtect
0xf37228 VirtualQuery
0xf3722c WideCharToMultiByte
0xf37230 lstrlenA
msvcrt.dll
0xf37238 __getmainargs
0xf3723c __initenv
0xf37240 __lconv_init
0xf37244 __mb_cur_max
0xf37248 __p__acmdln
0xf3724c __p__commode
0xf37250 __p__fmode
0xf37254 __set_app_type
0xf37258 __setusermatherr
0xf3725c _amsg_exit
0xf37260 _assert
0xf37264 _cexit
0xf37268 _errno
0xf3726c _chsize
0xf37270 _filelengthi64
0xf37274 _fileno
0xf37278 _initterm
0xf3727c _iob
0xf37280 _lock
0xf37284 _onexit
0xf37288 _unlock
0xf3728c abort
0xf37290 atoi
0xf37294 calloc
0xf37298 exit
0xf3729c fclose
0xf372a0 fflush
0xf372a4 fgetpos
0xf372a8 fopen
0xf372ac fputc
0xf372b0 fread
0xf372b4 free
0xf372b8 freopen
0xf372bc fsetpos
0xf372c0 fwrite
0xf372c4 getc
0xf372c8 islower
0xf372cc isspace
0xf372d0 isupper
0xf372d4 isxdigit
0xf372d8 localeconv
0xf372dc malloc
0xf372e0 memcmp
0xf372e4 memcpy
0xf372e8 memmove
0xf372ec memset
0xf372f0 mktime
0xf372f4 localtime
0xf372f8 difftime
0xf372fc _mkdir
0xf37300 perror
0xf37304 puts
0xf37308 realloc
0xf3730c remove
0xf37310 setlocale
0xf37314 signal
0xf37318 strchr
0xf3731c strcmp
0xf37320 strcpy
0xf37324 strerror
0xf37328 strlen
0xf3732c strncmp
0xf37330 strncpy
0xf37334 strtol
0xf37338 strtoul
0xf3733c tolower
0xf37340 ungetc
0xf37344 vfprintf
0xf37348 time
0xf3734c wcslen
0xf37350 wcstombs
0xf37354 _stat
0xf37358 _utime
0xf3735c _fileno
0xf37360 _chmod
SHELL32.dll
0xf37368 ShellExecuteA
EAT(Export Address Table) Library
0x4e6cc3 main
KERNEL32.dll
0xf371e0 DeleteCriticalSection
0xf371e4 EnterCriticalSection
0xf371e8 FreeLibrary
0xf371ec GetLastError
0xf371f0 GetModuleHandleA
0xf371f4 GetModuleHandleW
0xf371f8 GetProcAddress
0xf371fc GetStartupInfoA
0xf37200 GetTempPathA
0xf37204 InitializeCriticalSection
0xf37208 IsDBCSLeadByteEx
0xf3720c LeaveCriticalSection
0xf37210 LoadLibraryA
0xf37214 MultiByteToWideChar
0xf37218 SetUnhandledExceptionFilter
0xf3721c Sleep
0xf37220 TlsGetValue
0xf37224 VirtualProtect
0xf37228 VirtualQuery
0xf3722c WideCharToMultiByte
0xf37230 lstrlenA
msvcrt.dll
0xf37238 __getmainargs
0xf3723c __initenv
0xf37240 __lconv_init
0xf37244 __mb_cur_max
0xf37248 __p__acmdln
0xf3724c __p__commode
0xf37250 __p__fmode
0xf37254 __set_app_type
0xf37258 __setusermatherr
0xf3725c _amsg_exit
0xf37260 _assert
0xf37264 _cexit
0xf37268 _errno
0xf3726c _chsize
0xf37270 _filelengthi64
0xf37274 _fileno
0xf37278 _initterm
0xf3727c _iob
0xf37280 _lock
0xf37284 _onexit
0xf37288 _unlock
0xf3728c abort
0xf37290 atoi
0xf37294 calloc
0xf37298 exit
0xf3729c fclose
0xf372a0 fflush
0xf372a4 fgetpos
0xf372a8 fopen
0xf372ac fputc
0xf372b0 fread
0xf372b4 free
0xf372b8 freopen
0xf372bc fsetpos
0xf372c0 fwrite
0xf372c4 getc
0xf372c8 islower
0xf372cc isspace
0xf372d0 isupper
0xf372d4 isxdigit
0xf372d8 localeconv
0xf372dc malloc
0xf372e0 memcmp
0xf372e4 memcpy
0xf372e8 memmove
0xf372ec memset
0xf372f0 mktime
0xf372f4 localtime
0xf372f8 difftime
0xf372fc _mkdir
0xf37300 perror
0xf37304 puts
0xf37308 realloc
0xf3730c remove
0xf37310 setlocale
0xf37314 signal
0xf37318 strchr
0xf3731c strcmp
0xf37320 strcpy
0xf37324 strerror
0xf37328 strlen
0xf3732c strncmp
0xf37330 strncpy
0xf37334 strtol
0xf37338 strtoul
0xf3733c tolower
0xf37340 ungetc
0xf37344 vfprintf
0xf37348 time
0xf3734c wcslen
0xf37350 wcstombs
0xf37354 _stat
0xf37358 _utime
0xf3735c _fileno
0xf37360 _chmod
SHELL32.dll
0xf37368 ShellExecuteA
EAT(Export Address Table) Library
0x4e6cc3 main