Field | Value |
---|---|
Created | 2024.09.22 17:52 |
Machine | s1_win7_x6403 |
Filename | 66e571613a5a3_Server.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 61 detected (AIDetectMalware, BlackMoon, Malicious, score, Injuke, Graftor, Unsafe, Save, confidence, Attribute, HighConfidence, moderate confidence, A suspicious, TrojanX, Tiggre, hfiybo, Blamon, 4rHQxiKfRp, Siggen18, R002C0DIK24, Real Protect, high, CoinMiner, APosT, Detected, C2Lop, Eldorado, R342429, GenericRXAA, BScope, Gencirc, GenAsa, u1i10E6671M, MalBehav, susgen) |
md5 | d42e570ec9cf6757af9fbd23f251bdbc |
sha256 | 05659d0fc78d1c952a81863433e7d9cc1570d84e931d19ff5a771627e77c8e1a |
ssdeep | 3072:/dCkuIzYSve0+BYJC+mcg5ARtOd/nV2aSQbWe:/dCfIBve0+BYJ/mj5A/Y2ahK |
imphash | 166f31882ac75763588d61777cc50545 |
impfuzzy | 6:om1BJAEoZ/OEGDzyRHCJughdzGbKNEWzT1n:om9ABZG/DzwCMgDmWrzhn |
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 61 AntiVirus engines on VirusTotal as malicious |
watch | Attempts to create or modify system certificates |
watch | Installs itself for autorun at Windows startup |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Queries for the computername |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (12cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x45e0b4 RegOpenKeyA
KERNEL32.DLL
0x45e0bc LoadLibraryA
0x45e0c0 ExitProcess
0x45e0c4 GetProcAddress
0x45e0c8 VirtualProtect
MSVCRT.dll
0x45e0d0 rand
ole32.dll
0x45e0d8 OleRun
OLEAUT32.dll
0x45e0e0 SafeArrayDestroy
USER32.dll
0x45e0e8 wsprintfA
WINHTTP.dll
0x45e0f0 WinHttpOpen
WS2_32.dll
0x45e0f8 send
EAT (Export Address Table): none