Field | Value
---|---
Created | 2024.10.04 11:19
Machine | s1_win7_x6403
Filename | javumarfirst.exe
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score |
Behavior Score |
ZERO API | file : malware
VT API (file) | 11 detected (AIDetectMalware, malicious, confidence, high confidence, GenKryptik, HBZR, CrypterX, Kryptik, 25KWoxie6RB, CryptBot, Ckjl)
md5 | 506f20dc6d2d9a4bd2725a726679b74e
sha256 | 9259b00bb10494cb883a4999ea33ff59452df9e09d2c30beafae09fd980b8baf
ssdeep | 49152:o18FBWG6cBjNOL/SoDUVs7dxzg57AEgPQhaYkOr74oBxBRO+uaXHMEUs9N+qaKDJ:RBDBpi/SoDUVshx03wQA
imphash | 41db2083dac89343aef584a51a80b293
impfuzzy | 24:QT/gfiFAD1vOBoIkLyJdfpTX5XG0bEKkxJgr6vlbDcqSZ9FZGXZ2:9fiIooIk0xTXJG0bNkxJgr6vRwqoFZGM
Network IP location
Signature (7cnts)
Level | Description |
---|---|
watch | File has been identified by 11 AntiVirus engines on VirusTotal as malicious |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Sends data using the HTTP POST Method |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0xa9921c CryptAcquireContextA
0xa99220 CryptGenRandom
0xa99224 CryptReleaseContext
KERNEL32.dll
0xa9922c DeleteCriticalSection
0xa99230 EnterCriticalSection
0xa99234 FreeLibrary
0xa99238 GetLastError
0xa9923c GetModuleHandleA
0xa99240 GetModuleHandleW
0xa99244 GetNativeSystemInfo
0xa99248 GetProcAddress
0xa9924c GetProcessHeap
0xa99250 GetStartupInfoA
0xa99254 GetThreadLocale
0xa99258 HeapAlloc
0xa9925c HeapFree
0xa99260 InitializeCriticalSection
0xa99264 IsBadReadPtr
0xa99268 IsDBCSLeadByteEx
0xa9926c LeaveCriticalSection
0xa99270 LoadLibraryA
0xa99274 MultiByteToWideChar
0xa99278 SetLastError
0xa9927c SetUnhandledExceptionFilter
0xa99280 Sleep
0xa99284 TlsGetValue
0xa99288 VirtualAlloc
0xa9928c VirtualFree
0xa99290 VirtualProtect
0xa99294 VirtualQuery
0xa99298 WideCharToMultiByte
0xa9929c lstrlenA
msvcrt.dll
0xa992a4 __getmainargs
0xa992a8 __initenv
0xa992ac __mb_cur_max
0xa992b0 __p__acmdln
0xa992b4 __p__commode
0xa992b8 __p__fmode
0xa992bc __set_app_type
0xa992c0 __setusermatherr
0xa992c4 _amsg_exit
0xa992c8 _assert
0xa992cc _cexit
0xa992d0 _errno
0xa992d4 _chsize
0xa992d8 _exit
0xa992dc _filelengthi64
0xa992e0 _fileno
0xa992e4 _initterm
0xa992e8 _iob
0xa992ec _lock
0xa992f0 _onexit
0xa992f4 _unlock
0xa992f8 _wcsnicmp
0xa992fc abort
0xa99300 atoi
0xa99304 search
0xa99308 calloc
0xa9930c exit
0xa99310 fclose
0xa99314 fflush
0xa99318 fgetpos
0xa9931c fopen
0xa99320 fputc
0xa99324 fread
0xa99328 free
0xa9932c freopen
0xa99330 fsetpos
0xa99334 fwrite
0xa99338 getc
0xa9933c islower
0xa99340 isspace
0xa99344 isupper
0xa99348 isxdigit
0xa9934c localeconv
0xa99350 malloc
0xa99354 mbstowcs
0xa99358 memcmp
0xa9935c memcpy
0xa99360 memmove
0xa99364 memset
0xa99368 mktime
0xa9936c localtime
0xa99370 difftime
0xa99374 _mkdir
0xa99378 perror
0xa9937c qsort
0xa99380 realloc
0xa99384 remove
0xa99388 setlocale
0xa9938c signal
0xa99390 strchr
0xa99394 strcmp
0xa99398 strerror
0xa9939c strlen
0xa993a0 strncmp
0xa993a4 strncpy
0xa993a8 strtol
0xa993ac strtoul
0xa993b0 tolower
0xa993b4 ungetc
0xa993b8 vfprintf
0xa993bc time
0xa993c0 wcslen
0xa993c4 wcstombs
0xa993c8 _stat
0xa993cc _write
0xa993d0 _utime
0xa993d4 _open
0xa993d8 _fileno
0xa993dc _close
0xa993e0 _chmod
EAT (Export Address Table): none