Report - jgt.exe

PE File PE64
Created 2024.10.11 11:14 Machine s1_win7_x6403
Filename jgt.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score: 6
Behavior Score: 1.8
ZERO API (file): malware
VT API (file) 56 detected (AIDetectMalware, Reflo, Malicious, score, FWHP, Tedy, Unsafe, CoinMiner, Kryptik, Vdir, confidence, Attribute, HighConfidence, Windows, Threat, Genkryptik, ksokwe, Staser, g2ZCviiLSKR, AGEN, Siggen29, R002C0DJ824, Static AI, Malicious PE, Detected, Eldorado, DropperX, R622355, Krypt, GdSda, susgen, GQCB, Miner)
md5 1417d38c40d85d1c4eb7fad3444ca069
sha256 5f7c6cdea3c4e825af1d796cbd34b2d45b2b6fabed130e717a30a6d871993f5d
ssdeep 98304:z0uVyIJFN+YjxW2q0pOFklpKRDArh51NuIQIi7by2ud3RK:QucIJbx9TOFkMOL1NuIQIi7by2uRRK
imphash b237ac2118704db9e7609540658f5790
impfuzzy 12:FMHHGf5XGXKiEG6eGJyJk6lTpJqJZJVZJfMRJRJJoARZqRVPXJHqc:FMGf5XGf6ZgJkoDqnvZJfQfjBcV9

Signature (3cnts)

Level Description
danger File has been identified by 56 AntiVirus engines on VirusTotal as malicious
notice Resolves a suspicious Top Level Domain (TLD)
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (2cnts)

Level Name Description Collection
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (10cnts)

Request CC ASN Co IP4 Rule ZERO
jaiodsnvzxkxcz5hvxzkighiwagfew9oi0d3219v687dyfsdg.su US CLOUDFLARENET 172.67.184.91 clean
justpaste.it PL Espol Sp. z o. o. 83.168.108.45 clean
pool.supportxmr.com Unknown 141.94.96.195 malicious
pastebin.com US CLOUDFLARENET 104.20.3.235 malicious
rentry.co US CLOUDFLARENET 104.26.2.16 malware
104.20.3.235 US CLOUDFLARENET 104.20.3.235 malware
104.26.2.16 US CLOUDFLARENET 104.26.2.16 malicious
104.21.19.3 US CLOUDFLARENET 104.21.19.3 clean
141.94.96.71 Unknown 141.94.96.71 clean
83.168.108.45 PL Espol Sp. z o. o. 83.168.108.45 clean

Suricata IDS

PE API

IAT (Import Address Table) Library

msvcrt.dll
 0x14001d8b0 __C_specific_handler
 0x14001d8b8 __getmainargs
 0x14001d8c0 __initenv
 0x14001d8c8 __iob_func
 0x14001d8d0 __set_app_type
 0x14001d8d8 __setusermatherr
 0x14001d8e0 _amsg_exit
 0x14001d8e8 _cexit
 0x14001d8f0 _commode
 0x14001d8f8 _fmode
 0x14001d900 _initterm
 0x14001d908 _onexit
 0x14001d910 _wcsicmp
 0x14001d918 _wcsnicmp
 0x14001d920 abort
 0x14001d928 calloc
 0x14001d930 exit
 0x14001d938 fprintf
 0x14001d940 free
 0x14001d948 fwrite
 0x14001d950 malloc
 0x14001d958 memcpy
 0x14001d960 memset
 0x14001d968 signal
 0x14001d970 strcat
 0x14001d978 strcpy
 0x14001d980 strlen
 0x14001d988 strncmp
 0x14001d990 strstr
 0x14001d998 vfprintf
 0x14001d9a0 wcscat
 0x14001d9a8 wcscpy
 0x14001d9b0 wcslen
 0x14001d9b8 wcsncmp
 0x14001d9c0 wcsstr
KERNEL32.dll
 0x14001d9d0 DeleteCriticalSection
 0x14001d9d8 EnterCriticalSection
 0x14001d9e0 GetLastError
 0x14001d9e8 InitializeCriticalSection
 0x14001d9f0 LeaveCriticalSection
 0x14001d9f8 SetUnhandledExceptionFilter
 0x14001da00 Sleep
 0x14001da08 TlsGetValue
 0x14001da10 VirtualProtect
 0x14001da18 VirtualQuery

EAT (Export Address Table): none