Field | Value |
---|---|
Created | 2024.10.11 14:01 |
Machine | s1_win7_x6403 |
Filename | JavUmar.exe |
Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 43 detected (AIDetectMalware, GenericKDZ, Kryptik, V6fl, malicious, confidence, Attribute, HighConfidence, high confidence, GenKryptik, HBZR, CrypterX, CryptBot, 25KWoxie6RB, xoyug, AMADEY, YXEJKZ, GenKDZ, Detected, CJGQ47, Eldorado, Artemis, GdSda, Jtgl, AZ8PHU) |
md5 | 3394808f2d5c141b86e33a51ace8a577 |
sha256 | 277eafa55c929bc4c805bd1d540d2385922ddcc26ad360af7b947987ca45e758 |
ssdeep | 49152:zX1kYWFZc6jmmW1RXZmRUd0/Gj4L1iNhQG3nHeSy/o+8k547W9UXwgZJ5hWGDPfk:zSzjmhasSGj4L0NhN3H1y/o+ZwW9 |
imphash | 41db2083dac89343aef584a51a80b293 |
impfuzzy | 24:QT/gfiFAD1vOBoIkLyJdfpTX5XG0bEKkxJgr6vlbDcqSZ9FZGXZ2:9fiIooIk0xTXJG0bNkxJgr6vRwqoFZGM |
Network IP location
Signature (8cnts)
Level | Description |
---|---|
danger | File has been identified by 43 AntiVirus engines on VirusTotal as malicious |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Sends data using the HTTP POST Method |
info | Command line console output was observed |
info | Queries for the computername |
Rules (8cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0xa1721c CryptAcquireContextA
0xa17220 CryptGenRandom
0xa17224 CryptReleaseContext
KERNEL32.dll
0xa1722c DeleteCriticalSection
0xa17230 EnterCriticalSection
0xa17234 FreeLibrary
0xa17238 GetLastError
0xa1723c GetModuleHandleA
0xa17240 GetModuleHandleW
0xa17244 GetNativeSystemInfo
0xa17248 GetProcAddress
0xa1724c GetProcessHeap
0xa17250 GetStartupInfoA
0xa17254 GetThreadLocale
0xa17258 HeapAlloc
0xa1725c HeapFree
0xa17260 InitializeCriticalSection
0xa17264 IsBadReadPtr
0xa17268 IsDBCSLeadByteEx
0xa1726c LeaveCriticalSection
0xa17270 LoadLibraryA
0xa17274 MultiByteToWideChar
0xa17278 SetLastError
0xa1727c SetUnhandledExceptionFilter
0xa17280 Sleep
0xa17284 TlsGetValue
0xa17288 VirtualAlloc
0xa1728c VirtualFree
0xa17290 VirtualProtect
0xa17294 VirtualQuery
0xa17298 WideCharToMultiByte
0xa1729c lstrlenA
msvcrt.dll
0xa172a4 __getmainargs
0xa172a8 __initenv
0xa172ac __mb_cur_max
0xa172b0 __p__acmdln
0xa172b4 __p__commode
0xa172b8 __p__fmode
0xa172bc __set_app_type
0xa172c0 __setusermatherr
0xa172c4 _amsg_exit
0xa172c8 _assert
0xa172cc _cexit
0xa172d0 _errno
0xa172d4 _chsize
0xa172d8 _exit
0xa172dc _filelengthi64
0xa172e0 _fileno
0xa172e4 _initterm
0xa172e8 _iob
0xa172ec _lock
0xa172f0 _onexit
0xa172f4 _unlock
0xa172f8 _wcsnicmp
0xa172fc abort
0xa17300 atoi
0xa17304 search
0xa17308 calloc
0xa1730c exit
0xa17310 fclose
0xa17314 fflush
0xa17318 fgetpos
0xa1731c fopen
0xa17320 fputc
0xa17324 fread
0xa17328 free
0xa1732c freopen
0xa17330 fsetpos
0xa17334 fwrite
0xa17338 getc
0xa1733c islower
0xa17340 isspace
0xa17344 isupper
0xa17348 isxdigit
0xa1734c localeconv
0xa17350 malloc
0xa17354 mbstowcs
0xa17358 memcmp
0xa1735c memcpy
0xa17360 memmove
0xa17364 memset
0xa17368 mktime
0xa1736c localtime
0xa17370 difftime
0xa17374 _mkdir
0xa17378 perror
0xa1737c qsort
0xa17380 realloc
0xa17384 remove
0xa17388 setlocale
0xa1738c signal
0xa17390 strchr
0xa17394 strcmp
0xa17398 strerror
0xa1739c strlen
0xa173a0 strncmp
0xa173a4 strncpy
0xa173a8 strtol
0xa173ac strtoul
0xa173b0 tolower
0xa173b4 ungetc
0xa173b8 vfprintf
0xa173bc time
0xa173c0 wcslen
0xa173c4 wcstombs
0xa173c8 _stat
0xa173cc _write
0xa173d0 _utime
0xa173d4 _open
0xa173d8 _fileno
0xa173dc _close
0xa173e0 _chmod
EAT (Export Address Table): none