ScreenShot
| Created | 2024.10.15 15:10 | Machine | s1_win7_x6401 |
| Filename | JavUmar1.exe | ||
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 44 detected (CryptBot, Malicious, score, GenericKDZ, Unsafe, Kryptik, Vems, confidence, Attribute, HighConfidence, high confidence, GenKryptik, HBZR, CrypterX, 25KWoxie6RB, byvhq, AMADEY, YXEJNZ, Detected, ABTrojan, YHAV, Artemis, GdSda, Simw, AZ8PHU) | ||
| md5 | 7105a2ba8c897b6c2072a6ab0bdecdf1 | ||
| sha256 | abc53ac9f7564ceba0a7548b880b1e92c8e0329ff9680e3c5f06abcbd4e869b9 | ||
| ssdeep | 49152:w6u6AkFUy00GL2vXkEkaBdCtsRbSgVw1y0y1zTPWs8Mo1FqSiqL7ECI4chxGeO2b:wyA+UtvLgXMaBssNSgAyPzT | ||
| imphash | 41db2083dac89343aef584a51a80b293 | ||
| impfuzzy | 24:QT/gfiFAD1vOBoIkLyJdfpTX5XG0bEKkxJgr6vlbDcqSZ9FZGXZ2:9fiIooIk0xTXJG0bNkxJgr6vRwqoFZGM | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 44 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
ET INFO HTTP Request to a *.top domain
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0xab621c CryptAcquireContextA
0xab6220 CryptGenRandom
0xab6224 CryptReleaseContext
KERNEL32.dll
0xab622c DeleteCriticalSection
0xab6230 EnterCriticalSection
0xab6234 FreeLibrary
0xab6238 GetLastError
0xab623c GetModuleHandleA
0xab6240 GetModuleHandleW
0xab6244 GetNativeSystemInfo
0xab6248 GetProcAddress
0xab624c GetProcessHeap
0xab6250 GetStartupInfoA
0xab6254 GetThreadLocale
0xab6258 HeapAlloc
0xab625c HeapFree
0xab6260 InitializeCriticalSection
0xab6264 IsBadReadPtr
0xab6268 IsDBCSLeadByteEx
0xab626c LeaveCriticalSection
0xab6270 LoadLibraryA
0xab6274 MultiByteToWideChar
0xab6278 SetLastError
0xab627c SetUnhandledExceptionFilter
0xab6280 Sleep
0xab6284 TlsGetValue
0xab6288 VirtualAlloc
0xab628c VirtualFree
0xab6290 VirtualProtect
0xab6294 VirtualQuery
0xab6298 WideCharToMultiByte
0xab629c lstrlenA
msvcrt.dll
0xab62a4 __getmainargs
0xab62a8 __initenv
0xab62ac __mb_cur_max
0xab62b0 __p__acmdln
0xab62b4 __p__commode
0xab62b8 __p__fmode
0xab62bc __set_app_type
0xab62c0 __setusermatherr
0xab62c4 _amsg_exit
0xab62c8 _assert
0xab62cc _cexit
0xab62d0 _errno
0xab62d4 _chsize
0xab62d8 _exit
0xab62dc _filelengthi64
0xab62e0 _fileno
0xab62e4 _initterm
0xab62e8 _iob
0xab62ec _lock
0xab62f0 _onexit
0xab62f4 _unlock
0xab62f8 _wcsnicmp
0xab62fc abort
0xab6300 atoi
0xab6304 search
0xab6308 calloc
0xab630c exit
0xab6310 fclose
0xab6314 fflush
0xab6318 fgetpos
0xab631c fopen
0xab6320 fputc
0xab6324 fread
0xab6328 free
0xab632c freopen
0xab6330 fsetpos
0xab6334 fwrite
0xab6338 getc
0xab633c islower
0xab6340 isspace
0xab6344 isupper
0xab6348 isxdigit
0xab634c localeconv
0xab6350 malloc
0xab6354 mbstowcs
0xab6358 memcmp
0xab635c memcpy
0xab6360 memmove
0xab6364 memset
0xab6368 mktime
0xab636c localtime
0xab6370 difftime
0xab6374 _mkdir
0xab6378 perror
0xab637c qsort
0xab6380 realloc
0xab6384 remove
0xab6388 setlocale
0xab638c signal
0xab6390 strchr
0xab6394 strcmp
0xab6398 strerror
0xab639c strlen
0xab63a0 strncmp
0xab63a4 strncpy
0xab63a8 strtol
0xab63ac strtoul
0xab63b0 tolower
0xab63b4 ungetc
0xab63b8 vfprintf
0xab63bc time
0xab63c0 wcslen
0xab63c4 wcstombs
0xab63c8 _stat
0xab63cc _write
0xab63d0 _utime
0xab63d4 _open
0xab63d8 _fileno
0xab63dc _close
0xab63e0 _chmod
EAT(Export Address Table) is none
ADVAPI32.dll
0xab621c CryptAcquireContextA
0xab6220 CryptGenRandom
0xab6224 CryptReleaseContext
KERNEL32.dll
0xab622c DeleteCriticalSection
0xab6230 EnterCriticalSection
0xab6234 FreeLibrary
0xab6238 GetLastError
0xab623c GetModuleHandleA
0xab6240 GetModuleHandleW
0xab6244 GetNativeSystemInfo
0xab6248 GetProcAddress
0xab624c GetProcessHeap
0xab6250 GetStartupInfoA
0xab6254 GetThreadLocale
0xab6258 HeapAlloc
0xab625c HeapFree
0xab6260 InitializeCriticalSection
0xab6264 IsBadReadPtr
0xab6268 IsDBCSLeadByteEx
0xab626c LeaveCriticalSection
0xab6270 LoadLibraryA
0xab6274 MultiByteToWideChar
0xab6278 SetLastError
0xab627c SetUnhandledExceptionFilter
0xab6280 Sleep
0xab6284 TlsGetValue
0xab6288 VirtualAlloc
0xab628c VirtualFree
0xab6290 VirtualProtect
0xab6294 VirtualQuery
0xab6298 WideCharToMultiByte
0xab629c lstrlenA
msvcrt.dll
0xab62a4 __getmainargs
0xab62a8 __initenv
0xab62ac __mb_cur_max
0xab62b0 __p__acmdln
0xab62b4 __p__commode
0xab62b8 __p__fmode
0xab62bc __set_app_type
0xab62c0 __setusermatherr
0xab62c4 _amsg_exit
0xab62c8 _assert
0xab62cc _cexit
0xab62d0 _errno
0xab62d4 _chsize
0xab62d8 _exit
0xab62dc _filelengthi64
0xab62e0 _fileno
0xab62e4 _initterm
0xab62e8 _iob
0xab62ec _lock
0xab62f0 _onexit
0xab62f4 _unlock
0xab62f8 _wcsnicmp
0xab62fc abort
0xab6300 atoi
0xab6304 search
0xab6308 calloc
0xab630c exit
0xab6310 fclose
0xab6314 fflush
0xab6318 fgetpos
0xab631c fopen
0xab6320 fputc
0xab6324 fread
0xab6328 free
0xab632c freopen
0xab6330 fsetpos
0xab6334 fwrite
0xab6338 getc
0xab633c islower
0xab6340 isspace
0xab6344 isupper
0xab6348 isxdigit
0xab634c localeconv
0xab6350 malloc
0xab6354 mbstowcs
0xab6358 memcmp
0xab635c memcpy
0xab6360 memmove
0xab6364 memset
0xab6368 mktime
0xab636c localtime
0xab6370 difftime
0xab6374 _mkdir
0xab6378 perror
0xab637c qsort
0xab6380 realloc
0xab6384 remove
0xab6388 setlocale
0xab638c signal
0xab6390 strchr
0xab6394 strcmp
0xab6398 strerror
0xab639c strlen
0xab63a0 strncmp
0xab63a4 strncpy
0xab63a8 strtol
0xab63ac strtoul
0xab63b0 tolower
0xab63b4 ungetc
0xab63b8 vfprintf
0xab63bc time
0xab63c0 wcslen
0xab63c4 wcstombs
0xab63c8 _stat
0xab63cc _write
0xab63d0 _utime
0xab63d4 _open
0xab63d8 _fileno
0xab63dc _close
0xab63e0 _chmod
EAT(Export Address Table) is none