Field | Value |
---|---|
Created | 2025.01.02 10:50 |
Machine | s1_win7_x6401 |
Filename | Bootxr.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | Not found |
Behavior Score | |
ZERO API | |
VT API (file) | 39 detected (AIDetectMalware, Boxter, Ghanarava, Unsafe, V48e, malicious, confidence, Attribute, HighConfidence, moderate confidence, XMRMiner, Bitmin, CLOUD, score, Static AI, Malicious PE, Detected, XMRig, Wacatac, Artemis, R002H09LV24, PossibleThreat) |
md5 | cab92c144fd667cef7315c451bed854b |
sha256 | 49f94ed44fa9a834f246a5a038aa971b26f928d32ed438faacccba2398753297 |
ssdeep | 3072:miC9j6h94pOCEAXZjjRbkspKUywXd5LJsNVQFGdFPHzcDq5OAg0Fuj0IpabX/FHi:miCDG4Bk/9IdzEQFGMAOtwX/FHi |
imphash | a5eda6aa560c438e40024c6429fdd42a |
impfuzzy | 24:3hjPcpVWcstdS1CM3JBl3eDoroIOovbO3gv9FZYjMAkEZHu9QADuKmIb1/me:tcpV5stdS1CMPpXe3y9FZmA6KV/X |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 39 AntiVirus engines on VirusTotal as malicious |
watch | A stratum cryptocurrency mining command was executed |
watch | Creates a suspicious Powershell process |
watch | Installs itself for autorun at Windows startup |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table), by library
KERNEL32.dll
0x423018 CloseHandle
0x42301c CreateProcessW
0x423020 GetLastError
0x423024 HeapSize
0x423028 SetStdHandle
0x42302c Sleep
0x423030 GetFileAttributesW
0x423034 WaitForSingleObject
0x423038 GetModuleFileNameW
0x42303c CreateFileW
0x423040 CreateDirectoryW
0x423044 WideCharToMultiByte
0x423048 EnterCriticalSection
0x42304c LeaveCriticalSection
0x423050 InitializeCriticalSectionEx
0x423054 DeleteCriticalSection
0x423058 EncodePointer
0x42305c DecodePointer
0x423060 MultiByteToWideChar
0x423064 LCMapStringEx
0x423068 GetStringTypeW
0x42306c GetCPInfo
0x423070 UnhandledExceptionFilter
0x423074 SetUnhandledExceptionFilter
0x423078 GetCurrentProcess
0x42307c TerminateProcess
0x423080 IsProcessorFeaturePresent
0x423084 IsDebuggerPresent
0x423088 GetStartupInfoW
0x42308c GetModuleHandleW
0x423090 QueryPerformanceCounter
0x423094 GetCurrentProcessId
0x423098 GetCurrentThreadId
0x42309c GetSystemTimeAsFileTime
0x4230a0 InitializeSListHead
0x4230a4 RtlUnwind
0x4230a8 RaiseException
0x4230ac SetLastError
0x4230b0 InitializeCriticalSectionAndSpinCount
0x4230b4 TlsAlloc
0x4230b8 TlsGetValue
0x4230bc TlsSetValue
0x4230c0 TlsFree
0x4230c4 FreeLibrary
0x4230c8 GetProcAddress
0x4230cc LoadLibraryExW
0x4230d0 ExitProcess
0x4230d4 GetModuleHandleExW
0x4230d8 GetStdHandle
0x4230dc WriteFile
0x4230e0 GetCommandLineA
0x4230e4 GetCommandLineW
0x4230e8 HeapAlloc
0x4230ec HeapFree
0x4230f0 GetFileType
0x4230f4 CompareStringW
0x4230f8 LCMapStringW
0x4230fc GetLocaleInfoW
0x423100 IsValidLocale
0x423104 GetUserDefaultLCID
0x423108 EnumSystemLocalesW
0x42310c FlushFileBuffers
0x423110 GetConsoleCP
0x423114 GetConsoleMode
0x423118 ReadFile
0x42311c GetFileSizeEx
0x423120 SetFilePointerEx
0x423124 ReadConsoleW
0x423128 HeapReAlloc
0x42312c FindClose
0x423130 FindFirstFileExW
0x423134 FindNextFileW
0x423138 IsValidCodePage
0x42313c GetACP
0x423140 GetOEMCP
0x423144 GetEnvironmentStringsW
0x423148 FreeEnvironmentStringsW
0x42314c SetEnvironmentVariableW
0x423150 GetProcessHeap
0x423154 WriteConsoleW
USER32.dll
0x42315c wsprintfW
ADVAPI32.dll
0x423000 RegSetValueExW
0x423004 RegOpenKeyExW
0x423008 RegCreateKeyW
0x42300c RegQueryValueExW
0x423010 RegCloseKey
EAT (Export Address Table): none