Field | Value |
---|---|
Created | 2025.03.28 09:30 |
Machine | s1_win7_x6403 |
Filename | gfdthawdddd.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | |
VT API (file) | 54 detected (AIDetectMalware, Miner, Malicious, score, FWHP, Tedy, Unsafe, CoinMiner, Kryptik, Vszr, confidence, 100%, Attribute, HighConfidence, Windows, Threat, Genkryptik, kwkdek, Staser, g2ZCviiLSKR, AGEN, Siggen31, Static AI, Malicious PE, Detected, Eldorado, DropperX, R622355, GdSda, PE04C9V, ln79aBUTstE, GQCB, RK8PHU) |
md5 | cb1ab881df77d5e59c9cd71a042489dd |
sha256 | 23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780 |
ssdeep | 98304:JiGUZDIMGpNQVgB6W9Yj1FbFKGZkZk0a51wYKZpptRA3x9JEY0UiHO5RcrNkjR:KGpNfB8pFbFK1G0a5k7A3LJGUiu5WJkd |
imphash | b237ac2118704db9e7609540658f5790 |
impfuzzy | 12:FMHHGf5XGXKiEG6eGJyJk6lTpJqJZJVZJfMRJRJJoARZqRVPXJHqc:FMGf5XGf6ZgJkoDqnvZJfQfjBcV9 |
Network IP location
Signature (2cnts)
Level | Description |
---|---|
danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (6cnts)
Suricata ids
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x140016b00 __C_specific_handler
0x140016b08 __getmainargs
0x140016b10 __initenv
0x140016b18 __iob_func
0x140016b20 __set_app_type
0x140016b28 __setusermatherr
0x140016b30 _amsg_exit
0x140016b38 _cexit
0x140016b40 _commode
0x140016b48 _fmode
0x140016b50 _initterm
0x140016b58 _onexit
0x140016b60 _wcsicmp
0x140016b68 _wcsnicmp
0x140016b70 abort
0x140016b78 calloc
0x140016b80 exit
0x140016b88 fprintf
0x140016b90 free
0x140016b98 fwrite
0x140016ba0 malloc
0x140016ba8 memcpy
0x140016bb0 memset
0x140016bb8 signal
0x140016bc0 strcat
0x140016bc8 strcpy
0x140016bd0 strlen
0x140016bd8 strncmp
0x140016be0 strstr
0x140016be8 vfprintf
0x140016bf0 wcscat
0x140016bf8 wcscpy
0x140016c00 wcslen
0x140016c08 wcsncmp
0x140016c10 wcsstr
KERNEL32.dll
0x140016c20 DeleteCriticalSection
0x140016c28 EnterCriticalSection
0x140016c30 GetLastError
0x140016c38 InitializeCriticalSection
0x140016c40 LeaveCriticalSection
0x140016c48 SetUnhandledExceptionFilter
0x140016c50 Sleep
0x140016c58 TlsGetValue
0x140016c60 VirtualProtect
0x140016c68 VirtualQuery
EAT(Export Address Table) is none