Field | Value |
---|---|
Created | 2025.04.11 13:57 |
Machine | s1_win7_x6401 |
Filename | c2new.exe |
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows |
ZERO API | file : malware |
VT API (file) | 55 detected (AIDetectMalware, Rozena, Malicious, score, Ghanarava, VirRansom, GenericKD, Unsafe, Save, confidence, 100%, Genus, Attribute, HighConfidence, high confidence, Tedy, SilentCryptoMiner, 5LqL13wtlLE, EPACK, Gen2, Siggen31, Static AI, Malicious PE, Detected, CoinMiner, Malware@#d7bkdrsk6afb, TPQ25L, Eldorado, R603078, Artemis, MeterpreterSC, Chgt, PE04C9V, Gencirc, Miner) |
md5 | d0640e92557e6e8e5ecd511b4c61094e |
sha256 | de16b5c3d206c6a7d3f9eb8db90c912e6b1ae04e7cccaec35861b09bc9ad91a1 |
ssdeep | 98304:IseDHwoQzQ4QrGOvvqfu7ghoa6pQkr+N3SCzhIw68ts9XVBBbT25R:IVGOvChoa8IJSCzew6v9XTVT25 |
imphash | 84364258335aa120aa66630a9ee645bf |
impfuzzy | 12:YRJRJJoARZqRVPXJHqV0MHHGf5XGXKiEG6eGJwk6lm/GaJqhiZJn:8fjBcVK0MGf5XGf6Zykom/GCqgZJn |
Signature (2cnts)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (2cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts)
Suricata ids
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x14057d190 DeleteCriticalSection
0x14057d198 EnterCriticalSection
0x14057d1a0 GetLastError
0x14057d1a8 InitializeCriticalSection
0x14057d1b0 LeaveCriticalSection
0x14057d1b8 SetUnhandledExceptionFilter
0x14057d1c0 Sleep
0x14057d1c8 TlsGetValue
0x14057d1d0 VirtualProtect
0x14057d1d8 VirtualQuery
msvcrt.dll
0x14057d1e8 __C_specific_handler
0x14057d1f0 __getmainargs
0x14057d1f8 __initenv
0x14057d200 __iob_func
0x14057d208 __set_app_type
0x14057d210 __setusermatherr
0x14057d218 _amsg_exit
0x14057d220 _cexit
0x14057d228 _commode
0x14057d230 _fmode
0x14057d238 _initterm
0x14057d240 _onexit
0x14057d248 abort
0x14057d250 calloc
0x14057d258 exit
0x14057d260 fprintf
0x14057d268 fputs
0x14057d270 free
0x14057d278 malloc
0x14057d280 signal
0x14057d288 strlen
0x14057d290 strncmp
0x14057d298 vfprintf
0x14057d2a0 wcscat
0x14057d2a8 wcscpy
0x14057d2b0 wcslen
0x14057d2b8 wcsncmp
0x14057d2c0 wcsstr
0x14057d2c8 _wcsnicmp
0x14057d2d0 _wcsicmp
EAT (Export Address Table): none