ScreenShot
| Created | 2021.04.02 10:53 | Machine | s1_win7_x6401 |
| Filename | rldr.10.4.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 6 detected (malicious, high confidence, kcloud, score) | ||
| md5 | 81e6dcf2510ffc2400743e912448013f | ||
| sha256 | 258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4 | ||
| ssdeep | 6144:4hzyPKlU/jriw3T2ZWAz7aFnFLbUkMHEdlFzMKVEyMWAF:AOCqZU81i9W | ||
| imphash | bb3b7b74ba5cf43655fdbba213daa5ca | ||
| impfuzzy | 48:NEtZ/+fcAu8gtMAGuA6E/gXlEUAkRzVanBSvF1bKGCAoPT:NEn/+fcAu8gtMAUpFbA2 | ||
Network IP location
Signature (27cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | Generates some ICMP traffic |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Code injection by writing an executable or DLL to the memory of another process |
| watch | Communicates with host for which no DNS query was performed |
| watch | Drops a binary and executes it |
| watch | Installs itself for autorun at Windows startup |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Creates hidden or system file |
| notice | File has been identified by 6 AntiVirus engines on VirusTotal as malicious |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | This executable has a PDB path |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | create_service | Create a windows service | memory |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | network_dns | Communications use DNS | binaries (download) |
| info | network_dns | Communications use DNS | binaries (upload) |
| info | win_files_operation | Affect private profile | binaries (download) |
| info | win_files_operation | Affect private profile | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140018000 GetProcAddress
0x140018008 LoadLibraryW
0x140018010 CloseHandle
0x140018018 CreateThread
0x140018020 GetModuleHandleW
0x140018028 GetLastError
0x140018030 ExitProcess
0x140018038 CreateEventW
0x140018040 WaitForMultipleObjects
0x140018048 CreateFileA
0x140018050 GetLocaleInfoW
0x140018058 SetStdHandle
0x140018060 WriteConsoleW
0x140018068 GetConsoleOutputCP
0x140018070 WriteConsoleA
0x140018078 InitializeCriticalSectionAndSpinCount
0x140018080 LoadLibraryA
0x140018088 IsValidLocale
0x140018090 EnumSystemLocalesA
0x140018098 GetUserDefaultLCID
0x1400180a0 HeapReAlloc
0x1400180a8 GetLocaleInfoA
0x1400180b0 IsValidCodePage
0x1400180b8 GetOEMCP
0x1400180c0 GetACP
0x1400180c8 HeapSize
0x1400180d0 SetFilePointer
0x1400180d8 ReadFile
0x1400180e0 GetStringTypeA
0x1400180e8 FlushFileBuffers
0x1400180f0 GetConsoleMode
0x1400180f8 GetConsoleCP
0x140018100 GetSystemTimeAsFileTime
0x140018108 Sleep
0x140018110 InitializeCriticalSection
0x140018118 DeleteCriticalSection
0x140018120 EnterCriticalSection
0x140018128 LeaveCriticalSection
0x140018130 WideCharToMultiByte
0x140018138 MultiByteToWideChar
0x140018140 RaiseException
0x140018148 RtlPcToFileHeader
0x140018150 RtlLookupFunctionEntry
0x140018158 RtlUnwindEx
0x140018160 GetStartupInfoW
0x140018168 TerminateProcess
0x140018170 GetCurrentProcess
0x140018178 UnhandledExceptionFilter
0x140018180 SetUnhandledExceptionFilter
0x140018188 IsDebuggerPresent
0x140018190 RtlVirtualUnwind
0x140018198 RtlCaptureContext
0x1400181a0 HeapFree
0x1400181a8 GetCPInfo
0x1400181b0 LCMapStringA
0x1400181b8 LCMapStringW
0x1400181c0 GetStringTypeW
0x1400181c8 HeapAlloc
0x1400181d0 EncodePointer
0x1400181d8 DecodePointer
0x1400181e0 FlsGetValue
0x1400181e8 FlsSetValue
0x1400181f0 FlsFree
0x1400181f8 SetLastError
0x140018200 GetCurrentThreadId
0x140018208 FlsAlloc
0x140018210 WriteFile
0x140018218 GetStdHandle
0x140018220 GetModuleFileNameA
0x140018228 GetModuleFileNameW
0x140018230 FreeEnvironmentStringsW
0x140018238 GetEnvironmentStringsW
0x140018240 GetCommandLineW
0x140018248 SetHandleCount
0x140018250 GetFileType
0x140018258 GetStartupInfoA
0x140018260 HeapSetInformation
0x140018268 HeapCreate
0x140018270 QueryPerformanceCounter
0x140018278 GetTickCount
0x140018280 GetCurrentProcessId
USER32.dll
0x140018290 EnableWindow
0x140018298 MessageBoxW
0x1400182a0 SendMessageA
0x1400182a8 SendMessageW
0x1400182b0 GetWindowTextLengthW
0x1400182b8 SetWindowTextW
0x1400182c0 GetDlgItem
0x1400182c8 SetDlgItemTextW
0x1400182d0 GetDlgItemTextA
0x1400182d8 GetDlgItemInt
0x1400182e0 PostQuitMessage
0x1400182e8 EndDialog
0x1400182f0 GetMessageW
0x1400182f8 CreateDialogParamW
0x140018300 ShowWindow
0x140018308 TranslateMessage
0x140018310 DispatchMessageW
WS2_32.dll
0x140018320 WSACleanup
0x140018328 WSAGetLastError
0x140018330 WSAStartup
0x140018338 closesocket
0x140018340 WSAEventSelect
0x140018348 connect
0x140018350 htons
0x140018358 getaddrinfo
0x140018360 socket
0x140018368 WSAEnumNetworkEvents
0x140018370 send
0x140018378 recv
EAT(Export Address Table) is none
KERNEL32.dll
0x140018000 GetProcAddress
0x140018008 LoadLibraryW
0x140018010 CloseHandle
0x140018018 CreateThread
0x140018020 GetModuleHandleW
0x140018028 GetLastError
0x140018030 ExitProcess
0x140018038 CreateEventW
0x140018040 WaitForMultipleObjects
0x140018048 CreateFileA
0x140018050 GetLocaleInfoW
0x140018058 SetStdHandle
0x140018060 WriteConsoleW
0x140018068 GetConsoleOutputCP
0x140018070 WriteConsoleA
0x140018078 InitializeCriticalSectionAndSpinCount
0x140018080 LoadLibraryA
0x140018088 IsValidLocale
0x140018090 EnumSystemLocalesA
0x140018098 GetUserDefaultLCID
0x1400180a0 HeapReAlloc
0x1400180a8 GetLocaleInfoA
0x1400180b0 IsValidCodePage
0x1400180b8 GetOEMCP
0x1400180c0 GetACP
0x1400180c8 HeapSize
0x1400180d0 SetFilePointer
0x1400180d8 ReadFile
0x1400180e0 GetStringTypeA
0x1400180e8 FlushFileBuffers
0x1400180f0 GetConsoleMode
0x1400180f8 GetConsoleCP
0x140018100 GetSystemTimeAsFileTime
0x140018108 Sleep
0x140018110 InitializeCriticalSection
0x140018118 DeleteCriticalSection
0x140018120 EnterCriticalSection
0x140018128 LeaveCriticalSection
0x140018130 WideCharToMultiByte
0x140018138 MultiByteToWideChar
0x140018140 RaiseException
0x140018148 RtlPcToFileHeader
0x140018150 RtlLookupFunctionEntry
0x140018158 RtlUnwindEx
0x140018160 GetStartupInfoW
0x140018168 TerminateProcess
0x140018170 GetCurrentProcess
0x140018178 UnhandledExceptionFilter
0x140018180 SetUnhandledExceptionFilter
0x140018188 IsDebuggerPresent
0x140018190 RtlVirtualUnwind
0x140018198 RtlCaptureContext
0x1400181a0 HeapFree
0x1400181a8 GetCPInfo
0x1400181b0 LCMapStringA
0x1400181b8 LCMapStringW
0x1400181c0 GetStringTypeW
0x1400181c8 HeapAlloc
0x1400181d0 EncodePointer
0x1400181d8 DecodePointer
0x1400181e0 FlsGetValue
0x1400181e8 FlsSetValue
0x1400181f0 FlsFree
0x1400181f8 SetLastError
0x140018200 GetCurrentThreadId
0x140018208 FlsAlloc
0x140018210 WriteFile
0x140018218 GetStdHandle
0x140018220 GetModuleFileNameA
0x140018228 GetModuleFileNameW
0x140018230 FreeEnvironmentStringsW
0x140018238 GetEnvironmentStringsW
0x140018240 GetCommandLineW
0x140018248 SetHandleCount
0x140018250 GetFileType
0x140018258 GetStartupInfoA
0x140018260 HeapSetInformation
0x140018268 HeapCreate
0x140018270 QueryPerformanceCounter
0x140018278 GetTickCount
0x140018280 GetCurrentProcessId
USER32.dll
0x140018290 EnableWindow
0x140018298 MessageBoxW
0x1400182a0 SendMessageA
0x1400182a8 SendMessageW
0x1400182b0 GetWindowTextLengthW
0x1400182b8 SetWindowTextW
0x1400182c0 GetDlgItem
0x1400182c8 SetDlgItemTextW
0x1400182d0 GetDlgItemTextA
0x1400182d8 GetDlgItemInt
0x1400182e0 PostQuitMessage
0x1400182e8 EndDialog
0x1400182f0 GetMessageW
0x1400182f8 CreateDialogParamW
0x140018300 ShowWindow
0x140018308 TranslateMessage
0x140018310 DispatchMessageW
WS2_32.dll
0x140018320 WSACleanup
0x140018328 WSAGetLastError
0x140018330 WSAStartup
0x140018338 closesocket
0x140018340 WSAEventSelect
0x140018348 connect
0x140018350 htons
0x140018358 getaddrinfo
0x140018360 socket
0x140018368 WSAEnumNetworkEvents
0x140018370 send
0x140018378 recv
EAT(Export Address Table) is none