ScreenShot
| Created | 2021.06.14 13:55 | Machine | s1_win7_x6402 |
| Filename | NewRat.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 61 detected (Tmgrtext, malicious, high confidence, Ramnit, Unsafe, Nimnul, FileInfector, RmnDrp, bqjjnb, K@37eb7u, Ramit, A + W32, IRCNite, Score, 100%, ASVirus, Malex, ai score=84, Neshta, ET#87%, RDMK, cmRtazppoX97wXZt4A1IaCMq+4tB, GenAsa, rluJXE67ft0, Static AI, Malicious PE, Cosmu, confidence) | ||
| md5 | 23ff29e277ce2e65001613c8f79f96dd | ||
| sha256 | a93c6922e26b1a9a9df022a5d5b85b11b84f2b83413f42851ac6ba0141228839 | ||
| ssdeep | 6144:4I0UZgbiyX3FZIRECe5iRA+MOZaWsqirkvOmGBN6IL1Q6xPue77l:lZgIRY5IA+PZasiLbMqQg2et | ||
| imphash | b5838d6aaa3bfdc75af25bfce4c6c923 | ||
| impfuzzy | 48:Tu3MKX1D0VpISestkBcMDnAO9pkx/etHSGrgEyn:TK3X1D0/ISestAcMDA8pkpISlh | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 61 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates known Nitol/ServStart files |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a service |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Foreign language identified in PE resource |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Antivirus | Contains references to security software | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40f038 GetEnvironmentVariableA
0x40f03c GetShortPathNameA
0x40f040 GetModuleFileNameA
0x40f044 ExitProcess
0x40f048 ReleaseMutex
0x40f04c OpenMutexA
0x40f050 MultiByteToWideChar
0x40f054 lstrlenA
0x40f058 WinExec
0x40f05c GetTempPathA
0x40f060 TerminateProcess
0x40f064 lstrcatA
0x40f068 Process32Next
0x40f06c Process32First
0x40f070 CreateToolhelp32Snapshot
0x40f074 WaitForSingleObject
0x40f078 GetLastError
0x40f07c CopyFileA
0x40f080 GlobalMemoryStatusEx
0x40f084 GetSystemInfo
0x40f088 GetVersionExA
0x40f08c GetSystemDefaultUILanguage
0x40f090 SetEnvironmentVariableA
0x40f094 CompareStringW
0x40f098 SetPriorityClass
0x40f09c GetCurrentProcess
0x40f0a0 GetCurrentThread
0x40f0a4 SetThreadPriority
0x40f0a8 LoadLibraryA
0x40f0ac GetProcAddress
0x40f0b0 CloseHandle
0x40f0b4 CreateThread
0x40f0b8 lstrcpyA
0x40f0bc OutputDebugStringA
0x40f0c0 Sleep
0x40f0c4 ExitThread
0x40f0c8 OpenProcess
0x40f0cc GetTickCount
0x40f0d0 CompareStringA
0x40f0d4 SetStdHandle
0x40f0d8 LCMapStringW
0x40f0dc LCMapStringA
0x40f0e0 GetOEMCP
0x40f0e4 GetACP
0x40f0e8 GetCPInfo
0x40f0ec IsBadCodePtr
0x40f0f0 IsBadReadPtr
0x40f0f4 GetStringTypeW
0x40f0f8 GetStringTypeA
0x40f0fc FlushFileBuffers
0x40f100 SetFilePointer
0x40f104 InterlockedIncrement
0x40f108 InterlockedDecrement
0x40f10c WriteFile
0x40f110 GetEnvironmentStringsW
0x40f114 GetEnvironmentStrings
0x40f118 WideCharToMultiByte
0x40f11c FreeEnvironmentStringsW
0x40f120 FreeEnvironmentStringsA
0x40f124 UnhandledExceptionFilter
0x40f128 SetUnhandledExceptionFilter
0x40f12c HeapCreate
0x40f130 GetTimeZoneInformation
0x40f134 GetSystemTime
0x40f138 GetLocalTime
0x40f13c EnterCriticalSection
0x40f140 LeaveCriticalSection
0x40f144 RtlUnwind
0x40f148 HeapReAlloc
0x40f14c HeapAlloc
0x40f150 RaiseException
0x40f154 HeapFree
0x40f158 GetModuleHandleA
0x40f15c GetStartupInfoA
0x40f160 GetCommandLineA
0x40f164 GetVersion
0x40f168 GetCurrentThreadId
0x40f16c TlsSetValue
0x40f170 TlsAlloc
0x40f174 SetLastError
0x40f178 TlsGetValue
0x40f17c SetHandleCount
0x40f180 GetStdHandle
0x40f184 GetFileType
0x40f188 DeleteCriticalSection
0x40f18c InitializeCriticalSection
0x40f190 VirtualFree
0x40f194 VirtualAlloc
0x40f198 IsBadWritePtr
0x40f19c HeapDestroy
USER32.dll
0x40f1c4 wsprintfA
ADVAPI32.dll
0x40f000 CreateServiceA
0x40f004 StartServiceA
0x40f008 RegOpenKeyA
0x40f00c RegSetValueExA
0x40f010 RegCloseKey
0x40f014 RegOpenKeyExA
0x40f018 StartServiceCtrlDispatcherA
0x40f01c RegisterServiceCtrlHandlerA
0x40f020 SetServiceStatus
0x40f024 OpenServiceA
0x40f028 CloseServiceHandle
0x40f02c DeleteService
0x40f030 RegQueryValueExA
SHELL32.dll
0x40f1b0 SHChangeNotify
0x40f1b4 ShellExecuteExA
WS2_32.dll
0x40f1d4 WSASocketA
0x40f1d8 WSAGetLastError
0x40f1dc WSACleanup
0x40f1e0 select
0x40f1e4 sendto
0x40f1e8 recv
0x40f1ec WSAIoctl
0x40f1f0 send
0x40f1f4 inet_addr
0x40f1f8 gethostbyname
0x40f1fc socket
0x40f200 htons
0x40f204 connect
0x40f208 closesocket
0x40f20c WSAStartup
0x40f210 __WSAFDIsSet
0x40f214 setsockopt
0x40f218 htonl
SHLWAPI.dll
0x40f1bc SHDeleteKeyA
WINMM.dll
0x40f1cc timeGetTime
NETAPI32.dll
0x40f1a4 NetUserAdd
0x40f1a8 NetLocalGroupAddMembers
iphlpapi.dll
0x40f220 GetIfTable
EAT(Export Address Table) is none
KERNEL32.dll
0x40f038 GetEnvironmentVariableA
0x40f03c GetShortPathNameA
0x40f040 GetModuleFileNameA
0x40f044 ExitProcess
0x40f048 ReleaseMutex
0x40f04c OpenMutexA
0x40f050 MultiByteToWideChar
0x40f054 lstrlenA
0x40f058 WinExec
0x40f05c GetTempPathA
0x40f060 TerminateProcess
0x40f064 lstrcatA
0x40f068 Process32Next
0x40f06c Process32First
0x40f070 CreateToolhelp32Snapshot
0x40f074 WaitForSingleObject
0x40f078 GetLastError
0x40f07c CopyFileA
0x40f080 GlobalMemoryStatusEx
0x40f084 GetSystemInfo
0x40f088 GetVersionExA
0x40f08c GetSystemDefaultUILanguage
0x40f090 SetEnvironmentVariableA
0x40f094 CompareStringW
0x40f098 SetPriorityClass
0x40f09c GetCurrentProcess
0x40f0a0 GetCurrentThread
0x40f0a4 SetThreadPriority
0x40f0a8 LoadLibraryA
0x40f0ac GetProcAddress
0x40f0b0 CloseHandle
0x40f0b4 CreateThread
0x40f0b8 lstrcpyA
0x40f0bc OutputDebugStringA
0x40f0c0 Sleep
0x40f0c4 ExitThread
0x40f0c8 OpenProcess
0x40f0cc GetTickCount
0x40f0d0 CompareStringA
0x40f0d4 SetStdHandle
0x40f0d8 LCMapStringW
0x40f0dc LCMapStringA
0x40f0e0 GetOEMCP
0x40f0e4 GetACP
0x40f0e8 GetCPInfo
0x40f0ec IsBadCodePtr
0x40f0f0 IsBadReadPtr
0x40f0f4 GetStringTypeW
0x40f0f8 GetStringTypeA
0x40f0fc FlushFileBuffers
0x40f100 SetFilePointer
0x40f104 InterlockedIncrement
0x40f108 InterlockedDecrement
0x40f10c WriteFile
0x40f110 GetEnvironmentStringsW
0x40f114 GetEnvironmentStrings
0x40f118 WideCharToMultiByte
0x40f11c FreeEnvironmentStringsW
0x40f120 FreeEnvironmentStringsA
0x40f124 UnhandledExceptionFilter
0x40f128 SetUnhandledExceptionFilter
0x40f12c HeapCreate
0x40f130 GetTimeZoneInformation
0x40f134 GetSystemTime
0x40f138 GetLocalTime
0x40f13c EnterCriticalSection
0x40f140 LeaveCriticalSection
0x40f144 RtlUnwind
0x40f148 HeapReAlloc
0x40f14c HeapAlloc
0x40f150 RaiseException
0x40f154 HeapFree
0x40f158 GetModuleHandleA
0x40f15c GetStartupInfoA
0x40f160 GetCommandLineA
0x40f164 GetVersion
0x40f168 GetCurrentThreadId
0x40f16c TlsSetValue
0x40f170 TlsAlloc
0x40f174 SetLastError
0x40f178 TlsGetValue
0x40f17c SetHandleCount
0x40f180 GetStdHandle
0x40f184 GetFileType
0x40f188 DeleteCriticalSection
0x40f18c InitializeCriticalSection
0x40f190 VirtualFree
0x40f194 VirtualAlloc
0x40f198 IsBadWritePtr
0x40f19c HeapDestroy
USER32.dll
0x40f1c4 wsprintfA
ADVAPI32.dll
0x40f000 CreateServiceA
0x40f004 StartServiceA
0x40f008 RegOpenKeyA
0x40f00c RegSetValueExA
0x40f010 RegCloseKey
0x40f014 RegOpenKeyExA
0x40f018 StartServiceCtrlDispatcherA
0x40f01c RegisterServiceCtrlHandlerA
0x40f020 SetServiceStatus
0x40f024 OpenServiceA
0x40f028 CloseServiceHandle
0x40f02c DeleteService
0x40f030 RegQueryValueExA
SHELL32.dll
0x40f1b0 SHChangeNotify
0x40f1b4 ShellExecuteExA
WS2_32.dll
0x40f1d4 WSASocketA
0x40f1d8 WSAGetLastError
0x40f1dc WSACleanup
0x40f1e0 select
0x40f1e4 sendto
0x40f1e8 recv
0x40f1ec WSAIoctl
0x40f1f0 send
0x40f1f4 inet_addr
0x40f1f8 gethostbyname
0x40f1fc socket
0x40f200 htons
0x40f204 connect
0x40f208 closesocket
0x40f20c WSAStartup
0x40f210 __WSAFDIsSet
0x40f214 setsockopt
0x40f218 htonl
SHLWAPI.dll
0x40f1bc SHDeleteKeyA
WINMM.dll
0x40f1cc timeGetTime
NETAPI32.dll
0x40f1a4 NetUserAdd
0x40f1a8 NetLocalGroupAddMembers
iphlpapi.dll
0x40f220 GetIfTable
EAT(Export Address Table) is none