ScreenShot
| Created | 2021.06.24 20:51 | Machine | s1_win7_x6401 |
| Filename | rdpclipd.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 53 detected (AIDetect, malware1, malicious, high confidence, Redosdru, Unsafe, Save, confidence, 100%, Domar, dpmsdy, Gencirc, DownLoader16, ZEGOST, SM14, FJYJ, arjxq, ATRAPS, Gen4, ASCommon, Farfli, score, R139782, ai score=89, BScope, Generic@ML, RDMK, +dPQK8sRmgLxemUf9AU4iA, GenAsa, WSlM6c0I2qQ, Static AI, Suspicious PE, susgen) | ||
| md5 | 9356e66f9e704c587c66521fff104ddd | ||
| sha256 | 0a26e5b7a813b49276c7b02470d677db61171701b71e5697fa80cb6518a34865 | ||
| ssdeep | 192:67C2//WhoH9wwvLRkaD7oU/zTVXW0vGY2C+vkfEJD2JswP1oyn5608/:uC2XqoLRka/or0vGYtvADGsm1v6d | ||
| imphash | 92d3052d4cbf487e84c4f1e98366fff8 | ||
| impfuzzy | 12:JaB+5QGu4Gv+GXRzGy5Fk7GzUJTMJqGOwd9Hydd43QBA/DzCqeJ2:JaB+5T0v+GdXk7+CIqqd243QB0Dz22 | ||
Network IP location
Signature (9cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Installs itself for autorun at Windows startup |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a service |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| info | The executable uses a known packer |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts) ?
Suricata ids
ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))
PE API
IAT(Import Address Table) Library
MSVCRT.dll
0x403060 realloc
0x403064 _controlfp
0x403068 _except_handler3
0x40306c __set_app_type
0x403070 __p__fmode
0x403074 __p__commode
0x403078 _adjust_fdiv
0x40307c __setusermatherr
0x403080 _initterm
0x403084 __getmainargs
0x403088 _acmdln
0x40308c exit
0x403090 _XcptFilter
0x403094 _exit
0x403098 _CIasin
0x40309c _ftol
0x4030a0 printf
0x4030a4 ??3@YAXPAX@Z
0x4030a8 ??2@YAPAXI@Z
0x4030ac malloc
0x4030b0 free
imagehlp.dll
0x4030b8 MakeSureDirectoryPathExists
KERNEL32.dll
0x403000 InterlockedExchange
0x403004 LocalAlloc
0x403008 GetStartupInfoA
0x40300c GetModuleHandleA
0x403010 SetFilePointer
0x403014 GetFileSize
0x403018 ReadFile
0x40301c CreateFileA
0x403020 WriteFile
0x403024 CloseHandle
0x403028 FreeLibrary
0x40302c HeapFree
0x403030 IsBadReadPtr
0x403034 LoadLibraryA
0x403038 GetProcAddress
0x40303c VirtualFree
0x403040 VirtualProtect
0x403044 Sleep
0x403048 VirtualAlloc
0x40304c GetProcessHeap
0x403050 HeapAlloc
0x403054 GetLastError
0x403058 RaiseException
EAT(Export Address Table) is none
MSVCRT.dll
0x403060 realloc
0x403064 _controlfp
0x403068 _except_handler3
0x40306c __set_app_type
0x403070 __p__fmode
0x403074 __p__commode
0x403078 _adjust_fdiv
0x40307c __setusermatherr
0x403080 _initterm
0x403084 __getmainargs
0x403088 _acmdln
0x40308c exit
0x403090 _XcptFilter
0x403094 _exit
0x403098 _CIasin
0x40309c _ftol
0x4030a0 printf
0x4030a4 ??3@YAXPAX@Z
0x4030a8 ??2@YAPAXI@Z
0x4030ac malloc
0x4030b0 free
imagehlp.dll
0x4030b8 MakeSureDirectoryPathExists
KERNEL32.dll
0x403000 InterlockedExchange
0x403004 LocalAlloc
0x403008 GetStartupInfoA
0x40300c GetModuleHandleA
0x403010 SetFilePointer
0x403014 GetFileSize
0x403018 ReadFile
0x40301c CreateFileA
0x403020 WriteFile
0x403024 CloseHandle
0x403028 FreeLibrary
0x40302c HeapFree
0x403030 IsBadReadPtr
0x403034 LoadLibraryA
0x403038 GetProcAddress
0x40303c VirtualFree
0x403040 VirtualProtect
0x403044 Sleep
0x403048 VirtualAlloc
0x40304c GetProcessHeap
0x403050 HeapAlloc
0x403054 GetLastError
0x403058 RaiseException
EAT(Export Address Table) is none