ScreenShot
| Created | 2021.06.30 10:14 | Machine | s1_win7_x6402 |
| Filename | Protecteded.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 50 detected (AIDetect, malware2, malicious, high confidence, Razy, Unsafe, Save, FLFY, Attribute, HighConfidence, EPJG, R002H0CFS21, PWSX, Solmyr, Auto, AGEN, Inject4, VirRansom, Score, KVM006, kcloud, Zbot, Artemis, ai score=83, BScope, TrojanPSW, Racealer, CLASSIC, susgen, PossibleThreat, HykCPkQA) | ||
| md5 | db77d643f56c5e832b3b67492debaedd | ||
| sha256 | 90cf380fe740fe0238b6657feee9905d2f03a6945bcde6db01f24948a3a41a7a | ||
| ssdeep | 49152:sW6O75oig21VgjmeqP0QE8oIw+P3Rp/exp969:sVb869qNpoIw+PfQT2 | ||
| imphash | 4dfea731e342ecfb5ceb366d5bafbbf1 | ||
| impfuzzy | 48:c4FmAz/l1wzxQQZwgowbbV2gkH1xR3Yl39Pjw419xoT+ytmFNjWc4jMhHw+pxmHy:+Az/l1GxQQZfoubogkH1xRuNPjl19xQG | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| watch | Installs an hook procedure to monitor for mouse events |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Connects to a Dynamic DNS Domain |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)
ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)
ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0x58b000 GetProcAddress
0x58b004 RtlMoveMemory
0x58b008 GetModuleHandleW
0x58b00c WriteFile
0x58b010 RtlFillMemory
MSVBVM60.DLL
0x58b018 __vbaVarSub
0x58b01c __vbaStrI2
0x58b020 _CIcos
0x58b024 _adj_fptan
0x58b028 __vbaVarMove
0x58b02c __vbaStrI4
0x58b030 __vbaVarVargNofree
0x58b034 __vbaFreeVar
0x58b038 __vbaAryMove
0x58b03c __vbaStrVarMove
0x58b040 __vbaLenBstr
0x58b044 __vbaFreeVarList
0x58b048 _adj_fdiv_m64
0x58b04c None
0x58b050 __vbaFreeObjList
0x58b054 __vbaStrErrVarCopy
0x58b058 _adj_fprem1
0x58b05c __vbaStrCat
0x58b060 __vbaSetSystemError
0x58b064 __vbaHresultCheckObj
0x58b068 __vbaLenVar
0x58b06c _adj_fdiv_m32
0x58b070 __vbaAryDestruct
0x58b074 __vbaObjSet
0x58b078 None
0x58b07c _adj_fdiv_m16i
0x58b080 __vbaObjSetAddref
0x58b084 _adj_fdivr_m16i
0x58b088 __vbaVarTstLt
0x58b08c __vbaRefVarAry
0x58b090 __vbaBoolVarNull
0x58b094 _CIsin
0x58b098 None
0x58b09c __vbaChkstk
0x58b0a0 EVENT_SINK_AddRef
0x58b0a4 None
0x58b0a8 None
0x58b0ac __vbaVarLikeVar
0x58b0b0 DllFunctionCall
0x58b0b4 _adj_fpatan
0x58b0b8 __vbaRedim
0x58b0bc EVENT_SINK_Release
0x58b0c0 __vbaNew
0x58b0c4 _CIsqrt
0x58b0c8 EVENT_SINK_QueryInterface
0x58b0cc __vbaStr2Vec
0x58b0d0 __vbaExceptHandler
0x58b0d4 __vbaStrToUnicode
0x58b0d8 _adj_fprem
0x58b0dc _adj_fdivr_m64
0x58b0e0 None
0x58b0e4 __vbaFPException
0x58b0e8 None
0x58b0ec __vbaStrVarVal
0x58b0f0 __vbaUbound
0x58b0f4 __vbaVarCat
0x58b0f8 None
0x58b0fc _CIlog
0x58b100 __vbaNew2
0x58b104 __vbaR8Str
0x58b108 _adj_fdiv_m32i
0x58b10c _adj_fdivr_m32i
0x58b110 __vbaStrCopy
0x58b114 __vbaI4Str
0x58b118 __vbaFreeStrList
0x58b11c _adj_fdivr_m32
0x58b120 _adj_fdiv_r
0x58b124 None
0x58b128 __vbaI4Var
0x58b12c __vbaAryLock
0x58b130 __vbaVarAdd
0x58b134 __vbaStrToAnsi
0x58b138 __vbaVarDup
0x58b13c __vbaVarCopy
0x58b140 None
0x58b144 _CIatan
0x58b148 __vbaStrMove
0x58b14c __vbaCastObj
0x58b150 __vbaAryCopy
0x58b154 _allmul
0x58b158 _CItan
0x58b15c __vbaAryUnlock
0x58b160 None
0x58b164 _CIexp
0x58b168 __vbaFreeStr
0x58b16c __vbaFreeObj
EAT(Export Address Table) is none
KERNEL32.DLL
0x58b000 GetProcAddress
0x58b004 RtlMoveMemory
0x58b008 GetModuleHandleW
0x58b00c WriteFile
0x58b010 RtlFillMemory
MSVBVM60.DLL
0x58b018 __vbaVarSub
0x58b01c __vbaStrI2
0x58b020 _CIcos
0x58b024 _adj_fptan
0x58b028 __vbaVarMove
0x58b02c __vbaStrI4
0x58b030 __vbaVarVargNofree
0x58b034 __vbaFreeVar
0x58b038 __vbaAryMove
0x58b03c __vbaStrVarMove
0x58b040 __vbaLenBstr
0x58b044 __vbaFreeVarList
0x58b048 _adj_fdiv_m64
0x58b04c None
0x58b050 __vbaFreeObjList
0x58b054 __vbaStrErrVarCopy
0x58b058 _adj_fprem1
0x58b05c __vbaStrCat
0x58b060 __vbaSetSystemError
0x58b064 __vbaHresultCheckObj
0x58b068 __vbaLenVar
0x58b06c _adj_fdiv_m32
0x58b070 __vbaAryDestruct
0x58b074 __vbaObjSet
0x58b078 None
0x58b07c _adj_fdiv_m16i
0x58b080 __vbaObjSetAddref
0x58b084 _adj_fdivr_m16i
0x58b088 __vbaVarTstLt
0x58b08c __vbaRefVarAry
0x58b090 __vbaBoolVarNull
0x58b094 _CIsin
0x58b098 None
0x58b09c __vbaChkstk
0x58b0a0 EVENT_SINK_AddRef
0x58b0a4 None
0x58b0a8 None
0x58b0ac __vbaVarLikeVar
0x58b0b0 DllFunctionCall
0x58b0b4 _adj_fpatan
0x58b0b8 __vbaRedim
0x58b0bc EVENT_SINK_Release
0x58b0c0 __vbaNew
0x58b0c4 _CIsqrt
0x58b0c8 EVENT_SINK_QueryInterface
0x58b0cc __vbaStr2Vec
0x58b0d0 __vbaExceptHandler
0x58b0d4 __vbaStrToUnicode
0x58b0d8 _adj_fprem
0x58b0dc _adj_fdivr_m64
0x58b0e0 None
0x58b0e4 __vbaFPException
0x58b0e8 None
0x58b0ec __vbaStrVarVal
0x58b0f0 __vbaUbound
0x58b0f4 __vbaVarCat
0x58b0f8 None
0x58b0fc _CIlog
0x58b100 __vbaNew2
0x58b104 __vbaR8Str
0x58b108 _adj_fdiv_m32i
0x58b10c _adj_fdivr_m32i
0x58b110 __vbaStrCopy
0x58b114 __vbaI4Str
0x58b118 __vbaFreeStrList
0x58b11c _adj_fdivr_m32
0x58b120 _adj_fdiv_r
0x58b124 None
0x58b128 __vbaI4Var
0x58b12c __vbaAryLock
0x58b130 __vbaVarAdd
0x58b134 __vbaStrToAnsi
0x58b138 __vbaVarDup
0x58b13c __vbaVarCopy
0x58b140 None
0x58b144 _CIatan
0x58b148 __vbaStrMove
0x58b14c __vbaCastObj
0x58b150 __vbaAryCopy
0x58b154 _allmul
0x58b158 _CItan
0x58b15c __vbaAryUnlock
0x58b160 None
0x58b164 _CIexp
0x58b168 __vbaFreeStr
0x58b16c __vbaFreeObj
EAT(Export Address Table) is none