Report - RDPWInst.exe

Tags: Gen2, Gen1, UPX, Malicious Packer, Malicious Library, OS Processor Check, PE File, PE32

Created: 2021.08.11 10:05    Machine: s1_win7_x6401
Filename: RDPWInst.exe
Type: PE32 executable (console) Intel 80386, for MS Windows
AI Score: 5
Behavior Score: 1.6
ZERO API (file): malware
VT API (file): 45 detected. Engine label fragments: RDPWrap, malicious, high confidence, RemoteAdmin, Misc, Unsafe, Tool, RemoteTool, A potentially unsafe, Msilperseus, fgzswy, Generic@ML, RDML, udk7SerMqsOzHh+oM6uaYQ, HackTool, Radmin, Infected, ai score=99, ASMalwS, NetTool, score, R220687, Artemis, Igent, bUFxrI, susgen, confidence, 100%
md5:      3288c284561055044c489567fd630ac2
sha256:   ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
ssdeep:   24576:prKxoVT2iXc+IZ++6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:EHZ5pdqYH8ia6GcKuR7
imphash:  a89655faa2b6840e801be1e1c779fc67
impfuzzy: 96:ocW57Nz5cycfpjmgGpjcLS1P9Xg0KhxwDwPOQ/BYXB:ocqNFj1d+hrPOQaB

Signature (3cnts)

Level   Description
danger  File has been identified by 45 AntiVirus engines on VirusTotal as malicious
info    Command line console output was observed
info    The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (8cnts)

Level   Name                            Description           Collection
danger  Win32_Trojan_Gen_1_0904B0_Zero  Win32 Trojan Emotet   binaries (upload)
watch   Malicious_Library_Zero          Malicious_Library     binaries (upload)
watch   Malicious_Packer_Zero           Malicious Packer      binaries (upload)
watch   UPX_Zero                        UPX packed file       binaries (upload)
info    IsPE32                          (no description)      binaries (upload)
info    OS_Processor_Check_Zero         OS Processor Check    binaries (upload)
info    PE_Header_Zero                  PE File Signature     binaries (upload)
info    Win32_Trojan_Gen_2_0904B0_Zero  Win32 Trojan Gen      binaries (upload)

Note: the "Emotet" wording is the description attached to the generic rule Win32_Trojan_Gen_1_0904B0_Zero, not a family attribution from the engines; the VirusTotal label fragments above (RDPWrap, RemoteAdmin, RemoteTool, HackTool, "A potentially unsafe") classify the sample as a remote-administration tool.

Network (0cnts)

Request  CC  ASN  Co  IP4  Rule
(no network requests were recorded during the run; the WinINet imports listed in the IAT below were not exercised)

Suricata IDS

(no alerts listed)

PE API

IAT (Import Address Table), grouped by library. The same DLL appears under several headers because the binary carries several import descriptors for it; each header starts a new descriptor.

oleaut32.dll
 0x44c3e8 SysFreeString
 0x44c3ec SysReAllocStringLen
 0x44c3f0 SysAllocStringLen
advapi32.dll
 0x44c3f8 RegQueryValueExW
 0x44c3fc RegOpenKeyExW
 0x44c400 RegCloseKey
user32.dll
 0x44c408 LoadStringW
 0x44c40c MessageBoxA
 0x44c410 CharNextW
kernel32.dll
 0x44c418 lstrcmpiA
 0x44c41c LoadLibraryA
 0x44c420 LocalFree
 0x44c424 LocalAlloc
 0x44c428 GetACP
 0x44c42c Sleep
 0x44c430 VirtualFree
 0x44c434 VirtualAlloc
 0x44c438 GetSystemInfo
 0x44c43c GetTickCount
 0x44c440 QueryPerformanceCounter
 0x44c444 GetVersion
 0x44c448 GetCurrentThreadId
 0x44c44c VirtualQuery
 0x44c450 WideCharToMultiByte
 0x44c454 MultiByteToWideChar
 0x44c458 lstrlenW
 0x44c45c lstrcpynW
 0x44c460 LoadLibraryExW
 0x44c464 IsValidLocale
 0x44c468 GetSystemDefaultUILanguage
 0x44c46c GetStartupInfoA
 0x44c470 GetProcAddress
 0x44c474 GetModuleHandleW
 0x44c478 GetModuleFileNameW
 0x44c47c GetUserDefaultUILanguage
 0x44c480 GetLocaleInfoW
 0x44c484 GetLastError
 0x44c488 GetCommandLineW
 0x44c48c FreeLibrary
 0x44c490 FindFirstFileW
 0x44c494 FindClose
 0x44c498 ExitProcess
 0x44c49c CompareStringW
 0x44c4a0 WriteFile
 0x44c4a4 UnhandledExceptionFilter
 0x44c4a8 SetFilePointer
 0x44c4ac SetEndOfFile
 0x44c4b0 RtlUnwind
 0x44c4b4 ReadFile
 0x44c4b8 RaiseException
 0x44c4bc GetStdHandle
 0x44c4c0 GetFileSize
 0x44c4c4 GetFileType
 0x44c4c8 DeleteCriticalSection
 0x44c4cc LeaveCriticalSection
 0x44c4d0 EnterCriticalSection
 0x44c4d4 InitializeCriticalSection
 0x44c4d8 CreateFileW
 0x44c4dc CloseHandle
kernel32.dll
 0x44c4e4 TlsSetValue
 0x44c4e8 TlsGetValue
 0x44c4ec LocalAlloc
 0x44c4f0 GetModuleHandleW
user32.dll
 0x44c4f8 MessageBoxW
 0x44c4fc LoadStringW
 0x44c500 GetSystemMetrics
 0x44c504 CharUpperBuffW
 0x44c508 CharNextW
kernel32.dll
 0x44c510 WriteFile
 0x44c514 WideCharToMultiByte
 0x44c518 WaitForSingleObject
 0x44c51c VirtualQueryEx
 0x44c520 VirtualQuery
 0x44c524 VirtualFree
 0x44c528 TerminateProcess
 0x44c52c Sleep
 0x44c530 SizeofResource
 0x44c534 SignalObjectAndWait
 0x44c538 SetFilePointer
 0x44c53c SetEvent
 0x44c540 SetEndOfFile
 0x44c544 ResetEvent
 0x44c548 RemoveDirectoryW
 0x44c54c ReadFile
 0x44c550 OpenProcess
 0x44c554 MultiByteToWideChar
 0x44c558 LockResource
 0x44c55c LoadResource
 0x44c560 LoadLibraryExW
 0x44c564 LeaveCriticalSection
 0x44c568 InitializeCriticalSection
 0x44c56c GetVersionExW
 0x44c570 GetThreadLocale
 0x44c574 GetNativeSystemInfo
 0x44c578 GetStdHandle
 0x44c57c GetProcAddress
 0x44c580 GetModuleHandleW
 0x44c584 GetModuleFileNameW
 0x44c588 GetLocaleInfoW
 0x44c58c GetLocalTime
 0x44c590 GetLastError
 0x44c594 GetFullPathNameW
 0x44c598 GetFileAttributesW
 0x44c59c GetDiskFreeSpaceW
 0x44c5a0 GetDateFormatW
 0x44c5a4 GetCurrentThreadId
 0x44c5a8 GetCurrentProcess
 0x44c5ac GetCPInfo
 0x44c5b0 FreeResource
 0x44c5b4 InterlockedExchange
 0x44c5b8 InterlockedCompareExchange
 0x44c5bc FreeLibrary
 0x44c5c0 FormatMessageW
 0x44c5c4 FindResourceW
 0x44c5c8 FindFirstFileW
 0x44c5cc FindClose
 0x44c5d0 ExpandEnvironmentStringsW
 0x44c5d4 EnumCalendarInfoW
 0x44c5d8 EnterCriticalSection
 0x44c5dc DeleteFileW
 0x44c5e0 DeleteCriticalSection
 0x44c5e4 CreateProcessW
 0x44c5e8 CreateFileW
 0x44c5ec CreateEventW
 0x44c5f0 CreateDirectoryW
 0x44c5f4 CompareStringW
 0x44c5f8 CloseHandle
advapi32.dll
 0x44c600 RegUnLoadKeyW
 0x44c604 RegSetValueExW
 0x44c608 RegSaveKeyW
 0x44c60c RegRestoreKeyW
 0x44c610 RegReplaceKeyW
 0x44c614 RegQueryValueExW
 0x44c618 RegQueryInfoKeyW
 0x44c61c RegOpenKeyExW
 0x44c620 RegLoadKeyW
 0x44c624 RegFlushKey
 0x44c628 RegEnumValueW
 0x44c62c RegEnumKeyExW
 0x44c630 RegDeleteValueW
 0x44c634 RegDeleteKeyW
 0x44c638 RegCreateKeyExW
 0x44c63c RegConnectRegistryW
 0x44c640 RegCloseKey
 0x44c644 OpenProcessToken
 0x44c648 LookupPrivilegeValueW
 0x44c64c AdjustTokenPrivileges
kernel32.dll
 0x44c654 Sleep
oleaut32.dll
 0x44c65c SafeArrayPtrOfIndex
 0x44c660 SafeArrayGetUBound
 0x44c664 SafeArrayGetLBound
 0x44c668 SafeArrayCreate
 0x44c66c VariantChangeType
 0x44c670 VariantCopy
 0x44c674 VariantClear
 0x44c678 VariantInit
advapi32.dll
 0x44c680 StartServiceW
 0x44c684 QueryServiceConfigW
 0x44c688 OpenServiceW
 0x44c68c OpenSCManagerW
 0x44c690 CloseServiceHandle
 0x44c694 ChangeServiceConfigW
wininet.dll
 0x44c69c InternetReadFile
 0x44c6a0 InternetOpenUrlW
 0x44c6a4 InternetOpenW
 0x44c6a8 InternetCloseHandle
advapi32.dll
 0x44c6b0 EnumServicesStatusExW

EAT (Export Address Table): none
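Added example, not part of this report and not code from the RDP Wrapper project: a small Python triage helper that parses an IAT listing in the report's own layout and groups the imported APIs into capability buckets. The embedded listing is an excerpt of the table above; the bucket definitions, the finding texts and the function names (parse_iat, classify, triage) are my own choices, not a vendor rule set. Static imports show what the binary can do, not what it did: the WinINet download path is imported, but the run above recorded no network requests, so the example carries that through as a finding to verify at runtime rather than as a verdict.

```python
import re
from collections import OrderedDict

# Excerpt of the IAT listing printed in this report, in the report's own layout:
# a bare "dll" header line followed by " 0xADDR Name" entries. advapi32.dll
# appears under several headers (separate import descriptors); the parser merges them.
IAT_LISTING = """\
kernel32.dll
 0x44c528 TerminateProcess
 0x44c550 OpenProcess
 0x44c5e4 CreateProcessW
advapi32.dll
 0x44c600 RegUnLoadKeyW
 0x44c604 RegSetValueExW
 0x44c608 RegSaveKeyW
 0x44c60c RegRestoreKeyW
 0x44c610 RegReplaceKeyW
 0x44c620 RegLoadKeyW
 0x44c630 RegDeleteValueW
 0x44c634 RegDeleteKeyW
 0x44c638 RegCreateKeyExW
 0x44c644 OpenProcessToken
 0x44c648 LookupPrivilegeValueW
 0x44c64c AdjustTokenPrivileges
advapi32.dll
 0x44c680 StartServiceW
 0x44c684 QueryServiceConfigW
 0x44c688 OpenServiceW
 0x44c68c OpenSCManagerW
 0x44c690 CloseServiceHandle
 0x44c694 ChangeServiceConfigW
wininet.dll
 0x44c69c InternetReadFile
 0x44c6a0 InternetOpenUrlW
 0x44c6a4 InternetOpenW
 0x44c6a8 InternetCloseHandle
advapi32.dll
 0x44c6b0 EnumServicesStatusExW
"""

# Capability buckets chosen for this triage (my own grouping, not a vendor rule set).
CAPABILITIES = {
    "service_control": {"OpenSCManagerW", "OpenServiceW", "ChangeServiceConfigW",
                        "StartServiceW", "QueryServiceConfigW", "EnumServicesStatusExW"},
    "registry_hive_ops": {"RegLoadKeyW", "RegUnLoadKeyW", "RegSaveKeyW",
                          "RegRestoreKeyW", "RegReplaceKeyW"},
    "registry_write": {"RegSetValueExW", "RegCreateKeyExW", "RegDeleteKeyW", "RegDeleteValueW"},
    "privilege_adjust": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "http_fetch": {"InternetOpenW", "InternetOpenUrlW", "InternetReadFile"},
    "process_control": {"CreateProcessW", "OpenProcess", "TerminateProcess"},
}


def parse_iat(listing):
    """Return {dll: [api, ...]} in first-seen order; repeated DLL headers are merged."""
    imports = OrderedDict()
    current = None
    for line in listing.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # header line: DLL name
            current = line.strip().lower()
            imports.setdefault(current, [])
            continue
        m = re.match(r"\s*0x[0-9a-fA-F]+\s+(\S+)", line)   # " 0xADDR Name" entry
        if m and current is not None:
            imports[current].append(m.group(1))
    return imports


def classify(imports):
    """Map imported API names onto capability buckets; only buckets with a hit are returned."""
    names = {api for apis in imports.values() for api in apis}
    return {cap: sorted(names & apis) for cap, apis in CAPABILITIES.items() if names & apis}


def triage(imports, network_count):
    """Turn bucket hits into findings. Imports show what the binary can do; each finding
    names the runtime evidence that would confirm the capability was actually used."""
    caps = classify(imports)
    findings = []
    if set(caps.get("privilege_adjust", [])) == CAPABILITIES["privilege_adjust"]:
        findings.append("full token-privilege enable sequence imported "
                        "(OpenProcessToken -> LookupPrivilegeValueW -> AdjustTokenPrivileges)")
    if "registry_hive_ops" in caps and "privilege_adjust" in caps:
        findings.append("registry hive load/save/restore APIs next to privilege adjustment; "
                        "RegLoadKeyW/RegSaveKeyW/RegRestoreKeyW need SeBackupPrivilege/SeRestorePrivilege")
    if "ChangeServiceConfigW" in caps.get("service_control", []):
        findings.append("can reconfigure an existing service (ChangeServiceConfigW); "
                        "confirm via Service Control Manager event 7040 or the service's registry key")
    if "http_fetch" in caps:
        status = "not exercised in this run" if network_count == 0 else "observed in this run"
        findings.append(f"WinINet download path imported (InternetOpenUrlW/InternetReadFile), {status}")
    return findings


if __name__ == "__main__":
    iat = parse_iat(IAT_LISTING)
    for cap, apis in classify(iat).items():
        print(f"{cap}: {', '.join(apis)}")
    for finding in triage(iat, network_count=0):   # 0 = the "Network (0cnts)" entry above
        print("-", finding)
```

The bucket approach is deliberately coarse: a hit means the API name is present in the import table, nothing more. Delay-loaded or GetProcAddress-resolved imports (GetProcAddress and LoadLibraryA/LoadLibraryExW are both in the table above) would not show up here, so an empty bucket is not evidence of absence.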
