Field | Value |
---|---|
Created | 2021.08.28 17:53 |
Machine | s1_win7_x6402 |
Filename | Rbget.exe |
Type | MS-DOS executable, MZ for MS-DOS |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 38 detected (AIDetect, malware1, malicious, high confidence, GenericKD, Unsafe, Save, Starter, ali2000005, ZexaF, @BX@aalOj@ii, Attribute, HighConfidence, ACBZ, CMY3U, FileRepMalware, Siggen15, Artemis, S + Troj, Zbot, MeterpreterSC, hwygp, KVMH008, kcloud, Tnega, score, ai score=85, Limpopo, Generic@ML, RDML, A6XMfKymsms, X6FzOjW, GdSda, susgen) |
md5 | 15478642d48681a67374167d173d4f84 |
sha256 | 4e1c013bf36b27f78e0fdc7ab5a67bc3f62f33c97f5848daf40df7ec7d842fa4 |
ssdeep | 98304:6jT71ntlY5xzFunCcZ2iH9oFfQPjpw6D8cKuEBQ5Qbg+db778Fm/S3DdK1NPgf6K:i3fCcZZ2VQtbXQ9A5DdK1NPgCWXaYRX7 |
imphash | a015e6773f75ebc5c3c4382777305de7 |
impfuzzy | 96:rhmiKd0aQmIZ+ZKrgKSUOfm0OZQUaqyP2e+:QdYjMEQTue+ |
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
watch | A process attempted to delay the analysis task. |
watch | Communicates with host for which no DNS query was performed |
watch | Creates a windows hook that monitors keyboard input (keylogger) |
watch | Creates an executable file in a user folder |
watch | Installs a hook procedure to monitor for mouse events |
watch | Installs itself for autorun at Windows startup |
watch | Looks for the Windows Idle Time to determine the uptime |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates hidden or system file |
notice | Moves the original executable to a new location |
notice | One or more potentially interesting buffers were extracted |
info | Checks amount of memory in system |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
advapi32.dll
0x8cdcf6 GetSidSubAuthority
0x8cdcfa GetSecurityInfo
0x8cdcfe RegCloseKey
0x8cdd02 RegDeleteValueW
0x8cdd06 GetSecurityDescriptorDacl
0x8cdd0a RegCreateKeyExW
0x8cdd0e SetSecurityInfo
0x8cdd12 RegSetValueExW
0x8cdd16 SetNamedSecurityInfoW
0x8cdd1a InitializeSid
0x8cdd1e AddAce
0x8cdd22 InitializeSecurityDescriptor
0x8cdd26 RegQueryValueExW
0x8cdd2a RegQueryValueExA
0x8cdd2e LookupAccountSidW
0x8cdd32 SetEntriesInAclW
0x8cdd36 AllocateAndInitializeSid
0x8cdd3a BuildExplicitAccessWithNameW
0x8cdd3e GetNamedSecurityInfoW
0x8cdd42 CopySid
0x8cdd46 InitializeAcl
0x8cdd4a FreeSid
0x8cdd4e RegOpenKeyExA
0x8cdd52 GetLengthSid
0x8cdd56 RegDeleteKeyW
0x8cdd5a GetAce
0x8cdd5e SetSecurityDescriptorDacl
0x8cdd62 GetTokenInformation
0x8cdd66 IsValidSid
0x8cdd6a GetSidLengthRequired
0x8cdd6e CreateProcessAsUserW
0x8cdd72 GetUserNameW
0x8cdd76 OpenProcessToken
0x8cdd7a RegOpenKeyExW
0x8cdd7e EqualSid
0x8cdd82 GetAclInformation
comctl32.dll
0x8cdd8a _TrackMouseEvent
gdi32.dll
0x8cdd92 GetDeviceCaps
0x8cdd96 RoundRect
0x8cdd9a CreateFontIndirectW
0x8cdd9e CreateCompatibleDC
0x8cdda2 CreatePen
0x8cdda6 GetTextExtentPoint32W
0x8cddaa SetPixel
0x8cddae GetObjectW
0x8cddb2 StretchBlt
0x8cddb6 CreatePatternBrush
0x8cddba GetLayout
0x8cddbe CreateCompatibleBitmap
0x8cddc2 GetPixel
0x8cddc6 BitBlt
0x8cddca SelectObject
0x8cddce CreateSolidBrush
0x8cddd2 DeleteObject
kernel32.dll
0x8cddda GetFileAttributesW
0x8cddde WaitForSingleObject
0x8cdde2 VerifyVersionInfoW
0x8cdde6 CreateFileW
0x8cddea GetComputerNameW
0x8cddee LoadResource
0x8cddf2 GetFullPathNameW
0x8cddf6 ResetEvent
0x8cddfa SetErrorMode
0x8cddfe DeviceIoControl
0x8cde02 SetEvent
0x8cde06 InitializeCriticalSectionAndSpinCount
0x8cde0a InterlockedCompareExchange
0x8cde0e LoadLibraryW
0x8cde12 GetModuleHandleA
0x8cde16 GetLocalTime
0x8cde1a GetModuleFileNameW
0x8cde1e FindClose
0x8cde22 SetCurrentDirectoryW
0x8cde26 WriteFile
0x8cde2a GlobalFree
0x8cde2e HeapFree
0x8cde32 GetProcessHeap
0x8cde36 RaiseException
0x8cde3a OpenProcess
0x8cde3e FindResourceExW
0x8cde42 CreateFileA
0x8cde46 FindResourceW
0x8cde4a CreateProcessW
0x8cde4e SetLastError
0x8cde52 FindNextFileW
0x8cde56 OutputDebugStringW
0x8cde5a GetProcAddress
0x8cde5e GetSystemInfo
0x8cde62 GlobalAlloc
0x8cde66 VerSetConditionMask
0x8cde6a ReleaseMutex
0x8cde6e GlobalLock
0x8cde72 CreateMutexW
0x8cde76 MulDiv
0x8cde7a CreateDirectoryW
0x8cde7e LoadLibraryExW
0x8cde82 IsDebuggerPresent
0x8cde86 GetSystemDirectoryW
0x8cde8a HeapAlloc
0x8cde8e MultiByteToWideChar
0x8cde92 WritePrivateProfileStringW
0x8cde96 GetModuleFileNameA
0x8cde9a GetLastError
0x8cde9e EnterCriticalSection
0x8cdea2 SetFilePointer
0x8cdea6 WideCharToMultiByte
0x8cdeaa GetShortPathNameW
0x8cdeae PulseEvent
0x8cdeb2 FreeLibrary
0x8cdeb6 LeaveCriticalSection
0x8cdeba GetPrivateProfileSectionW
0x8cdebe FindFirstFileW
0x8cdec2 LocalFree
0x8cdec6 GetFileAttributesExW
0x8cdeca GetCurrentProcess
0x8cdece Sleep
0x8cded2 LockResource
0x8cded6 InterlockedExchangeAdd
0x8cdeda GetFileSize
0x8cdede InterlockedIncrement
0x8cdee2 CreateEventW
0x8cdee6 OpenEventW
0x8cdeea ReadFile
0x8cdeee GetModuleHandleW
0x8cdef2 GetStartupInfoW
0x8cdef6 SizeofResource
0x8cdefa RemoveDirectoryW
0x8cdefe InterlockedDecrement
0x8cdf02 GetVersionExW
0x8cdf06 DeleteFileW
0x8cdf0a QueryPerformanceCounter
0x8cdf0e SetEndOfFile
0x8cdf12 GlobalUnlock
0x8cdf16 InitializeCriticalSection
0x8cdf1a InterlockedExchange
0x8cdf1e GetPrivateProfileIntW
0x8cdf22 HeapSize
0x8cdf26 HeapReAlloc
0x8cdf2a IsProcessorFeaturePresent
0x8cdf2e GetTickCount
0x8cdf32 GetCurrentProcessId
0x8cdf36 FormatMessageW
0x8cdf3a HeapDestroy
0x8cdf3e WaitForMultipleObjects
0x8cdf42 CopyFileW
0x8cdf46 GetDriveTypeW
0x8cdf4a GetCurrentThreadId
0x8cdf4e GetWindowsDirectoryW
0x8cdf52 MoveFileExW
0x8cdf56 CloseHandle
0x8cdf5a GetPrivateProfileStringW
0x8cdf5e LocalAlloc
0x8cdf62 VirtualProtectEx
0x8cdf66 ExpandEnvironmentStringsA
0x8cdf6a GetExitCodeProcess
0x8cdf6e DeleteCriticalSection
0x8cdf72 LoadLibraryA
netapi32.dll
0x8cdf7a NetServerEnum
0x8cdf7e NetApiBufferFree
0x8cdf82 DsEnumerateDomainTrustsW
0x8cdf86 NetWkstaGetInfo
ole32.dll
0x8cdf8e CoCreateInstance
0x8cdf92 CoUninitialize
0x8cdf96 CreateStreamOnHGlobal
0x8cdf9a CoInitializeEx
0x8cdf9e CoInitialize
shell32.dll
0x8cdfa6 ShellExecuteExW
0x8cdfaa SHGetSpecialFolderPathW
0x8cdfae SHAppBarMessage
shlwapi.dll
0x8cdfb6 PathIsRelativeA
0x8cdfba PathIsDirectoryW
user32.dll
0x8cdfc2 DestroyWindow
0x8cdfc6 RedrawWindow
0x8cdfca wsprintfW
0x8cdfce SystemParametersInfoW
0x8cdfd2 GetActiveWindow
0x8cdfd6 DrawIconEx
0x8cdfda LoadIconW
0x8cdfde RegisterWindowMessageW
0x8cdfe2 MessageBoxW
0x8cdfe6 SendInput
0x8cdfea PostMessageW
0x8cdfee GetDC
0x8cdff2 GetWindowRect
0x8cdff6 FindWindowW
0x8cdffa ScreenToClient
0x8cdffe SetForegroundWindow
0x8ce002 GetKeyState
0x8ce006 SetWindowLongW
0x8ce00a DestroyIcon
0x8ce00e IsIconic
0x8ce012 GetLastActivePopup
0x8ce016 GetForegroundWindow
0x8ce01a EqualRect
0x8ce01e GetClientRect
0x8ce022 OffsetRect
0x8ce026 IsChild
0x8ce02a SendMessageW
0x8ce02e GetSystemMenu
0x8ce032 InflateRect
0x8ce036 FillRect
0x8ce03a DrawStateW
0x8ce03e PtInRect
0x8ce042 LoadImageW
0x8ce046 CopyRect
0x8ce04a GetSystemMetrics
0x8ce04e DrawIcon
0x8ce052 EnableWindow
0x8ce056 InvalidateRect
0x8ce05a LoadStringW
0x8ce05e GetParent
0x8ce062 GetDlgCtrlID
0x8ce066 TranslateAcceleratorW
0x8ce06a BringWindowToTop
0x8ce06e ReleaseDC
wininet.dll
0x8ce076 InternetCanonicalizeUrlW
0x8ce07a InternetGetConnectedState
EAT(Export Address Table) is none
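The import table above and the imphash in the report header can be cross-checked and triaged with the following script, added here as an example; it is not code from the report or from any sandbox tool. It assumes the IAT text is laid out exactly as above (a bare `name.dll` line followed by `0x<slot> FunctionName` lines) and that the listing preserves import-directory order, which is the only case in which the computed imphash will equal the reported `a015e6773f75ebc5c3c4382777305de7`. The capability buckets are this example's own grouping of Win32 APIs chosen to line up with the behaviour signatures the sandbox raised; a bucket hit is a lead for the analyst, not proof of the behaviour. The second check is the one a practitioner usually cares about on a packed sample: which observed behaviours (the keyboard hook, the network traffic) have no supporting API in the static IAT at all, which points at run-time resolution through the imported `LoadLibrary`/`GetProcAddress` pair or at code that only exists after unpacking.

```python
"""Static triage of the IAT listing in a sandbox report of this layout.

Added example, not code from the report or from any sandbox project.
Assumes the IAT text is a bare 'name.dll' line followed by '0x<slot> Function'
lines in import-directory order (the imphash only matches the reported value
if that order is preserved); the capability buckets are this example's own.
"""
import hashlib
import re
import sys

# Excerpt of the report's own IAT listing (real entries, heavily truncated).
# Pass the complete 'PE API' section as a file argument to compare the
# computed imphash with the one in the report header.
SAMPLE_IAT = """\
advapi32.dll
0x8cdd0a RegCreateKeyExW
0x8cdd12 RegSetValueExW
0x8cdd62 GetTokenInformation
0x8cdd76 OpenProcessToken
kernel32.dll
0x8cde5a GetProcAddress
0x8cde82 IsDebuggerPresent
0x8cdf2e GetTickCount
0x8cdf52 MoveFileExW
0x8cdf62 VirtualProtectEx
0x8cdf72 LoadLibraryA
netapi32.dll
0x8cdf7a NetServerEnum
0x8cdf82 DsEnumerateDomainTrustsW
user32.dll
0x8cdfe6 SendInput
0x8ce002 GetKeyState
"""

DLL_LINE = re.compile(r"^\s*([\w.-]+\.(?:dll|ocx|sys))\s*$", re.I)
IMP_LINE = re.compile(r"^\s*0x[0-9a-f]+\s+(\S+)\s*$", re.I)


def parse_iat(text):
    """Ordered {dll: [function, ...]}; headings and other lines are skipped."""
    imports, current = {}, None
    for line in text.splitlines():
        m = DLL_LINE.match(line)
        if m:
            current = m.group(1).lower()
            imports.setdefault(current, [])
            continue
        m = IMP_LINE.match(line)
        if m and current is not None:
            imports[current].append(m.group(1))
    return imports


def imphash(imports):
    """pefile-style imphash: MD5 over comma-joined 'lib.func', lowercased,
    in import order, with a .dll/.ocx/.sys suffix stripped from lib."""
    pairs = []
    for dll, funcs in imports.items():
        lib = re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())
        pairs += [f"{lib}.{func.lower()}" for func in funcs]
    return hashlib.md5(",".join(pairs).encode()).hexdigest()


# This example's own buckets: APIs that commonly back the behaviours the
# sandbox signatures flagged. A hit is a lead, not proof.
CAPABILITIES = {
    "registry persistence (autorun)": {"RegCreateKeyExW", "RegSetValueExW", "SHGetSpecialFolderPathW"},
    "token / privilege inspection": {"OpenProcessToken", "GetTokenInformation", "CreateProcessAsUserW"},
    "anti-debug / timing": {"IsDebuggerPresent", "GetTickCount", "QueryPerformanceCounter"},
    "runtime API resolution": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW", "GetProcAddress"},
    "self-relocation / file drop": {"MoveFileExW", "CopyFileW", "DeleteFileW"},
    "domain / host reconnaissance": {"NetServerEnum", "DsEnumerateDomainTrustsW", "NetWkstaGetInfo"},
    "input capture or injection": {"SendInput", "GetKeyState", "SetWindowsHookExW", "SetWindowsHookExA"},
    "memory protection change": {"VirtualProtectEx", "VirtualProtect", "VirtualAlloc"},
}

# Behaviours the sandbox observed, with the APIs that usually back them. If
# none is in the static IAT, the call is resolved at run time or sits in code
# that only exists after unpacking.
EXPECTED_FOR_OBSERVED = {
    "keyboard/mouse hook": {"SetWindowsHookExW", "SetWindowsHookExA"},
    "RWX memory": {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "VirtualProtectEx"},
    "network communication": {"InternetOpenW", "InternetOpenA", "HttpOpenRequestW", "WSAStartup", "connect"},
}


def imported_names(imports):
    return {func for funcs in imports.values() for func in funcs}


def capabilities(imports):
    """Map each bucket to the APIs from it that are actually imported."""
    seen = imported_names(imports)
    return {cap: sorted(seen & apis) for cap, apis in CAPABILITIES.items() if seen & apis}


def missing_for_observed(imports):
    """Observed behaviours with no supporting API in the static IAT."""
    seen = imported_names(imports)
    return sorted(beh for beh, apis in EXPECTED_FOR_OBSERVED.items() if not seen & apis)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IAT
    imps = parse_iat(text)
    print("imphash:", imphash(imps), "(compare with the report header)")
    for cap, apis in capabilities(imps).items():
        print(f"{cap:34s} {', '.join(apis)}")
    for beh in missing_for_observed(imps):
        print("no static import for observed behaviour:", beh)
```

Run it with the full `PE API` section saved to a file to get the imphash of the complete listing; run it without arguments to see the bucket report on the excerpt. Since the parser ignores any line that is not a DLL name or a slot/function pair, the section can be pasted in unchanged, headings included. Note that the imphash is order-sensitive by design, so a listing that has been re-sorted (for example alphabetically by function) will hash differently from the binary even when every import is present.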