ScreenShot
| Created | 2021.09.22 22:25 | Machine | s1_win7_x6401 |
| Filename | rsoft.exe | ||
| Type | MS-DOS executable, MZ for MS-DOS | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 31 detected (malicious, high confidence, GenericKD, Unsafe, TrojanPSW, Racealer, ZexaF, fovaaqqKQ41P, Attribute, HighConfidence, GenCBL, Artemis, Redcap, glfga, Phonzy, F37PCZ, score, ai score=81, BScope, Witch, PasswordStealer, Behavior, confidence) | ||
| md5 | 31ce4f326c616ad189f2b03bdee1e20d | ||
| sha256 | cb2aff101fb0bdb70d2a113910feee36d63fb65fd9bcee5016b2338d318df67e | ||
| ssdeep | 49152:zKP4T/U5f0IkgIedz0oZ34jhlOKCP5yhQmJNNAiXUn5TKPK6OvhMvC:84DUR53z4j7ODP5yDJ7Aikn5Tp6pvC | ||
| imphash | 4f0265512a1363fc11fe0c410b950baf | ||
| impfuzzy | 6:nERGDfAGavEKFAUKXPMKobGeSc9Q3c2AxyTO6LO7dplYWYE+cEWKC6zAn:EcDfAYK5KjHN3c2A+O6LOTlYKrKCKAn | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 31 AntiVirus engines on VirusTotal as malicious |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Checks the version of Bios |
| watch | Communicates with host for which no DNS query was performed |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Detects VirtualBox through the presence of a registry key |
| watch | Detects VMWare through the in instruction feature |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Expresses interest in specific running processes |
| notice | Foreign language identified in PE resource |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Collects information to fingerprint the system (MachineGuid |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (2cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (5cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0xad8118 GetModuleHandleA
0xad811c GetProcAddress
USER32.dll
0xad8124 wsprintfW
GDI32.dll
0xad812c BitBlt
ADVAPI32.dll
0xad8134 GetTokenInformation
SHELL32.dll
0xad813c SHGetFolderPathA
ole32.dll
0xad8144 CoInitialize
USERENV.dll
0xad814c GetUserProfileDirectoryA
ktmw32.dll
0xad8154 CreateTransaction
crypt.dll
0xad815c BCryptDecrypt
CRYPT32.dll
0xad8164 CryptStringToBinaryA
SHLWAPI.dll
0xad816c StrCmpNW
WINHTTP.dll
0xad8174 WinHttpSendRequest
gdiplus.dll
0xad817c GdiplusStartup
EAT(Export Address Table) is none
KERNEL32.DLL
0xad8118 GetModuleHandleA
0xad811c GetProcAddress
USER32.dll
0xad8124 wsprintfW
GDI32.dll
0xad812c BitBlt
ADVAPI32.dll
0xad8134 GetTokenInformation
SHELL32.dll
0xad813c SHGetFolderPathA
ole32.dll
0xad8144 CoInitialize
USERENV.dll
0xad814c GetUserProfileDirectoryA
ktmw32.dll
0xad8154 CreateTransaction
crypt.dll
0xad815c BCryptDecrypt
CRYPT32.dll
0xad8164 CryptStringToBinaryA
SHLWAPI.dll
0xad816c StrCmpNW
WINHTTP.dll
0xad8174 WinHttpSendRequest
gdiplus.dll
0xad817c GdiplusStartup
EAT(Export Address Table) is none