Report - RuntimeBroker.exe

Gen2 Malicious Library PE64 PE File OS Processor Check
Created 2021.10.01 09:48 Machine s1_win7_x6402
Filename RuntimeBroker.exe
Type PE32+ executable (GUI) x86-64, for MS Windows
AI Score 1
Behavior Score 4.0
ZERO API (file) malware
VT API (file) 15 detected (ClipBanker, TrojanBanker, Malicious, score, xrzdw, kcloud, Wacatac, Artemis)
md5 8065e99bad5ca445cc93fb51511f28a2
sha256 8072b59731f897542f7999d2a9aaa92abc576d364179d057672ec8222afefe06
ssdeep 6144:hjzXhUDN1sGcVwkBCX+6i4HG9LcZ83jCIdTNVKk:hjjhw1svcX+6i4+
imphash 85876006c2ecd2e9a446192cb4f7518c
impfuzzy 48:ZOPLcRrXsWIWFQ99gVL+8vYlaZ/vNz9kl4O+tpMBMLSQMM:ZaLcRrXsWIWFQrgVL+8vxNz9klctpGc

Signature (5 counts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
watch File has been identified by 15 AntiVirus engines on VirusTotal as malicious
notice Creates a shortcut to an executable file

Rules (5 counts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)

Network (31 counts)

Request CC ASN Co IP4 Rule ZERO
61.162.220.58 CN CHINA UNICOM China169 Backbone 61.162.220.58 clean
117.18.237.29 TW EDGECAST 117.18.237.29 clean
119.36.226.210 CN CHINA UNICOM China169 Backbone 119.36.226.210 clean
104.192.110.245 US Beijing Qihu Technology Company Limited 104.192.110.245 clean
116.177.248.108 CN CHINA UNICOM China169 Backbone 116.177.248.108 clean
114.55.205.237 CN Hangzhou Alibaba Advertising Co.,Ltd. 114.55.205.237 clean
103.235.46.191 HK Beijing Baidu Netcom Science and Technology Co., Ltd. 103.235.46.191 malicious
123.56.15.95 CN Hangzhou Alibaba Advertising Co.,Ltd. 123.56.15.95 clean
220.185.168.228 CN Chinanet 220.185.168.228 clean
140.249.60.184 CN Qingdao,266000 140.249.60.184 clean
180.163.251.76 CN China Telecom (Group) 180.163.251.76 clean
123.113.216.89 CN China Unicom Beijing Province Network 123.113.216.89 clean
47.108.115.101 CN Hangzhou Alibaba Advertising Co.,Ltd. 47.108.115.101 clean
113.105.172.41 CN CHINANET Guangdong province network 113.105.172.41 malware
180.101.190.124 CN Jiangsu ZhenJiang IDC network 180.101.190.124 clean
47.246.29.14 US Zhejiang Taobao Network Co.,Ltd 47.246.29.14 clean
120.52.95.235 CN China Unicom IP network 120.52.95.235 malware
203.119.216.75 CN Hangzhou Alibaba Advertising Co.,Ltd. 203.119.216.75 clean
49.233.246.186 CN Shenzhen Tencent Computer Systems Company Limited 49.233.246.186 clean
120.39.202.71 CN Fuzhou 120.39.202.71 clean
106.196.71.55 Unknown 106.196.71.55 clean
119.28.164.142 VN Tencent Building, Kejizhongyi Avenue 119.28.164.142 clean
47.94.223.128 CN Hangzhou Alibaba Advertising Co.,Ltd. 47.94.223.128 clean
101.91.140.56 CN China Telecom (Group) 101.91.140.56 clean
139.170.156.220 CN CHINA UNICOM China169 Backbone 139.170.156.220 clean
122.225.216.240 CN CT-HangZhou-IDC 122.225.216.240 clean
106.11.250.206 CN Hangzhou Alibaba Advertising Co.,Ltd. 106.11.250.206 clean
58.223.168.189 CN Chinanet 58.223.168.189 clean
106.11.84.4 CN Hangzhou Alibaba Advertising Co.,Ltd. 106.11.84.4 clean
101.198.192.8 CN Beijing Qihu Technology Company Limited 101.198.192.8 clean
106.75.97.110 CN China Unicom Beijing Province Network 106.75.97.110 clean

Suricata IDS

PE API

IAT (Import Address Table) Library

ADVAPI32.dll
 0x14003d000 SystemFunction036
KERNEL32.dll
 0x14003d010 DeleteFileW
 0x14003d018 HeapFree
 0x14003d020 GetLastError
 0x14003d028 SetLastError
 0x14003d030 GetModuleFileNameW
 0x14003d038 CopyFileExW
 0x14003d040 Sleep
 0x14003d048 GlobalLock
 0x14003d050 GlobalSize
 0x14003d058 GlobalUnlock
 0x14003d060 EnterCriticalSection
 0x14003d068 LeaveCriticalSection
 0x14003d070 GlobalAlloc
 0x14003d078 GlobalFree
 0x14003d080 CreateSymbolicLinkW
 0x14003d088 AddVectoredExceptionHandler
 0x14003d090 SetThreadStackGuarantee
 0x14003d098 HeapAlloc
 0x14003d0a0 GetProcessHeap
 0x14003d0a8 HeapReAlloc
 0x14003d0b0 lstrlenW
 0x14003d0b8 AcquireSRWLockExclusive
 0x14003d0c0 ReleaseSRWLockExclusive
 0x14003d0c8 GetModuleHandleA
 0x14003d0d0 GetProcAddress
 0x14003d0d8 TlsGetValue
 0x14003d0e0 TlsSetValue
 0x14003d0e8 AcquireSRWLockShared
 0x14003d0f0 ReleaseSRWLockShared
 0x14003d0f8 GetEnvironmentVariableW
 0x14003d100 GetCurrentDirectoryW
 0x14003d108 GetCurrentProcess
 0x14003d110 GetCurrentThread
 0x14003d118 RtlCaptureContext
 0x14003d120 RtlLookupFunctionEntry
 0x14003d128 ReleaseMutex
 0x14003d130 WaitForSingleObjectEx
 0x14003d138 LoadLibraryA
 0x14003d140 CreateMutexA
 0x14003d148 CloseHandle
 0x14003d150 GetStdHandle
 0x14003d158 GetConsoleMode
 0x14003d160 WriteFile
 0x14003d168 WriteConsoleW
 0x14003d170 TlsAlloc
 0x14003d178 GetModuleHandleW
 0x14003d180 FormatMessageW
 0x14003d188 CreateDirectoryW
 0x14003d190 CreateFileW
 0x14003d198 GetFileInformationByHandle
 0x14003d1a0 DeviceIoControl
 0x14003d1a8 InitializeCriticalSection
 0x14003d1b0 TryEnterCriticalSection
 0x14003d1b8 SetUnhandledExceptionFilter
 0x14003d1c0 UnhandledExceptionFilter
 0x14003d1c8 IsDebuggerPresent
 0x14003d1d0 IsProcessorFeaturePresent
 0x14003d1d8 RtlVirtualUnwind
 0x14003d1e0 InitializeSListHead
 0x14003d1e8 GetSystemTimeAsFileTime
 0x14003d1f0 GetCurrentThreadId
 0x14003d1f8 GetCurrentProcessId
 0x14003d200 QueryPerformanceCounter
ole32.dll
 0x14003d380 CoTaskMemFree
SHELL32.dll
 0x14003d210 SHGetKnownFolderPath
USER32.dll
 0x14003d220 SetClipboardData
 0x14003d228 EmptyClipboard
 0x14003d230 GetClipboardData
 0x14003d238 OpenClipboard
 0x14003d240 CloseClipboard
WS2_32.dll
 0x14003d290 WSACleanup
VCRUNTIME140.dll
 0x14003d250 __current_exception
 0x14003d258 memset
 0x14003d260 __C_specific_handler
 0x14003d268 memmove
 0x14003d270 memcmp
 0x14003d278 memcpy
 0x14003d280 __current_exception_context
api-ms-win-crt-runtime-l1-1-0.dll
 0x14003d2d0 _initterm_e
 0x14003d2d8 __p___argv
 0x14003d2e0 __p___argc
 0x14003d2e8 _seh_filter_exe
 0x14003d2f0 _exit
 0x14003d2f8 _c_exit
 0x14003d300 _register_onexit_function
 0x14003d308 _crt_atexit
 0x14003d310 terminate
 0x14003d318 _set_app_type
 0x14003d320 _initialize_onexit_table
 0x14003d328 _cexit
 0x14003d330 exit
 0x14003d338 _initterm
 0x14003d340 _get_initial_narrow_environment
 0x14003d348 _initialize_narrow_environment
 0x14003d350 _configure_narrow_argv
 0x14003d358 _register_thread_local_exe_atexit_callback
api-ms-win-crt-math-l1-1-0.dll
 0x14003d2c0 __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll
 0x14003d368 __p__commode
 0x14003d370 _set_fmode
api-ms-win-crt-locale-l1-1-0.dll
 0x14003d2b0 _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll
 0x14003d2a0 _set_new_mode

EAT (Export Address Table) none

Similarity measure (PE file only)