Field | Value
---|---
Created | 2021.11.01 11:37
Machine | s1_win7_x6403
Filename | rollerkind.exe
Type | PE32 executable (GUI) Intel 80386, for MS Windows
AI Score | (not shown)
Behavior Score | (not shown)
ZERO API | file : clean
VT API (file) | 25 detected (AIDetect, malware1, malicious, high confidence, Unsafe, Save, Hacktool, confidence, Kryptik, Eldorado, Convagent, A + Troj, Krypt, Score, Wacatac, R373480, ET#92%, RDMK, cmRtazo2usPKGHEWQSfHL7T4az3+, Static AI, Malicious PE, susgen)
md5 | f12a2a6e1d8b3c7e2e998e808da6ac3a
sha256 | f3d5fa1c93562561de5b75fca1ff06dfaaf276886f409f3130f6da32f92c708d
ssdeep | 12288:eoPOjkoO9zYFZ6r0rPVOfW+sfAw4We+qis9KvX3unnn:woo8Yr6QZcwiRn
imphash | 399419c867e1b29b8b53fcd0cc79fbe7
impfuzzy | 24:cEq+fm4X7alyDq+uco1TiOovA1tFXgJ3IRIlyv9fcVq1VGSUjMku:nv7GTt1tmRK9fcM1kSZ
Signature (23cnts)
Level | Description
---|---
danger | Executed a process and injected code into it |
warning | File has been identified by 25 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to identify installed AV products by installation directory |
watch | Checks the CPU name from registry |
watch | Communicates with host for which no DNS query was performed |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates executable files on the filesystem |
notice | Drops a binary and executes it |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | This executable has a PDB path |
Rules (25cnts)
Level | Name | Description | Collection
---|---|---|---
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Escalate_priviledges | Escalate privileges | memory
notice | KeyLogger | Run a KeyLogger | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
Network (9cnts)
Suricata IDs
ET USER_AGENTS Suspicious User-Agent (AutoHotkey)
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x47d000 FindVolumeClose
0x47d004 HeapAlloc
0x47d008 EndUpdateResourceW
0x47d00c HeapFree
0x47d010 GetEnvironmentStringsW
0x47d014 SetConsoleScreenBufferSize
0x47d018 AddConsoleAliasW
0x47d01c SetEvent
0x47d020 GetTickCount
0x47d024 GetProcessHeap
0x47d028 FindActCtxSectionStringA
0x47d02c Sleep
0x47d030 InitAtomTable
0x47d034 GetTapePosition
0x47d038 GetAtomNameW
0x47d03c GetMailslotInfo
0x47d040 GetModuleFileNameW
0x47d044 CreateActCtxA
0x47d048 GetConsoleOutputCP
0x47d04c GetCPInfoExW
0x47d050 GetProcAddress
0x47d054 VirtualAlloc
0x47d058 LoadLibraryA
0x47d05c WriteConsoleA
0x47d060 LocalAlloc
0x47d064 BeginUpdateResourceA
0x47d068 SetEnvironmentVariableA
0x47d06c GetModuleFileNameA
0x47d070 GetProcessAffinityMask
0x47d074 Module32Next
0x47d078 FindNextVolumeA
0x47d07c TlsFree
0x47d080 lstrcpyA
0x47d084 EncodePointer
0x47d088 DecodePointer
0x47d08c GetCommandLineA
0x47d090 HeapSetInformation
0x47d094 GetStartupInfoW
0x47d098 RaiseException
0x47d09c UnhandledExceptionFilter
0x47d0a0 SetUnhandledExceptionFilter
0x47d0a4 IsDebuggerPresent
0x47d0a8 TerminateProcess
0x47d0ac GetCurrentProcess
0x47d0b0 GetLastError
0x47d0b4 IsProcessorFeaturePresent
0x47d0b8 TlsAlloc
0x47d0bc TlsGetValue
0x47d0c0 TlsSetValue
0x47d0c4 InterlockedIncrement
0x47d0c8 GetModuleHandleW
0x47d0cc SetLastError
0x47d0d0 GetCurrentThreadId
0x47d0d4 InterlockedDecrement
0x47d0d8 WideCharToMultiByte
0x47d0dc SetHandleCount
0x47d0e0 GetStdHandle
0x47d0e4 InitializeCriticalSectionAndSpinCount
0x47d0e8 GetFileType
0x47d0ec DeleteCriticalSection
0x47d0f0 EnterCriticalSection
0x47d0f4 LeaveCriticalSection
0x47d0f8 ReadFile
0x47d0fc RtlUnwind
0x47d100 SetFilePointer
0x47d104 CloseHandle
0x47d108 ExitProcess
0x47d10c WriteFile
0x47d110 FreeEnvironmentStringsW
0x47d114 HeapCreate
0x47d118 QueryPerformanceCounter
0x47d11c GetCurrentProcessId
0x47d120 GetSystemTimeAsFileTime
0x47d124 GetConsoleCP
0x47d128 GetConsoleMode
0x47d12c GetCPInfo
0x47d130 GetACP
0x47d134 GetOEMCP
0x47d138 IsValidCodePage
0x47d13c MultiByteToWideChar
0x47d140 CreateFileA
0x47d144 SetStdHandle
0x47d148 FlushFileBuffers
0x47d14c HeapSize
0x47d150 LoadLibraryW
0x47d154 WriteConsoleW
0x47d158 LCMapStringW
0x47d15c GetStringTypeW
0x47d160 HeapReAlloc
0x47d164 SetEndOfFile
0x47d168 CreateFileW
EAT (Export Address Table): none