Report - rollerkind2.exe

Malicious Library UPX PE File OS Processor Check PE32
ScreenShot
Created 2021.11.07 09:50 Machine s1_win7_x6401
Filename rollerkind2.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
7
Behavior Score
2.2
ZERO API file : clean
VT API (file) 25 detected (AIDetect, malware2, malicious, high confidence, GenericRXQC, Save, Hacktool, confidence, Kryptik, Eldorado, FileRepMetagen, Lockbit, Static AI, Malicious PE, DllCheck, score, Generic@ML, RDML, WZT8r, 7gJ6Uegug9RBIIqg, susgen)
md5 ebff6c5c942d1800caef3eda207889d3
sha256 6ada41d9a361d5c85efee76854f0b52bb2aa8456e19b5f239fccf0191b6adeee
ssdeep 12288:BThiZG/+ZqmBVIIyA4y0VdpWZX+g+4mDc8OueHsunnaXYX:BQI/+1BqIyA4yipWUg78OnvaXYX
imphash 9e3ac2424cecff905bdab3e7336b91cb
impfuzzy 24:tXSPbG2SmESxCIB1cDku9jpso7qoOovVtUwcpluiyv92/J3I+JSnujMfK318n:tX/1wTn2tbcpsb981SnkF8
  Network IP location

Signature (5cnts)

Level Description
warning File has been identified by 25 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Foreign language identified in PE resource
notice The binary likely contains encrypted or compressed data indicative of a packer
info This executable has a PDB path

Rules (5cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x47a008 SetThreadContext
 0x47a00c WriteConsoleOutputCharacterW
 0x47a010 GetDefaultCommConfigW
 0x47a014 HeapAlloc
 0x47a018 UpdateResourceA
 0x47a01c HeapFree
 0x47a020 GetEnvironmentStringsW
 0x47a024 BackupSeek
 0x47a028 GetTickCount
 0x47a02c GlobalAlloc
 0x47a030 LoadLibraryW
 0x47a034 SizeofResource
 0x47a038 GetTapePosition
 0x47a03c SetConsoleCursorPosition
 0x47a040 WriteConsoleW
 0x47a044 GetAtomNameW
 0x47a048 LCMapStringA
 0x47a04c GetLastError
 0x47a050 GetProcAddress
 0x47a054 VirtualAlloc
 0x47a058 GetFirmwareEnvironmentVariableW
 0x47a05c LoadLibraryA
 0x47a060 WriteConsoleA
 0x47a064 BeginUpdateResourceA
 0x47a068 GetModuleFileNameA
 0x47a06c SetConsoleCursorInfo
 0x47a070 AddConsoleAliasA
 0x47a074 FindNextVolumeA
 0x47a078 lstrcpyA
 0x47a07c SetProcessAffinityMask
 0x47a080 CreateFileW
 0x47a084 GetStringTypeW
 0x47a088 GetModuleHandleW
 0x47a08c ExitProcess
 0x47a090 DecodePointer
 0x47a094 GetCommandLineA
 0x47a098 HeapSetInformation
 0x47a09c GetStartupInfoW
 0x47a0a0 UnhandledExceptionFilter
 0x47a0a4 SetUnhandledExceptionFilter
 0x47a0a8 IsDebuggerPresent
 0x47a0ac EncodePointer
 0x47a0b0 TerminateProcess
 0x47a0b4 GetCurrentProcess
 0x47a0b8 IsProcessorFeaturePresent
 0x47a0bc WriteFile
 0x47a0c0 GetStdHandle
 0x47a0c4 GetModuleFileNameW
 0x47a0c8 HeapCreate
 0x47a0cc EnterCriticalSection
 0x47a0d0 LeaveCriticalSection
 0x47a0d4 InitializeCriticalSectionAndSpinCount
 0x47a0d8 RtlUnwind
 0x47a0dc SetHandleCount
 0x47a0e0 GetFileType
 0x47a0e4 DeleteCriticalSection
 0x47a0e8 SetFilePointer
 0x47a0ec CloseHandle
 0x47a0f0 TlsAlloc
 0x47a0f4 TlsGetValue
 0x47a0f8 TlsSetValue
 0x47a0fc TlsFree
 0x47a100 InterlockedIncrement
 0x47a104 SetLastError
 0x47a108 GetCurrentThreadId
 0x47a10c InterlockedDecrement
 0x47a110 FreeEnvironmentStringsW
 0x47a114 WideCharToMultiByte
 0x47a118 QueryPerformanceCounter
 0x47a11c GetCurrentProcessId
 0x47a120 GetSystemTimeAsFileTime
 0x47a124 RaiseException
 0x47a128 Sleep
 0x47a12c CreateFileA
 0x47a130 GetCPInfo
 0x47a134 GetACP
 0x47a138 GetOEMCP
 0x47a13c IsValidCodePage
 0x47a140 GetConsoleCP
 0x47a144 GetConsoleMode
 0x47a148 SetStdHandle
 0x47a14c FlushFileBuffers
 0x47a150 HeapSize
 0x47a154 HeapReAlloc
 0x47a158 SetEndOfFile
 0x47a15c GetProcessHeap
 0x47a160 MultiByteToWideChar
 0x47a164 ReadFile
 0x47a168 LCMapStringW
USER32.dll
 0x47a170 GetCursorPos
ADVAPI32.dll
 0x47a000 NotifyChangeEventLog

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure