ScreenShot
| Created | 2022.01.20 10:38 | Machine | s1_win7_x6401 |
| Filename | rtst1053.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 53 detected (trX7, malicious, high confidence, Mikey, Win64RI, S25839259, Unsafe, aema, NetPass, Eldorado, Spyagent, PSWTool, hqsnsl, MiscX, Gencirc, Tool, PassView, HackTool, NirSoftPT, HToolPassView, Static AI, Suspicious PE, AGEN, ASMalwS, PSWTroj, kcloud, Sabsik, score, R461443, ai score=80, TrojanPSW, PasswordStealer, CLOUD, GenAsa, YHzzSz8xRRg, Webbrowserpassview, confidence, 100%, susgen) | ||
| md5 | 7ce07d94af910e6ffd34fa72ae3060a4 | ||
| sha256 | 37c70b0afb4a0287138c59d169478d09cf216e53b0f4c5e34e83ae2537d731d3 | ||
| ssdeep | 24576:nui93Vkg97e2KjCcGIG4W6VifDWIkJ7iJtxNhtNNefd0OIG3RQlyrLxoA8ZPo+Zn:dlJe9G3D6JYxpNNEd0OIcRfn0Po+Z1I | ||
| imphash | 23e911f9a82ac0d345fa6cc9104b6bf4 | ||
| impfuzzy | 96:5nQJd+phZu7Z36BF1JStoV/cgPg705KleNYp2:5eGu7ZoFi0wzleE2 | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 53 AntiVirus engines on VirusTotal as malicious |
| watch | Deletes executed files from disk |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Foreign language identified in PE resource |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | Checks amount of memory in system |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (10cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | ASPack_Zero | ASPack packed file | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
Network (7cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1400f0028 GetTempPathA
0x1400f0030 GetLastError
0x1400f0038 WinExec
0x1400f0040 lstrlenW
0x1400f0048 FormatMessageW
0x1400f0050 LocalFree
0x1400f0058 AreFileApisANSI
0x1400f0060 ReadFile
0x1400f0068 TryEnterCriticalSection
0x1400f0070 HeapCreate
0x1400f0078 HeapFree
0x1400f0080 EnterCriticalSection
0x1400f0088 GetFullPathNameW
0x1400f0090 WriteFile
0x1400f0098 GetDiskFreeSpaceW
0x1400f00a0 LockFile
0x1400f00a8 LeaveCriticalSection
0x1400f00b0 InitializeCriticalSection
0x1400f00b8 SetFilePointer
0x1400f00c0 GetFullPathNameA
0x1400f00c8 SetEndOfFile
0x1400f00d0 UnlockFileEx
0x1400f00d8 GetTempPathW
0x1400f00e0 CreateMutexW
0x1400f00e8 WaitForSingleObject
0x1400f00f0 CreateFileW
0x1400f00f8 GetCurrentThreadId
0x1400f0100 UnmapViewOfFile
0x1400f0108 HeapValidate
0x1400f0110 HeapSize
0x1400f0118 MultiByteToWideChar
0x1400f0120 GetDiskFreeSpaceA
0x1400f0128 GetFileAttributesA
0x1400f0130 GetFileAttributesExW
0x1400f0138 OutputDebugStringW
0x1400f0140 CreateFileA
0x1400f0148 LoadLibraryA
0x1400f0150 WaitForSingleObjectEx
0x1400f0158 DeleteFileA
0x1400f0160 DeleteFileW
0x1400f0168 HeapReAlloc
0x1400f0170 CloseHandle
0x1400f0178 GetSystemInfo
0x1400f0180 LoadLibraryW
0x1400f0188 HeapAlloc
0x1400f0190 HeapCompact
0x1400f0198 HeapDestroy
0x1400f01a0 UnlockFile
0x1400f01a8 GetProcAddress
0x1400f01b0 CreateFileMappingA
0x1400f01b8 LockFileEx
0x1400f01c0 GetFileSize
0x1400f01c8 DeleteCriticalSection
0x1400f01d0 GetCurrentProcessId
0x1400f01d8 GetProcessHeap
0x1400f01e0 SystemTimeToFileTime
0x1400f01e8 FreeLibrary
0x1400f01f0 WideCharToMultiByte
0x1400f01f8 GetSystemTimeAsFileTime
0x1400f0200 GetSystemTime
0x1400f0208 FormatMessageA
0x1400f0210 CreateFileMappingW
0x1400f0218 MapViewOfFile
0x1400f0220 QueryPerformanceCounter
0x1400f0228 GetTickCount
0x1400f0230 FlushFileBuffers
0x1400f0238 GetFileAttributesW
0x1400f0240 FindResourceW
0x1400f0248 LoadResource
0x1400f0250 LockResource
0x1400f0258 FreeResource
0x1400f0260 Sleep
0x1400f0268 GetStringTypeW
0x1400f0270 EncodePointer
0x1400f0278 DecodePointer
0x1400f0280 GetCPInfo
0x1400f0288 SetLastError
0x1400f0290 InitializeCriticalSectionAndSpinCount
0x1400f0298 CreateEventW
0x1400f02a0 TlsAlloc
0x1400f02a8 TlsGetValue
0x1400f02b0 TlsSetValue
0x1400f02b8 TlsFree
0x1400f02c0 GetModuleHandleW
0x1400f02c8 CompareStringW
0x1400f02d0 LCMapStringW
0x1400f02d8 GetLocaleInfoW
0x1400f02e0 InitializeSListHead
0x1400f02e8 SetEvent
0x1400f02f0 ResetEvent
0x1400f02f8 RtlCaptureContext
0x1400f0300 RtlLookupFunctionEntry
0x1400f0308 RtlVirtualUnwind
0x1400f0310 UnhandledExceptionFilter
0x1400f0318 SetUnhandledExceptionFilter
0x1400f0320 GetCurrentProcess
0x1400f0328 TerminateProcess
0x1400f0330 IsProcessorFeaturePresent
0x1400f0338 IsDebuggerPresent
0x1400f0340 GetStartupInfoW
0x1400f0348 QueryPerformanceFrequency
0x1400f0350 GetCurrentThread
0x1400f0358 GetThreadTimes
0x1400f0360 RtlUnwindEx
0x1400f0368 InterlockedPushEntrySList
0x1400f0370 RtlPcToFileHeader
0x1400f0378 RaiseException
0x1400f0380 LoadLibraryExW
0x1400f0388 CreateThread
0x1400f0390 ExitThread
0x1400f0398 FreeLibraryAndExitThread
0x1400f03a0 GetModuleHandleExW
0x1400f03a8 ExitProcess
0x1400f03b0 GetModuleFileNameW
0x1400f03b8 GetStdHandle
0x1400f03c0 GetFileSizeEx
0x1400f03c8 SetFilePointerEx
0x1400f03d0 GetFileType
0x1400f03d8 GetConsoleOutputCP
0x1400f03e0 GetConsoleMode
0x1400f03e8 GetDateFormatW
0x1400f03f0 GetTimeFormatW
0x1400f03f8 IsValidLocale
0x1400f0400 GetUserDefaultLCID
0x1400f0408 EnumSystemLocalesW
0x1400f0410 ReadConsoleW
0x1400f0418 GetTimeZoneInformation
0x1400f0420 FindClose
0x1400f0428 FindFirstFileExW
0x1400f0430 FindNextFileW
0x1400f0438 IsValidCodePage
0x1400f0440 GetACP
0x1400f0448 GetOEMCP
0x1400f0450 GetCommandLineA
0x1400f0458 GetCommandLineW
0x1400f0460 GetEnvironmentStringsW
0x1400f0468 FreeEnvironmentStringsW
0x1400f0470 SetEnvironmentVariableW
0x1400f0478 SetStdHandle
0x1400f0480 WriteConsoleW
0x1400f0488 OutputDebugStringA
0x1400f0490 SizeofResource
0x1400f0498 RtlUnwind
ADVAPI32.dll
0x1400f0000 RegCloseKey
0x1400f0008 RegSetValueExW
0x1400f0010 RegOpenKeyExW
0x1400f0018 RegCreateKeyW
SHELL32.dll
0x1400f04a8 SHGetFolderPathW
WINHTTP.dll
0x1400f04b8 WinHttpQueryHeaders
0x1400f04c0 WinHttpReadData
0x1400f04c8 WinHttpOpenRequest
0x1400f04d0 WinHttpSetOption
0x1400f04d8 WinHttpCloseHandle
0x1400f04e0 WinHttpAddRequestHeaders
0x1400f04e8 WinHttpQueryAuthSchemes
0x1400f04f0 WinHttpGetProxyForUrl
0x1400f04f8 WinHttpSendRequest
0x1400f0500 WinHttpSetCredentials
0x1400f0508 WinHttpConnect
0x1400f0510 WinHttpQueryDataAvailable
0x1400f0518 WinHttpReceiveResponse
0x1400f0520 WinHttpOpen
0x1400f0528 WinHttpGetIEProxyConfigForCurrentUser
EAT(Export Address Table) is none
KERNEL32.dll
0x1400f0028 GetTempPathA
0x1400f0030 GetLastError
0x1400f0038 WinExec
0x1400f0040 lstrlenW
0x1400f0048 FormatMessageW
0x1400f0050 LocalFree
0x1400f0058 AreFileApisANSI
0x1400f0060 ReadFile
0x1400f0068 TryEnterCriticalSection
0x1400f0070 HeapCreate
0x1400f0078 HeapFree
0x1400f0080 EnterCriticalSection
0x1400f0088 GetFullPathNameW
0x1400f0090 WriteFile
0x1400f0098 GetDiskFreeSpaceW
0x1400f00a0 LockFile
0x1400f00a8 LeaveCriticalSection
0x1400f00b0 InitializeCriticalSection
0x1400f00b8 SetFilePointer
0x1400f00c0 GetFullPathNameA
0x1400f00c8 SetEndOfFile
0x1400f00d0 UnlockFileEx
0x1400f00d8 GetTempPathW
0x1400f00e0 CreateMutexW
0x1400f00e8 WaitForSingleObject
0x1400f00f0 CreateFileW
0x1400f00f8 GetCurrentThreadId
0x1400f0100 UnmapViewOfFile
0x1400f0108 HeapValidate
0x1400f0110 HeapSize
0x1400f0118 MultiByteToWideChar
0x1400f0120 GetDiskFreeSpaceA
0x1400f0128 GetFileAttributesA
0x1400f0130 GetFileAttributesExW
0x1400f0138 OutputDebugStringW
0x1400f0140 CreateFileA
0x1400f0148 LoadLibraryA
0x1400f0150 WaitForSingleObjectEx
0x1400f0158 DeleteFileA
0x1400f0160 DeleteFileW
0x1400f0168 HeapReAlloc
0x1400f0170 CloseHandle
0x1400f0178 GetSystemInfo
0x1400f0180 LoadLibraryW
0x1400f0188 HeapAlloc
0x1400f0190 HeapCompact
0x1400f0198 HeapDestroy
0x1400f01a0 UnlockFile
0x1400f01a8 GetProcAddress
0x1400f01b0 CreateFileMappingA
0x1400f01b8 LockFileEx
0x1400f01c0 GetFileSize
0x1400f01c8 DeleteCriticalSection
0x1400f01d0 GetCurrentProcessId
0x1400f01d8 GetProcessHeap
0x1400f01e0 SystemTimeToFileTime
0x1400f01e8 FreeLibrary
0x1400f01f0 WideCharToMultiByte
0x1400f01f8 GetSystemTimeAsFileTime
0x1400f0200 GetSystemTime
0x1400f0208 FormatMessageA
0x1400f0210 CreateFileMappingW
0x1400f0218 MapViewOfFile
0x1400f0220 QueryPerformanceCounter
0x1400f0228 GetTickCount
0x1400f0230 FlushFileBuffers
0x1400f0238 GetFileAttributesW
0x1400f0240 FindResourceW
0x1400f0248 LoadResource
0x1400f0250 LockResource
0x1400f0258 FreeResource
0x1400f0260 Sleep
0x1400f0268 GetStringTypeW
0x1400f0270 EncodePointer
0x1400f0278 DecodePointer
0x1400f0280 GetCPInfo
0x1400f0288 SetLastError
0x1400f0290 InitializeCriticalSectionAndSpinCount
0x1400f0298 CreateEventW
0x1400f02a0 TlsAlloc
0x1400f02a8 TlsGetValue
0x1400f02b0 TlsSetValue
0x1400f02b8 TlsFree
0x1400f02c0 GetModuleHandleW
0x1400f02c8 CompareStringW
0x1400f02d0 LCMapStringW
0x1400f02d8 GetLocaleInfoW
0x1400f02e0 InitializeSListHead
0x1400f02e8 SetEvent
0x1400f02f0 ResetEvent
0x1400f02f8 RtlCaptureContext
0x1400f0300 RtlLookupFunctionEntry
0x1400f0308 RtlVirtualUnwind
0x1400f0310 UnhandledExceptionFilter
0x1400f0318 SetUnhandledExceptionFilter
0x1400f0320 GetCurrentProcess
0x1400f0328 TerminateProcess
0x1400f0330 IsProcessorFeaturePresent
0x1400f0338 IsDebuggerPresent
0x1400f0340 GetStartupInfoW
0x1400f0348 QueryPerformanceFrequency
0x1400f0350 GetCurrentThread
0x1400f0358 GetThreadTimes
0x1400f0360 RtlUnwindEx
0x1400f0368 InterlockedPushEntrySList
0x1400f0370 RtlPcToFileHeader
0x1400f0378 RaiseException
0x1400f0380 LoadLibraryExW
0x1400f0388 CreateThread
0x1400f0390 ExitThread
0x1400f0398 FreeLibraryAndExitThread
0x1400f03a0 GetModuleHandleExW
0x1400f03a8 ExitProcess
0x1400f03b0 GetModuleFileNameW
0x1400f03b8 GetStdHandle
0x1400f03c0 GetFileSizeEx
0x1400f03c8 SetFilePointerEx
0x1400f03d0 GetFileType
0x1400f03d8 GetConsoleOutputCP
0x1400f03e0 GetConsoleMode
0x1400f03e8 GetDateFormatW
0x1400f03f0 GetTimeFormatW
0x1400f03f8 IsValidLocale
0x1400f0400 GetUserDefaultLCID
0x1400f0408 EnumSystemLocalesW
0x1400f0410 ReadConsoleW
0x1400f0418 GetTimeZoneInformation
0x1400f0420 FindClose
0x1400f0428 FindFirstFileExW
0x1400f0430 FindNextFileW
0x1400f0438 IsValidCodePage
0x1400f0440 GetACP
0x1400f0448 GetOEMCP
0x1400f0450 GetCommandLineA
0x1400f0458 GetCommandLineW
0x1400f0460 GetEnvironmentStringsW
0x1400f0468 FreeEnvironmentStringsW
0x1400f0470 SetEnvironmentVariableW
0x1400f0478 SetStdHandle
0x1400f0480 WriteConsoleW
0x1400f0488 OutputDebugStringA
0x1400f0490 SizeofResource
0x1400f0498 RtlUnwind
ADVAPI32.dll
0x1400f0000 RegCloseKey
0x1400f0008 RegSetValueExW
0x1400f0010 RegOpenKeyExW
0x1400f0018 RegCreateKeyW
SHELL32.dll
0x1400f04a8 SHGetFolderPathW
WINHTTP.dll
0x1400f04b8 WinHttpQueryHeaders
0x1400f04c0 WinHttpReadData
0x1400f04c8 WinHttpOpenRequest
0x1400f04d0 WinHttpSetOption
0x1400f04d8 WinHttpCloseHandle
0x1400f04e0 WinHttpAddRequestHeaders
0x1400f04e8 WinHttpQueryAuthSchemes
0x1400f04f0 WinHttpGetProxyForUrl
0x1400f04f8 WinHttpSendRequest
0x1400f0500 WinHttpSetCredentials
0x1400f0508 WinHttpConnect
0x1400f0510 WinHttpQueryDataAvailable
0x1400f0518 WinHttpReceiveResponse
0x1400f0520 WinHttpOpen
0x1400f0528 WinHttpGetIEProxyConfigForCurrentUser
EAT(Export Address Table) is none