ScreenShot
| Created | 2022.05.20 14:10 | Machine | s1_win7_x6403 |
| Filename | rtst1039.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 35 detected (Artemis, Unsafe, Save, malicious, confidence, VMProtect, Eldorado, high confidence, score, GenericKD, Generic ML PUA, Static AI, Malicious PE, OQDD98, AGEN, kcloud, Phonzy, ai score=88, R002H0AEJ22, Fabookie, CLOUD, susgen, MalwareX) | ||
| md5 | 966722db7d8eaee5b5b8b17dfed90d8f | ||
| sha256 | ac63aee7353b19a3e418907615558481661549f6c892c3b798940b814a064d66 | ||
| ssdeep | 49152:fpynoZZGXahMy/ChMQC3pJDJ4xdrOoLFEIbZ6YooogWNeLxd5yR1K5w+KnP6SObU:zZ7vqDwDArHLiIbsfCWNgx3yFhnBO+ | ||
| imphash | bb46f1abb2c1ede95f964a725f9d1284 | ||
| impfuzzy | 12:XR/RgRpr+BrOZGoQtXJxZGb9AJcDfA5kLfP9m:B/ipKqQtXJHc9NDI5Q8 | ||
Network IP location
Signature (5cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is likely packed with VMProtect |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | VMProtect_Zero | VMProtect packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1402d8000 EnterCriticalSection
ADVAPI32.dll
0x1402d8010 RegCloseKey
SHELL32.dll
0x1402d8020 SHGetFolderPathW
WINHTTP.dll
0x1402d8030 WinHttpSetOption
CRYPT32.dll
0x1402d8040 CryptUnprotectData
KERNEL32.dll
0x1402d8050 LocalAlloc
0x1402d8058 LocalFree
0x1402d8060 GetModuleFileNameW
0x1402d8068 GetProcessAffinityMask
0x1402d8070 SetProcessAffinityMask
0x1402d8078 SetThreadAffinityMask
0x1402d8080 Sleep
0x1402d8088 ExitProcess
0x1402d8090 FreeLibrary
0x1402d8098 LoadLibraryA
0x1402d80a0 GetModuleHandleA
0x1402d80a8 GetProcAddress
USER32.dll
0x1402d80b8 GetProcessWindowStation
0x1402d80c0 GetUserObjectInformationW
EAT(Export Address Table) is none
KERNEL32.dll
0x1402d8000 EnterCriticalSection
ADVAPI32.dll
0x1402d8010 RegCloseKey
SHELL32.dll
0x1402d8020 SHGetFolderPathW
WINHTTP.dll
0x1402d8030 WinHttpSetOption
CRYPT32.dll
0x1402d8040 CryptUnprotectData
KERNEL32.dll
0x1402d8050 LocalAlloc
0x1402d8058 LocalFree
0x1402d8060 GetModuleFileNameW
0x1402d8068 GetProcessAffinityMask
0x1402d8070 SetProcessAffinityMask
0x1402d8078 SetThreadAffinityMask
0x1402d8080 Sleep
0x1402d8088 ExitProcess
0x1402d8090 FreeLibrary
0x1402d8098 LoadLibraryA
0x1402d80a0 GetModuleHandleA
0x1402d80a8 GetProcAddress
USER32.dll
0x1402d80b8 GetProcessWindowStation
0x1402d80c0 GetUserObjectInformationW
EAT(Export Address Table) is none