Report - rundll.exe

RAT VMProtect PE File PE64
Created 2022.06.10 18:29 Machine s1_win7_x6401
Filename rundll.exe
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
AI Score 5
Behavior Score 5.4
ZERO API file : clean
VT API (file) 34 detected (Fileless, malicious, high confidence, Artemis, Save, Coinminer, Eldorado, R002H0CFA22, score, CoinminerX, AGEN, moderate, Vmprotect, K96IE9, kcloud, Wacatac, Unsafe, FakeChrome, CLASSIC, Static AI, Malicious PE, susgen, Miner, confidence, 100%)
md5 8d042aad9f0f5f149fdf1fad7320fad1
sha256 ad78c9580b03cf3943bb989b3fc8d5cfd37828c2dbef3c9dd7affc36e59092bc
ssdeep 98304:+YKLv4HzNbKdsH53MxGeGCB+LseyeClgMIJYRPskUUAYdZ+:+YgvWx+O9MxhsyeCVIJS9U/P
imphash
impfuzzy 3::

Signature (14cnts)

Level Description
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
watch Installs itself for autorun at Windows startup
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates a suspicious process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is likely packed with VMProtect
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (4cnts)

Level Name Description Collection
watch VMProtect_Zero VMProtect packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO

Suricata ids

PE API

IAT (Import Address Table): none

EAT (Export Address Table): none
