ScreenShot
| Created | 2023.03.08 11:12 | Machine | s1_win7_x6401 |
| Filename | rhh.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 41 detected (Siggen3, Zusy, Mikey, RedLineStealer, Kryptik, Vjx6, malicious, confidence, Attribute, HighConfidence, high confidence, HSEV, score, CrypterX, FalseSign, Fkjl, RHADAMANTHYS, YXDCGZ, Artemis, high, Nekark, lkowf, ai score=81, Sabsik, CryptInject, Detected, unsafe, qjdrLr3qc8Q, Outbreak) | ||
| md5 | 6426a9c12a40aad907b96837a487e988 | ||
| sha256 | 95df8e09db02d2956bdd6a91041e3424020e9dc1e2775bac33b6c0af30fada43 | ||
| ssdeep | 6144:CcqAPUkzcupqh6R/sdawzeIDTOdKSmmwIZOaH6d6lDlRr:CcqAPUkzcuQh6udaxySmPIIHCx1 | ||
| imphash | 1f7948b75e8007bde9f40a49c22ca16a | ||
| impfuzzy | 24:oDd0YvtqMjOov1lG/J3IiQFQ8RyvDkRT4Qf4plWgLm:+0YvtqMCd13DgcQfAI9 | ||
Network IP location
Signature (19cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 41 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Appends a known CryptoMix ransomware file extension to files that have been encrypted |
| watch | Attempts to access Bitcoin/ALTCoin wallets |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Queries for the computername |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (upload) |
Suricata ids
ET POLICY curl User-Agent Outbound
ET HUNTING curl User-Agent to Dotted Quad
ET HUNTING curl User-Agent to Dotted Quad
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41600c GetModuleHandleA
0x416010 FreeConsole
0x416014 GetProcAddress
0x416018 GetSystemInfo
0x41601c GetLogicalDrives
0x416020 AreFileApisANSI
0x416024 TerminateProcess
0x416028 GetCurrentProcess
0x41602c UnhandledExceptionFilter
0x416030 SetUnhandledExceptionFilter
0x416034 IsDebuggerPresent
0x416038 RtlUnwind
0x41603c RaiseException
0x416040 GetCommandLineA
0x416044 GetLastError
0x416048 HeapFree
0x41604c GetModuleHandleW
0x416050 TlsGetValue
0x416054 TlsAlloc
0x416058 TlsSetValue
0x41605c TlsFree
0x416060 InterlockedIncrement
0x416064 SetLastError
0x416068 GetCurrentThreadId
0x41606c InterlockedDecrement
0x416070 HeapAlloc
0x416074 Sleep
0x416078 ExitProcess
0x41607c WriteFile
0x416080 GetStdHandle
0x416084 GetModuleFileNameA
0x416088 FreeEnvironmentStringsA
0x41608c GetEnvironmentStrings
0x416090 FreeEnvironmentStringsW
0x416094 WideCharToMultiByte
0x416098 GetEnvironmentStringsW
0x41609c SetHandleCount
0x4160a0 GetFileType
0x4160a4 GetStartupInfoA
0x4160a8 DeleteCriticalSection
0x4160ac HeapCreate
0x4160b0 VirtualFree
0x4160b4 QueryPerformanceCounter
0x4160b8 GetTickCount
0x4160bc GetCurrentProcessId
0x4160c0 GetSystemTimeAsFileTime
0x4160c4 GetCPInfo
0x4160c8 GetACP
0x4160cc GetOEMCP
0x4160d0 IsValidCodePage
0x4160d4 LeaveCriticalSection
0x4160d8 EnterCriticalSection
0x4160dc VirtualAlloc
0x4160e0 HeapReAlloc
0x4160e4 HeapSize
0x4160e8 LoadLibraryA
0x4160ec InitializeCriticalSectionAndSpinCount
0x4160f0 LCMapStringA
0x4160f4 MultiByteToWideChar
0x4160f8 LCMapStringW
0x4160fc GetStringTypeA
0x416100 GetStringTypeW
0x416104 GetLocaleInfoA
COMDLG32.dll
0x416000 GetSaveFileNameA
0x416004 GetOpenFileNameA
EAT(Export Address Table) is none
KERNEL32.dll
0x41600c GetModuleHandleA
0x416010 FreeConsole
0x416014 GetProcAddress
0x416018 GetSystemInfo
0x41601c GetLogicalDrives
0x416020 AreFileApisANSI
0x416024 TerminateProcess
0x416028 GetCurrentProcess
0x41602c UnhandledExceptionFilter
0x416030 SetUnhandledExceptionFilter
0x416034 IsDebuggerPresent
0x416038 RtlUnwind
0x41603c RaiseException
0x416040 GetCommandLineA
0x416044 GetLastError
0x416048 HeapFree
0x41604c GetModuleHandleW
0x416050 TlsGetValue
0x416054 TlsAlloc
0x416058 TlsSetValue
0x41605c TlsFree
0x416060 InterlockedIncrement
0x416064 SetLastError
0x416068 GetCurrentThreadId
0x41606c InterlockedDecrement
0x416070 HeapAlloc
0x416074 Sleep
0x416078 ExitProcess
0x41607c WriteFile
0x416080 GetStdHandle
0x416084 GetModuleFileNameA
0x416088 FreeEnvironmentStringsA
0x41608c GetEnvironmentStrings
0x416090 FreeEnvironmentStringsW
0x416094 WideCharToMultiByte
0x416098 GetEnvironmentStringsW
0x41609c SetHandleCount
0x4160a0 GetFileType
0x4160a4 GetStartupInfoA
0x4160a8 DeleteCriticalSection
0x4160ac HeapCreate
0x4160b0 VirtualFree
0x4160b4 QueryPerformanceCounter
0x4160b8 GetTickCount
0x4160bc GetCurrentProcessId
0x4160c0 GetSystemTimeAsFileTime
0x4160c4 GetCPInfo
0x4160c8 GetACP
0x4160cc GetOEMCP
0x4160d0 IsValidCodePage
0x4160d4 LeaveCriticalSection
0x4160d8 EnterCriticalSection
0x4160dc VirtualAlloc
0x4160e0 HeapReAlloc
0x4160e4 HeapSize
0x4160e8 LoadLibraryA
0x4160ec InitializeCriticalSectionAndSpinCount
0x4160f0 LCMapStringA
0x4160f4 MultiByteToWideChar
0x4160f8 LCMapStringW
0x4160fc GetStringTypeA
0x416100 GetStringTypeW
0x416104 GetLocaleInfoA
COMDLG32.dll
0x416000 GetSaveFileNameA
0x416004 GetOpenFileNameA
EAT(Export Address Table) is none