ScreenShot
| Created | 2023.05.11 18:41 | Machine | s1_win7_x6403 |
| Filename | AnyDesk.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 52 detected (AIDetectMalware, Convagent, malicious, high confidence, Artemis, Save, Guildma, Genus, ABRisk, RAUR, Warzone, score, dxek, Mqil, MultiPlug, Gen7, Inject4, YXDEIZ, high, Generic Reputation PUA, AveMaria, ai score=68, WarzoneRAT, psyA, AMRat, ASIZ98, Detected, BScope, unsafe, GdSda, 9YInyUOYy6M, Static AI, Suspicious PE, Zusy, confidence, 100%) | ||
| md5 | 1c6e08b5f03c0c7d1455f082b1b02c64 | ||
| sha256 | 4d275403b2993bb1dcf4d3262a5a70b32c0caa04e3cdb8c236420a3b1b1855b6 | ||
| ssdeep | 12288:li+DvjGVRiiguuorYGFutn252EulJ5u75Xeo1jf3mGKJi7Xja/q52iFb:l76VyuuB252EulJ5OtVf3mJY7Xjrsix | ||
| imphash | c01bacedafd6685527cc7a798a4d9a8b | ||
| impfuzzy | 48:90jgZ0ma1tMS1Q65c+ppCu3o9F45r09EoFzaGJznBQ/KAiu/1Zlal9n6gAo/kbiE:90cctMS1v5c+ppCH3MKHo | ||
Network IP location
Signature (30cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 52 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Attempts to remove evidence of file being downloaded from the Internet |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates an Alternate Data Stream (ADS) |
| watch | Harvests credentials from local email clients |
| watch | Installs itself for autorun at Windows startup |
| watch | Potential code injection by writing to the memory of another process |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Warzone RAT Response (Inbound)
SURICATA Applayer Detect protocol only one direction
SURICATA Applayer Detect protocol only one direction
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x53c000 VirtualAlloc
0x53c004 VirtualProtect
0x53c008 Sleep
0x53c00c FreeConsole
0x53c010 HeapSize
0x53c014 RaiseException
0x53c018 CreateFileW
0x53c01c SetFilePointerEx
0x53c020 GetConsoleMode
0x53c024 GetConsoleCP
0x53c028 FlushFileBuffers
0x53c02c WriteConsoleW
0x53c030 HeapQueryInformation
0x53c034 HeapReAlloc
0x53c038 HeapFree
0x53c03c SetConsoleCtrlHandler
0x53c040 GetProcessHeap
0x53c044 GetStringTypeW
0x53c048 SetStdHandle
0x53c04c SetEnvironmentVariableW
0x53c050 SetEnvironmentVariableA
0x53c054 FreeEnvironmentStringsW
0x53c058 GetEnvironmentStringsW
0x53c05c GetCPInfo
0x53c060 GetOEMCP
0x53c064 IsValidCodePage
0x53c068 FindNextFileW
0x53c06c FindNextFileA
0x53c070 FindFirstFileExW
0x53c074 FindFirstFileExA
0x53c078 FindClose
0x53c07c CreateThread
0x53c080 WaitForSingleObjectEx
0x53c084 CloseHandle
0x53c088 OutputDebugStringW
0x53c08c OutputDebugStringA
0x53c090 GetCurrentThread
0x53c094 GetFileType
0x53c098 EnumSystemLocalesW
0x53c09c GetUserDefaultLCID
0x53c0a0 IsValidLocale
0x53c0a4 GetLocaleInfoW
0x53c0a8 LCMapStringW
0x53c0ac CompareStringW
0x53c0b0 GetTimeFormatW
0x53c0b4 GetDateFormatW
0x53c0b8 GetSystemInfo
0x53c0bc HeapValidate
0x53c0c0 UnhandledExceptionFilter
0x53c0c4 SetUnhandledExceptionFilter
0x53c0c8 GetCurrentProcess
0x53c0cc TerminateProcess
0x53c0d0 IsProcessorFeaturePresent
0x53c0d4 QueryPerformanceCounter
0x53c0d8 GetCurrentProcessId
0x53c0dc GetCurrentThreadId
0x53c0e0 GetSystemTimeAsFileTime
0x53c0e4 InitializeSListHead
0x53c0e8 IsDebuggerPresent
0x53c0ec GetStartupInfoW
0x53c0f0 GetModuleHandleW
0x53c0f4 InterlockedPushEntrySList
0x53c0f8 InterlockedFlushSList
0x53c0fc RtlUnwind
0x53c100 GetLastError
0x53c104 SetLastError
0x53c108 EnterCriticalSection
0x53c10c LeaveCriticalSection
0x53c110 DeleteCriticalSection
0x53c114 InitializeCriticalSectionAndSpinCount
0x53c118 TlsAlloc
0x53c11c TlsGetValue
0x53c120 TlsSetValue
0x53c124 TlsFree
0x53c128 FreeLibrary
0x53c12c GetProcAddress
0x53c130 LoadLibraryExW
0x53c134 EncodePointer
0x53c138 ExitProcess
0x53c13c GetModuleHandleExW
0x53c140 GetStdHandle
0x53c144 WriteFile
0x53c148 GetModuleFileNameW
0x53c14c GetModuleFileNameA
0x53c150 MultiByteToWideChar
0x53c154 WideCharToMultiByte
0x53c158 GetCommandLineA
0x53c15c GetCommandLineW
0x53c160 GetACP
0x53c164 HeapAlloc
0x53c168 DecodePointer
USER32.dll
0x53c1e0 EnumChildWindows
0x53c1e4 GetSystemMetrics
0x53c1e8 GetDC
0x53c1ec ReleaseDC
0x53c1f0 DrawTextW
0x53c1f4 RegisterClassExW
0x53c1f8 SetWindowPlacement
0x53c1fc SetForegroundWindow
0x53c200 GetMessageW
0x53c204 TranslateAcceleratorW
0x53c208 GetMessageExtraInfo
0x53c20c TranslateMessage
0x53c210 DispatchMessageW
0x53c214 GetFocus
0x53c218 PostQuitMessage
0x53c21c InvalidateRect
0x53c220 DefWindowProcW
0x53c224 IsClipboardFormatAvailable
0x53c228 GetMenuState
0x53c22c SetPropW
0x53c230 GetClipboardData
0x53c234 CloseClipboard
0x53c238 EmptyClipboard
0x53c23c SetClipboardData
0x53c240 CharNextA
0x53c244 PostMessageW
0x53c248 IsWindowEnabled
0x53c24c SetWindowLongW
0x53c250 InsertMenuItemW
0x53c254 GetWindowLongW
0x53c258 GetSubMenu
0x53c25c RemoveMenu
0x53c260 AppendMenuW
0x53c264 SetMenuItemInfoW
0x53c268 DrawMenuBar
0x53c26c GetClassLongW
0x53c270 SetClassLongW
0x53c274 GetSysColor
0x53c278 MessageBoxA
0x53c27c OpenClipboard
EAT(Export Address Table) is none
KERNEL32.dll
0x53c000 VirtualAlloc
0x53c004 VirtualProtect
0x53c008 Sleep
0x53c00c FreeConsole
0x53c010 HeapSize
0x53c014 RaiseException
0x53c018 CreateFileW
0x53c01c SetFilePointerEx
0x53c020 GetConsoleMode
0x53c024 GetConsoleCP
0x53c028 FlushFileBuffers
0x53c02c WriteConsoleW
0x53c030 HeapQueryInformation
0x53c034 HeapReAlloc
0x53c038 HeapFree
0x53c03c SetConsoleCtrlHandler
0x53c040 GetProcessHeap
0x53c044 GetStringTypeW
0x53c048 SetStdHandle
0x53c04c SetEnvironmentVariableW
0x53c050 SetEnvironmentVariableA
0x53c054 FreeEnvironmentStringsW
0x53c058 GetEnvironmentStringsW
0x53c05c GetCPInfo
0x53c060 GetOEMCP
0x53c064 IsValidCodePage
0x53c068 FindNextFileW
0x53c06c FindNextFileA
0x53c070 FindFirstFileExW
0x53c074 FindFirstFileExA
0x53c078 FindClose
0x53c07c CreateThread
0x53c080 WaitForSingleObjectEx
0x53c084 CloseHandle
0x53c088 OutputDebugStringW
0x53c08c OutputDebugStringA
0x53c090 GetCurrentThread
0x53c094 GetFileType
0x53c098 EnumSystemLocalesW
0x53c09c GetUserDefaultLCID
0x53c0a0 IsValidLocale
0x53c0a4 GetLocaleInfoW
0x53c0a8 LCMapStringW
0x53c0ac CompareStringW
0x53c0b0 GetTimeFormatW
0x53c0b4 GetDateFormatW
0x53c0b8 GetSystemInfo
0x53c0bc HeapValidate
0x53c0c0 UnhandledExceptionFilter
0x53c0c4 SetUnhandledExceptionFilter
0x53c0c8 GetCurrentProcess
0x53c0cc TerminateProcess
0x53c0d0 IsProcessorFeaturePresent
0x53c0d4 QueryPerformanceCounter
0x53c0d8 GetCurrentProcessId
0x53c0dc GetCurrentThreadId
0x53c0e0 GetSystemTimeAsFileTime
0x53c0e4 InitializeSListHead
0x53c0e8 IsDebuggerPresent
0x53c0ec GetStartupInfoW
0x53c0f0 GetModuleHandleW
0x53c0f4 InterlockedPushEntrySList
0x53c0f8 InterlockedFlushSList
0x53c0fc RtlUnwind
0x53c100 GetLastError
0x53c104 SetLastError
0x53c108 EnterCriticalSection
0x53c10c LeaveCriticalSection
0x53c110 DeleteCriticalSection
0x53c114 InitializeCriticalSectionAndSpinCount
0x53c118 TlsAlloc
0x53c11c TlsGetValue
0x53c120 TlsSetValue
0x53c124 TlsFree
0x53c128 FreeLibrary
0x53c12c GetProcAddress
0x53c130 LoadLibraryExW
0x53c134 EncodePointer
0x53c138 ExitProcess
0x53c13c GetModuleHandleExW
0x53c140 GetStdHandle
0x53c144 WriteFile
0x53c148 GetModuleFileNameW
0x53c14c GetModuleFileNameA
0x53c150 MultiByteToWideChar
0x53c154 WideCharToMultiByte
0x53c158 GetCommandLineA
0x53c15c GetCommandLineW
0x53c160 GetACP
0x53c164 HeapAlloc
0x53c168 DecodePointer
USER32.dll
0x53c1e0 EnumChildWindows
0x53c1e4 GetSystemMetrics
0x53c1e8 GetDC
0x53c1ec ReleaseDC
0x53c1f0 DrawTextW
0x53c1f4 RegisterClassExW
0x53c1f8 SetWindowPlacement
0x53c1fc SetForegroundWindow
0x53c200 GetMessageW
0x53c204 TranslateAcceleratorW
0x53c208 GetMessageExtraInfo
0x53c20c TranslateMessage
0x53c210 DispatchMessageW
0x53c214 GetFocus
0x53c218 PostQuitMessage
0x53c21c InvalidateRect
0x53c220 DefWindowProcW
0x53c224 IsClipboardFormatAvailable
0x53c228 GetMenuState
0x53c22c SetPropW
0x53c230 GetClipboardData
0x53c234 CloseClipboard
0x53c238 EmptyClipboard
0x53c23c SetClipboardData
0x53c240 CharNextA
0x53c244 PostMessageW
0x53c248 IsWindowEnabled
0x53c24c SetWindowLongW
0x53c250 InsertMenuItemW
0x53c254 GetWindowLongW
0x53c258 GetSubMenu
0x53c25c RemoveMenu
0x53c260 AppendMenuW
0x53c264 SetMenuItemInfoW
0x53c268 DrawMenuBar
0x53c26c GetClassLongW
0x53c270 SetClassLongW
0x53c274 GetSysColor
0x53c278 MessageBoxA
0x53c27c OpenClipboard
EAT(Export Address Table) is none