ScreenShot
| Created | 2023.10.03 19:38 | Machine | s1_win7_x6401 |
| Filename | bQrq.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 62 detected (AIDetectMalware, Remcos, Dacic, Artemis, Rescoms, Save, malicious, Kryptik, Genus, Eldorado, moderate confidence, score, kakzkh, RATX, Vimw, DownLoader46, YXDJBZ, high, Emogen, Detected, ZexaF, omGfaeRiNcki, ai score=88, unsafe, FKuWrtG2iWT, Static AI, Malicious PE, susgen, confidence) | ||
| md5 | 9da8f029a4eb62771fff586e7018a79c | ||
| sha256 | aebb058dc5414da5bff003dc5630421d84b0b8935a0a1981a66301f85e8af9ea | ||
| ssdeep | 3072:sOSI2I7txG68nYrugMZJMfsciIpuKNtrUQlAK3qSjYPS+IAXb3Ixi5eFrgurIlNt:9vG68YrvM80ypnjAedo3qiGUY2ChzI | ||
| imphash | bc4f8e98d1041d53dd63bfb91ed10d0a | ||
| impfuzzy | 6:omRgCHWvC365rBJAEoZ/OEGDzyRZr4/b4RUptIKVSZozAhQcY460qtZGvR:omRgYh+ABZG/Dzgr4kYSIAx72ZGJ | ||
Network IP location
Signature (32cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 62 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| watch | Deletes executed files from disk |
| watch | Harvests credentials from local email clients |
| watch | Harvests information related to installed instant messenger clients |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | The process wscript.exe wrote an executable file to disk |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | A process attempted to delay the analysis task. |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Connects to a Dynamic DNS Domain |
| notice | Creates executable files on the filesystem |
| notice | Drops a binary and executes it |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (17cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | Network_Downloader | File Downloader | binaries (download) |
| watch | Network_Downloader | File Downloader | binaries (upload) |
| notice | ScreenShot | Take ScreenShot | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Network (5cnts) ?
Suricata ids
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x TLS Connection
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x TLS Connection
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x489724 RegCloseKey
GDI32.dll
0x48972c BitBlt
gdiplus.dll
0x489734 GdipFree
KERNEL32.DLL
0x48973c LoadLibraryA
0x489740 ExitProcess
0x489744 GetProcAddress
0x489748 VirtualProtect
ole32.dll
0x489750 CoGetObject
SHELL32.dll
0x489758 ExtractIconA
SHLWAPI.dll
0x489760 StrToIntA
urlmon.dll
0x489768 URLDownloadToFileW
USER32.dll
0x489770 DrawIcon
WININET.dll
0x489778 InternetOpenW
WINMM.dll
0x489780 waveInOpen
WS2_32.dll
0x489788 socket
EAT(Export Address Table) is none
ADVAPI32.dll
0x489724 RegCloseKey
GDI32.dll
0x48972c BitBlt
gdiplus.dll
0x489734 GdipFree
KERNEL32.DLL
0x48973c LoadLibraryA
0x489740 ExitProcess
0x489744 GetProcAddress
0x489748 VirtualProtect
ole32.dll
0x489750 CoGetObject
SHELL32.dll
0x489758 ExtractIconA
SHLWAPI.dll
0x489760 StrToIntA
urlmon.dll
0x489768 URLDownloadToFileW
USER32.dll
0x489770 DrawIcon
WININET.dll
0x489778 InternetOpenW
WINMM.dll
0x489780 waveInOpen
WS2_32.dll
0x489788 socket
EAT(Export Address Table) is none