ScreenShot
| Created | 2023.10.31 09:39 | Machine | s1_win7_x6402 |
| Filename | bRbg.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 63 detected (Remcos, Dacic, GenericRI, S31067642, SpywareLyndra, Artemis, Save, malicious, Kryptik, Genus, moderate confidence, Rescoms, score, kakzkh, FKuWrtG2iWT, Emogen, DownLoader46, YXDJ4Z, high, Outbreak, Detected, Eldorado, ZexaF, omGfa4nx3Vpi, ai score=84, unsafe, GdSda, Gencirc, yzloPsMaQAE, Static AI, Malicious PE, susgen, RATX, confidence, 100%) | ||
| md5 | 2f730ad313cf99a13514a37ff64aab61 | ||
| sha256 | 56b7b422a1f768b817ce93af8c005db587076d3c619a95a42ad34f572c331b93 | ||
| ssdeep | 3072:0OSI2I7txG68nYrugMZJMfsciIpuKNtrUQlAK3qSjYPS+IAXb3Ixi5eFrgurIlNS:lvG68YrvM80ypnjAedo3qiGUY2ChzI | ||
| imphash | bc4f8e98d1041d53dd63bfb91ed10d0a | ||
| impfuzzy | 6:omRgCHWvC365rBJAEoZ/OEGDzyRZr4/b4RUptIKVSZozAhQcY460qtZGvR:omRgYh+ABZG/Dzgr4kYSIAx72ZGJ | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| notice | A process attempted to delay the analysis task. |
| notice | Connects to a Dynamic DNS Domain |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | The executable is compressed using UPX |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | Network_Downloader | File Downloader | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET POLICY DNS Query to DynDNS Domain *.ddns .net
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x489724 RegCloseKey
GDI32.dll
0x48972c BitBlt
gdiplus.dll
0x489734 GdipFree
KERNEL32.DLL
0x48973c LoadLibraryA
0x489740 ExitProcess
0x489744 GetProcAddress
0x489748 VirtualProtect
ole32.dll
0x489750 CoGetObject
SHELL32.dll
0x489758 ExtractIconA
SHLWAPI.dll
0x489760 StrToIntA
urlmon.dll
0x489768 URLDownloadToFileW
USER32.dll
0x489770 DrawIcon
WININET.dll
0x489778 InternetOpenW
WINMM.dll
0x489780 waveInOpen
WS2_32.dll
0x489788 socket
EAT(Export Address Table) is none
ADVAPI32.dll
0x489724 RegCloseKey
GDI32.dll
0x48972c BitBlt
gdiplus.dll
0x489734 GdipFree
KERNEL32.DLL
0x48973c LoadLibraryA
0x489740 ExitProcess
0x489744 GetProcAddress
0x489748 VirtualProtect
ole32.dll
0x489750 CoGetObject
SHELL32.dll
0x489758 ExtractIconA
SHLWAPI.dll
0x489760 StrToIntA
urlmon.dll
0x489768 URLDownloadToFileW
USER32.dll
0x489770 DrawIcon
WININET.dll
0x489778 InternetOpenW
WINMM.dll
0x489780 waveInOpen
WS2_32.dll
0x489788 socket
EAT(Export Address Table) is none