ScreenShot
Created | 2023.12.23 18:31 | Machine | s1_win7_x6403 |
Filename | Rby1.exe | ||
Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | 29 detected (AIDetectMalware, Injuke, Lazy, Suspicioustrojan, Artemis, unsafe, Kryptik, Vigk, None, Attribute, HighConfidence, malicious, moderate confidence, Windigo, PWSX, Krypt, Detected, Wacatac, ai score=82, GenKryptik, WQDW) | ||
md5 | e0bc2140d5a10035fb6d3b4e1b46cdfe | ||
sha256 | 4e2375353e49f18d6679c5372a688fc5c9a2ae3994830e6fe19e1cd20bc5ea6d | ||
ssdeep | 24576:aAlTCq3CQGpn2B5ziaj5n9798/dvDwP81d:tT5T6q5jjX798/dvDwP81d | ||
imphash | b12336fa8cbb9bd1c3e11ad0d8477f71 | ||
impfuzzy | 6:o41wT3WTD1Fz8IAg9Iay4PMtsUdRlYlFBJAEoZ/OEGDzyRdwk:o4MuD1Fwfay4PKrlYjABZG/Dzkwk |
Network IP location
Signature (35cnts)
Level | Description |
---|---|
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
warning | File has been identified by 29 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Attempts to create or modify system certificates |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes a large number of files from the system indicative of ransomware |
watch | Detects Virtual Machines through their custom firmware |
watch | Detects VirtualBox through the presence of a file |
watch | Drops 157 unknown file mime types indicative of ransomware writing encrypted files back to disk |
watch | Drops a binary and executes it |
watch | Installs itself for autorun at Windows startup |
watch | One or more of the buffers contains an embedded PE file |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process totcmauyzoxr462do2ysqcr9.exe |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates a shortcut to an executable file |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Queries for the computername |
Rules (36cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_1_Zero | Win32 Trojan Emotet | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | NSIS_Installer | Null Soft Installer | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
info | bmp_file_format | bmp file format | binaries (download) |
info | CAB_file_format | CAB archive file | binaries (download) |
info | chm_file_format | chm file format | binaries (download) |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | docx | Word 2007 file format detection | binaries (download) |
info | icon_file_format | icon file format | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | lnk_file_format | Microsoft Windows Shortcut File Format | binaries (download) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | mzp_file_format | MZP(Delphi) file format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | zip_file_format | ZIP file format | binaries (download) |
Network (53cnts) ?
Suricata ids
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY External IP Lookup (ipify .org)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY External IP Lookup (ipify .org)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO TLS Handshake Failure
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x140267844 EventWrite
api-ms-win-crt-heap-l1-1-0.dll
0x140267854 free
api-ms-win-crt-locale-l1-1-0.dll
0x140267864 _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll
0x140267874 ceil
api-ms-win-crt-runtime-l1-1-0.dll
0x140267884 exit
api-ms-win-crt-stdio-l1-1-0.dll
0x140267894 _set_fmode
api-ms-win-crt-string-l1-1-0.dll
0x1402678a4 strcmp
crypt.dll
0x1402678b4 BCryptDecrypt
KERNEL32.DLL
0x1402678c4 LoadLibraryA
0x1402678cc ExitProcess
0x1402678d4 GetProcAddress
0x1402678dc VirtualProtect
ole32.dll
0x1402678ec CoCreateGuid
EAT(Export Address Table) is none
ADVAPI32.dll
0x140267844 EventWrite
api-ms-win-crt-heap-l1-1-0.dll
0x140267854 free
api-ms-win-crt-locale-l1-1-0.dll
0x140267864 _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll
0x140267874 ceil
api-ms-win-crt-runtime-l1-1-0.dll
0x140267884 exit
api-ms-win-crt-stdio-l1-1-0.dll
0x140267894 _set_fmode
api-ms-win-crt-string-l1-1-0.dll
0x1402678a4 strcmp
crypt.dll
0x1402678b4 BCryptDecrypt
KERNEL32.DLL
0x1402678c4 LoadLibraryA
0x1402678cc ExitProcess
0x1402678d4 GetProcAddress
0x1402678dc VirtualProtect
ole32.dll
0x1402678ec CoCreateGuid
EAT(Export Address Table) is none