ScreenShot
| Created | 2024.01.17 08:14 | Machine | s1_win7_x6403 |
| Filename | rty27.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 35 detected (AIDetectMalware, Fabookie, malicious, high confidence, score, unsafe, GenericKD, Attribute, HighConfidence, GenKryptik, GSSS, Artemis, CLOUD, Swrort, wzhtj, DownLoader46, Detected, Wacatac, PrivateLoader, GGD75K, ABRisk, KAFK, R631490, PossibleThreat, confidence) | ||
| md5 | 34a7dbf9c978714dd0679079c5445a10 | ||
| sha256 | 0c9093975346591d7fe991ed8bd448d21aaeb1d65b7c48122a19624e0775d583 | ||
| ssdeep | 1536:XyK9MKyCC4UuOCWqeyGaOi2K+Sm6uCWqe+aOi2K+Sm6uuCuCWqeyGaOi2K+Sm6u9:XX9MLxuBXnAYy4AZ6qevcgJFW | ||
| imphash | 96cc98468ed325b3857363887597bc67 | ||
| impfuzzy | 96:Dk7OmQO3W71ifMwvhU18Jp9az5qKxLXtB3EGzuC7:DzOfNpU18D9i5q6LXt7zT | ||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| watch | Attempts to create or modify system certificates |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Performs some HTTP requests |
| info | Collects information to fingerprint the system (MachineGuid |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
| info | This executable has a PDB path |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts) ?
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x100001010 RegQueryValueExW
0x100001018 RegCloseKey
0x100001020 FreeSid
0x100001028 GetLengthSid
0x100001030 AddAccessAllowedAce
0x100001038 InitializeAcl
0x100001040 InitializeSecurityDescriptor
0x100001048 RegOpenKeyExW
0x100001050 MakeSelfRelativeSD
0x100001058 AllocateAndInitializeSid
0x100001060 LookupAccountNameW
0x100001068 MapGenericMask
0x100001070 GetSecurityDescriptorLength
0x100001078 GetSecurityDescriptorControl
0x100001080 RegQueryValueExA
0x100001088 SetSecurityDescriptorDacl
0x100001090 RegConnectRegistryW
0x100001098 RegOpenKeyExA
KERNEL32.dll
0x1000010e8 CreateDirectoryW
0x1000010f0 LocalAlloc
0x1000010f8 GlobalAlloc
0x100001100 GetFileAttributesW
0x100001108 GetComputerNameExW
0x100001110 lstrcmpiW
0x100001118 GetDriveTypeW
0x100001120 GetLogicalDriveStringsW
0x100001128 FormatMessageW
0x100001130 GetProcAddress
0x100001138 LocalFree
0x100001140 LoadLibraryA
0x100001148 ExpandEnvironmentStringsA
0x100001150 RtlCaptureContext
0x100001158 RtlLookupFunctionEntry
0x100001160 RtlVirtualUnwind
0x100001168 UnhandledExceptionFilter
0x100001170 GetCurrentProcess
0x100001178 TerminateProcess
0x100001180 GetSystemTimeAsFileTime
0x100001188 GetCurrentProcessId
0x100001190 GetCurrentThreadId
0x100001198 HeapSetInformation
0x1000011a0 RegisterApplicationRestart
0x1000011a8 lstrlenW
0x1000011b0 GetComputerNameW
0x1000011b8 GetLastError
0x1000011c0 Sleep
0x1000011c8 GetStartupInfoW
0x1000011d0 SetUnhandledExceptionFilter
0x1000011d8 GetModuleHandleW
0x1000011e0 QueryPerformanceCounter
0x1000011e8 GetTickCount
0x1000011f0 FreeLibrary
0x1000011f8 LoadLibraryW
GDI32.dll
0x1000010c8 CreateFontIndirectW
0x1000010d0 GetDeviceCaps
0x1000010d8 DeleteObject
USER32.dll
0x100001668 MessageBoxW
0x100001670 RegisterClipboardFormatW
0x100001678 EnableWindow
0x100001680 SendMessageW
0x100001688 GetParent
0x100001690 GetActiveWindow
0x100001698 ReleaseDC
0x1000016a0 PostMessageW
0x1000016a8 LoadImageW
0x1000016b0 SystemParametersInfoW
0x1000016b8 GetDC
MFC42u.dll
0x100001208 None
0x100001210 None
0x100001218 None
0x100001220 None
0x100001228 None
0x100001230 None
0x100001238 None
0x100001240 None
0x100001248 None
0x100001250 None
0x100001258 None
0x100001260 None
0x100001268 None
0x100001270 None
0x100001278 None
0x100001280 None
0x100001288 None
0x100001290 None
0x100001298 None
0x1000012a0 None
0x1000012a8 None
0x1000012b0 None
0x1000012b8 None
0x1000012c0 None
0x1000012c8 None
0x1000012d0 None
0x1000012d8 None
0x1000012e0 None
0x1000012e8 None
0x1000012f0 None
0x1000012f8 None
0x100001300 None
0x100001308 None
0x100001310 None
0x100001318 None
0x100001320 None
0x100001328 None
0x100001330 None
0x100001338 None
0x100001340 None
0x100001348 None
0x100001350 None
0x100001358 None
0x100001360 None
0x100001368 None
0x100001370 None
0x100001378 None
0x100001380 None
0x100001388 None
0x100001390 None
0x100001398 None
0x1000013a0 None
0x1000013a8 None
0x1000013b0 None
0x1000013b8 None
0x1000013c0 None
0x1000013c8 None
0x1000013d0 None
0x1000013d8 None
0x1000013e0 None
0x1000013e8 None
0x1000013f0 None
0x1000013f8 None
0x100001400 None
0x100001408 None
0x100001410 None
0x100001418 None
0x100001420 None
0x100001428 None
0x100001430 None
0x100001438 None
0x100001440 None
0x100001448 None
0x100001450 None
0x100001458 None
0x100001460 None
0x100001468 None
0x100001470 None
0x100001478 None
0x100001480 None
0x100001488 None
0x100001490 None
0x100001498 None
0x1000014a0 None
0x1000014a8 None
0x1000014b0 None
0x1000014b8 None
0x1000014c0 None
0x1000014c8 None
0x1000014d0 None
0x1000014d8 None
0x1000014e0 None
0x1000014e8 None
0x1000014f0 None
0x1000014f8 None
0x100001500 None
0x100001508 None
0x100001510 None
0x100001518 None
0x100001520 None
0x100001528 None
0x100001530 None
0x100001538 None
0x100001540 None
0x100001548 None
0x100001550 None
0x100001558 None
0x100001560 None
0x100001568 None
0x100001570 None
0x100001578 None
0x100001580 None
0x100001588 None
0x100001590 None
0x100001598 None
0x1000015a0 None
0x1000015a8 None
0x1000015b0 None
0x1000015b8 None
0x1000015c0 None
0x1000015c8 None
0x1000015d0 None
0x1000015d8 None
0x1000015e0 None
0x1000015e8 None
0x1000015f0 None
msvcrt.dll
0x1000016e8 _cexit
0x1000016f0 ?terminate@@YAXXZ
0x1000016f8 calloc
0x100001700 wcsncmp
0x100001708 free
0x100001710 __wgetmainargs
0x100001718 towupper
0x100001720 _exit
0x100001728 exit
0x100001730 _XcptFilter
0x100001738 __C_specific_handler
0x100001740 __CxxFrameHandler3
0x100001748 ??1type_info@@UEAA@XZ
0x100001750 _onexit
0x100001758 _lock
0x100001760 __dllonexit
0x100001768 _unlock
0x100001770 __set_app_type
0x100001778 _fmode
0x100001780 _commode
0x100001788 __setusermatherr
0x100001790 _amsg_exit
0x100001798 _initterm
0x1000017a0 _wcmdln
0x1000017a8 memset
0x1000017b0 memmove
0x1000017b8 _wcsnicmp
0x1000017c0 wcschr
0x1000017c8 wcsrchr
0x1000017d0 iswspace
0x1000017d8 memcpy
COMCTL32.dll
0x1000010a8 DestroyPropertySheetPage
0x1000010b0 PropertySheetW
0x1000010b8 None
ole32.dll
0x100001810 CoInitializeEx
0x100001818 CoCreateInstance
0x100001820 CoUninitialize
netutils.dll
0x1000017e8 NetApiBufferFree
0x1000017f0 NetpwPathType
0x1000017f8 NetpIsRemote
0x100001800 NetpwNameValidate
srvcli.dll
0x100001830 NetShareAdd
0x100001838 NetShareEnum
0x100001840 NetpsNameValidate
0x100001848 NetServerGetInfo
0x100001850 NetServerDiskEnum
0x100001858 NetShareSetInfo
0x100001860 NetShareGetInfo
ACLUI.dll
0x100001000 None
WS2_32.dll
0x1000016c8 WSACleanup
0x1000016d0 WSAStringToAddressW
0x1000016d8 WSAStartup
SHELL32.dll
0x100001600 None
0x100001608 None
0x100001610 None
0x100001618 None
0x100001620 None
0x100001628 None
0x100001630 SHChangeNotify
0x100001638 SHBrowseForFolderW
0x100001640 SHGetSpecialFolderLocation
0x100001648 SHGetDesktopFolder
0x100001650 SHGetMalloc
0x100001658 SHGetPathFromIDListW
EAT(Export Address Table) is none
ADVAPI32.dll
0x100001010 RegQueryValueExW
0x100001018 RegCloseKey
0x100001020 FreeSid
0x100001028 GetLengthSid
0x100001030 AddAccessAllowedAce
0x100001038 InitializeAcl
0x100001040 InitializeSecurityDescriptor
0x100001048 RegOpenKeyExW
0x100001050 MakeSelfRelativeSD
0x100001058 AllocateAndInitializeSid
0x100001060 LookupAccountNameW
0x100001068 MapGenericMask
0x100001070 GetSecurityDescriptorLength
0x100001078 GetSecurityDescriptorControl
0x100001080 RegQueryValueExA
0x100001088 SetSecurityDescriptorDacl
0x100001090 RegConnectRegistryW
0x100001098 RegOpenKeyExA
KERNEL32.dll
0x1000010e8 CreateDirectoryW
0x1000010f0 LocalAlloc
0x1000010f8 GlobalAlloc
0x100001100 GetFileAttributesW
0x100001108 GetComputerNameExW
0x100001110 lstrcmpiW
0x100001118 GetDriveTypeW
0x100001120 GetLogicalDriveStringsW
0x100001128 FormatMessageW
0x100001130 GetProcAddress
0x100001138 LocalFree
0x100001140 LoadLibraryA
0x100001148 ExpandEnvironmentStringsA
0x100001150 RtlCaptureContext
0x100001158 RtlLookupFunctionEntry
0x100001160 RtlVirtualUnwind
0x100001168 UnhandledExceptionFilter
0x100001170 GetCurrentProcess
0x100001178 TerminateProcess
0x100001180 GetSystemTimeAsFileTime
0x100001188 GetCurrentProcessId
0x100001190 GetCurrentThreadId
0x100001198 HeapSetInformation
0x1000011a0 RegisterApplicationRestart
0x1000011a8 lstrlenW
0x1000011b0 GetComputerNameW
0x1000011b8 GetLastError
0x1000011c0 Sleep
0x1000011c8 GetStartupInfoW
0x1000011d0 SetUnhandledExceptionFilter
0x1000011d8 GetModuleHandleW
0x1000011e0 QueryPerformanceCounter
0x1000011e8 GetTickCount
0x1000011f0 FreeLibrary
0x1000011f8 LoadLibraryW
GDI32.dll
0x1000010c8 CreateFontIndirectW
0x1000010d0 GetDeviceCaps
0x1000010d8 DeleteObject
USER32.dll
0x100001668 MessageBoxW
0x100001670 RegisterClipboardFormatW
0x100001678 EnableWindow
0x100001680 SendMessageW
0x100001688 GetParent
0x100001690 GetActiveWindow
0x100001698 ReleaseDC
0x1000016a0 PostMessageW
0x1000016a8 LoadImageW
0x1000016b0 SystemParametersInfoW
0x1000016b8 GetDC
MFC42u.dll
0x100001208 None
0x100001210 None
0x100001218 None
0x100001220 None
0x100001228 None
0x100001230 None
0x100001238 None
0x100001240 None
0x100001248 None
0x100001250 None
0x100001258 None
0x100001260 None
0x100001268 None
0x100001270 None
0x100001278 None
0x100001280 None
0x100001288 None
0x100001290 None
0x100001298 None
0x1000012a0 None
0x1000012a8 None
0x1000012b0 None
0x1000012b8 None
0x1000012c0 None
0x1000012c8 None
0x1000012d0 None
0x1000012d8 None
0x1000012e0 None
0x1000012e8 None
0x1000012f0 None
0x1000012f8 None
0x100001300 None
0x100001308 None
0x100001310 None
0x100001318 None
0x100001320 None
0x100001328 None
0x100001330 None
0x100001338 None
0x100001340 None
0x100001348 None
0x100001350 None
0x100001358 None
0x100001360 None
0x100001368 None
0x100001370 None
0x100001378 None
0x100001380 None
0x100001388 None
0x100001390 None
0x100001398 None
0x1000013a0 None
0x1000013a8 None
0x1000013b0 None
0x1000013b8 None
0x1000013c0 None
0x1000013c8 None
0x1000013d0 None
0x1000013d8 None
0x1000013e0 None
0x1000013e8 None
0x1000013f0 None
0x1000013f8 None
0x100001400 None
0x100001408 None
0x100001410 None
0x100001418 None
0x100001420 None
0x100001428 None
0x100001430 None
0x100001438 None
0x100001440 None
0x100001448 None
0x100001450 None
0x100001458 None
0x100001460 None
0x100001468 None
0x100001470 None
0x100001478 None
0x100001480 None
0x100001488 None
0x100001490 None
0x100001498 None
0x1000014a0 None
0x1000014a8 None
0x1000014b0 None
0x1000014b8 None
0x1000014c0 None
0x1000014c8 None
0x1000014d0 None
0x1000014d8 None
0x1000014e0 None
0x1000014e8 None
0x1000014f0 None
0x1000014f8 None
0x100001500 None
0x100001508 None
0x100001510 None
0x100001518 None
0x100001520 None
0x100001528 None
0x100001530 None
0x100001538 None
0x100001540 None
0x100001548 None
0x100001550 None
0x100001558 None
0x100001560 None
0x100001568 None
0x100001570 None
0x100001578 None
0x100001580 None
0x100001588 None
0x100001590 None
0x100001598 None
0x1000015a0 None
0x1000015a8 None
0x1000015b0 None
0x1000015b8 None
0x1000015c0 None
0x1000015c8 None
0x1000015d0 None
0x1000015d8 None
0x1000015e0 None
0x1000015e8 None
0x1000015f0 None
msvcrt.dll
0x1000016e8 _cexit
0x1000016f0 ?terminate@@YAXXZ
0x1000016f8 calloc
0x100001700 wcsncmp
0x100001708 free
0x100001710 __wgetmainargs
0x100001718 towupper
0x100001720 _exit
0x100001728 exit
0x100001730 _XcptFilter
0x100001738 __C_specific_handler
0x100001740 __CxxFrameHandler3
0x100001748 ??1type_info@@UEAA@XZ
0x100001750 _onexit
0x100001758 _lock
0x100001760 __dllonexit
0x100001768 _unlock
0x100001770 __set_app_type
0x100001778 _fmode
0x100001780 _commode
0x100001788 __setusermatherr
0x100001790 _amsg_exit
0x100001798 _initterm
0x1000017a0 _wcmdln
0x1000017a8 memset
0x1000017b0 memmove
0x1000017b8 _wcsnicmp
0x1000017c0 wcschr
0x1000017c8 wcsrchr
0x1000017d0 iswspace
0x1000017d8 memcpy
COMCTL32.dll
0x1000010a8 DestroyPropertySheetPage
0x1000010b0 PropertySheetW
0x1000010b8 None
ole32.dll
0x100001810 CoInitializeEx
0x100001818 CoCreateInstance
0x100001820 CoUninitialize
netutils.dll
0x1000017e8 NetApiBufferFree
0x1000017f0 NetpwPathType
0x1000017f8 NetpIsRemote
0x100001800 NetpwNameValidate
srvcli.dll
0x100001830 NetShareAdd
0x100001838 NetShareEnum
0x100001840 NetpsNameValidate
0x100001848 NetServerGetInfo
0x100001850 NetServerDiskEnum
0x100001858 NetShareSetInfo
0x100001860 NetShareGetInfo
ACLUI.dll
0x100001000 None
WS2_32.dll
0x1000016c8 WSACleanup
0x1000016d0 WSAStringToAddressW
0x1000016d8 WSAStartup
SHELL32.dll
0x100001600 None
0x100001608 None
0x100001610 None
0x100001618 None
0x100001620 None
0x100001628 None
0x100001630 SHChangeNotify
0x100001638 SHBrowseForFolderW
0x100001640 SHGetSpecialFolderLocation
0x100001648 SHGetDesktopFolder
0x100001650 SHGetMalloc
0x100001658 SHGetPathFromIDListW
EAT(Export Address Table) is none