ScreenShot
Field | Value
---|---
Created | 2024.02.01 08:04
Machine | s1_win7_x6403
Filename | rty25.exe
Type | PE32+ executable (GUI) x86-64, for MS Windows
AI Score |
Behavior Score |
ZERO API | file : clean
VT API (file) |
md5 | 5fd7aff48d27771ca0aec6776afefb93
sha256 | a9498e18f267a568b57d3a281d14118c70ffd1aae42411ee9a7661092beee97b
ssdeep | 6144:k7F5GxMr+PtCE2kWCZ3j9Z0CINiNRpxyN90vE:4FYxMqAEVBkCIWZy90
imphash | 5f7cc0f5167c2e87d5d2573013f2660f
impfuzzy | 96:FKx5LBmf6TP8ZZeVcjEIhVKnC4cvd5WBizlB3EG6KSe:oxfTUlERC4cvdABizl7/Se
Signature (8cnts)
Level | Description |
---|---|
watch | Attempts to create or modify system certificates |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Performs some HTTP requests |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Collects information to fingerprint the system (MachineGuid |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (4cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (4cnts)
Suricata IDS
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Note: a JA3 hash fingerprints the TLS client stack (library, cipher and extension ordering), not the executable. SSLBL attributes this JA3 to Tofsee, but any client built on the same TLS stack produces the same hash, so corroborate the hit with the contacted host before treating it as an identification of the sample.
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x100001000 RegCreateKeyExW
0x100001008 RegSetValueExW
0x100001010 RegCloseKey
0x100001018 InitiateSystemShutdownExW
0x100001020 CreateProcessAsUserW
0x100001028 RegOpenKeyExW
0x100001030 ConvertSidToStringSidW
0x100001038 RegDeleteValueW
0x100001040 RegEnumKeyW
0x100001048 RegQueryValueExW
0x100001050 RegDeleteKeyW
0x100001058 AllocateAndInitializeSid
0x100001060 CheckTokenMembership
0x100001068 FreeSid
0x100001070 LookupPrivilegeValueW
0x100001078 OpenProcessToken
0x100001080 AdjustTokenPrivileges
0x100001088 GetTokenInformation
0x100001090 CopySid
0x100001098 RegDeleteKeyValueW
0x1000010a0 StartTraceW
0x1000010a8 EnableTrace
0x1000010b0 ControlTraceW
0x1000010b8 CloseTrace
0x1000010c0 IsValidSid
0x1000010c8 GetLengthSid
0x1000010d0 InitializeSecurityDescriptor
0x1000010d8 InitializeAcl
0x1000010e0 AddAccessAllowedAce
0x1000010e8 SetSecurityDescriptorDacl
0x1000010f0 CryptAcquireContextW
0x1000010f8 CryptGenRandom
0x100001100 DecryptFileA
0x100001108 CryptReleaseContext
0x100001110 EventRegister
0x100001118 EventUnregister
0x100001120 EventEnabled
0x100001128 EventWrite
KERNEL32.dll
0x100001190 ProcessIdToSessionId
0x100001198 GetCurrentProcessId
0x1000011a0 FormatMessageW
0x1000011a8 GetModuleHandleW
0x1000011b0 CreateFileW
0x1000011b8 GetFullPathNameW
0x1000011c0 GetCurrentProcess
0x1000011c8 CreateEventW
0x1000011d0 InitializeCriticalSectionAndSpinCount
0x1000011d8 DeleteCriticalSection
0x1000011e0 SetEvent
0x1000011e8 EnterCriticalSection
0x1000011f0 LeaveCriticalSection
0x1000011f8 GetExitCodeProcess
0x100001200 GetFileAttributesA
0x100001208 MultiByteToWideChar
0x100001210 GetSystemDirectoryA
0x100001218 lstrcmpW
0x100001220 DeleteFileW
0x100001228 MoveFileExW
0x100001230 RemoveDirectoryW
0x100001238 CreateDirectoryW
0x100001240 OutputDebugStringW
0x100001248 lstrlenW
0x100001250 GetFileAttributesW
0x100001258 WaitForSingleObject
0x100001260 GetSystemDirectoryW
0x100001268 FreeLibrary
0x100001270 GetProcAddress
0x100001278 LoadLibraryW
0x100001280 GetSystemWindowsDirectoryW
0x100001288 FindClose
0x100001290 CloseHandle
0x100001298 CreateDirectoryA
0x1000012a0 GetCommandLineW
0x1000012a8 GetLastError
0x1000012b0 LocalFree
0x1000012b8 CreateThread
0x1000012c0 FindFirstFileW
0x1000012c8 lstrcmpiW
0x1000012d0 FindNextFileW
0x1000012d8 Sleep
0x1000012e0 GetStartupInfoW
0x1000012e8 SetUnhandledExceptionFilter
0x1000012f0 QueryPerformanceCounter
0x1000012f8 GetTickCount
0x100001300 GetCurrentThreadId
0x100001308 GetSystemTimeAsFileTime
0x100001310 TerminateProcess
0x100001318 UnhandledExceptionFilter
0x100001320 OutputDebugStringA
0x100001328 GetExitCodeThread
GDI32.dll
0x100001148 GetStockObject
0x100001150 GetDeviceCaps
0x100001158 DeleteDC
0x100001160 GetTextExtentPoint32W
0x100001168 SelectObject
0x100001170 CreateCompatibleDC
0x100001178 DeleteObject
0x100001180 CreateFontIndirectW
USER32.dll
0x100001398 EndPaint
0x1000013a0 FillRect
0x1000013a8 BeginPaint
0x1000013b0 ReleaseDC
0x1000013b8 SendDlgItemMessageW
0x1000013c0 SendMessageW
0x1000013c8 SetRect
0x1000013d0 GetClientRect
0x1000013d8 ShowWindow
0x1000013e0 SystemParametersInfoW
0x1000013e8 PostMessageW
0x1000013f0 SetFocus
0x1000013f8 DestroyAcceleratorTable
0x100001400 TranslateAcceleratorW
0x100001408 CreateAcceleratorTableW
0x100001410 DestroyWindow
0x100001418 ShutdownBlockReasonDestroy
0x100001420 ShutdownBlockReasonCreate
0x100001428 CreateWindowExW
0x100001430 RegisterClassExW
0x100001438 DefWindowProcW
0x100001440 DispatchMessageW
0x100001448 TranslateMessage
0x100001450 PeekMessageW
0x100001458 GetDlgItem
0x100001460 SetDlgItemTextW
0x100001468 EnableWindow
0x100001470 SetWindowLongW
0x100001478 LoadIconW
0x100001480 LoadCursorW
0x100001488 UpdateWindow
0x100001490 EndDialog
0x100001498 DialogBoxParamW
0x1000014a0 MessageBoxW
0x1000014a8 MsgWaitForMultipleObjects
0x1000014b0 GetDC
msvcrt.dll
0x1000014e0 _amsg_exit
0x1000014e8 memcpy
0x1000014f0 memmove
0x1000014f8 wcsrchr
0x100001500 _vsnwprintf
0x100001508 ??2@YAPEAX_K@Z
0x100001510 ??3@YAXPEAX@Z
0x100001518 _wcsicmp
0x100001520 ?terminate@@YAXXZ
0x100001528 _onexit
0x100001530 _lock
0x100001538 __dllonexit
0x100001540 _unlock
0x100001548 __set_app_type
0x100001550 _fmode
0x100001558 _commode
0x100001560 __setusermatherr
0x100001568 memset
0x100001570 _initterm
0x100001578 _wcmdln
0x100001580 exit
0x100001588 _cexit
0x100001590 _exit
0x100001598 _XcptFilter
0x1000015a0 __C_specific_handler
0x1000015a8 __wgetmainargs
0x1000015b0 _vsnprintf
0x1000015b8 wcschr
0x1000015c0 iswdigit
0x1000015c8 _wcsnicmp
ole32.dll
0x100001618 CoInitializeSecurity
0x100001620 CoUninitialize
0x100001628 CoTaskMemFree
0x100001630 CoInitializeEx
0x100001638 CoCreateInstance
OLEAUT32.dll
0x100001338 SysAllocString
0x100001340 VariantInit
0x100001348 SysFreeString
SHELL32.dll
0x100001358 CommandLineToArgvW
0x100001360 SHBrowseForFolderW
0x100001368 ShellExecuteExW
0x100001370 SHGetPathFromIDListW
0x100001378 None (unnamed import: the report could not resolve a function name, which usually means an import by ordinal)
SHLWAPI.dll
0x100001388 StrToIntExW
ntdll.dll
0x1000015d8 WinSqmSetDWORD
0x1000015e0 RtlVirtualUnwind
0x1000015e8 RtlLookupFunctionEntry
0x1000015f0 RtlCaptureContext
0x1000015f8 WinSqmStartSession
0x100001600 WinSqmSetString
0x100001608 WinSqmEndSession
dpx.dll
0x1000014d0 DpxNewJob
WTSAPI32.dll
0x1000014c0 WTSQueryUserToken
COMCTL32.dll
0x100001138 InitCommonControlsEx
EAT(Export Address Table) is none
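The IAT above is the most informative part of this report, since the file-level verdict is clean and the only network hit is a JA3 fingerprint. As an added example (editor's code, not the sandbox's or the report's), the script below parses a listing in the report's own "DLL / 0xADDR Name" layout and maps imports to coarse capability tags. The tag table is the editor's own selection of well-known Win32 API semantics, not something the report asserts; the embedded input is a constructed excerpt of the listing above, and the report's `None` entry is treated as an unnamed (ordinal-style) import. The UPX check encodes the observation that a genuinely UPX-wrapped PE exposes only a stub-sized import table, which this listing, despite the UPX_Zero rule hit, does not resemble.

```python
"""Capability triage of a PE import table as listed in a sandbox report.

Editor's example, not code from the report or the sandbox. The capability
rules are the editor's own mapping of documented Win32 API semantics.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed excerpt of the report's IAT listing, in the report's layout.
SAMPLE_IAT = """\
ADVAPI32.dll
0x100001020 CreateProcessAsUserW
0x100001058 AllocateAndInitializeSid
0x100001060 CheckTokenMembership
0x100001070 LookupPrivilegeValueW
0x100001078 OpenProcessToken
0x100001080 AdjustTokenPrivileges
0x1000010a0 StartTraceW
0x1000010f0 CryptAcquireContextW
0x1000010f8 CryptGenRandom
0x100001128 EventWrite
KERNEL32.dll
0x100001270 GetProcAddress
0x100001278 LoadLibraryW
0x1000012b8 CreateThread
SHELL32.dll
0x100001368 ShellExecuteExW
0x100001378 None
WTSAPI32.dll
0x1000014c0 WTSQueryUserToken
EAT(Export Address Table) is none
"""

DLL_LINE = re.compile(r"^\s*([\w.-]+\.dll)\s*$", re.IGNORECASE)
IMPORT_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\S+)\s*$")


def parse_iat(text: str) -> dict[str, list[str]]:
    """Parse 'DLL / 0xADDR Name' lines into {dll_lower: [function names]}.

    The report writes 'None' where it could not resolve an import name
    (typically an import by ordinal); it is recorded as '<unnamed>'.
    """
    imports: dict[str, list[str]] = defaultdict(list)
    dll = None
    for line in text.splitlines():
        if (m := DLL_LINE.match(line)):
            dll = m.group(1).lower()
        elif dll and (m := IMPORT_LINE.match(line)):
            name = m.group(1)
            imports[dll].append("<unnamed>" if name == "None" else name)
    return dict(imports)


# Editor's rules: a tag fires only when every listed import is present.
CAPABILITY_RULES = {
    "token-privilege-adjust": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "admin-membership-check": {"AllocateAndInitializeSid", "CheckTokenMembership"},
    "run-in-user-session": {"WTSQueryUserToken", "CreateProcessAsUserW"},
    "system-shutdown": {"InitiateSystemShutdownExW"},
    "registry-write": {"RegCreateKeyExW", "RegSetValueExW"},
    "etw-tracing": {"StartTraceW", "EventWrite"},
    "dynamic-api-resolution": {"LoadLibraryW", "GetProcAddress"},
    "csp-random": {"CryptAcquireContextW", "CryptGenRandom"},
    "shell-execute": {"ShellExecuteExW"},
}


def capabilities(imports: dict[str, list[str]]) -> list[str]:
    """Return the sorted capability tags whose required imports all appear."""
    present = {f for names in imports.values() for f in names}
    return sorted(tag for tag, need in CAPABILITY_RULES.items() if need <= present)


def consistent_with_upx_stub(imports: dict[str, list[str]]) -> bool:
    """UPX rebuilds the real IAT at unpack time; the on-disk stub typically
    keeps a few kernel32 imports plus one placeholder import per original
    DLL. A listing richer than that is not what a UPX-wrapped PE exposes."""
    for dll, names in imports.items():
        limit = 8 if dll == "kernel32.dll" else 1
        if len(names) > limit:
            return False
    return True


def triage(text: str) -> dict:
    """Summarise a listing: DLLs, import count, capability tags, UPX shape."""
    imports = parse_iat(text)
    return {
        "dlls": sorted(imports),
        "import_count": sum(len(v) for v in imports.values()),
        "capabilities": capabilities(imports),
        "upx_stub_shaped": consistent_with_upx_stub(imports),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_IAT), indent=2))
```

Tags describe capability, not intent: `run-in-user-session` (WTSQueryUserToken plus CreateProcessAsUserW) and `system-shutdown` are equally at home in a Windows servicing installer and in malware, which is why the report's signature hits and the contacted hosts, not the import table alone, should decide the verdict.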