Field | Value |
---|---|
Created | 2024.06.07 09:39 |
Machine | s1_win7_x6401 |
Filename | RuntimeBroker.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 54 detected (AIDetectMalware, Dacic, Malicious, score, Dorv, BitCoinMiner, Unsafe, Save, Attribute, HighConfidence, moderate confidence, FlyStudio, Artemis, CoinminerX, Coinminer, Miner, HackTool, VulnDriver, CLOUD, StartPage1, R011C0WF424, Real Protect, high, Generic Reputation PUA, Detected, Wacatac, 1OV7PVV, ABRisk, IYZQ, ZexaF, coKfaODhXugb, GenAsa, sMNOAPEjgxc, ai score=88, susgen) |
md5 | 6cf863b98e0282f50e8d5f90f611f664 |
sha256 | 7e2d83b2683c93d79c4168abc7c8d3f6072b0744365c92161194ae0a24f2d920 |
ssdeep | 49152:bkay7C/f8R+II5hIp9uTOzNnzOxG0BKTFYkFENrFyb6QOnB:Qay7WHIIkpAWhzOrItFENrFfn |
imphash | 8b94135981ded7e6762d97348e2b9f39 |
impfuzzy | 6:dBJAEHGDzyRlbRmVOZ/EwRgsyIBM9IVbyxLMKJAmzRjLbtuISXqVqXvEt2:VA/DzqYOZ9RghIBAIVex+m9xutXuksI |
Signature (17cnts)
Level | Description |
---|---|
danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Created a service where a service was also not started |
watch | Detects Virtual Machines through their custom firmware |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Expresses interest in specific running processes |
notice | Foreign language identified in PE resource |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | The executable is compressed using UPX |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | Queries for the computername |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (12cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | XMRig_Miner_IN | XMRig Miner | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | ASPack_Zero | ASPack packed file | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | IsPE64 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.DLL
0xa35fd4 LoadLibraryA
0xa35fd8 GetProcAddress
0xa35fdc VirtualProtect
0xa35fe0 VirtualAlloc
0xa35fe4 VirtualFree
0xa35fe8 ExitProcess
ADVAPI32.dll
0xa35ff0 RegCloseKey
COMCTL32.dll
0xa35ff8 None
comdlg32.dll
0xa36000 ChooseColorA
GDI32.dll
0xa36008 Escape
ole32.dll
0xa36010 OleInitialize
OLEAUT32.dll
0xa36018 LoadTypeLib
SHELL32.dll
0xa36020 ShellExecuteA
USER32.dll
0xa36028 GetDC
WINMM.dll
0xa36030 waveOutOpen
WINSPOOL.DRV
0xa36038 OpenPrinterA
WS2_32.dll
0xa36040 WSAAsyncSelect
EAT(Export Address Table) is none