Report - RuntimeBroker.exe

Tags: XMRig Miner, Generic Malware, UPX, Malicious Library, ASPack, Malicious Packer, PE File, PE32, PE64, OS Processor Check
Created 2024.06.07 09:39 Machine s1_win7_x6401
Filename RuntimeBroker.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score: 10
Behavior Score: 7.2
ZERO API (file): malware
VT API (file): 54 detected (AIDetectMalware, Dacic, Malicious, score, Dorv, BitCoinMiner, Unsafe, Save, Attribute, HighConfidence, moderate confidence, FlyStudio, Artemis, CoinminerX, Coinminer, Miner, HackTool, VulnDriver, CLOUD, StartPage1, R011C0WF424, Real Protect, high, Generic Reputation PUA, Detected, Wacatac, 1OV7PVV, ABRisk, IYZQ, ZexaF, coKfaODhXugb, GenAsa, sMNOAPEjgxc, ai score=88, susgen)
md5 6cf863b98e0282f50e8d5f90f611f664
sha256 7e2d83b2683c93d79c4168abc7c8d3f6072b0744365c92161194ae0a24f2d920
ssdeep 49152:bkay7C/f8R+II5hIp9uTOzNnzOxG0BKTFYkFENrFyb6QOnB:Qay7WHIIkpAWhzOrItFENrFfn
imphash 8b94135981ded7e6762d97348e2b9f39
impfuzzy 6:dBJAEHGDzyRlbRmVOZ/EwRgsyIBM9IVbyxLMKJAmzRjLbtuISXqVqXvEt2:VA/DzqYOZ9RghIBAIVex+m9xutXuksI

Signatures (17)

Level Description
danger File has been identified by 54 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Created a service where a service was also not started
watch Detects Virtual Machines through their custom firmware
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Expresses interest in specific running processes
notice Foreign language identified in PE resource
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Checks amount of memory in system
info Command line console output was observed
info Queries for the computername
info The executable uses a known packer
info The file contains an unknown PE resource name possibly indicative of a packer
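
Two of the signatures above, "Communicates with host for which no DNS query was performed" and "Allocates read-write-execute memory (usually to unpack itself)", re-implemented as detection logic over an API-call trace. This is an added example, not the sandbox's own scoring code: the event format, the API names used as triggers, and the sample trace are assumptions (the flagged IP is the one from the Network section below; the hostname and the other addresses are constructed).

```python
"""Re-implementation of two behaviour signatures from the report (added example,
not the sandbox's code). Trace format is assumed: (sequence, api_name, arguments)."""
import ipaddress

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant (documented value)
ALLOC_APIS = ("VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory")
DNS_APIS = ("getaddrinfo", "gethostbyname", "DnsQuery_A", "DnsQuery_W")
CONNECT_APIS = ("connect", "WSAConnect")

# Constructed sample trace in call order. Only 104.26.5.15 comes from the report.
SAMPLE_TRACE = [
    (1, "VirtualAlloc", {"size": 0x1000, "protection": 0x04}),                       # PAGE_READWRITE
    (2, "VirtualAlloc", {"size": 0x9A000, "protection": PAGE_EXECUTE_READWRITE}),    # RWX for unpacking
    (3, "getaddrinfo",  {"hostname": "www.example.com", "answers": ["93.184.215.14"]}),
    (4, "connect",      {"ip": "93.184.215.14", "port": 80}),    # resolved first: not flagged
    (5, "connect",      {"ip": "104.26.5.15", "port": 443}),     # never resolved: flagged
    (6, "connect",      {"ip": "127.0.0.1", "port": 5353}),      # loopback: ignored
]


def rwx_allocations(trace):
    """Sequence numbers of allocations requesting PAGE_EXECUTE_READWRITE.
    The low byte is compared because PAGE_GUARD / PAGE_NOCACHE can be OR'ed in."""
    return [seq for seq, api, args in trace
            if api in ALLOC_APIS
            and (args.get("protection", 0) & 0xFF) == PAGE_EXECUTE_READWRITE]


def connects_without_dns(trace):
    """(seq, ip) for connect() calls to a public IP that no earlier DNS answer returned.
    Private, loopback and link-local targets are skipped, as a sandbox would do."""
    resolved, hits = set(), []
    for seq, api, args in trace:
        if api in DNS_APIS:
            resolved.update(args.get("answers", []))
        elif api in CONNECT_APIS:
            ip = ipaddress.ip_address(args["ip"])
            if ip.is_global and str(ip) not in resolved:
                hits.append((seq, str(ip)))
    return hits


def evaluate(trace):
    """Map each fired signature (with its report level) to the evidence found."""
    findings = {}
    rwx = rwx_allocations(trace)
    if rwx:
        findings["notice: Allocates read-write-execute memory"] = rwx
    no_dns = connects_without_dns(trace)
    if no_dns:
        findings["watch: Communicates with host for which no DNS query was performed"] = no_dns
    return findings


if __name__ == "__main__":
    for name, evidence in evaluate(SAMPLE_TRACE).items():
        print(f"{name}: {evidence}")
```

The DNS check is order-sensitive on purpose: an answer that arrives after the connect() does not excuse it, which is how a hard-coded pool or CDN address in a miner config stands out from normal name-based traffic.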

Rules (12)

Level Name Description Collection
danger XMRig_Miner_IN XMRig Miner binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch ASPack_Zero ASPack packed file binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (1)

Request CC ASN Co IP4 Rule ZERO
104.26.5.15 US CLOUDFLARENET 104.26.5.15 - clean

Suricata IDS

PE API

IAT (Import Address Table) by library

KERNEL32.DLL
 0xa35fd4 LoadLibraryA
 0xa35fd8 GetProcAddress
 0xa35fdc VirtualProtect
 0xa35fe0 VirtualAlloc
 0xa35fe4 VirtualFree
 0xa35fe8 ExitProcess
ADVAPI32.dll
 0xa35ff0 RegCloseKey
COMCTL32.dll
 0xa35ff8 None (unnamed import, typically by ordinal)
comdlg32.dll
 0xa36000 ChooseColorA
GDI32.dll
 0xa36008 Escape
ole32.dll
 0xa36010 OleInitialize
OLEAUT32.dll
 0xa36018 LoadTypeLib
SHELL32.dll
 0xa36020 ShellExecuteA
USER32.dll
 0xa36028 GetDC
WINMM.dll
 0xa36030 waveOutOpen
WINSPOOL.DRV
 0xa36038 OpenPrinterA
WS2_32.dll
 0xa36040 WSAAsyncSelect

EAT (Export Address Table): none
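
The import table above is the UPX stub's, not the payload's: kernel32 contributes only the loader and memory APIs the stub needs (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess) and every other DLL keeps exactly one import so the loader maps it, after which the decompressed code resolves its real functions with GetProcAddress. The imphash reported above therefore identifies the packer stub plus DLL set more than the miner itself. The following added example (not the report's code) computes an imphash the way pefile does from the listed IAT and applies that stub heuristic; the unnamed COMCTL32 entry is assumed to be an import by ordinal, and since the ordinal value is not on the page a placeholder is used, so the result is not expected to equal the reported value.

```python
"""imphash over the stub-level IAT from the report, plus a UPX-stub heuristic.
Added example, not the report's or pefile's code."""
import hashlib

# Import table as printed in the report: (DLL, [function names]); None = unnamed import.
REPORT_IAT = [
    ("KERNEL32.DLL", ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                      "VirtualAlloc", "VirtualFree", "ExitProcess"]),
    ("ADVAPI32.dll", ["RegCloseKey"]),
    ("COMCTL32.dll", [None]),            # printed as "None"; assumed import by ordinal
    ("comdlg32.dll", ["ChooseColorA"]),
    ("GDI32.dll", ["Escape"]),
    ("ole32.dll", ["OleInitialize"]),
    ("OLEAUT32.dll", ["LoadTypeLib"]),
    ("SHELL32.dll", ["ShellExecuteA"]),
    ("USER32.dll", ["GetDC"]),
    ("WINMM.dll", ["waveOutOpen"]),
    ("WINSPOOL.DRV", ["OpenPrinterA"]),
    ("WS2_32.dll", ["WSAAsyncSelect"]),
]

# kernel32 functions a UPX stub needs; anything beyond these suggests an unpacked binary.
UPX_STUB_KERNEL32 = {"loadlibrarya", "getprocaddress", "virtualprotect",
                     "virtualalloc", "virtualfree", "exitprocess"}


def normalize_imports(iat, unnamed_ordinal="unknown"):
    """pefile-style entries 'dll.func': DLL lowercased with .dll/.ocx/.sys stripped
    (other extensions such as .drv are kept), function lowercased, unnamed imports
    rendered as ord<N>. unnamed_ordinal is a placeholder: the page gives no ordinal."""
    entries = []
    for dll, funcs in iat:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in funcs:
            name = func.lower() if func is not None else f"ord{unnamed_ordinal}"
            entries.append(f"{lib}.{name}")
    return entries


def imphash(iat, unnamed_ordinal="unknown"):
    """MD5 over the comma-joined normalized import list, in IAT order."""
    joined = ",".join(normalize_imports(iat, unnamed_ordinal))
    return hashlib.md5(joined.encode()).hexdigest()


def looks_like_upx_stub(iat):
    """Heuristic: kernel32 exposes only loader/memory APIs (at least LoadLibraryA and
    GetProcAddress) and every other DLL has exactly one import."""
    k32 = None
    for dll, funcs in iat:
        if dll.lower().startswith("kernel32"):
            k32 = {f.lower() for f in funcs if f is not None}
        elif len(funcs) != 1:
            return False
    return (k32 is not None and k32 <= UPX_STUB_KERNEL32
            and {"loadlibrarya", "getprocaddress"} <= k32)


if __name__ == "__main__":
    print("imphash (placeholder ordinal):", imphash(REPORT_IAT))
    print("UPX stub-shaped IAT:", looks_like_upx_stub(REPORT_IAT))
```

For clustering XMRig droppers, compute the imphash (and ssdeep) on the unpacked image rather than on this stub; the packed-file hash will group the sample with unrelated UPX-packed software that happens to link the same DLLs.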