ScreenShot
| Created | 2024.07.26 10:52 | Machine | s1_win7_x6401 |
| Filename | RoguePotato.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 55 detected (AIDetectMalware, Hacktool, RoguePotato, Windows, FakePipe, Malicious, score, Unsafe, V61h, Attribute, HighConfidence, Artemis, HacktoolX, XEE7jVchXEU, aauzm, Tool, R002C0DBC24, RPotato, Static AI, Suspicious PE, Detected, ai score=100, GrayWare, Malware@#102lv8uzt4o33, RogueP, Eldorado, R372564, Gencirc, G4+ry0v7GR8, susgen, confidence, 100%) | ||
| md5 | 2dd755be5842e71b304d2fbff93eb2a3 | ||
| sha256 | a4778d50307de4ab13e48de90d72b7c5e19b4f9356a611a9faf95cfda0523c46 | ||
| ssdeep | 3072:OkZ3S+4uT4jKhwkF5FETnXn74/8Q/kV1tZGKbJQ:O6SGTnhwS7KnXnI/KV | ||
| imphash | 959a83047e80ab68b368fdb3f4c6e4ea | ||
| impfuzzy | 48:o0OBteS17Bg2c+ppZ+3MlQj6ugig7m75QKO24O1cm3mM/hdFgdaf:oNteS17Bg2c+ppZpoMnwcm3mM/vOdaf | ||
Network IP location
Signature (3cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1400180e8 SetStdHandle
0x1400180f0 GetStringTypeW
0x1400180f8 FlushFileBuffers
0x140018100 GetConsoleCP
0x140018108 GetConsoleMode
0x140018110 GetFileSizeEx
0x140018118 SetFilePointerEx
0x140018120 HeapSize
0x140018128 CreateFileW
0x140018130 WriteConsoleW
0x140018138 GetProcAddress
0x140018140 OpenProcess
0x140018148 GetModuleHandleA
0x140018150 DuplicateHandle
0x140018158 GetCurrentProcess
0x140018160 ConnectNamedPipe
0x140018168 CreateThread
0x140018170 CloseHandle
0x140018178 GetCurrentThread
0x140018180 WaitForSingleObject
0x140018188 CreateNamedPipeW
0x140018190 ReadFile
0x140018198 GetProcessHeap
0x1400181a0 HeapAlloc
0x1400181a8 GetLastError
0x1400181b0 HeapFree
0x1400181b8 SetEnvironmentVariableW
0x1400181c0 FreeEnvironmentStringsW
0x1400181c8 GetEnvironmentStringsW
0x1400181d0 MultiByteToWideChar
0x1400181d8 GetCPInfo
0x1400181e0 GetOEMCP
0x1400181e8 GetACP
0x1400181f0 IsValidCodePage
0x1400181f8 FindNextFileW
0x140018200 FindFirstFileExW
0x140018208 FindClose
0x140018210 HeapReAlloc
0x140018218 WideCharToMultiByte
0x140018220 GetFileType
0x140018228 LCMapStringW
0x140018230 CompareStringW
0x140018238 UnhandledExceptionFilter
0x140018240 SetUnhandledExceptionFilter
0x140018248 TerminateProcess
0x140018250 IsProcessorFeaturePresent
0x140018258 QueryPerformanceCounter
0x140018260 GetCurrentProcessId
0x140018268 GetCurrentThreadId
0x140018270 GetSystemTimeAsFileTime
0x140018278 InitializeSListHead
0x140018280 IsDebuggerPresent
0x140018288 GetStartupInfoW
0x140018290 GetModuleHandleW
0x140018298 RtlUnwindEx
0x1400182a0 RtlPcToFileHeader
0x1400182a8 RaiseException
0x1400182b0 SetLastError
0x1400182b8 EncodePointer
0x1400182c0 EnterCriticalSection
0x1400182c8 LeaveCriticalSection
0x1400182d0 DeleteCriticalSection
0x1400182d8 InitializeCriticalSectionAndSpinCount
0x1400182e0 TlsAlloc
0x1400182e8 TlsGetValue
0x1400182f0 TlsSetValue
0x1400182f8 TlsFree
0x140018300 FreeLibrary
0x140018308 LoadLibraryExW
0x140018310 ExitProcess
0x140018318 GetModuleHandleExW
0x140018320 GetStdHandle
0x140018328 WriteFile
0x140018330 GetModuleFileNameW
0x140018338 GetCommandLineA
0x140018340 GetCommandLineW
USER32.dll
0x1400183a0 SetProcessWindowStation
0x1400183a8 CloseDesktop
0x1400183b0 GetUserObjectInformationW
0x1400183b8 SetUserObjectSecurity
0x1400183c0 GetUserObjectSecurity
0x1400183c8 OpenWindowStationW
0x1400183d0 CloseWindowStation
0x1400183d8 GetProcessWindowStation
0x1400183e0 OpenDesktopW
0x1400183e8 wsprintfW
ADVAPI32.dll
0x140018000 AddAccessAllowedAce
0x140018008 LookupPrivilegeValueW
0x140018010 AdjustTokenPrivileges
0x140018018 RevertToSelf
0x140018020 EqualSid
0x140018028 CloseServiceHandle
0x140018030 OpenSCManagerW
0x140018038 CreateProcessWithTokenW
0x140018040 ImpersonateLoggedOnUser
0x140018048 OpenProcessToken
0x140018050 CreateProcessAsUserW
0x140018058 OpenServiceW
0x140018060 DuplicateTokenEx
0x140018068 QueryServiceStatusEx
0x140018070 GetTokenInformation
0x140018078 ImpersonateNamedPipeClient
0x140018080 ConvertStringSecurityDescriptorToSecurityDescriptorW
0x140018088 OpenThreadToken
0x140018090 SetSecurityDescriptorDacl
0x140018098 GetSecurityDescriptorDacl
0x1400180a0 GetAclInformation
0x1400180a8 GetAce
0x1400180b0 AllocateAndInitializeSid
0x1400180b8 CopySid
0x1400180c0 AddAce
0x1400180c8 InitializeSecurityDescriptor
0x1400180d0 InitializeAcl
0x1400180d8 GetLengthSid
ole32.dll
0x140018418 CoTaskMemAlloc
0x140018420 CoInitialize
0x140018428 StgCreateDocfileOnILockBytes
0x140018430 CreateILockBytesOnHGlobal
0x140018438 CoGetInstanceFromIStorage
0x140018440 CoUninitialize
0x140018448 CLSIDFromString
RPCRT4.dll
0x140018350 RpcServerRegisterIf2
0x140018358 RpcEpRegisterA
0x140018360 RpcImpersonateClient
0x140018368 NdrServerCall2
0x140018370 NdrServerCallAll
0x140018378 RpcServerInqBindings
0x140018380 RpcServerUseProtseqEpA
0x140018388 RpcServerListen
0x140018390 RpcServerRegisterAuthInfoA
ntdll.dll
0x1400183f8 RtlLookupFunctionEntry
0x140018400 RtlVirtualUnwind
0x140018408 RtlCaptureContext
EAT(Export Address Table) is none
KERNEL32.dll
0x1400180e8 SetStdHandle
0x1400180f0 GetStringTypeW
0x1400180f8 FlushFileBuffers
0x140018100 GetConsoleCP
0x140018108 GetConsoleMode
0x140018110 GetFileSizeEx
0x140018118 SetFilePointerEx
0x140018120 HeapSize
0x140018128 CreateFileW
0x140018130 WriteConsoleW
0x140018138 GetProcAddress
0x140018140 OpenProcess
0x140018148 GetModuleHandleA
0x140018150 DuplicateHandle
0x140018158 GetCurrentProcess
0x140018160 ConnectNamedPipe
0x140018168 CreateThread
0x140018170 CloseHandle
0x140018178 GetCurrentThread
0x140018180 WaitForSingleObject
0x140018188 CreateNamedPipeW
0x140018190 ReadFile
0x140018198 GetProcessHeap
0x1400181a0 HeapAlloc
0x1400181a8 GetLastError
0x1400181b0 HeapFree
0x1400181b8 SetEnvironmentVariableW
0x1400181c0 FreeEnvironmentStringsW
0x1400181c8 GetEnvironmentStringsW
0x1400181d0 MultiByteToWideChar
0x1400181d8 GetCPInfo
0x1400181e0 GetOEMCP
0x1400181e8 GetACP
0x1400181f0 IsValidCodePage
0x1400181f8 FindNextFileW
0x140018200 FindFirstFileExW
0x140018208 FindClose
0x140018210 HeapReAlloc
0x140018218 WideCharToMultiByte
0x140018220 GetFileType
0x140018228 LCMapStringW
0x140018230 CompareStringW
0x140018238 UnhandledExceptionFilter
0x140018240 SetUnhandledExceptionFilter
0x140018248 TerminateProcess
0x140018250 IsProcessorFeaturePresent
0x140018258 QueryPerformanceCounter
0x140018260 GetCurrentProcessId
0x140018268 GetCurrentThreadId
0x140018270 GetSystemTimeAsFileTime
0x140018278 InitializeSListHead
0x140018280 IsDebuggerPresent
0x140018288 GetStartupInfoW
0x140018290 GetModuleHandleW
0x140018298 RtlUnwindEx
0x1400182a0 RtlPcToFileHeader
0x1400182a8 RaiseException
0x1400182b0 SetLastError
0x1400182b8 EncodePointer
0x1400182c0 EnterCriticalSection
0x1400182c8 LeaveCriticalSection
0x1400182d0 DeleteCriticalSection
0x1400182d8 InitializeCriticalSectionAndSpinCount
0x1400182e0 TlsAlloc
0x1400182e8 TlsGetValue
0x1400182f0 TlsSetValue
0x1400182f8 TlsFree
0x140018300 FreeLibrary
0x140018308 LoadLibraryExW
0x140018310 ExitProcess
0x140018318 GetModuleHandleExW
0x140018320 GetStdHandle
0x140018328 WriteFile
0x140018330 GetModuleFileNameW
0x140018338 GetCommandLineA
0x140018340 GetCommandLineW
USER32.dll
0x1400183a0 SetProcessWindowStation
0x1400183a8 CloseDesktop
0x1400183b0 GetUserObjectInformationW
0x1400183b8 SetUserObjectSecurity
0x1400183c0 GetUserObjectSecurity
0x1400183c8 OpenWindowStationW
0x1400183d0 CloseWindowStation
0x1400183d8 GetProcessWindowStation
0x1400183e0 OpenDesktopW
0x1400183e8 wsprintfW
ADVAPI32.dll
0x140018000 AddAccessAllowedAce
0x140018008 LookupPrivilegeValueW
0x140018010 AdjustTokenPrivileges
0x140018018 RevertToSelf
0x140018020 EqualSid
0x140018028 CloseServiceHandle
0x140018030 OpenSCManagerW
0x140018038 CreateProcessWithTokenW
0x140018040 ImpersonateLoggedOnUser
0x140018048 OpenProcessToken
0x140018050 CreateProcessAsUserW
0x140018058 OpenServiceW
0x140018060 DuplicateTokenEx
0x140018068 QueryServiceStatusEx
0x140018070 GetTokenInformation
0x140018078 ImpersonateNamedPipeClient
0x140018080 ConvertStringSecurityDescriptorToSecurityDescriptorW
0x140018088 OpenThreadToken
0x140018090 SetSecurityDescriptorDacl
0x140018098 GetSecurityDescriptorDacl
0x1400180a0 GetAclInformation
0x1400180a8 GetAce
0x1400180b0 AllocateAndInitializeSid
0x1400180b8 CopySid
0x1400180c0 AddAce
0x1400180c8 InitializeSecurityDescriptor
0x1400180d0 InitializeAcl
0x1400180d8 GetLengthSid
ole32.dll
0x140018418 CoTaskMemAlloc
0x140018420 CoInitialize
0x140018428 StgCreateDocfileOnILockBytes
0x140018430 CreateILockBytesOnHGlobal
0x140018438 CoGetInstanceFromIStorage
0x140018440 CoUninitialize
0x140018448 CLSIDFromString
RPCRT4.dll
0x140018350 RpcServerRegisterIf2
0x140018358 RpcEpRegisterA
0x140018360 RpcImpersonateClient
0x140018368 NdrServerCall2
0x140018370 NdrServerCallAll
0x140018378 RpcServerInqBindings
0x140018380 RpcServerUseProtseqEpA
0x140018388 RpcServerListen
0x140018390 RpcServerRegisterAuthInfoA
ntdll.dll
0x1400183f8 RtlLookupFunctionEntry
0x140018400 RtlVirtualUnwind
0x140018408 RtlCaptureContext
EAT(Export Address Table) is none