Report - RP.exe

Tags: Generic Malware, Malicious Library, UPX, PE File, PE64, OS Processor Check
Created 2024.07.26 10:48
Machine s1_win7_x6403
Filename RP.exe
Type PE32+ executable (console) x86-64, for MS Windows
AI Score 2
Behavior Score 2.0
ZERO API file : malicious
VT API (file) 57 detected (AIDetectMalware, RottenPotato, malicious, high confidence, score, Generic PUP, Unsafe, Vtxv, Hacktool, Rotpotato, JuicyPotato, Tool, ggktja, CLOUD, zdeuc, R002C0PH523, RPotato, Detected, Malware@#2gv803ec2hv58, Presenoker, Eldorado, R649243, Gencirc, GenAsa, Q0+kINxFBkI, Potato, susgen, confidence, 100%)
md5 3fc6176c962e7a70da7cc35fbdaf3fdc
sha256 0fb342f94f359c9f54205a979854b7a3a3910bb7e118f0fc44cead28ebd81f0d
ssdeep 6144:Ifb2qZR/Ir/fvq7PjtsDMoxyhluYOVI9/j5q2Bfui+tvvvvRtAQ:IT2qZR/ITf6rYrebjS
imphash 0705dbbe2c1de90903291dcc72a5d6a0
impfuzzy 96:wW3BIa9aXNyrteS1scg+CuBzIJ9lX174lnM+:wWRf9a9e0JbF7Uv
Signature (4cnts)

Level Description
danger File has been identified by 57 AntiVirus engines on VirusTotal as malicious
notice Starts servers listening
info Collects information to fingerprint the system (MachineGuid)
info This executable has a PDB path

Rules (6cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0cnts)

Request CC ASN Co IP4 Rule ZERO
(no network requests were recorded during the run)

Suricata ids

PE API

IAT(Import Address Table) Library

Secur32.dll
 0x140037390 AcquireCredentialsHandleW
 0x140037398 QuerySecurityContextToken
 0x1400373a0 AcceptSecurityContext
KERNEL32.dll
 0x140037028 CreateThread
 0x140037030 Sleep
 0x140037038 LoadLibraryW
 0x140037040 GetLastError
 0x140037048 GetCurrentProcess
 0x140037050 GetModuleFileNameA
 0x140037058 UnregisterWaitEx
 0x140037060 QueryDepthSList
 0x140037068 InterlockedPopEntrySList
 0x140037070 ReleaseSemaphore
 0x140037078 DuplicateHandle
 0x140037080 VirtualFree
 0x140037088 VirtualProtect
 0x140037090 VirtualAlloc
 0x140037098 GetVersionExW
 0x1400370a0 GetModuleHandleA
 0x1400370a8 FreeLibraryAndExitThread
 0x1400370b0 GetThreadTimes
 0x1400370b8 UnregisterWait
 0x1400370c0 RegisterWaitForSingleObject
 0x1400370c8 SetThreadAffinityMask
 0x1400370d0 GetProcessAffinityMask
 0x1400370d8 GetNumaHighestNodeNumber
 0x1400370e0 DeleteTimerQueueTimer
 0x1400370e8 ChangeTimerQueueTimer
 0x1400370f0 CreateTimerQueueTimer
 0x1400370f8 GetLogicalProcessorInformation
 0x140037100 RtlCaptureContext
 0x140037108 RtlLookupFunctionEntry
 0x140037110 RtlVirtualUnwind
 0x140037118 UnhandledExceptionFilter
 0x140037120 SetUnhandledExceptionFilter
 0x140037128 TerminateProcess
 0x140037130 IsProcessorFeaturePresent
 0x140037138 QueryPerformanceCounter
 0x140037140 GetCurrentProcessId
 0x140037148 GetCurrentThreadId
 0x140037150 GetSystemTimeAsFileTime
 0x140037158 InitializeSListHead
 0x140037160 IsDebuggerPresent
 0x140037168 GetStartupInfoW
 0x140037170 GetModuleHandleW
 0x140037178 EnterCriticalSection
 0x140037180 LeaveCriticalSection
 0x140037188 TryEnterCriticalSection
 0x140037190 DeleteCriticalSection
 0x140037198 WideCharToMultiByte
 0x1400371a0 SetLastError
 0x1400371a8 InitializeCriticalSectionAndSpinCount
 0x1400371b0 CreateEventW
 0x1400371b8 TlsAlloc
 0x1400371c0 TlsGetValue
 0x1400371c8 TlsSetValue
 0x1400371d0 TlsFree
 0x1400371d8 GetTickCount
 0x1400371e0 GetProcAddress
 0x1400371e8 RtlUnwindEx
 0x1400371f0 RtlPcToFileHeader
 0x1400371f8 EncodePointer
 0x140037200 RaiseException
 0x140037208 InterlockedPushEntrySList
 0x140037210 InterlockedFlushSList
 0x140037218 FreeLibrary
 0x140037220 LoadLibraryExW
 0x140037228 GetStdHandle
 0x140037230 WriteFile
 0x140037238 GetModuleFileNameW
 0x140037240 DecodePointer
 0x140037248 MultiByteToWideChar
 0x140037250 ExitProcess
 0x140037258 GetModuleHandleExW
 0x140037260 GetCommandLineA
 0x140037268 GetCommandLineW
 0x140037270 GetACP
 0x140037278 HeapAlloc
 0x140037280 HeapFree
 0x140037288 CompareStringW
 0x140037290 LCMapStringW
 0x140037298 GetFileType
 0x1400372a0 GetCurrentThread
 0x1400372a8 CloseHandle
 0x1400372b0 WaitForSingleObjectEx
 0x1400372b8 FindClose
 0x1400372c0 FindFirstFileExA
 0x1400372c8 FindNextFileA
 0x1400372d0 IsValidCodePage
 0x1400372d8 GetOEMCP
 0x1400372e0 GetCPInfo
 0x1400372e8 GetEnvironmentStringsW
 0x1400372f0 FreeEnvironmentStringsW
 0x1400372f8 SetEnvironmentVariableA
 0x140037300 SetStdHandle
 0x140037308 GetStringTypeW
 0x140037310 GetProcessHeap
 0x140037318 FlushFileBuffers
 0x140037320 GetConsoleCP
 0x140037328 GetConsoleMode
 0x140037330 HeapSize
 0x140037338 HeapReAlloc
 0x140037340 SetFilePointerEx
 0x140037348 WriteConsoleW
 0x140037350 CreateFileW
 0x140037358 CreateTimerQueue
 0x140037360 SetEvent
 0x140037368 SignalObjectAndWait
 0x140037370 SwitchToThread
 0x140037378 SetThreadPriority
 0x140037380 GetThreadPriority
ADVAPI32.dll
 0x140037000 AdjustTokenPrivileges
 0x140037008 LookupPrivilegeValueW
 0x140037010 OpenProcessToken
 0x140037018 CreateProcessWithTokenW
ole32.dll
 0x140037430 CoTaskMemAlloc
 0x140037438 CLSIDFromString
 0x140037440 StgCreateDocfileOnILockBytes
 0x140037448 CoGetInstanceFromIStorage
 0x140037450 CoInitialize
 0x140037458 CreateILockBytesOnHGlobal
WS2_32.dll
 0x1400373b0 shutdown
 0x1400373b8 recv
 0x1400373c0 send
 0x1400373c8 closesocket
 0x1400373d0 connect
 0x1400373d8 freeaddrinfo
 0x1400373e0 socket
 0x1400373e8 WSACleanup
 0x1400373f0 getaddrinfo
 0x1400373f8 WSAStartup
 0x140037400 accept
 0x140037408 select
 0x140037410 bind
 0x140037418 listen
 0x140037420 WSAGetLastError

EAT(Export Address Table) Library

0x1400018b0 ??0CMSFRottenPotato@@QEAA@XZ
0x140001870 ??4CMSFRottenPotato@@QEAAAEAV0@$$QEAV0@@Z
0x140001850 ??4CMSFRottenPotato@@QEAAAEAV0@AEBV0@@Z
0x140001890 ?__autoclassinit2@CMSFRottenPotato@@QEAAX_K@Z
0x140001ac0 ?findNTLMBytes@CMSFRottenPotato@@AEAAHPEADH@Z
0x140050810 ?newConnection@CMSFRottenPotato@@0HA
0x140001b20 ?processNtlmBytes@CMSFRottenPotato@@AEAAHPEADH@Z
0x140002140 ?startCOMListener@CMSFRottenPotato@@QEAAHXZ
0x140001a50 ?startCOMListenerThread@CMSFRottenPotato@@QEAAKXZ
0x140001db0 ?startRPCConnection@CMSFRottenPotato@@QEAAHXZ
0x140001a00 ?startRPCConnectionThread@CMSFRottenPotato@@QEAAKXZ
0x140001ab0 ?staticStartCOMListener@CMSFRottenPotato@@CAKPEAX@Z
0x140001aa0 ?staticStartRPCConnection@CMSFRottenPotato@@CAKPEAX@Z
0x140001c80 ?triggerDCOM@CMSFRottenPotato@@QEAAHXZ
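The import and export tables above are the most useful part of this report for triage: Secur32 (AcquireCredentialsHandleW, AcceptSecurityContext, QuerySecurityContextToken) is the SSPI side of a local NTLM negotiation, ADVAPI32 CreateProcessWithTokenW plus the privilege calls is the use of the captured token, ole32 CoGetInstanceFromIStorage with the ILockBytes/Docfile helpers is the DCOM activation trigger, and the WS2_32 bind/listen/accept imports explain the "Starts servers listening" signature; the exported class CMSFRottenPotato and the RottenPotato/JuicyPotato VirusTotal labels name the family. The following Python script is an added example, not part of this report or of the sandbox, that parses a report-style IAT/EAT listing, maps it onto those four capability clusters and reads the class name out of the MSVC-decorated exports. The cluster labels, the "all four clusters" threshold and the minimal demangler are this example's own heuristics; the sample listing is excerpted from the tables above.

```python
"""Triage helper (added example): score a sandbox-style IAT/EAT listing for
the capability clusters that characterise Potato-family local privilege
escalation tools."""
import re
from collections import defaultdict

# Capability clusters. DLL and API names are real Windows APIs; the cluster
# labels and the "all four clusters" verdict are this example's own heuristic.
CAPABILITIES = {
    "ntlm_negotiation": ("secur32.dll", {
        "AcquireCredentialsHandleW", "AcceptSecurityContext",
        "QuerySecurityContextToken"}),
    "token_use": ("advapi32.dll", {
        "CreateProcessWithTokenW", "OpenProcessToken",
        "AdjustTokenPrivileges", "LookupPrivilegeValueW"}),
    "dcom_trigger": ("ole32.dll", {
        "CoGetInstanceFromIStorage", "CreateILockBytesOnHGlobal",
        "StgCreateDocfileOnILockBytes"}),
    "local_listener": ("ws2_32.dll", {"bind", "listen", "accept", "connect"}),
}

# Excerpt of the IAT/EAT from the report above, in the report's own layout.
SAMPLE_IAT = """
Secur32.dll
 0x140037390 AcquireCredentialsHandleW
 0x140037398 QuerySecurityContextToken
 0x1400373a0 AcceptSecurityContext
ADVAPI32.dll
 0x140037000 AdjustTokenPrivileges
 0x140037008 LookupPrivilegeValueW
 0x140037010 OpenProcessToken
 0x140037018 CreateProcessWithTokenW
ole32.dll
 0x140037430 CoTaskMemAlloc
 0x140037440 StgCreateDocfileOnILockBytes
 0x140037448 CoGetInstanceFromIStorage
 0x140037458 CreateILockBytesOnHGlobal
WS2_32.dll
 0x1400373d0 connect
 0x140037400 accept
 0x140037410 bind
 0x140037418 listen
"""
SAMPLE_EAT = """
0x1400018b0 ??0CMSFRottenPotato@@QEAA@XZ
0x140001c80 ?triggerDCOM@CMSFRottenPotato@@QEAAHXZ
0x140001db0 ?startRPCConnection@CMSFRottenPotato@@QEAAHXZ
"""

# One table row: an address followed by an import or export name.
ENTRY = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\S+)\s*$")


def parse_iat(text):
    """Return {dll_lowercase: {api, ...}} from a report-style IAT listing."""
    imports, current = defaultdict(set), None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().endswith(".dll"):   # library header row
            current = stripped.lower()
            continue
        m = ENTRY.match(line)
        if m and current:
            imports[current].add(m.group(1))
    return dict(imports)


def parse_eat(text):
    """Return the decorated export names from a report-style EAT listing."""
    return [m.group(1) for m in map(ENTRY.match, text.splitlines()) if m]


def demangle_msvc(name):
    """Minimal MSVC decorated-name reader: (class, method) or None.
    Only the leading method/class components are decoded; the access,
    calling-convention and signature suffix (e.g. QEAAHXZ) is ignored."""
    if not name.startswith("?"):
        return None
    body = name[1:]
    special = {"?0": "ctor", "?1": "dtor", "?4": "operator="}
    if body[:2] in special:
        method, parts = special[body[:2]], body[2:].split("@")
    else:
        parts = body.split("@")
        method, parts = parts[0], parts[1:]
    return (parts[0] if parts and parts[0] else None), method


def assess(imports, exports):
    """Map the listing onto the capability clusters and give a verdict."""
    hits = {cap: sorted(apis & imports.get(dll, set()))
            for cap, (dll, apis) in CAPABILITIES.items()}
    clusters = sum(1 for v in hits.values() if v)
    classes = {d[0] for e in exports if (d := demangle_msvc(e))}
    named = sorted(c for c in classes if c and "potato" in c.lower())
    if clusters == len(CAPABILITIES):
        verdict = "potato-style LPE tool: SSPI + token + DCOM + listener"
    elif hits["ntlm_negotiation"] and hits["token_use"]:
        verdict = "probable local NTLM relay / token impersonation"
    else:
        verdict = "no potato capability pattern"
    return {"clusters": clusters, "hits": hits, "classes": named,
            "verdict": verdict}


if __name__ == "__main__":
    result = assess(parse_iat(SAMPLE_IAT), parse_eat(SAMPLE_EAT))
    print(result["verdict"])
    for cap, apis in result["hits"].items():
        print(f"  {cap:17} {', '.join(apis) or '-'}")
    print("  exported classes:", ", ".join(result["classes"]))
```

The verdict is deliberately tiered: the Secur32 plus token-API pairing on its own is already unusual for ordinary software and worth a look, while the full four-cluster match is what distinguishes a Potato-style tool from, say, a service that merely accepts SSPI authentication. Run it against the complete IAT from the report (pasting the KERNEL32 block in as well changes nothing, since none of those imports belong to a cluster) to reproduce the four-cluster result.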

Similarity measure (PE file only)
(no data)