Report - RmMai.exe

Tags: Generic Malware, Malicious Library, Malicious Packer, UPX, PE File, DllRegisterServer, dll, PE32, OS Processor Check
Created: 2024.10.14 10:45
Machine: s1_win7_x6403
Filename: RmMai.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: Not found
Behavior Score: 1.6
ZERO API
VT API (file): 30 detected (AIDetectMalware, Vxg2, Attribute, HighConfidence, malicious, high confidence, a variant of WinGo, Lumma, TrojanPSW, CLASSIC, Redcap, xmneh, moderate, score, Detected, Leonem, HeurC, KVM007, M1YM9U, Artemis, Wingo, R002H01IT24, QQPass, QQRob, Eplw, Wacatac, B9nj)
md5: 4f4e640b100583635e7d7218bc03a047
sha256: b68f20b21290f3398b67a6c4b645d5ea94aeaf8e3da4272554b0b8e03753d08c
ssdeep: 98304:HgHLafrLC6zJzuOpqjksAFAcp4EwH1dEo5byjV:agtJ8jk+cu1O4u
imphash: 1aae8bf580c846f39c71c05898e57e88
impfuzzy: 24:ibVjh9wO+VuT7boVaXOr6kwmDgUPMztxdEr6UP:AwO+VUjXOmokx0nP

Signature (3cnts)

Level   | Description
danger  | File has been identified by 30 AntiVirus engines on VirusTotal as malicious
notice  | Foreign language identified in PE resource
info    | The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (8cnts)

Level   | Name                    | Description             | Collection
warning | Generic_Malware_Zero    | Generic Malware         | binaries (upload)
watch   | Malicious_Library_Zero  | Malicious_Library       | binaries (upload)
watch   | Malicious_Packer_Zero   | Malicious Packer        | binaries (upload)
watch   | UPX_Zero                | UPX packed file         | binaries (upload)
info    | DllRegisterServer_Zero  | execute regsvr32.exe    | binaries (upload)
info    | IsPE32                  | (no description)        | binaries (upload)
info    | OS_Processor_Check_Zero | OS Processor Check      | binaries (upload)
info    | PE_Header_Zero          | PE File Signature       | binaries (upload)

Network (0cnts): no requests recorded

Suricata IDS

PE API

IAT (Import Address Table) Library

kernel32.dll
 0xd2aa80 WriteFile
 0xd2aa84 WriteConsoleW
 0xd2aa88 WerSetFlags
 0xd2aa8c WerGetFlags
 0xd2aa90 WaitForMultipleObjects
 0xd2aa94 WaitForSingleObject
 0xd2aa98 VirtualQuery
 0xd2aa9c VirtualFree
 0xd2aaa0 VirtualAlloc
 0xd2aaa4 TlsAlloc
 0xd2aaa8 SwitchToThread
 0xd2aaac SuspendThread
 0xd2aab0 SetWaitableTimer
 0xd2aab4 SetUnhandledExceptionFilter
 0xd2aab8 SetProcessPriorityBoost
 0xd2aabc SetEvent
 0xd2aac0 SetErrorMode
 0xd2aac4 SetConsoleCtrlHandler
 0xd2aac8 ResumeThread
 0xd2aacc RaiseFailFastException
 0xd2aad0 PostQueuedCompletionStatus
 0xd2aad4 LoadLibraryW
 0xd2aad8 LoadLibraryExW
 0xd2aadc SetThreadContext
 0xd2aae0 GetThreadContext
 0xd2aae4 GetSystemInfo
 0xd2aae8 GetSystemDirectoryA
 0xd2aaec GetStdHandle
 0xd2aaf0 GetQueuedCompletionStatusEx
 0xd2aaf4 GetProcessAffinityMask
 0xd2aaf8 GetProcAddress
 0xd2aafc GetErrorMode
 0xd2ab00 GetEnvironmentStringsW
 0xd2ab04 GetCurrentThreadId
 0xd2ab08 GetConsoleMode
 0xd2ab0c FreeEnvironmentStringsW
 0xd2ab10 ExitProcess
 0xd2ab14 DuplicateHandle
 0xd2ab18 CreateWaitableTimerExW
 0xd2ab1c CreateThread
 0xd2ab20 CreateIoCompletionPort
 0xd2ab24 CreateEventA
 0xd2ab28 CloseHandle
 0xd2ab2c AddVectoredExceptionHandler

EAT (Export Address Table): none

Similarity measure (PE file only): not available (checking for service failure)