Field | Value |
---|---|
Created | 2021.03.23 10:32 |
Machine | s1_win7_x6402 |
Filename | rl8.exe |
Type | PE32+ executable (GUI) x86-64, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 3 detected |
md5 | 5ab10b180aca215ff3af5ec0e0e00b87 |
sha256 | abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc |
ssdeep | 6144:tYeXsc8j7QUp4g/nWriB412fGzktXGBp3IFMunPd2TBdRTi+urG2WgC9fVw2EU4j:j6GBSMun12TxTibraHzs+j01Fa |
imphash | 9aaa3e3eed44343463e328e78988f290 |
impfuzzy | 24:R6WHHuOGOovWyuDoe1j2Lf0qtUdc+jlJ3TaMUvKlNdbS4Gx4y:R6QBq02FtWc+L0KlbS4G3 |
Network IP location
Signatures (23 counts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | Generates some ICMP traffic |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Code injection by writing an executable or DLL to the memory of another process |
watch | Communicates with host for which no DNS query was performed |
watch | Drops a binary and executes it |
watch | Installs itself for autorun at Windows startup |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | File has been identified by 3 AntiVirus engines on VirusTotal as malicious |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Queries for the computername |
Rules (55 counts)
Level | Name | Description | Collection |
---|---|---|---|
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE64 | (no description) | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | win_hook | Affect hook table | memory |
info | create_service | Create a windows service | memory |
info | cred_local | Steal credential | memory |
info | escalate_priv | Escalate privileges | memory |
info | HasDebugData | DebugData Check | binaries (download) |
info | HasDebugData | DebugData Check | binaries (upload) |
info | HasRichSignature | Rich Signature Check | binaries (download) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
info | IsWindowsGUI | (no description) | binaries (download) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | keylogger | Run a keylogger | memory |
info | migrate_apc | APC queue tasks migration | memory |
info | network_dga | Communication using dga | memory |
info | network_dns | Communications use DNS | memory |
info | network_dropper | File downloader/dropper | memory |
info | network_ftp | Communications over FTP | memory |
info | network_http | Communications over HTTP | memory |
info | network_p2p_win | Communications over P2P network | memory |
info | network_tcp_listen | Listen for incoming communication | memory |
info | network_tcp_socket | Communications over RAW socket | memory |
info | network_udp_sock | Communications over UDP network | memory |
info | screenshot | Take screenshot | memory |
info | sniff_audio | Record Audio | memory |
info | spreading_share | Malware can spread east-west using a shared drive | memory |
info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
info | win_files_operation | Affect private profile | binaries (download) |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_files_operation | Affect private profile | memory |
info | win_mutex | Create or check mutex | memory |
info | win_private_profile | Affect private profile | memory |
info | win_registry | Affect system registries | memory |
info | win_token | Affect system token | memory |
Suricata IDs
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
PE API
IAT (Import Address Table) Library
ole32.dll
0x140027290 CoInitializeEx
USER32.dll
0x140027278 GetMenu
0x140027280 ShowWindow
KERNEL32.dll
0x140027000 LoadLibraryExW
0x140027008 FreeEnvironmentStringsW
0x140027010 GetEnvironmentStringsW
0x140027018 GetCommandLineW
0x140027020 GetCommandLineA
0x140027028 OutputDebugStringA
0x140027030 GetProcAddress
0x140027038 LoadLibraryA
0x140027040 GetModuleHandleA
0x140027048 LoadResource
0x140027050 LockResource
0x140027058 SizeofResource
0x140027060 FindResourceA
0x140027068 GetCurrentProcess
0x140027070 ExitProcess
0x140027078 TerminateProcess
0x140027080 FreeLibrary
0x140027088 GetModuleHandleW
0x140027090 GetModuleHandleExW
0x140027098 RtlCaptureContext
0x1400270a0 RtlLookupFunctionEntry
0x1400270a8 RtlVirtualUnwind
0x1400270b0 IsDebuggerPresent
0x1400270b8 UnhandledExceptionFilter
0x1400270c0 SetUnhandledExceptionFilter
0x1400270c8 IsProcessorFeaturePresent
0x1400270d0 ReadFile
0x1400270d8 EnterCriticalSection
0x1400270e0 LeaveCriticalSection
0x1400270e8 DeleteCriticalSection
0x1400270f0 GetLastError
0x1400270f8 SetLastError
0x140027100 GetCurrentThreadId
0x140027108 HeapFree
0x140027110 HeapAlloc
0x140027118 CloseHandle
0x140027120 GetConsoleMode
0x140027128 ReadConsoleW
0x140027130 SetFilePointerEx
0x140027138 GetStdHandle
0x140027140 GetFileType
0x140027148 GetStartupInfoW
0x140027150 InitializeCriticalSectionAndSpinCount
0x140027158 TlsAlloc
0x140027160 TlsGetValue
0x140027168 TlsSetValue
0x140027170 TlsFree
0x140027178 GetSystemTimeAsFileTime
0x140027180 LCMapStringW
0x140027188 WriteFile
0x140027190 GetConsoleCP
0x140027198 GetFileSizeEx
0x1400271a0 IsValidCodePage
0x1400271a8 GetACP
0x1400271b0 GetOEMCP
0x1400271b8 GetCPInfo
0x1400271c0 GetProcessHeap
0x1400271c8 SetStdHandle
0x1400271d0 FlushFileBuffers
0x1400271d8 CreateFileW
0x1400271e0 MultiByteToWideChar
0x1400271e8 GetStringTypeW
0x1400271f0 WideCharToMultiByte
0x1400271f8 HeapSize
0x140027200 HeapReAlloc
0x140027208 GetModuleFileNameW
0x140027210 SetEndOfFile
0x140027218 WriteConsoleW
0x140027220 RaiseException
0x140027228 QueryPerformanceCounter
0x140027230 GetCurrentProcessId
0x140027238 InitializeSListHead
0x140027240 FindNextFileW
0x140027248 RtlPcToFileHeader
0x140027250 RtlUnwindEx
0x140027258 EncodePointer
0x140027260 FindClose
0x140027268 FindFirstFileExW
EAT (Export Address Table): none