ScreenShot
| Created | 2021.03.30 09:22 | Machine | s1_win7_x6402 |
| Filename | ret83d.exe | ||
| Type | PE32+ executable (GUI) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 7 detected (malicious, high confidence, Unsafe, Wacatac, score, confidence) | ||
| md5 | 6db26c9db14987acb16fa21fbc499525 | ||
| sha256 | 74da3ea957d693096779aceac7a1bd3ec775291606df62429f73e8a9d9cec682 | ||
| ssdeep | 6144:C+Bpo9r5nwIa3DF6W2Kl2cxa9u/jfjMj6Idw3CDuiKB:XBpozni3D4s23aQ5WCuz | ||
| imphash | 042fc167bd0ac3b1819d7ffa36bc5920 | ||
| impfuzzy | 6:c5CrcgDyQYXJAIKypbtdtz0pZQxaYk1wk4XIy:KCrCQUJAiFtdOpKxaah | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| watch | Drops a binary and executes it |
| watch | Installs itself for autorun at Windows startup |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Creates executable files on the filesystem |
| notice | File has been identified by 7 AntiVirus engines on VirusTotal as malicious |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Queries for the computername |
Rules (52cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| notice | Str_Win32_Http_API | Match Windows Http API call | memory |
| notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
| info | anti_dbg | Checks if being debugged | memory |
| info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
| info | Check_Dlls | (no description) | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerCheck__RemoteAPI | (no description) | memory |
| info | DebuggerException__ConsoleCtrl | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE64 | (no description) | binaries (download) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
| info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | win_hook | Affect hook table | memory |
| info | create_service | Create a windows service | memory |
| info | cred_local | Steal credential | memory |
| info | escalate_priv | Escalade priviledges | memory |
| info | HasDebugData | DebugData Check | binaries (download) |
| info | HasDebugData | DebugData Check | binaries (upload) |
| info | HasRichSignature | Rich Signature Check | binaries (download) |
| info | HasRichSignature | Rich Signature Check | binaries (upload) |
| info | inject_thread | Code injection with CreateRemoteThread in a remote process | memory |
| info | IsWindowsGUI | (no description) | binaries (download) |
| info | IsWindowsGUI | (no description) | binaries (upload) |
| info | keylogger | Run a keylogger | memory |
| info | migrate_apc | APC queue tasks migration | memory |
| info | network_dga | Communication using dga | memory |
| info | network_dns | Communications use DNS | memory |
| info | network_dropper | File downloader/dropper | memory |
| info | network_ftp | Communications over FTP | memory |
| info | network_http | Communications over HTTP | memory |
| info | network_p2p_win | Communications over P2P network | memory |
| info | network_tcp_listen | Listen for incoming communication | memory |
| info | network_tcp_socket | Communications over RAW socket | memory |
| info | network_udp_sock | Communications over UDP network | memory |
| info | screenshot | Take screenshot | memory |
| info | sniff_audio | Record Audio | memory |
| info | spreading_file | Malware can spread east-west file | memory |
| info | spreading_share | Malware can spread east-west using share drive | memory |
| info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | memory |
| info | Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration | memory |
| info | win_files_operation | Affect private profile | memory |
| info | win_mutex | Create or check mutex | memory |
| info | win_private_profile | Affect private profile | memory |
| info | win_registry | Affect system registries | memory |
| info | win_token | Affect system token | memory |
PE API
IAT(Import Address Table) Library
USER32.dll
0x140005050 ChangeDisplaySettingsA
0x140005058 DrawTextA
0x140005060 CopyAcceleratorTableA
0x140005068 CharPrevA
0x140005070 DeferWindowPos
GDI32.dll
0x140005000 GetCharABCWidthsFloatA
0x140005008 GetCharWidth32W
0x140005010 CreatePenIndirect
0x140005018 ExtCreatePen
0x140005020 GetPixel
SHLWAPI.dll
0x140005030 StrStrIA
0x140005038 StrRStrIW
0x140005040 StrRChrIW
EAT(Export Address Table) is none
USER32.dll
0x140005050 ChangeDisplaySettingsA
0x140005058 DrawTextA
0x140005060 CopyAcceleratorTableA
0x140005068 CharPrevA
0x140005070 DeferWindowPos
GDI32.dll
0x140005000 GetCharABCWidthsFloatA
0x140005008 GetCharWidth32W
0x140005010 CreatePenIndirect
0x140005018 ExtCreatePen
0x140005020 GetPixel
SHLWAPI.dll
0x140005030 StrStrIA
0x140005038 StrRStrIW
0x140005040 StrRChrIW
EAT(Export Address Table) is none