Edit tour
Windows
Analysis Report
3_#U0420#U0430#U0445#U0443#U043d#U043e#U043a.pdf.exe
Overview
General Information
Sample name: | 3_#U0420#U0430#U0445#U0443#U043d#U043e#U043a.pdf.exerenamed because original name is a hash value |
Original sample name: | 3_.pdf.exe |
Analysis ID: | 1385428 |
MD5: | 075d6c122274cb9226521d3cd298f2f2 |
SHA1: | 6f54d70f39fa28596ef90bfcb0c14278b016db1b |
SHA256: | 92192af947017c20ad861faf4459fb705e63f7083b34c77c1727891b88091573 |
Tags: | exeRemoteUtilitiesrurat |
Infos: | |
Detection
RMSRemoteAdmin, Remote Utilities
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected Remote Utilities RAT
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Connects to many ports of the same IP (likely port scanning)
Initial sample is a PE file and has a suspicious name
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Stores large binary data to the registry
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected RMS RemoteAdmin tool
Yara signature match
Classification
- System is w10x64
- 3_#U0420#U0430#U0445#U0443#U043d#U043e#U043a.pdf.exe (PID: 7316 cmdline:
C:\Users\u ser\Deskto p\3_#U0420 #U0430#U04 45#