Analysis Report Setup RDP Defender 2.4.exe
Overview
General Information
Detection
| Score | 24 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 20% |
Signatures
Detected unpacking (changes PE section rights)
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
| Analysis Advice |
|---|
| Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
| Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook |
| Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
| Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook |
Startup
Malware Configuration
No configs have been found
Yara Overview
Dropped Files
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | |
| | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | |
| | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp | |
Sigma Overview
System Summary:
Sigma detected: New Service Creation (Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community)
Sigma detected: Service Execution (Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community)
Signature Overview
Static PE information:
Window detected: