getscreen[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

getscreen.exe
Size

4.1MB
MD5

bbc4c1acc77666e7259ad7066010de20
SHA1

5568abfab1a7fc70d6bae7ddc1a8dd8b43455d1e
SHA256

4a0a92fa34eeffb15a201735e9c4ef89f6d5d0b6c9149bf554b0912c08019176
SHA512

1e2e8067aa2ac84341012984e64b1aae004accabf036329226b89d2e066f93126596ea749a1d5c9a065ead505a99998b45aa65c0a3c4eb3c8f426206260ebf78
SSDEEP

98304:W8YlQbDbj6CKUW4p2wgoQBVPJ77vmUkR2u/CTsTqRvsug:WPKNWSrtWPJ7QR5/CTsQvq

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
getscreen.exe
unpack001/out.upx

Files

getscreen.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

UPX0
Size: - Virtual size: 21.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 4.0MB - Virtual size: 4.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 17KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Exports

Exports

?_log_cached_ptr@?3??gdi_CRgnToCRect@@9@9
?_log_cached_ptr@?3??gdi_CRgnToRect@@9@9
?_log_cached_ptr@?3??gdi_RgnToCRect@@9@9
?_log_cached_ptr@?7??gdi_CRgnToCRect@@9@9
AcceptSecurityContext
AcquireCredentialsHandleA
AcquireCredentialsHandleW
ApplyControlToken
Bitmap_Alloc
Bitmap_SetDimensions
Bitmap_SetRectangle
CompleteAuthToken
DecryptMessage
EncryptMessage
EnumerateSecurityPackagesA
EnumerateSecurityPackagesW
ExportSecurityContext
FreeContextBuffer
FreeRDP_InitWtsApi
Glyph_Alloc
ImpersonateSecurityContext
ImportSecurityContextA
ImportSecurityContextW
InitSecurityInterfaceA
InitSecurityInterfaceW
InitializeSecurityContextA
InitializeSecurityContextW
MakeSignature
Pointer_Alloc
QueryContextAttributesA
QueryContextAttributesW
QueryCredentialsAttributesA
QueryCredentialsAttributesW
QuerySecurityContextToken
QuerySecurityPackageInfoA
QuerySecurityPackageInfoW
RevertSecurityContext
SetContextAttributesA
SetContextAttributesW
VerifySignature
WTSChannelGetHandleById
WTSChannelGetHandleByName
WTSChannelGetId
WTSChannelGetIdByHandle
WTSChannelGetName
WTSChannelGetOptions
WTSChannelSetHandleById
WTSChannelSetHandleByName
WTSGetAcceptedChannelNames
WTSIsChannelJoinedById
WTSIsChannelJoinedByName
WTSVirtualChannelManagerCheckFileDescriptor
WTSVirtualChannelManagerGetDrdynvcState
WTSVirtualChannelManagerGetEventHandle
WTSVirtualChannelManagerGetFileDescriptor
WTSVirtualChannelManagerIsChannelJoined
WTSVirtualChannelManagerSetDVCCreationCallback
_ber_sizeof_length
audio_format_compatible
audio_format_compute_time_length
audio_format_copy
audio_format_free
audio_format_get_tag_string
audio_format_new
audio_format_print
audio_format_read
audio_format_write
audio_formats_free
audio_formats_new
audio_formats_print
avc420_compress
avc420_decompress
avc444_compress
avc444_decompress
ber_read_BOOL
ber_read_application_tag
ber_read_bit_string
ber_read_contextual_tag
ber_read_enumerated
ber_read_integer
ber_read_integer_length
ber_read_length
ber_read_octet_string_tag
ber_read_sequence_tag
ber_read_universal_tag
ber_sizeof_contextual_tag
ber_sizeof_integer
ber_sizeof_octet_string
ber_sizeof_sequence
ber_sizeof_sequence_tag
ber_write_BOOL
ber_write_application_tag
ber_write_contextual_tag
ber_write_enumerated
ber_write_integer
ber_write_length
ber_write_octet_string
ber_write_octet_string_tag
ber_write_sequence_tag
ber_write_universal_tag
bitmap_cache_free
bitmap_cache_new
bitmap_cache_register_callbacks
bitmap_interleaved_context_free
bitmap_interleaved_context_new
bitmap_interleaved_context_reset
brush_cache_free
brush_cache_get
brush_cache_new
brush_cache_put
brush_cache_register_callbacks
cache_free
cache_new
certificate_data_free
certificate_data_match
certificate_data_new
certificate_data_print
certificate_data_replace
certificate_get_stored_data
certificate_store_free
certificate_store_new
checkChannelErrorEvent
clearChannelError
clear_compress
clear_context_free
clear_context_new
clear_context_reset
clear_decompress
client_auto_reconnect
client_auto_reconnect_ex
client_cli_authenticate
client_cli_gw_authenticate
client_cli_present_gateway_message
client_cli_verify_certificate
client_cli_verify_certificate_ex
client_cli_verify_changed_certificate
client_cli_verify_changed_certificate_ex
codecs_free
codecs_new
connectErrorCode
crypto_base64_decode
crypto_base64_encode
crypto_cert_dns_names_free
crypto_cert_fingerprint
crypto_cert_fingerprint_by_hash
crypto_cert_free
crypto_cert_get_dns_names
crypto_cert_get_email
crypto_cert_get_public_key
crypto_cert_get_signature_alg
crypto_cert_get_upn
crypto_cert_hash
crypto_cert_issuer
crypto_cert_print_info
crypto_cert_read
crypto_cert_subject
crypto_cert_subject_alt_name
crypto_cert_subject_alt_name_free
crypto_cert_subject_common_name
crypto_get_certificate_data
crypto_reverse
crypto_rsa_private_decrypt
crypto_rsa_private_encrypt
crypto_rsa_public_decrypt
crypto_rsa_public_encrypt
freerdp_abort_connect
freerdp_addin_replace_argument
freerdp_addin_replace_argument_value
freerdp_addin_set_argument
freerdp_addin_set_argument_value
freerdp_assistance_bin_to_hex_string
freerdp_assistance_construct_expert_blob
freerdp_assistance_encrypt_pass_stub
freerdp_assistance_file_free
freerdp_assistance_file_new
freerdp_assistance_generate_pass_stub
freerdp_assistance_get_encrypted_pass_stub
freerdp_assistance_hex_string_to_bin
freerdp_assistance_parse_file
freerdp_assistance_parse_file_buffer
freerdp_assistance_populate_settings_from_assistance_file
freerdp_assistance_print_file
freerdp_assistance_set_connection_string2
freerdp_bitmap_compress
freerdp_bitmap_compress_planar
freerdp_bitmap_planar_context_free
freerdp_bitmap_planar_context_new
freerdp_bitmap_planar_context_reset
freerdp_channel_add_init_handle_data
freerdp_channel_add_open_handle_data
freerdp_channel_get_init_handle_data
freerdp_channel_get_open_handle_data
freerdp_channel_remove_init_handle_data
freerdp_channel_remove_open_handle_data
freerdp_channels_addin_list_free
freerdp_channels_attach
freerdp_channels_check_fds
freerdp_channels_client_find_static_entry
freerdp_channels_client_load
freerdp_channels_client_load_ex
freerdp_channels_data
freerdp_channels_detach
freerdp_channels_get_event_handle
freerdp_channels_get_fds
freerdp_channels_get_id_by_name
freerdp_channels_get_name_by_id
freerdp_channels_get_static_channel_interface
freerdp_channels_list_addins
freerdp_channels_load_plugin
freerdp_channels_load_static_addin_entry
freerdp_channels_process_pending_messages
freerdp_check_event_handles
freerdp_check_fds
freerdp_client_add_device_channel
freerdp_client_add_dynamic_channel
freerdp_client_add_static_channel
freerdp_client_codecs_prepare
freerdp_client_codecs_reset
freerdp_client_context_free
freerdp_client_context_new
freerdp_client_get_instance
freerdp_client_get_thread
freerdp_client_load_addins
freerdp_client_parse_rdp_file
freerdp_client_parse_rdp_file_buffer
freerdp_client_parse_rdp_file_buffer_ex
freerdp_client_parse_rdp_file_ex
freerdp_client_populate_rdp_file_from_settings
freerdp_client_populate_settings_from_rdp_file
freerdp_client_print_buildconfig
freerdp_client_print_command_line_help
freerdp_client_print_command_line_help_ex
freerdp_client_print_version
freerdp_client_rdp_file_free
freerdp_client_rdp_file_get_integer_option
freerdp_client_rdp_file_get_string_option
freerdp_client_rdp_file_new
freerdp_client_rdp_file_new_ex
freerdp_client_rdp_file_set_callback_context
freerdp_client_rdp_file_set_integer_option
freerdp_client_rdp_file_set_string_option
freerdp_client_settings_command_line_status_print
freerdp_client_settings_command_line_status_print_ex
freerdp_client_settings_parse_assistance_file
freerdp_client_settings_parse_command_line
freerdp_client_settings_parse_command_line_arguments
freerdp_client_settings_parse_connection_file
freerdp_client_settings_parse_connection_file_buffer
freerdp_client_settings_write_connection_file
freerdp_client_start
freerdp_client_stop
freerdp_client_write_rdp_file
freerdp_client_write_rdp_file_buffer
freerdp_codepages_free
freerdp_connect
freerdp_context_free
freerdp_context_new
freerdp_device_clone
freerdp_device_collection_add
freerdp_device_collection_find
freerdp_device_collection_find_type
freerdp_device_collection_free
freerdp_disconnect
freerdp_disconnect_before_reconnect
freerdp_display_send_monitor_layout
freerdp_dsp_context_free
freerdp_dsp_context_new
freerdp_dsp_context_reset
freerdp_dsp_decode
freerdp_dsp_encode
freerdp_dsp_supports_format
freerdp_dynamic_channel_clone
freerdp_dynamic_channel_collection_add
freerdp_dynamic_channel_collection_find
freerdp_dynamic_channel_collection_free
freerdp_error_info
freerdp_focus_required
freerdp_free
freerdp_get_build_config
freerdp_get_build_date
freerdp_get_build_revision
freerdp_get_disconnect_ultimatum
freerdp_get_dynamic_addin_install_path
freerdp_get_error_base_category
freerdp_get_error_base_name
freerdp_get_error_base_string
freerdp_get_error_connect_category
freerdp_get_error_connect_name
freerdp_get_error_connect_string
freerdp_get_error_info_category
freerdp_get_error_info_name
freerdp_get_error_info_string
freerdp_get_event_handles
freerdp_get_fds
freerdp_get_last_error
freerdp_get_last_error_category
freerdp_get_last_error_name
freerdp_get_last_error_string
freerdp_get_library_install_path
freerdp_get_logon_error_info_data
freerdp_get_logon_error_info_type
freerdp_get_message_queue
freerdp_get_message_queue_event_handle
freerdp_get_param_bool
freerdp_get_param_int
freerdp_get_param_string
freerdp_get_param_uint32
freerdp_get_param_uint64
freerdp_get_state
freerdp_get_stats
freerdp_get_transport_sent
freerdp_get_version
freerdp_get_version_string
freerdp_glyph_convert
freerdp_heartbeat_send_heartbeat_pdu
freerdp_image_copy
freerdp_image_copy_from_icon_data
freerdp_image_copy_from_monochrome
freerdp_image_copy_from_pointer_data
freerdp_image_fill
freerdp_image_scale
freerdp_input_send_extended_mouse_event
freerdp_input_send_focus_in_event
freerdp_input_send_keyboard_event
freerdp_input_send_keyboard_event_ex
freerdp_input_send_keyboard_pause_event
freerdp_input_send_mouse_event
freerdp_input_send_synchronize_event
freerdp_input_send_unicode_keyboard_event
freerdp_keyboard_get_layout_id_from_name
freerdp_keyboard_get_layout_name_from_id
freerdp_keyboard_get_layouts
freerdp_keyboard_get_matching_codepages
freerdp_keyboard_layouts_free
freerdp_load_channel_addin_entry
freerdp_load_dynamic_addin
freerdp_load_dynamic_channel_addin_entry
freerdp_message_queue_process_message
freerdp_message_queue_process_pending_messages
freerdp_nego_get_routing_token
freerdp_new
freerdp_nla_impersonate
freerdp_nla_revert_to_self
freerdp_parse_hostname
freerdp_parse_username
freerdp_passphrase_read
freerdp_performance_flags_make
freerdp_performance_flags_split
freerdp_planar_switch_bgr
freerdp_rail_support_flags_to_string
freerdp_rdpsnd_get_context
freerdp_reconnect
freerdp_register_addin_provider
freerdp_send_error_info
freerdp_set_connection_type
freerdp_set_error_info
freerdp_set_focus
freerdp_set_gateway_usage_method
freerdp_set_last_error
freerdp_set_last_error_ex
freerdp_set_param_bool
freerdp_set_param_int
freerdp_set_param_string
freerdp_set_param_uint32
freerdp_set_param_uint64
freerdp_settings_clone
freerdp_settings_copy
freerdp_settings_free
freerdp_settings_get_bool
freerdp_settings_get_int16
freerdp_settings_get_int32
freerdp_settings_get_int64
freerdp_settings_get_key_for_name
freerdp_settings_get_name_for_key
freerdp_settings_get_pointer
freerdp_settings_get_string
freerdp_settings_get_type_for_key
freerdp_settings_get_type_for_name
freerdp_settings_get_uint16
freerdp_settings_get_uint32
freerdp_settings_get_uint64
freerdp_settings_new
freerdp_settings_set_bool
freerdp_settings_set_int16
freerdp_settings_set_int32
freerdp_settings_set_int64
freerdp_settings_set_string
freerdp_settings_set_uint16
freerdp_settings_set_uint32
freerdp_settings_set_uint64
freerdp_settings_set_value_for_name
freerdp_shall_disconnect
freerdp_state_string
freerdp_static_channel_clone
freerdp_static_channel_collection_add
freerdp_static_channel_collection_find
freerdp_static_channel_collection_free
freerdp_target_net_addresses_copy
freerdp_target_net_addresses_free
freerdp_update_gateway_usage_method
gdi_BitBlt
gdi_CRectToCRgn
gdi_CRectToRgn
gdi_CRgnToCRect
gdi_CRgnToRect
gdi_CopyOverlap
gdi_CopyRect
gdi_CreateBitmap
gdi_CreateBitmapEx
gdi_CreateCompatibleBitmap
gdi_CreateCompatibleDC
gdi_CreateDC
gdi_CreatePen
gdi_CreateRect
gdi_CreateRectRgn
gdi_DeleteDC
gdi_DeleteObject
gdi_Ellipse
gdi_EqualRgn
gdi_FillRect
gdi_GetDC
gdi_GetPenColor
gdi_GetPixel
gdi_GetPointer
gdi_InvalidateRegion
gdi_PolyPolygon
gdi_Polygon
gdi_PtInRect
gdi_RectToCRgn
gdi_RectToRgn
gdi_Rectangle
gdi_RgnToCRect
gdi_RgnToRect
gdi_SelectObject
gdi_SetPixel
gdi_SetRect
gdi_SetRectRgn
gdi_SetRgn
gdi_decode_color
gdi_free
gdi_get_pixel_format
gdi_init
gdi_init_ex
gdi_resize
gdi_resize_ex
gdi_rop3_code
gdi_rop3_code_string
gdi_rop3_string
gdi_send_suppress_output
getChannelError
getChannelErrorDescription
getChannelErrorEventHandle
glyph_cache_free
glyph_cache_new
glyph_cache_register_callbacks
graphics_free
graphics_new
graphics_register_bitmap
graphics_register_glyph
graphics_register_pointer
h264_context_free
h264_context_new
h264_context_reset
interleaved_compress
interleaved_decompress
license_send_valid_client_error_packet
mappedGeometryRef
mappedGeometryUnref
metrics_free
metrics_new
metrics_write_bytes
mppc_compress
mppc_context_free
mppc_context_new
mppc_context_reset
mppc_decompress
mppc_set_compression_level
ncrush_compress
ncrush_context_free
ncrush_context_new
ncrush_context_reset
ncrush_decompress
nine_grid_cache_free
nine_grid_cache_new
nine_grid_cache_register_callbacks
nsc_compose_message
nsc_context_free
nsc_context_new
nsc_context_reset
nsc_context_set_parameters
nsc_context_set_pixel_format
nsc_decompose_message
nsc_process_message
offscreen_cache_free
offscreen_cache_get
offscreen_cache_new
offscreen_cache_register_callbacks
palette_cache_free
palette_cache_new
palette_cache_register_callbacks

Sections

.text
Size: 8.1MB - Virtual size: 8.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rodata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 416KB - Virtual size: 14.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 255KB - Virtual size: 254KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 393KB - Virtual size: 392KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 21.0MB

UPX1 Size: 4.0MB - Virtual size: 4.0MB

.rsrc Size: 17KB - Virtual size: 20KB

Headers

DLL Characteristics

File Characteristics

Exports

Exports

Sections

.text Size: 8.1MB - Virtual size: 8.1MB

.rodata Size: 4KB - Virtual size: 4KB

.rdata Size: 1.5MB - Virtual size: 1.5MB

.data Size: 416KB - Virtual size: 14.7MB

.pdata Size: 255KB - Virtual size: 254KB

.rsrc Size: 393KB - Virtual size: 392KB

.reloc Size: 46KB - Virtual size: 46KB

UPX0
Size: - Virtual size: 21.0MB

UPX1
Size: 4.0MB - Virtual size: 4.0MB

.rsrc
Size: 17KB - Virtual size: 20KB

.text
Size: 8.1MB - Virtual size: 8.1MB

.rodata
Size: 4KB - Virtual size: 4KB

.rdata
Size: 1.5MB - Virtual size: 1.5MB

.data
Size: 416KB - Virtual size: 14.7MB

.pdata
Size: 255KB - Virtual size: 254KB

.rsrc
Size: 393KB - Virtual size: 392KB

.reloc
Size: 46KB - Virtual size: 46KB