getscreen[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

getscreen.exe
Size

7.2MB
MD5

4efd7f675ca38d9755cad731d59f74ae
SHA1

5192e2ec29fecfdd26a1075f7c261a5b50bffa38
SHA256

0671938a3229f1a073554898fcbe1a2d7410d10a9ecaee026c6448a641997a09
SHA512

8b5a3d08f773fd7ad8ba0c73dbcfbdbe48ab67ff6d0e80b27b7f8d9037ea590a4c29f8d76547e63c0b4b0bd4f1fdf7ef69425866c536c7bf9d261a38b35249bd
SSDEEP

98304:/fdqquVLP4Lmi5FtY0iuhtJXXZXl46iSs/zc5pS09pvDWzat1BnfETaP3dXe:/fdqB8LmiKKbZ14Is/yp/lSMdO

Score

5^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
getscreen.exe
unpack001/out.upx

Files

getscreen.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

UPX0
Size: - Virtual size: 26.3MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 7.2MB - Virtual size: 7.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Exports

Exports

?_log_cached_ptr@?3??gdi_CRgnToCRect@@9@9
?_log_cached_ptr@?3??gdi_CRgnToRect@@9@9
?_log_cached_ptr@?3??gdi_RgnToCRect@@9@9
?_log_cached_ptr@?7??gdi_CRgnToCRect@@9@9
AcceptSecurityContext
AcquireCredentialsHandleA
AcquireCredentialsHandleW
ApplyControlToken
Bitmap_Alloc
Bitmap_SetDimensions
Bitmap_SetRectangle
CompleteAuthToken
DecryptMessage
EncryptMessage
EnumerateSecurityPackagesA
EnumerateSecurityPackagesW
ExportSecurityContext
FreeContextBuffer
FreeRDP_InitWtsApi
Glyph_Alloc
ImpersonateSecurityContext
ImportSecurityContextA
ImportSecurityContextW
InitSecurityInterfaceA
InitSecurityInterfaceW
InitializeSecurityContextA
InitializeSecurityContextW
MakeSignature
Pointer_Alloc
QueryContextAttributesA
QueryContextAttributesW
QueryCredentialsAttributesA
QueryCredentialsAttributesW
QuerySecurityContextToken
QuerySecurityPackageInfoA
QuerySecurityPackageInfoW
RevertSecurityContext
SetContextAttributesA
SetContextAttributesW
VerifySignature
WTSChannelGetHandleById
WTSChannelGetHandleByName
WTSChannelGetId
WTSChannelGetIdByHandle
WTSChannelGetName
WTSChannelGetOptions
WTSChannelSetHandleById
WTSChannelSetHandleByName
WTSGetAcceptedChannelNames
WTSIsChannelJoinedById
WTSIsChannelJoinedByName
WTSVirtualChannelManagerCheckFileDescriptor
WTSVirtualChannelManagerGetDrdynvcState
WTSVirtualChannelManagerGetEventHandle
WTSVirtualChannelManagerGetFileDescriptor
WTSVirtualChannelManagerIsChannelJoined
WTSVirtualChannelManagerSetDVCCreationCallback
_ber_sizeof_length
audio_format_compatible
audio_format_compute_time_length
audio_format_copy
audio_format_free
audio_format_get_tag_string
audio_format_new
audio_format_print
audio_format_read
audio_format_write
audio_formats_free
audio_formats_new
audio_formats_print
avc420_compress
avc420_decompress
avc444_compress
avc444_decompress
ber_read_BOOL
ber_read_application_tag
ber_read_bit_string
ber_read_contextual_tag
ber_read_enumerated
ber_read_integer
ber_read_integer_length
ber_read_length
ber_read_octet_string_tag
ber_read_sequence_tag
ber_read_universal_tag
ber_sizeof_contextual_tag
ber_sizeof_integer
ber_sizeof_octet_string
ber_sizeof_sequence
ber_sizeof_sequence_tag
ber_write_BOOL
ber_write_application_tag
ber_write_contextual_tag
ber_write_enumerated
ber_write_integer
ber_write_length
ber_write_octet_string
ber_write_octet_string_tag
ber_write_sequence_tag
ber_write_universal_tag
bitmap_cache_free
bitmap_cache_new
bitmap_cache_register_callbacks
bitmap_interleaved_context_free
bitmap_interleaved_context_new
bitmap_interleaved_context_reset
brush_cache_free
brush_cache_get
brush_cache_new
brush_cache_put
brush_cache_register_callbacks
cache_free
cache_new
certificate_data_free
certificate_data_match
certificate_data_new
certificate_data_print
certificate_data_replace
certificate_get_stored_data
certificate_store_free
certificate_store_new
checkChannelErrorEvent
clearChannelError
clear_compress
clear_context_free
clear_context_new
clear_context_reset
clear_decompress
client_auto_reconnect
client_auto_reconnect_ex
client_cli_authenticate
client_cli_gw_authenticate
client_cli_present_gateway_message
client_cli_verify_certificate
client_cli_verify_certificate_ex
client_cli_verify_changed_certificate
client_cli_verify_changed_certificate_ex
codecs_free
codecs_new
connectErrorCode
crypto_base64_decode
crypto_base64_encode
crypto_cert_dns_names_free
crypto_cert_fingerprint
crypto_cert_fingerprint_by_hash
crypto_cert_free
crypto_cert_get_dns_names
crypto_cert_get_email
crypto_cert_get_public_key
crypto_cert_get_signature_alg
crypto_cert_get_upn
crypto_cert_hash
crypto_cert_issuer
crypto_cert_print_info
crypto_cert_read
crypto_cert_subject
crypto_cert_subject_alt_name
crypto_cert_subject_alt_name_free
crypto_cert_subject_common_name
crypto_get_certificate_data
crypto_reverse
crypto_rsa_private_decrypt
crypto_rsa_private_encrypt
crypto_rsa_public_decrypt
crypto_rsa_public_encrypt
freerdp_abort_connect
freerdp_addin_replace_argument
freerdp_addin_replace_argument_value
freerdp_addin_set_argument
freerdp_addin_set_argument_value
freerdp_assistance_bin_to_hex_string
freerdp_assistance_construct_expert_blob
freerdp_assistance_encrypt_pass_stub
freerdp_assistance_file_free
freerdp_assistance_file_new
freerdp_assistance_generate_pass_stub
freerdp_assistance_get_encrypted_pass_stub
freerdp_assistance_hex_string_to_bin
freerdp_assistance_parse_file
freerdp_assistance_parse_file_buffer
freerdp_assistance_populate_settings_from_assistance_file
freerdp_assistance_print_file
freerdp_assistance_set_connection_string2
freerdp_bitmap_compress
freerdp_bitmap_compress_planar
freerdp_bitmap_planar_context_free
freerdp_bitmap_planar_context_new
freerdp_bitmap_planar_context_reset
freerdp_channel_add_init_handle_data
freerdp_channel_add_open_handle_data
freerdp_channel_get_init_handle_data
freerdp_channel_get_open_handle_data
freerdp_channel_remove_init_handle_data
freerdp_channel_remove_open_handle_data
freerdp_channels_addin_list_free
freerdp_channels_attach
freerdp_channels_check_fds
freerdp_channels_client_find_static_entry
freerdp_channels_client_load
freerdp_channels_client_load_ex
freerdp_channels_data
freerdp_channels_detach
freerdp_channels_get_event_handle
freerdp_channels_get_fds
freerdp_channels_get_id_by_name
freerdp_channels_get_name_by_id
freerdp_channels_get_static_channel_interface
freerdp_channels_list_addins
freerdp_channels_load_plugin
freerdp_channels_load_static_addin_entry
freerdp_channels_process_pending_messages
freerdp_check_event_handles
freerdp_check_fds
freerdp_client_add_device_channel
freerdp_client_add_dynamic_channel
freerdp_client_add_static_channel
freerdp_client_codecs_prepare
freerdp_client_codecs_reset
freerdp_client_context_free
freerdp_client_context_new
freerdp_client_get_instance
freerdp_client_get_thread
freerdp_client_load_addins
freerdp_client_parse_rdp_file
freerdp_client_parse_rdp_file_buffer
freerdp_client_parse_rdp_file_buffer_ex
freerdp_client_parse_rdp_file_ex
freerdp_client_populate_rdp_file_from_settings
freerdp_client_populate_settings_from_rdp_file
freerdp_client_print_buildconfig
freerdp_client_print_command_line_help
freerdp_client_print_command_line_help_ex
freerdp_client_print_version
freerdp_client_rdp_file_free
freerdp_client_rdp_file_get_integer_option
freerdp_client_rdp_file_get_string_option
freerdp_client_rdp_file_new
freerdp_client_rdp_file_new_ex
freerdp_client_rdp_file_set_callback_context
freerdp_client_rdp_file_set_integer_option
freerdp_client_rdp_file_set_string_option
freerdp_client_settings_command_line_status_print
freerdp_client_settings_command_line_status_print_ex
freerdp_client_settings_parse_assistance_file
freerdp_client_settings_parse_command_line
freerdp_client_settings_parse_command_line_arguments
freerdp_client_settings_parse_connection_file
freerdp_client_settings_parse_connection_file_buffer
freerdp_client_settings_write_connection_file
freerdp_client_start
freerdp_client_stop
freerdp_client_write_rdp_file
freerdp_client_write_rdp_file_buffer
freerdp_codepages_free
freerdp_connect
freerdp_context_free
freerdp_context_new
freerdp_device_clone
freerdp_device_collection_add
freerdp_device_collection_find
freerdp_device_collection_find_type
freerdp_device_collection_free
freerdp_disconnect
freerdp_disconnect_before_reconnect
freerdp_display_send_monitor_layout
freerdp_dsp_context_free
freerdp_dsp_context_new
freerdp_dsp_context_reset
freerdp_dsp_decode
freerdp_dsp_encode
freerdp_dsp_supports_format
freerdp_dynamic_channel_clone
freerdp_dynamic_channel_collection_add
freerdp_dynamic_channel_collection_find
freerdp_dynamic_channel_collection_free
freerdp_error_info
freerdp_focus_required
freerdp_free
freerdp_get_build_config
freerdp_get_build_date
freerdp_get_build_revision
freerdp_get_disconnect_ultimatum
freerdp_get_dynamic_addin_install_path
freerdp_get_error_base_category
freerdp_get_error_base_name
freerdp_get_error_base_string
freerdp_get_error_connect_category
freerdp_get_error_connect_name
freerdp_get_error_connect_string
freerdp_get_error_info_category
freerdp_get_error_info_name
freerdp_get_error_info_string
freerdp_get_event_handles
freerdp_get_fds
freerdp_get_last_error
freerdp_get_last_error_category
freerdp_get_last_error_name
freerdp_get_last_error_string
freerdp_get_library_install_path
freerdp_get_logon_error_info_data
freerdp_get_logon_error_info_type
freerdp_get_message_queue
freerdp_get_message_queue_event_handle
freerdp_get_param_bool
freerdp_get_param_int
freerdp_get_param_string
freerdp_get_param_uint32
freerdp_get_param_uint64
freerdp_get_state
freerdp_get_stats
freerdp_get_transport_sent
freerdp_get_version
freerdp_get_version_string
freerdp_glyph_convert
freerdp_heartbeat_send_heartbeat_pdu
freerdp_image_copy
freerdp_image_copy_from_icon_data
freerdp_image_copy_from_monochrome
freerdp_image_copy_from_pointer_data
freerdp_image_fill
freerdp_image_scale
freerdp_input_send_extended_mouse_event
freerdp_input_send_focus_in_event
freerdp_input_send_keyboard_event
freerdp_input_send_keyboard_event_ex
freerdp_input_send_keyboard_pause_event
freerdp_input_send_mouse_event
freerdp_input_send_synchronize_event
freerdp_input_send_unicode_keyboard_event
freerdp_keyboard_get_layout_id_from_name
freerdp_keyboard_get_layout_name_from_id
freerdp_keyboard_get_layouts
freerdp_keyboard_get_matching_codepages
freerdp_keyboard_layouts_free
freerdp_load_channel_addin_entry
freerdp_load_dynamic_addin
freerdp_load_dynamic_channel_addin_entry
freerdp_message_queue_process_message
freerdp_message_queue_process_pending_messages
freerdp_nego_get_routing_token
freerdp_new
freerdp_nla_impersonate
freerdp_nla_revert_to_self
freerdp_parse_hostname
freerdp_parse_username
freerdp_passphrase_read
freerdp_performance_flags_make
freerdp_performance_flags_split
freerdp_planar_switch_bgr
freerdp_rail_support_flags_to_string
freerdp_rdpsnd_get_context
freerdp_reconnect
freerdp_register_addin_provider
freerdp_send_error_info
freerdp_set_connection_type
freerdp_set_error_info
freerdp_set_focus
freerdp_set_gateway_usage_method
freerdp_set_last_error
freerdp_set_last_error_ex
freerdp_set_param_bool
freerdp_set_param_int
freerdp_set_param_string
freerdp_set_param_uint32
freerdp_set_param_uint64
freerdp_settings_clone
freerdp_settings_copy
freerdp_settings_free
freerdp_settings_get_bool
freerdp_settings_get_int16
freerdp_settings_get_int32
freerdp_settings_get_int64
freerdp_settings_get_key_for_name
freerdp_settings_get_name_for_key
freerdp_settings_get_pointer
freerdp_settings_get_string
freerdp_settings_get_type_for_key
freerdp_settings_get_type_for_name
freerdp_settings_get_uint16
freerdp_settings_get_uint32
freerdp_settings_get_uint64
freerdp_settings_new
freerdp_settings_set_bool
freerdp_settings_set_int16
freerdp_settings_set_int32
freerdp_settings_set_int64
freerdp_settings_set_string
freerdp_settings_set_uint16
freerdp_settings_set_uint32
freerdp_settings_set_uint64
freerdp_settings_set_value_for_name
freerdp_shall_disconnect
freerdp_state_string
freerdp_static_channel_clone
freerdp_static_channel_collection_add
freerdp_static_channel_collection_find
freerdp_static_channel_collection_free
freerdp_target_net_addresses_copy
freerdp_target_net_addresses_free
freerdp_update_gateway_usage_method
gdi_BitBlt
gdi_CRectToCRgn
gdi_CRectToRgn
gdi_CRgnToCRect
gdi_CRgnToRect
gdi_CopyOverlap
gdi_CopyRect
gdi_CreateBitmap
gdi_CreateBitmapEx
gdi_CreateCompatibleBitmap
gdi_CreateCompatibleDC
gdi_CreateDC
gdi_CreatePen
gdi_CreateRect
gdi_CreateRectRgn
gdi_DeleteDC
gdi_DeleteObject
gdi_Ellipse
gdi_EqualRgn
gdi_FillRect
gdi_GetDC
gdi_GetPenColor
gdi_GetPixel
gdi_GetPointer
gdi_InvalidateRegion
gdi_PolyPolygon
gdi_Polygon
gdi_PtInRect
gdi_RectToCRgn
gdi_RectToRgn
gdi_Rectangle
gdi_RgnToCRect
gdi_RgnToRect
gdi_SelectObject
gdi_SetPixel
gdi_SetRect
gdi_SetRectRgn
gdi_SetRgn
gdi_decode_color
gdi_free
gdi_get_pixel_format
gdi_init
gdi_init_ex
gdi_resize
gdi_resize_ex
gdi_rop3_code
gdi_rop3_code_string
gdi_rop3_string
gdi_send_suppress_output
getChannelError
getChannelErrorDescription
getChannelErrorEventHandle
glyph_cache_free
glyph_cache_new
glyph_cache_register_callbacks
graphics_free
graphics_new
graphics_register_bitmap
graphics_register_glyph
graphics_register_pointer
h264_context_free
h264_context_new
h264_context_reset
interleaved_compress
interleaved_decompress
license_send_valid_client_error_packet
mappedGeometryRef
mappedGeometryUnref
metrics_free
metrics_new
metrics_write_bytes
mppc_compress
mppc_context_free
mppc_context_new
mppc_context_reset
mppc_decompress
mppc_set_compression_level
ncrush_compress
ncrush_context_free
ncrush_context_new
ncrush_context_reset
ncrush_decompress
nine_grid_cache_free
nine_grid_cache_new
nine_grid_cache_register_callbacks
nsc_compose_message
nsc_context_free
nsc_context_new
nsc_context_reset
nsc_context_set_parameters
nsc_context_set_pixel_format
nsc_decompose_message
nsc_process_message
offscreen_cache_free
offscreen_cache_get
offscreen_cache_new
offscreen_cache_register_callbacks
palette_cache_free
palette_cache_new
palette_cache_register_callbacks

Sections

.text
Size: 13.9MB - Virtual size: 13.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rodata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 530KB - Virtual size: 15.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 455KB - Virtual size: 454KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 203KB - Virtual size: 202KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 138KB - Virtual size: 138KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 26.3MB

UPX1 Size: 7.2MB - Virtual size: 7.2MB

.rsrc Size: 11KB - Virtual size: 12KB

Headers

DLL Characteristics

File Characteristics

Exports

Exports

Sections

.text Size: 13.9MB - Virtual size: 13.9MB

.rodata Size: 4KB - Virtual size: 4KB

.rdata Size: 3.2MB - Virtual size: 3.2MB

.data Size: 530KB - Virtual size: 15.5MB

.pdata Size: 455KB - Virtual size: 454KB

.rsrc Size: 203KB - Virtual size: 202KB

.reloc Size: 138KB - Virtual size: 138KB

UPX0
Size: - Virtual size: 26.3MB

UPX1
Size: 7.2MB - Virtual size: 7.2MB

.rsrc
Size: 11KB - Virtual size: 12KB

.text
Size: 13.9MB - Virtual size: 13.9MB

.rodata
Size: 4KB - Virtual size: 4KB

.rdata
Size: 3.2MB - Virtual size: 3.2MB

.data
Size: 530KB - Virtual size: 15.5MB

.pdata
Size: 455KB - Virtual size: 454KB

.rsrc
Size: 203KB - Virtual size: 202KB

.reloc
Size: 138KB - Virtual size: 138KB