TDL4 Rootkit | VTI by Category
Try VMRay Analyzer
VTI Score 100 / 100 | |
| VTI Database Version | 2.4 |
| VTI Rule Match Count | 31 |
| VTI Rule Type | Default (PE, ...) |
 | Anti Analysis | |
| Dynamic API usage | |
Resolve more than 50 APIs. | ||
| Delay execution | |
One thread sleeps more than 5 minutes. | ||
| Browser | |
| Change security related browser settings | |
Change settings for the Security Zone "internet". | ||
| Device | |
| Write master boot record (MBR) | |
Write 512 bytes to master boot record (MBR). | ||
| Access physical drive | |
Access physical drive "\device\harddisk0\dr0". | ||
| Kernel | |
| Execute code with kernel privileges | |
Execute code with kernel privileges. | ||
| Network | |
| Perform DNS request | |
Resolve "127.0.0.1". | ||
| Connect to remote host | |
Outgoing TCP connection to host "6zrt3vuwf-39qwkam.com:80". | ||
| Download data | |
Url "http://6zrt3vuwf-39qwkam.com/evh0yGtD7e5QO1U4Y2xrPTMuNyZiaWQ9bm9uYW1lJmFpZD02NjY3MSZzaWQ9MCZyZD0xNDgxMDE2OTc037x". | ||
| Connect to HTTP server | |
Remote address "6zrt3vuwf-39qwkam.com". | ||
| Process | |
| Overwrite code | |
Overwrite 4 byte(s) at mswsock.dll (0x757441a7) | ||
Overwrite 1 byte(s) at mswsock.dll (0x757441ab) | ||
Overwrite 4 byte(s) at mswsock.dll (0x75742bf9) | ||
Overwrite 1 byte(s) at mswsock.dll (0x75742bfd) | ||
Overwrite 4 byte(s) at winmm.dll:waveOutOpen+0x0 (0x7581451e) | ||
Overwrite 1 byte(s) at winmm.dll:waveOutOpen+0x4 (0x75814522) | ||
Overwrite 4 byte(s) at ole32.dll:CoCreateInstance+0x0 (0x75da9d0b) | ||
Overwrite 1 byte(s) at ole32.dll:CoCreateInstance+0x4 (0x75da9d0f) | ||
Overwrite 4 byte(s) at user32.dll:GetCursorPos+0x0 (0x75aa1218) | ||
Overwrite 1 byte(s) at user32.dll:GetCursorPos+0x4 (0x75aa121c) | ||
Overwrite 4 byte(s) at user32.dll:WindowFromPoint+0x0 (0x75abed12) | ||
Overwrite 1 byte(s) at user32.dll:WindowFromPoint+0x4 (0x75abed16) | ||
Overwrite 4 byte(s) at user32.dll:GetForegroundWindow+0x0 (0x75aa2320) | ||
Overwrite 1 byte(s) at user32.dll:GetForegroundWindow+0x4 (0x75aa2324) | ||
| Allocate a page with write and execute permissions | |
Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READWRITE"). | ||
Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. | ||
| Create system object | |
Create mutex with name "Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145". | ||
Create mutex with name "Global\C3819288-93FA-4E29-A254-BD9476B53C20". | ||
Create mutex with name "Global\6C29A0C8-62C6-415C-9538-B87690BC58D2". | ||
Create mutex with name "Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9". | ||
| Create process with hidden window | |
The process "C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t" starts with hidden window. | ||
| - | File System | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Injection | |
| - | Masquerade | |
| - | OS | |
| - | PE | |
| - | Persistence | |
| - | VBA Macro | |
| - | YARA | |
