Malware Analysis is it malware?

[giulia]

Hi

can you please could you help me to tell me if it's malware ?
created with autohotkey , i guess

link

h$$p://www55.zippyshare.com/v/VdvCmeRe/file.html

password infected

thanks
Merry Christmas!!!!

 

[MalwareBlockerYT]

Hi

can you please could you help me to tell me if it's malware ?
created with autohotkey , i guess

link

h$$p://www55.zippyshare.com/v/VdvCmeRe/file.html

password infected

thanks
Merry Christmas!!!!

I can't test the file at the moment maybe later but from the VirusTotal report it looks like it could be a new malicious application, I'm not sure until I test it though - not many well known AVs have detected it so it may be a false positive. Please could you upload the file to this website (Hybrid Analysis):

Free Automated Malware Analysis Service - powered by VxStream Sandbox

Once that's done please share the link

 

[harlan4096]

https://www.hybrid-analysis.com/sam...cd659f8826553e2eef8f4388c8e?environmentId=100

 

[MalwareBlockerYT]

It looks like a keylogger/some sort of spyware....

Yes it's malware it can do the following:

Remote Access
Contains ability to listen for incoming connections
Spyware
Contains ability to open the clipboard
Contains ability to retrieve keyboard strokes
Fingerprint
Contains ability to lookup the windows account name

 

[harlan4096]

I've sent to KLabs and just answer me:

Hello,

No malicious software was found in the attached file.

Best Regards

 

[giulia]

I've sent to KLabs and just answer me:

hi
Kaspersky?
are they so fast?
thanks!

 

[harlan4096]

Anyway, I will test it later in a virtual machine, sometimes They are wrong

 

[giulia]

Anyway, I will test it later in a virtual machine, sometimes They are wrong

hi
thanks a lot
what do you mena "there are wrong" ??
but are they so fast? i guess i will swtich av, kas is slower but the support is better and it was always the top noch between the best av
once i conctacted eset , even i'm a 4 years old client, never gotten an answer

 

[Atlas147]

Sent to Avira, they came back with the results of being malicious with the signature
TR/Dldr.Agent.960450

 

[giulia]

Sent to Avira, they came back with the results of being malicious with the signature
TR/Dldr.Agent.960450

hi
weird virus total show that for avira is clean
thanks

 

[Atlas147]

hi
weird virus total show that for avira is clean
thanks

yes they just got the sample from me and notified me that they found it malicious, it should be included in the next update.

 

[Sr. Normal 2.0]

Unsafe for Crystal Security



Not malware for Norton

 

[harlan4096]

hi
thanks a lot
what do you mena "there are wrong" ??
but are they so fast? i guess i will swtich av, kas is slower but the support is better and it was always the top noch between the best av
once i conctacted eset , even i'm a 4 years old client, never gotten an answer

I just sent t he sample by here: Kaspersky Online Scanner

Sometimes They take more time to answer by usually I always get answers (final verdict-not the automatic), someone faster than other, but in general quite fast...

 

[Wave]

Based on the Hybrid-Analysis results my current verdict is that the sample is at least suspicious since it shows signs of malicious activity; that doesn't necessarily mean it really is malware, even if it has a couple of VirusTotal detection's (they could be False Positive detection's). Kaspersky have a very good analysis team, they are one of the most experienced vendors in the market, therefore the chances are they are right... They would have most likely reverse engineered the sample through disassembly as opposed to relying just on sandbox analysis results.

For the time being at least I would just consider the sample as "malware" and SUD to the respective vendors and then wait and see for their responses from the malware analyst team they have.

hi
weird virus total show that for avira is clean
thanks

The engine used on VirusTotal is not always the same as the one used in either the Home/Enterprise products; VirusTotal have said this themselves over on their FAQ: FAQ - VirusTotal

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

 

[uncle bill]

..not to mention that inside screen_O.png you can find the string PAYLOAD. also all those calls to ntdll apis are really, really suspicious to me. Where do you get it from? i mean the original binary.. or are you the author?

 

[TheMalwareMaster]

This file has been submitted to Microsoft Submission History Details
The file has also been submitted to Bitdefender and Symantec

 

[Wave]

also all those calls to ntdll apis are really, really suspicious to me.

What are you talking about?

The sample does not directly import NTAPI functions and call them manually, but it imports the normal Win32 functions (which of course causes execution to end at the NTAPI function stubs before kernel-mode execution for the correct function - this is perfectly normal behavior).

Below is a list of the imported functions (from the Import Address Table):

Spoiler

Address  Ordinal Name                                  Library
-------  ------- ----                                  -------
0048F000         GetAce                                ADVAPI32
0048F004         RegEnumValueW                         ADVAPI32
0048F008         RegDeleteValueW                       ADVAPI32
0048F00C         RegDeleteKeyW                         ADVAPI32
0048F010         RegEnumKeyExW                         ADVAPI32
0048F014         RegSetValueExW                        ADVAPI32
0048F018         RegOpenKeyExW                         ADVAPI32
0048F01C         RegCloseKey                           ADVAPI32
0048F020         RegQueryValueExW                      ADVAPI32
0048F024         RegConnectRegistryW                   ADVAPI32
0048F028         InitializeSecurityDescriptor          ADVAPI32
0048F02C         InitializeAcl                         ADVAPI32
0048F030         AdjustTokenPrivileges                 ADVAPI32
0048F034         OpenThreadToken                       ADVAPI32
0048F038         OpenProcessToken                      ADVAPI32
0048F03C         LookupPrivilegeValueW                 ADVAPI32
0048F040         DuplicateTokenEx                      ADVAPI32
0048F044         CreateProcessAsUserW                  ADVAPI32
0048F048         CreateProcessWithLogonW               ADVAPI32
0048F04C         GetLengthSid                          ADVAPI32
0048F050         CopySid                               ADVAPI32
0048F054         LogonUserW                            ADVAPI32
0048F058         AllocateAndInitializeSid              ADVAPI32
0048F05C         CheckTokenMembership                  ADVAPI32
0048F060         RegCreateKeyExW                       ADVAPI32
0048F064         FreeSid                               ADVAPI32
0048F068         GetTokenInformation                   ADVAPI32
0048F06C         GetSecurityDescriptorDacl             ADVAPI32
0048F070         GetAclInformation                     ADVAPI32
0048F074         AddAce                                ADVAPI32
0048F078         SetSecurityDescriptorDacl             ADVAPI32
0048F07C         GetUserNameW                          ADVAPI32
0048F080         InitiateSystemShutdownExW             ADVAPI32
0048F088         ImageList_ReplaceIcon                 COMCTL32
0048F08C         ImageList_Destroy                     COMCTL32
0048F090         ImageList_Remove                      COMCTL32
0048F094         ImageList_SetDragCursorImage          COMCTL32
0048F098         ImageList_BeginDrag                   COMCTL32
0048F09C         ImageList_DragEnter                   COMCTL32
0048F0A0         ImageList_DragLeave                   COMCTL32
0048F0A4         ImageList_EndDrag                     COMCTL32
0048F0A8         ImageList_DragMove                    COMCTL32
0048F0AC         InitCommonControlsEx                  COMCTL32
0048F0B0         ImageList_Create                      COMCTL32
0048F0B8         GetOpenFileNameW                      COMDLG32
0048F0BC         GetSaveFileNameW                      COMDLG32
0048F0C4         StrokePath                            GDI32 
0048F0C8         DeleteObject                          GDI32 
0048F0CC         GetTextExtentPoint32W                 GDI32 
0048F0D0         ExtCreatePen                          GDI32 
0048F0D4         GetDeviceCaps                         GDI32 
0048F0D8         EndPath                               GDI32 
0048F0DC         SetPixel                              GDI32 
0048F0E0         CloseFigure                           GDI32 
0048F0E4         CreateCompatibleBitmap                GDI32 
0048F0E8         CreateCompatibleDC                    GDI32 
0048F0EC         SelectObject                          GDI32 
0048F0F0         StretchBlt                            GDI32 
0048F0F4         GetDIBits                             GDI32 
0048F0F8         LineTo                                GDI32 
0048F0FC         AngleArc                              GDI32 
0048F100         MoveToEx                              GDI32 
0048F104         Ellipse                               GDI32 
0048F108         DeleteDC                              GDI32 
0048F10C         GetPixel                              GDI32 
0048F110         CreateDCW                             GDI32 
0048F114         GetStockObject                        GDI32 
0048F118         GetTextFaceW                          GDI32 
0048F11C         CreateFontW                           GDI32 
0048F120         SetTextColor                          GDI32 
0048F124         PolyDraw                              GDI32 
0048F128         BeginPath                             GDI32 
0048F12C         Rectangle                             GDI32 
0048F130         SetViewportOrgEx                      GDI32 
0048F134         GetObjectW                            GDI32 
0048F138         SetBkMode                             GDI32 
0048F13C         RoundRect                             GDI32 
0048F140         SetBkColor                            GDI32 
0048F144         CreatePen                             GDI32 
0048F148         CreateSolidBrush                      GDI32 
0048F14C         StrokeAndFillPath                     GDI32 
0048F154         IcmpCreateFile                        IPHLPAPI
0048F158         IcmpCloseHandle                       IPHLPAPI
0048F15C         IcmpSendEcho                          IPHLPAPI
0048F164         DuplicateHandle                       KERNEL32
0048F168         CreateThread                          KERNEL32
0048F16C         WaitForSingleObject                   KERNEL32
0048F170         HeapAlloc                             KERNEL32
0048F174         GetProcessHeap                        KERNEL32
0048F178         HeapFree                              KERNEL32
0048F17C         Sleep                                 KERNEL32
0048F180         GetCurrentThreadId                    KERNEL32
0048F184         MultiByteToWideChar                   KERNEL32
0048F188         MulDiv                                KERNEL32
0048F18C         GetVersionExW                         KERNEL32
0048F190         IsWow64Process                        KERNEL32
0048F194         GetSystemInfo                         KERNEL32
0048F198         FreeLibrary                           KERNEL32
0048F19C         LoadLibraryA                          KERNEL32
0048F1A0         GetProcAddress                        KERNEL32
0048F1A4         SetErrorMode                          KERNEL32
0048F1A8         GetModuleFileNameW                    KERNEL32
0048F1AC         WideCharToMultiByte                   KERNEL32
0048F1B0         lstrcpyW                              KERNEL32
0048F1B4         lstrlenW                              KERNEL32
0048F1B8         GetModuleHandleW                      KERNEL32
0048F1BC         QueryPerformanceCounter               KERNEL32
0048F1C0         VirtualFreeEx                         KERNEL32
0048F1C4         OpenProcess                           KERNEL32
0048F1C8         VirtualAllocEx                        KERNEL32
0048F1CC         WriteProcessMemory                    KERNEL32
0048F1D0         ReadProcessMemory                     KERNEL32
0048F1D4         CreateFileW                           KERNEL32
0048F1D8         SetFilePointerEx                      KERNEL32
0048F1DC         SetEndOfFile                          KERNEL32
0048F1E0         ReadFile                              KERNEL32
0048F1E4         WriteFile                             KERNEL32
0048F1E8         FlushFileBuffers                      KERNEL32
0048F1EC         TerminateProcess                      KERNEL32
0048F1F0         CreateToolhelp32Snapshot              KERNEL32
0048F1F4         Process32FirstW                       KERNEL32
0048F1F8         Process32NextW                        KERNEL32
0048F1FC         SetFileTime                           KERNEL32
0048F200         GetFileAttributesW                    KERNEL32
0048F204         FindFirstFileW                        KERNEL32
0048F208         SetCurrentDirectoryW                  KERNEL32
0048F20C         GetLongPathNameW                      KERNEL32
0048F210         GetShortPathNameW                     KERNEL32
0048F214         DeleteFileW                           KERNEL32
0048F218         FindNextFileW                         KERNEL32
0048F21C         CopyFileExW                           KERNEL32
0048F220         MoveFileW                             KERNEL32
0048F224         CreateDirectoryW                      KERNEL32
0048F228         RemoveDirectoryW                      KERNEL32
0048F22C         SetSystemPowerState                   KERNEL32
0048F230         QueryPerformanceFrequency             KERNEL32
0048F234         FindResourceW                         KERNEL32
0048F238         LoadResource                          KERNEL32
0048F23C         LockResource                          KERNEL32
0048F240         SizeofResource                        KERNEL32
0048F244         EnumResourceNamesW                    KERNEL32
0048F248         OutputDebugStringW                    KERNEL32
0048F24C         GetTempPathW                          KERNEL32
0048F250         GetTempFileNameW                      KERNEL32
0048F254         DeviceIoControl                       KERNEL32
0048F258         GetLocalTime                          KERNEL32
0048F25C         CompareStringW                        KERNEL32
0048F260         GetCurrentProcess                     KERNEL32
0048F264         EnterCriticalSection                  KERNEL32
0048F268         LeaveCriticalSection                  KERNEL32
0048F26C         GetStdHandle                          KERNEL32
0048F270         CreatePipe                            KERNEL32
0048F274         InterlockedExchange                   KERNEL32
0048F278         TerminateThread                       KERNEL32
0048F27C         LoadLibraryExW                        KERNEL32
0048F280         FindResourceExW                       KERNEL32
0048F284         CopyFileW                             KERNEL32
0048F288         VirtualFree                           KERNEL32
0048F28C         FormatMessageW                        KERNEL32
0048F290         GetExitCodeProcess                    KERNEL32
0048F294         GetPrivateProfileStringW              KERNEL32
0048F298         WritePrivateProfileStringW            KERNEL32
0048F29C         GetPrivateProfileSectionW             KERNEL32
0048F2A0         WritePrivateProfileSectionW           KERNEL32
0048F2A4         GetPrivateProfileSectionNamesW        KERNEL32
0048F2A8         FileTimeToLocalFileTime               KERNEL32
0048F2AC         FileTimeToSystemTime                  KERNEL32
0048F2B0         SystemTimeToFileTime                  KERNEL32
0048F2B4         LocalFileTimeToFileTime               KERNEL32
0048F2B8         GetDriveTypeW                         KERNEL32
0048F2BC         GetDiskFreeSpaceExW                   KERNEL32
0048F2C0         GetDiskFreeSpaceW                     KERNEL32
0048F2C4         GetVolumeInformationW                 KERNEL32
0048F2C8         SetVolumeLabelW                       KERNEL32
0048F2CC         CreateHardLinkW                       KERNEL32
0048F2D0         SetFileAttributesW                    KERNEL32
0048F2D4         CreateEventW                          KERNEL32
0048F2D8         SetEvent                              KERNEL32
0048F2DC         GetEnvironmentVariableW               KERNEL32
0048F2E0         SetEnvironmentVariableW               KERNEL32
0048F2E4         GlobalLock                            KERNEL32
0048F2E8         GlobalUnlock                          KERNEL32
0048F2EC         GlobalAlloc                           KERNEL32
0048F2F0         GetFileSize                           KERNEL32
0048F2F4         GlobalFree                            KERNEL32
0048F2F8         GlobalMemoryStatusEx                  KERNEL32
0048F2FC         Beep                                  KERNEL32
0048F300         GetSystemDirectoryW                   KERNEL32
0048F304         HeapReAlloc                           KERNEL32
0048F308         HeapSize                              KERNEL32
0048F30C         GetComputerNameW                      KERNEL32
0048F310         GetWindowsDirectoryW                  KERNEL32
0048F314         GetCurrentProcessId                   KERNEL32
0048F318         GetProcessIoCounters                  KERNEL32
0048F31C         CreateProcessW                        KERNEL32
0048F320         GetProcessId                          KERNEL32
0048F324         SetPriorityClass                      KERNEL32
0048F328         LoadLibraryW                          KERNEL32
0048F32C         VirtualAlloc                          KERNEL32
0048F330         IsDebuggerPresent                     KERNEL32
0048F334         GetCurrentDirectoryW                  KERNEL32
0048F338         lstrcmpiW                             KERNEL32
0048F33C         DecodePointer                         KERNEL32
0048F340         GetLastError                          KERNEL32
0048F344         RaiseException                        KERNEL32
0048F348         InitializeCriticalSectionAndSpinCount KERNEL32
0048F34C         DeleteCriticalSection                 KERNEL32
0048F350         InterlockedDecrement                  KERNEL32
0048F354         InterlockedIncrement                  KERNEL32
0048F358         GetCurrentThread                      KERNEL32
0048F35C         CloseHandle                           KERNEL32
0048F360         GetFullPathNameW                      KERNEL32
0048F364         EncodePointer                         KERNEL32
0048F368         ExitProcess                           KERNEL32
0048F36C         GetModuleHandleExW                    KERNEL32
0048F370         ExitThread                            KERNEL32
0048F374         GetSystemTimeAsFileTime               KERNEL32
0048F378         ResumeThread                          KERNEL32
0048F37C         GetCommandLineW                       KERNEL32
0048F380         IsProcessorFeaturePresent             KERNEL32
0048F384         IsValidCodePage                       KERNEL32
0048F388         GetACP                                KERNEL32
0048F38C         GetOEMCP                              KERNEL32
0048F390         GetCPInfo                             KERNEL32
0048F394         SetLastError                          KERNEL32
0048F398         UnhandledExceptionFilter              KERNEL32
0048F39C         SetUnhandledExceptionFilter           KERNEL32
0048F3A0         TlsAlloc                              KERNEL32
0048F3A4         TlsGetValue                           KERNEL32
0048F3A8         TlsSetValue                           KERNEL32
0048F3AC         TlsFree                               KERNEL32
0048F3B0         GetStartupInfoW                       KERNEL32
0048F3B4         GetStringTypeW                        KERNEL32
0048F3B8         SetStdHandle                          KERNEL32
0048F3BC         GetFileType                           KERNEL32
0048F3C0         GetConsoleCP                          KERNEL32
0048F3C4         GetConsoleMode                        KERNEL32
0048F3C8         RtlUnwind                             KERNEL32
0048F3CC         ReadConsoleW                          KERNEL32
0048F3D0         GetTimeZoneInformation                KERNEL32
0048F3D4         GetDateFormatW                        KERNEL32
0048F3D8         GetTimeFormatW                        KERNEL32
0048F3DC         LCMapStringW                          KERNEL32
0048F3E0         GetEnvironmentStringsW                KERNEL32
0048F3E4         FreeEnvironmentStringsW               KERNEL32
0048F3E8         WriteConsoleW                         KERNEL32
0048F3EC         FindClose                             KERNEL32
0048F3F0         SetEnvironmentVariableA               KERNEL32
0048F3F8         WNetUseConnectionW                    MPR   
0048F3FC         WNetCancelConnection2W                MPR   
0048F400         WNetGetConnectionW                    MPR   
0048F404         WNetAddConnection2W                   MPR   
0048F40C 183     LoadTypeLibEx                         OLEAUT32
0048F410 11      VariantCopyInd                        OLEAUT32
0048F414 3       SysReAllocString                      OLEAUT32
0048F418 6       SysFreeString                         OLEAUT32
0048F41C 38      SafeArrayDestroyDescriptor            OLEAUT32
0048F420 39      SafeArrayDestroyData                  OLEAUT32
0048F424 24      SafeArrayUnaccessData                 OLEAUT32
0048F428 23      SafeArrayAccessData                   OLEAUT32
0048F42C 37      SafeArrayAllocData                    OLEAUT32
0048F430 41      SafeArrayAllocDescriptorEx            OLEAUT32
0048F434 411     SafeArrayCreateVector                 OLEAUT32
0048F438 163     RegisterTypeLib                       OLEAUT32
0048F43C 32      CreateStdDispatch                     OLEAUT32
0048F440 146     DispCallFunc                          OLEAUT32
0048F444 12      VariantChangeType                     OLEAUT32
0048F448 7       SysStringLen                          OLEAUT32
0048F44C 185     VariantTimeToSystemTime               OLEAUT32
0048F450 220     VarR8FromDec                          OLEAUT32
0048F454 77      SafeArrayGetVartype                   OLEAUT32
0048F458 10      VariantCopy                           OLEAUT32
0048F45C 9       VariantClear                          OLEAUT32
0048F460 418     OleLoadPicture                        OLEAUT32
0048F464 164     QueryPathOfRegTypeLib                 OLEAUT32
0048F468 442     RegisterTypeLibForUser                OLEAUT32
0048F46C 443     UnRegisterTypeLibForUser              OLEAUT32
0048F470 186     UnRegisterTypeLib                     OLEAUT32
0048F474 31      CreateDispTypeInfo                    OLEAUT32
0048F478 2       SysAllocString                        OLEAUT32
0048F47C 8       VariantInit                           OLEAUT32
0048F484         GetProcessMemoryInfo                  PSAPI 
0048F48C         DragQueryPoint                        SHELL32
0048F490         ShellExecuteExW                       SHELL32
0048F494         DragQueryFileW                        SHELL32
0048F498         SHEmptyRecycleBinW                    SHELL32
0048F49C         SHGetPathFromIDListW                  SHELL32
0048F4A0         SHBrowseForFolderW                    SHELL32
0048F4A4         SHCreateShellItem                     SHELL32
0048F4A8         SHGetDesktopFolder                    SHELL32
0048F4AC         SHGetSpecialFolderLocation            SHELL32
0048F4B0         SHGetFolderPathW                      SHELL32
0048F4B4         SHFileOperationW                      SHELL32
0048F4B8         ExtractIconExW                        SHELL32
0048F4BC         Shell_NotifyIconW                     SHELL32
0048F4C0         ShellExecuteW                         SHELL32
0048F4C4         DragFinish                            SHELL32
0048F4CC         AdjustWindowRectEx                    USER32
0048F4D0         CopyImage                             USER32
0048F4D4         SetWindowPos                          USER32
0048F4D8         GetCursorInfo                         USER32
0048F4DC         RegisterHotKey                        USER32
0048F4E0         ClientToScreen                        USER32
0048F4E4         GetKeyboardLayoutNameW                USER32
0048F4E8         IsCharAlphaW                          USER32
0048F4EC         IsCharAlphaNumericW                   USER32
0048F4F0         IsCharLowerW                          USER32
0048F4F4         IsCharUpperW                          USER32
0048F4F8         GetMenuStringW                        USER32
0048F4FC         GetSubMenu                            USER32
0048F500         GetCaretPos                           USER32
0048F504         IsZoomed                              USER32
0048F508         MonitorFromPoint                      USER32
0048F50C         GetMonitorInfoW                       USER32
0048F510         SetWindowLongW                        USER32
0048F514         SetLayeredWindowAttributes            USER32
0048F518         FlashWindow                           USER32
0048F51C         GetClassLongW                         USER32
0048F520         TranslateAcceleratorW                 USER32
0048F524         IsDialogMessageW                      USER32
0048F528         GetSysColor                           USER32
0048F52C         InflateRect                           USER32
0048F530         DrawFocusRect                         USER32
0048F534         DrawTextW                             USER32
0048F538         FrameRect                             USER32
0048F53C         DrawFrameControl                      USER32
0048F540         FillRect                              USER32
0048F544         PtInRect                              USER32
0048F548         DestroyAcceleratorTable               USER32
0048F54C         CreateAcceleratorTableW               USER32
0048F550         SetCursor                             USER32
0048F554         GetWindowDC                           USER32
0048F558         GetSystemMetrics                      USER32
0048F55C         GetActiveWindow                       USER32
0048F560         CharNextW                             USER32
0048F564         wsprintfW                             USER32
0048F568         RedrawWindow                          USER32
0048F56C         DrawMenuBar                           USER32
0048F570         DestroyMenu                           USER32
0048F574         SetMenu                               USER32
0048F578         GetWindowTextLengthW                  USER32
0048F57C         CreateMenu                            USER32
0048F580         IsDlgButtonChecked                    USER32
0048F584         DefDlgProcW                           USER32
0048F588         CallWindowProcW                       USER32
0048F58C         ReleaseCapture                        USER32
0048F590         SetCapture                            USER32
0048F594         CreateIconFromResourceEx              USER32
0048F598         mouse_event                           USER32
0048F59C         ExitWindowsEx                         USER32
0048F5A0         SetActiveWindow                       USER32
0048F5A4         FindWindowExW                         USER32
0048F5A8         EnumThreadWindows                     USER32
0048F5AC         SetMenuDefaultItem                    USER32
0048F5B0         InsertMenuItemW                       USER32
0048F5B4         IsMenu                                USER32
0048F5B8         TrackPopupMenuEx                      USER32
0048F5BC         GetCursorPos                          USER32
0048F5C0         DeleteMenu                            USER32
0048F5C4         SetRect                               USER32
0048F5C8         GetMenuItemID                         USER32
0048F5CC         GetMenuItemCount                      USER32
0048F5D0         SetMenuItemInfoW                      USER32
0048F5D4         GetMenuItemInfoW                      USER32
0048F5D8         SetForegroundWindow                   USER32
0048F5DC         IsIconic                              USER32
0048F5E0         FindWindowW                           USER32
0048F5E4         MonitorFromRect                       USER32
0048F5E8         keybd_event                           USER32
0048F5EC         SendInput                             USER32
0048F5F0         GetAsyncKeyState                      USER32
0048F5F4         SetKeyboardState                      USER32
0048F5F8         GetKeyboardState                      USER32
0048F5FC         GetKeyState                           USER32
0048F600         VkKeyScanW                            USER32
0048F604         LoadStringW                           USER32
0048F608         DialogBoxParamW                       USER32
0048F60C         MessageBeep                           USER32
0048F610         EndDialog                             USER32
0048F614         SendDlgItemMessageW                   USER32
0048F618         GetDlgItem                            USER32
0048F61C         SetWindowTextW                        USER32
0048F620         CopyRect                              USER32
0048F624         ReleaseDC                             USER32
0048F628         GetDC                                 USER32
0048F62C         EndPaint                              USER32
0048F630         BeginPaint                            USER32
0048F634         GetClientRect                         USER32
0048F638         GetMenu                               USER32
0048F63C         DestroyWindow                         USER32
0048F640         EnumWindows                           USER32
0048F644         GetDesktopWindow                      USER32
0048F648         IsWindow                              USER32
0048F64C         IsWindowEnabled                       USER32
0048F650         IsWindowVisible                       USER32
0048F654         EnableWindow                          USER32
0048F658         InvalidateRect                        USER32
0048F65C         GetWindowLongW                        USER32
0048F660         GetWindowThreadProcessId              USER32
0048F664         AttachThreadInput                     USER32
0048F668         GetFocus                              USER32
0048F66C         GetWindowTextW                        USER32
0048F670         ScreenToClient                        USER32
0048F674         SendMessageTimeoutW                   USER32
0048F678         EnumChildWindows                      USER32
0048F67C         CharUpperBuffW                        USER32
0048F680         GetParent                             USER32
0048F684         GetDlgCtrlID                          USER32
0048F688         SendMessageW                          USER32
0048F68C         MapVirtualKeyW                        USER32
0048F690         PostMessageW                          USER32
0048F694         GetWindowRect                         USER32
0048F698         SetUserObjectSecurity                 USER32
0048F69C         CloseDesktop                          USER32
0048F6A0         CloseWindowStation                    USER32
0048F6A4         OpenDesktopW                          USER32
0048F6A8         SetProcessWindowStation               USER32
0048F6AC         GetProcessWindowStation               USER32
0048F6B0         OpenWindowStationW                    USER32
0048F6B4         GetUserObjectSecurity                 USER32
0048F6B8         MessageBoxW                           USER32
0048F6BC         DefWindowProcW                        USER32
0048F6C0         SetClipboardData                      USER32
0048F6C4         EmptyClipboard                        USER32
0048F6C8         CountClipboardFormats                 USER32
0048F6CC         CloseClipboard                        USER32
0048F6D0         GetClipboardData                      USER32
0048F6D4         IsClipboardFormatAvailable            USER32
0048F6D8         OpenClipboard                         USER32
0048F6DC         BlockInput                            USER32
0048F6E0         GetMessageW                           USER32
0048F6E4         LockWindowUpdate                      USER32
0048F6E8         DispatchMessageW                      USER32
0048F6EC         TranslateMessage                      USER32
0048F6F0         PeekMessageW                          USER32
0048F6F4         UnregisterHotKey                      USER32
0048F6F8         CheckMenuRadioItem                    USER32
0048F6FC         CharLowerBuffW                        USER32
0048F700         MoveWindow                            USER32
0048F704         SetFocus                              USER32
0048F708         PostQuitMessage                       USER32
0048F70C         KillTimer                             USER32
0048F710         CreatePopupMenu                       USER32
0048F714         RegisterWindowMessageW                USER32
0048F718         SetTimer                              USER32
0048F71C         ShowWindow                            USER32
0048F720         CreateWindowExW                       USER32
0048F724         RegisterClassExW                      USER32
0048F728         LoadIconW                             USER32
0048F72C         LoadCursorW                           USER32
0048F730         GetSysColorBrush                      USER32
0048F734         GetForegroundWindow                   USER32
0048F738         MessageBoxA                           USER32
0048F73C         DestroyIcon                           USER32
0048F740         SystemParametersInfoW                 USER32
0048F744         LoadImageW                            USER32
0048F748         GetClassNameW                         USER32
0048F750         DestroyEnvironmentBlock               USERENV
0048F754         UnloadUserProfile                     USERENV
0048F758         CreateEnvironmentBlock                USERENV
0048F75C         LoadUserProfileW                      USERENV
0048F764         IsThemeActive                         UxTheme
0048F76C         GetFileVersionInfoW                   VERSION
0048F770         GetFileVersionInfoSizeW               VERSION
0048F774         VerQueryValueW                        VERSION
0048F77C         InternetQueryDataAvailable            WININET
0048F780         InternetCloseHandle                   WININET
0048F784         InternetOpenW                         WININET
0048F788         InternetSetOptionW                    WININET
0048F78C         InternetCrackUrlW                     WININET
0048F790         HttpQueryInfoW                        WININET
0048F794         InternetQueryOptionW                  WININET
0048F798         HttpOpenRequestW                      WININET
0048F79C         HttpSendRequestW                      WININET
0048F7A0         FtpOpenFileW                          WININET
0048F7A4         FtpGetFileSize                        WININET
0048F7A8         InternetOpenUrlW                      WININET
0048F7AC         InternetReadFile                      WININET
0048F7B0         InternetConnectW                      WININET
0048F7B8         timeGetTime                           WINMM 
0048F7BC         waveOutSetVolume                      WINMM 
0048F7C0         mciSendStringW                        WINMM 
0048F7C8 116     WSACleanup                            WSOCK32
0048F7CC 23      socket                                WSOCK32
0048F7D0 12      ioctlsocket                           WSOCK32
0048F7D4 21      setsockopt                            WSOCK32
0048F7D8 15      ntohs                                 WSOCK32
0048F7DC 17      recvfrom                              WSOCK32
0048F7E0 10      inet_addr                             WSOCK32
0048F7E4 9       htons                                 WSOCK32
0048F7E8 115     WSAStartup                            WSOCK32
0048F7EC 151     __WSAFDIsSet                          WSOCK32
0048F7F0 18      select                                WSOCK32
0048F7F4 1       accept                                WSOCK32
0048F7F8 13      listen                                WSOCK32
0048F7FC 2       bind                                  WSOCK32
0048F800 3       closesocket                           WSOCK32
0048F804 111     WSAGetLastError                       WSOCK32
0048F808 16      recv                                  WSOCK32
0048F80C 20      sendto                                WSOCK32
0048F810 19      send                                  WSOCK32
0048F814 11      inet_ntoa                             WSOCK32
0048F818 52      gethostbyname                         WSOCK32
0048F81C 57      gethostname                           WSOCK32
0048F820 4       connect                               WSOCK32
0048F828         CoTaskMemAlloc                        ole32 
0048F82C         CoTaskMemFree                         ole32 
0048F830         CLSIDFromString                       ole32 
0048F834         ProgIDFromCLSID                       ole32 
0048F838         CLSIDFromProgID                       ole32 
0048F83C         OleSetMenuDescriptor                  ole32 
0048F840         MkParseDisplayName                    ole32 
0048F844         OleSetContainedObject                 ole32 
0048F848         CoCreateInstance                      ole32 
0048F84C         IIDFromString                         ole32 
0048F850         StringFromGUID2                       ole32 
0048F854         CreateStreamOnHGlobal                 ole32 
0048F858         OleInitialize                         ole32 
0048F85C         OleUninitialize                       ole32 
0048F860         CoInitialize                          ole32 
0048F864         CoUninitialize                        ole32 
0048F868         GetRunningObjectTable                 ole32 
0048F86C         CoGetInstanceFromFile                 ole32 
0048F870         CoGetObject                           ole32 
0048F874         CoSetProxyBlanket                     ole32 
0048F878         CoCreateInstanceEx                    ole32 
0048F87C         CoInitializeSecurity                  ole32

The above list (from the spoiler) was generated with use of IDA Pro - as you can see it does not import from ntdll.dll itself - Windows will handle all this work once the Win32 calls have been made -> call the NTAPI function stub -> syscall for kernel-mode execution.

 

[giulia]

hi
i have't found any suspicious activity

 

[TheMalwareMaster]

hi
i have't found any suspicious activity

Where did you find that file? What was supposed to do? (why did you download it?)

 

[Atlas147]

Yes like what @TheMalwareMaster said, if you could shed some light on what the program is supposed to do or where you downloaded it it would greatly help.