Report - s2lub.exe

RedLine stealer[m] Malicious Library UPX AntiDebug AntiVM PE32 OS Processor Check PE File
Created 2022.12.07 09:44
Machine s1_win7_x6403
Filename s2lub.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 3
Behavior Score 13.2
ZERO API (file): malware
VT API (file) 35 detected (Jaik, Unsafe, None, Redline, Eldorado, Attribute, HighConfidence, malicious, high confidence, Kryptik, HRVP, Strab, PWSX, StealerNET, YXCLFZ, moderate, score, Static AI, Suspicious PE, kcloud, Detected, Artemis, ai score=87, Generic@AI, RDML, 9UK+llQfcxDcPDD71Q, Outbreak, susgen, HRVA)
md5 2c7867a1749edef10274f3e34b047865
sha256 8845215ed3299ff3381580ab3c1e1feb69d8c44361bc15d64b57a597147a74c7
ssdeep 12288:p7HdieNsYHk31Qb9b01KCgZg7bn8eI3ilumDo+Wxga7oRFL:q31Qxg1K/g7z8r3iC+Qf0L
imphash 3a25e3f90ed97610850855a91e61572c
impfuzzy 24:9brXYEO2teS1Nv6hlJnc+pl3eDo/Y2OovSOuFZMvalRZHu95TZGMa:9br82teS1Nv65c+ppsRguFZGC

Signature (26cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running)
danger Executed a process and injected code into it
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Allocates execute permission in another process, indicative of possible code injection
watch Collects information about installed applications
watch Communicates with a host for which no DNS query was performed
watch Harvests credentials from local FTP client software
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process, potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process, indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info This executable has a PDB path
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (14cnts)

Level Name Description Collection
danger RedLine_Stealer_m_Zero RedLine stealer memory
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (56cnts)


Suricata ids

PE API

IAT (Import Address Table) Library

SHELL32.dll
 0x446158 CommandLineToArgvW
 0x44615c SHGetFolderPathAndSubDirW
ADVAPI32.dll
 0x446000 GetLengthSid
KERNEL32.dll
 0x446008 ReadFile
 0x44600c ReadConsoleW
 0x446010 GetModuleHandleExW
 0x446014 GetCommandLineW
 0x446018 GetCurrentProcess
 0x44601c FreeConsole
 0x446020 LocalFree
 0x446024 UnhandledExceptionFilter
 0x446028 SetUnhandledExceptionFilter
 0x44602c TerminateProcess
 0x446030 IsProcessorFeaturePresent
 0x446034 QueryPerformanceCounter
 0x446038 GetCurrentProcessId
 0x44603c GetCurrentThreadId
 0x446040 GetSystemTimeAsFileTime
 0x446044 InitializeSListHead
 0x446048 IsDebuggerPresent
 0x44604c GetStartupInfoW
 0x446050 GetModuleHandleW
 0x446054 SetEndOfFile
 0x446058 RaiseException
 0x44605c InterlockedPushEntrySList
 0x446060 InterlockedFlushSList
 0x446064 RtlUnwind
 0x446068 GetLastError
 0x44606c SetLastError
 0x446070 EnterCriticalSection
 0x446074 LeaveCriticalSection
 0x446078 DeleteCriticalSection
 0x44607c InitializeCriticalSectionAndSpinCount
 0x446080 TlsAlloc
 0x446084 TlsGetValue
 0x446088 TlsSetValue
 0x44608c TlsFree
 0x446090 FreeLibrary
 0x446094 GetProcAddress
 0x446098 LoadLibraryExW
 0x44609c EncodePointer
 0x4460a0 GetStdHandle
 0x4460a4 WriteFile
 0x4460a8 GetModuleFileNameW
 0x4460ac ExitProcess
 0x4460b0 WriteConsoleW
 0x4460b4 GetCommandLineA
 0x4460b8 HeapAlloc
 0x4460bc HeapFree
 0x4460c0 GetDateFormatW
 0x4460c4 GetTimeFormatW
 0x4460c8 CompareStringW
 0x4460cc LCMapStringW
 0x4460d0 GetLocaleInfoW
 0x4460d4 IsValidLocale
 0x4460d8 GetUserDefaultLCID
 0x4460dc EnumSystemLocalesW
 0x4460e0 GetFileType
 0x4460e4 CloseHandle
 0x4460e8 GetCurrentThread
 0x4460ec OutputDebugStringW
 0x4460f0 FindClose
 0x4460f4 FindFirstFileExW
 0x4460f8 FindNextFileW
 0x4460fc IsValidCodePage
 0x446100 GetACP
 0x446104 GetOEMCP
 0x446108 GetCPInfo
 0x44610c MultiByteToWideChar
 0x446110 WideCharToMultiByte
 0x446114 GetEnvironmentStringsW
 0x446118 FreeEnvironmentStringsW
 0x44611c SetEnvironmentVariableW
 0x446120 SetStdHandle
 0x446124 GetStringTypeW
 0x446128 GetProcessHeap
 0x44612c SetConsoleCtrlHandler
 0x446130 CreateFileW
 0x446134 FlushFileBuffers
 0x446138 GetConsoleOutputCP
 0x44613c GetConsoleMode
 0x446140 GetFileSizeEx
 0x446144 SetFilePointerEx
 0x446148 DecodePointer
 0x44614c HeapSize
 0x446150 HeapReAlloc

EAT (Export Address Table): none

Similarity measure (PE file only)