ScreenShot
| Created | 2022.12.08 10:40 | Machine | s1_win7_x6403 |
| Filename | setup_1670430157.2111816.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 20 detected (Redline, Eldorado, Attribute, HighConfidence, malicious, high confidence, Kryptik, HQMY, score, high, Sabsik, Detected, ZexaF, OqW@aiheZ8d, BScope, TrojanPSW, Generic@AI, RDML, Wdjt+CucZd44QNWdgZWP4Q, Krypt, susgen, confidence) | ||
| md5 | 89b2ce64736e525d07b5385fa50c5266 | ||
| sha256 | 89b3b5153c603ad3266b91baa3f2e8dfef61f583af6ffaced5a718f28c017718 | ||
| ssdeep | 12288:VpIWImxDuP2MCMwV+5uqskQwrcEi1ZaNWWcyoB3ZtLu53PRGThvE:VpIWIGDuP2MuJEi1YNWWcRHWGW | ||
| imphash | 43052fbcc86537f02aea12e98d776319 | ||
| impfuzzy | 24:9brQrOg9VcpVWZsCrMS1jt2GzplJBlCDoLoEOovSOuFZMvGGMAHTq+lEZHu9n:9brQag9VcpVeZrMS1jt2GzPVcguFZGew | ||
Network IP location
Signature (27cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| warning | File has been identified by 20 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | This executable has a PDB path |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
SHELL32.dll
0x472168 CommandLineToArgvW
0x47216c SHGetFolderPathAndSubDirW
ADVAPI32.dll
0x472000 GetLengthSid
KERNEL32.dll
0x472008 HeapSize
0x47200c CreateFileW
0x472010 FreeLibrary
0x472014 GetCommandLineW
0x472018 GetCurrentProcess
0x47201c LocalFree
0x472020 MultiByteToWideChar
0x472024 FormatMessageA
0x472028 GetStringTypeW
0x47202c WideCharToMultiByte
0x472030 EnterCriticalSection
0x472034 LeaveCriticalSection
0x472038 InitializeCriticalSectionEx
0x47203c DeleteCriticalSection
0x472040 EncodePointer
0x472044 DecodePointer
0x472048 LCMapStringEx
0x47204c GetLocaleInfoEx
0x472050 CompareStringEx
0x472054 GetCPInfo
0x472058 QueryPerformanceCounter
0x47205c GetCurrentProcessId
0x472060 GetCurrentThreadId
0x472064 GetSystemTimeAsFileTime
0x472068 InitializeSListHead
0x47206c IsDebuggerPresent
0x472070 UnhandledExceptionFilter
0x472074 SetUnhandledExceptionFilter
0x472078 GetStartupInfoW
0x47207c IsProcessorFeaturePresent
0x472080 GetModuleHandleW
0x472084 TerminateProcess
0x472088 ReadConsoleW
0x47208c RaiseException
0x472090 RtlUnwind
0x472094 InterlockedPushEntrySList
0x472098 InterlockedFlushSList
0x47209c GetLastError
0x4720a0 SetLastError
0x4720a4 InitializeCriticalSectionAndSpinCount
0x4720a8 TlsAlloc
0x4720ac TlsGetValue
0x4720b0 TlsSetValue
0x4720b4 TlsFree
0x4720b8 WriteConsoleW
0x4720bc GetProcAddress
0x4720c0 LoadLibraryExW
0x4720c4 GetStdHandle
0x4720c8 WriteFile
0x4720cc GetModuleFileNameW
0x4720d0 ExitProcess
0x4720d4 GetModuleHandleExW
0x4720d8 GetCommandLineA
0x4720dc HeapAlloc
0x4720e0 HeapFree
0x4720e4 GetDateFormatW
0x4720e8 GetTimeFormatW
0x4720ec CompareStringW
0x4720f0 LCMapStringW
0x4720f4 GetLocaleInfoW
0x4720f8 IsValidLocale
0x4720fc GetUserDefaultLCID
0x472100 EnumSystemLocalesW
0x472104 GetFileType
0x472108 GetCurrentThread
0x47210c GetFileSizeEx
0x472110 SetFilePointerEx
0x472114 CloseHandle
0x472118 FlushFileBuffers
0x47211c GetConsoleOutputCP
0x472120 GetConsoleMode
0x472124 ReadFile
0x472128 HeapReAlloc
0x47212c SetConsoleCtrlHandler
0x472130 GetTimeZoneInformation
0x472134 OutputDebugStringW
0x472138 FindClose
0x47213c FindFirstFileExW
0x472140 FindNextFileW
0x472144 IsValidCodePage
0x472148 GetACP
0x47214c GetOEMCP
0x472150 GetEnvironmentStringsW
0x472154 FreeEnvironmentStringsW
0x472158 SetEnvironmentVariableW
0x47215c SetStdHandle
0x472160 GetProcessHeap
EAT(Export Address Table) is none
SHELL32.dll
0x472168 CommandLineToArgvW
0x47216c SHGetFolderPathAndSubDirW
ADVAPI32.dll
0x472000 GetLengthSid
KERNEL32.dll
0x472008 HeapSize
0x47200c CreateFileW
0x472010 FreeLibrary
0x472014 GetCommandLineW
0x472018 GetCurrentProcess
0x47201c LocalFree
0x472020 MultiByteToWideChar
0x472024 FormatMessageA
0x472028 GetStringTypeW
0x47202c WideCharToMultiByte
0x472030 EnterCriticalSection
0x472034 LeaveCriticalSection
0x472038 InitializeCriticalSectionEx
0x47203c DeleteCriticalSection
0x472040 EncodePointer
0x472044 DecodePointer
0x472048 LCMapStringEx
0x47204c GetLocaleInfoEx
0x472050 CompareStringEx
0x472054 GetCPInfo
0x472058 QueryPerformanceCounter
0x47205c GetCurrentProcessId
0x472060 GetCurrentThreadId
0x472064 GetSystemTimeAsFileTime
0x472068 InitializeSListHead
0x47206c IsDebuggerPresent
0x472070 UnhandledExceptionFilter
0x472074 SetUnhandledExceptionFilter
0x472078 GetStartupInfoW
0x47207c IsProcessorFeaturePresent
0x472080 GetModuleHandleW
0x472084 TerminateProcess
0x472088 ReadConsoleW
0x47208c RaiseException
0x472090 RtlUnwind
0x472094 InterlockedPushEntrySList
0x472098 InterlockedFlushSList
0x47209c GetLastError
0x4720a0 SetLastError
0x4720a4 InitializeCriticalSectionAndSpinCount
0x4720a8 TlsAlloc
0x4720ac TlsGetValue
0x4720b0 TlsSetValue
0x4720b4 TlsFree
0x4720b8 WriteConsoleW
0x4720bc GetProcAddress
0x4720c0 LoadLibraryExW
0x4720c4 GetStdHandle
0x4720c8 WriteFile
0x4720cc GetModuleFileNameW
0x4720d0 ExitProcess
0x4720d4 GetModuleHandleExW
0x4720d8 GetCommandLineA
0x4720dc HeapAlloc
0x4720e0 HeapFree
0x4720e4 GetDateFormatW
0x4720e8 GetTimeFormatW
0x4720ec CompareStringW
0x4720f0 LCMapStringW
0x4720f4 GetLocaleInfoW
0x4720f8 IsValidLocale
0x4720fc GetUserDefaultLCID
0x472100 EnumSystemLocalesW
0x472104 GetFileType
0x472108 GetCurrentThread
0x47210c GetFileSizeEx
0x472110 SetFilePointerEx
0x472114 CloseHandle
0x472118 FlushFileBuffers
0x47211c GetConsoleOutputCP
0x472120 GetConsoleMode
0x472124 ReadFile
0x472128 HeapReAlloc
0x47212c SetConsoleCtrlHandler
0x472130 GetTimeZoneInformation
0x472134 OutputDebugStringW
0x472138 FindClose
0x47213c FindFirstFileExW
0x472140 FindNextFileW
0x472144 IsValidCodePage
0x472148 GetACP
0x47214c GetOEMCP
0x472150 GetEnvironmentStringsW
0x472154 FreeEnvironmentStringsW
0x472158 SetEnvironmentVariableW
0x47215c SetStdHandle
0x472160 GetProcessHeap
EAT(Export Address Table) is none