ScreenShot
| Created | 2022.12.23 07:50 | Machine | s1_win7_x6403 |
| Filename | h.exe | ||
| Type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 12 detected (Unsafe, Save, malicious, Attribute, HighConfidence, high confidence, Rozena, score, Bandra, Wacatac, ZexaE, nKW@auzqhue) | ||
| md5 | 983ed231bdab4d132bfbef694e74ebc1 | ||
| sha256 | ac85235ed7905d82b2cb1571448089b9387f49a2b41091b163fbdde30b0925a8 | ||
| ssdeep | 3072:2b8w3uAcS/5GD8Ezm6EXB8OEk2AqrPF72FocFNzxMgncTtPYh6hB:A8ycS/5GDTzmTPqr9uRngPr | ||
| imphash | f171bb6c6f6b1d6d32649a265a2ed44a | ||
| impfuzzy | 12:K0zRJRGZGS4nJ2cDn5ARKLqRLAxDhPXJHqVzZ4GQGX5XGXKYIk6lTpJqJiZn:KifCr4JlDqFLOxKhTX5XGKkoDqoZn | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | File has been identified by 12 AntiVirus engines on VirusTotal as malicious |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x437104 CreateEventW
0x437108 CreateMutexW
0x43710c DeleteCriticalSection
0x437110 EnterCriticalSection
0x437114 ExitProcess
0x437118 FreeConsole
0x43711c FreeLibrary
0x437120 GetCurrentProcessId
0x437124 GetLastError
0x437128 GetModuleHandleA
0x43712c GetProcAddress
0x437130 GetStartupInfoA
0x437134 InitializeCriticalSection
0x437138 IsProcessorFeaturePresent
0x43713c LeaveCriticalSection
0x437140 LoadLibraryA
0x437144 ReleaseMutex
0x437148 ResetEvent
0x43714c SetEvent
0x437150 SetUnhandledExceptionFilter
0x437154 Sleep
0x437158 TlsGetValue
0x43715c VirtualProtect
0x437160 VirtualQuery
msvcrt.dll
0x437168 __getmainargs
0x43716c __initenv
0x437170 __p__acmdln
0x437174 __p__commode
0x437178 __p__fmode
0x43717c __set_app_type
0x437180 __setusermatherr
0x437184 _amsg_exit
0x437188 _cexit
0x43718c _initterm
0x437190 _iob
0x437194 _onexit
0x437198 abort
0x43719c calloc
0x4371a0 exit
0x4371a4 fprintf
0x4371a8 free
0x4371ac fwrite
0x4371b0 malloc
0x4371b4 memcpy
0x4371b8 signal
0x4371bc strlen
0x4371c0 strncmp
0x4371c4 vfprintf
EAT(Export Address Table) is none
KERNEL32.dll
0x437104 CreateEventW
0x437108 CreateMutexW
0x43710c DeleteCriticalSection
0x437110 EnterCriticalSection
0x437114 ExitProcess
0x437118 FreeConsole
0x43711c FreeLibrary
0x437120 GetCurrentProcessId
0x437124 GetLastError
0x437128 GetModuleHandleA
0x43712c GetProcAddress
0x437130 GetStartupInfoA
0x437134 InitializeCriticalSection
0x437138 IsProcessorFeaturePresent
0x43713c LeaveCriticalSection
0x437140 LoadLibraryA
0x437144 ReleaseMutex
0x437148 ResetEvent
0x43714c SetEvent
0x437150 SetUnhandledExceptionFilter
0x437154 Sleep
0x437158 TlsGetValue
0x43715c VirtualProtect
0x437160 VirtualQuery
msvcrt.dll
0x437168 __getmainargs
0x43716c __initenv
0x437170 __p__acmdln
0x437174 __p__commode
0x437178 __p__fmode
0x43717c __set_app_type
0x437180 __setusermatherr
0x437184 _amsg_exit
0x437188 _cexit
0x43718c _initterm
0x437190 _iob
0x437194 _onexit
0x437198 abort
0x43719c calloc
0x4371a0 exit
0x4371a4 fprintf
0x4371a8 free
0x4371ac fwrite
0x4371b0 malloc
0x4371b4 memcpy
0x4371b8 signal
0x4371bc strlen
0x4371c0 strncmp
0x4371c4 vfprintf
EAT(Export Address Table) is none