Field | Value |
---|---|
Created | 2022.12.23 08:03 |
Machine | s1_win7_x6401 |
Filename | r.exe |
Type | PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 14 detected (Unsafe, Save, malicious, confidence, Attribute, HighConfidence, high confidence, Rozena, score, Bandra, Wacatac, ZexaE, nKW@aWy2eZk) |
md5 | c1adaf98f8c567048839897999f84f9c |
sha256 | 1873e78bd7364486ab4b563ca9c58ec76cb75c4acfa48b261d78d85a537c749a |
ssdeep | 3072:aQw78gtyq/HfLTr4Ch/KjL4BpwxrY34YMPvBIrVgkhtztAIQ5AovygF7ocTt/oxa:aQ0/LTrB/KcDMnByVgkLztnaygF8g/r |
imphash | f171bb6c6f6b1d6d32649a265a2ed44a |
impfuzzy | 12:K0zRJRGZGS4nJ2cDn5ARKLqRLAxDhPXJHqVzZ4GQGX5XGXKYIk6lTpJqJiZn:KifCr4JlDqFLOxKhTX5XGKkoDqoZn |
Network IP location
Signature (26cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Executes one or more WMI queries |
watch | File has been identified by 14 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local FTP client softwares |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
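The danger and watch signatures above (a child process started and written to, NtSetContextThread on a thread in another process, a suspended remote thread resumed) are the individual steps of process hollowing; each on its own is also done by legitimate software, so a detection should require the chain, in order, against the same target process. The following is an added example, not output from this report or code from the sandbox: a small Python detector over a constructed API trace. The trace format (caller pid, API name, arguments, return value, with handle targets annotated as `[pid:N tid:M]`) and the pids in it are assumptions, not the sandbox's own log format.

```python
import re

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample trace (not from the report above). Assumed format:
# "<caller pid> <api>(<args>) => <return>", handle targets annotated as [pid:N tid:M].
# pid 2476 receives the full hollowing chain; pid 3100 is only started suspended and resumed.
SAMPLE_TRACE = """\
1820 CreateProcessInternalW(lpApplicationName="C:\\Windows\\System32\\svchost.exe", dwCreationFlags=0x00000004) => pid:2476 tid:2480
1820 NtAllocateVirtualMemory(ProcessHandle=0x1c0 [pid:2476], Protection=0x40, Size=0x7000) => 0x0
1820 NtWriteVirtualMemory(ProcessHandle=0x1c0 [pid:2476], BaseAddress=0x00400000, Size=0x7000) => 0x0
1820 NtSetContextThread(ThreadHandle=0x1c4 [pid:2476 tid:2480]) => 0x0
1820 NtResumeThread(ThreadHandle=0x1c4 [pid:2476 tid:2480]) => 0x0
1820 CreateProcessInternalW(lpApplicationName="C:\\Windows\\System32\\cmd.exe", dwCreationFlags=0x00000004) => pid:3100 tid:3104
1820 NtResumeThread(ThreadHandle=0x1d0 [pid:3100 tid:3104]) => 0x0
"""

LINE_RE = re.compile(r"^(?P<caller>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s+=>\s+(?P<ret>.*)$")
PID_RE = re.compile(r"pid:(\d+)")
FLAG_RE = re.compile(r"dwCreationFlags=(0x[0-9a-fA-F]+)")
PROT_RE = re.compile(r"Protection=(0x[0-9a-fA-F]+)")

# Both Nt* and Win32-level names, since a trace may hook either layer.
STAGE_OF_API = {
    "NtAllocateVirtualMemory": "alloc_rwx", "VirtualAllocEx": "alloc_rwx",
    "NtWriteVirtualMemory": "write_memory", "WriteProcessMemory": "write_memory",
    "NtSetContextThread": "set_context", "SetThreadContext": "set_context",
    "NtResumeThread": "resume_thread", "ResumeThread": "resume_thread",
}

# The stages that must all appear, in this order, for a hollowing verdict.
REQUIRED_ORDER = ("create_suspended", "write_memory", "set_context", "resume_thread")


def parse_call(line):
    """Return (target_pid, stage) for a call that is part of a remote-injection chain, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    caller, api, args, ret = int(m["caller"]), m["api"], m["args"], m["ret"]
    if api == "CreateProcessInternalW":
        flag, pid = FLAG_RE.search(args), PID_RE.search(ret)
        if flag and pid and int(flag.group(1), 16) & CREATE_SUSPENDED:
            return int(pid.group(1)), "create_suspended"
        return None
    stage, target = STAGE_OF_API.get(api), PID_RE.search(args)
    if stage is None or target is None or int(target.group(1)) == caller:
        return None  # unknown API, no target, or self-targeting (unpacking, not injection)
    if stage == "alloc_rwx":
        prot = PROT_RE.search(args)
        if not prot or int(prot.group(1), 16) != PAGE_EXECUTE_READWRITE:
            return None  # a non-executable remote allocation is not interesting here
    return int(target.group(1)), stage


def find_hollowing(trace):
    """Group injection-relevant calls by target pid and give each target a verdict."""
    observed = {}
    for line in trace.splitlines():
        ev = parse_call(line)
        if ev:
            observed.setdefault(ev[0], []).append(ev[1])
    results = {}
    for pid, stages in observed.items():
        # First occurrence of each required stage must appear in hollowing order.
        positions = [stages.index(s) if s in stages else None for s in REQUIRED_ORDER]
        if None not in positions and positions == sorted(positions):
            verdict = "process hollowing"
        elif "write_memory" in stages or "set_context" in stages:
            verdict = "partial injection chain"
        else:
            verdict = "suspended start without injection"
        results[pid] = {"stages": stages, "verdict": verdict}
    return results


if __name__ == "__main__":
    for pid, info in find_hollowing(SAMPLE_TRACE).items():
        print(pid, info["verdict"], "<-", " > ".join(info["stages"]))
```

The verdict is keyed on the target process rather than the caller, which is what makes the chain check meaningful: a loader that starts several suspended children and only hollows one is reported per child, and a process that allocates RWX memory in itself (the "usually to unpack itself" notice above) is ignored because self-targeting calls are dropped.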
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x438104 CreateEventW
0x438108 CreateMutexW
0x43810c DeleteCriticalSection
0x438110 EnterCriticalSection
0x438114 ExitProcess
0x438118 FreeConsole
0x43811c FreeLibrary
0x438120 GetCurrentProcessId
0x438124 GetLastError
0x438128 GetModuleHandleA
0x43812c GetProcAddress
0x438130 GetStartupInfoA
0x438134 InitializeCriticalSection
0x438138 IsProcessorFeaturePresent
0x43813c LeaveCriticalSection
0x438140 LoadLibraryA
0x438144 ReleaseMutex
0x438148 ResetEvent
0x43814c SetEvent
0x438150 SetUnhandledExceptionFilter
0x438154 Sleep
0x438158 TlsGetValue
0x43815c VirtualProtect
0x438160 VirtualQuery
msvcrt.dll
0x438168 __getmainargs
0x43816c __initenv
0x438170 __p__acmdln
0x438174 __p__commode
0x438178 __p__fmode
0x43817c __set_app_type
0x438180 __setusermatherr
0x438184 _amsg_exit
0x438188 _cexit
0x43818c _initterm
0x438190 _iob
0x438194 _onexit
0x438198 abort
0x43819c calloc
0x4381a0 exit
0x4381a4 fprintf
0x4381a8 free
0x4381ac fwrite
0x4381b0 malloc
0x4381b4 memcpy
0x4381b8 signal
0x4381bc strlen
0x4381c0 strncmp
0x4381c4 vfprintf
EAT(Export Address Table) is none
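The imphash in the file table is derived from exactly the kind of listing above: each import is rendered as `dll.function` (lowercased, with the `.dll`/`.ocx`/`.sys` extension dropped), the entries are joined with commas in import-directory order, and the result is MD5-hashed; that is why two builds with the same import list share an imphash even when their code differs. The following is an added example, not code from the sandbox or from pefile: it reproduces that algorithm in Python over the IAT listed on this page. Whether the result equals the reported value `f171bb6c6f6b1d6d32649a265a2ed44a` depends on the listing being complete and in directory order (ordinal-only imports, which pefile resolves by name from a lookup table, do not appear here), so the comparison is reported rather than assumed.

```python
import hashlib

# Imports as the IAT section of this report lists them, in the order shown.
# The imphash is order-sensitive, so the order is part of the input.
REPORT_IMPORTS = [
    ("KERNEL32.dll", [
        "CreateEventW", "CreateMutexW", "DeleteCriticalSection", "EnterCriticalSection",
        "ExitProcess", "FreeConsole", "FreeLibrary", "GetCurrentProcessId", "GetLastError",
        "GetModuleHandleA", "GetProcAddress", "GetStartupInfoA", "InitializeCriticalSection",
        "IsProcessorFeaturePresent", "LeaveCriticalSection", "LoadLibraryA", "ReleaseMutex",
        "ResetEvent", "SetEvent", "SetUnhandledExceptionFilter", "Sleep", "TlsGetValue",
        "VirtualProtect", "VirtualQuery",
    ]),
    ("msvcrt.dll", [
        "__getmainargs", "__initenv", "__p__acmdln", "__p__commode", "__p__fmode",
        "__set_app_type", "__setusermatherr", "_amsg_exit", "_cexit", "_initterm", "_iob",
        "_onexit", "abort", "calloc", "exit", "fprintf", "free", "fwrite", "malloc", "memcpy",
        "signal", "strlen", "strncmp", "vfprintf",
    ]),
]

# Value shown in the report's file table.
REPORT_IMPHASH = "f171bb6c6f6b1d6d32649a265a2ed44a"

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def imphash_string(imports):
    """Build the comma-joined 'dll.func' string that the imphash is the MD5 of.

    imports: list of (dll_name, [function_name, ...]) in import-directory order.
    """
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIPPED_EXTENSIONS:
            lib = base  # only these extensions are stripped; "foo.bar" stays as-is
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the imphash string; an empty import list hashes the empty string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def matches_report(imports, expected=REPORT_IMPHASH):
    """True when the listed imports reproduce the reported imphash."""
    return imphash(imports) == expected.lower()


if __name__ == "__main__":
    computed = imphash(REPORT_IMPORTS)
    print("computed :", computed)
    print("reported :", REPORT_IMPHASH)
    print("match    :", matches_report(REPORT_IMPORTS))
```

If `matches_report` returns False for a real sample, the usual reasons are an import listing that is not in directory order, ordinal imports that were resolved to names differently, or a hash computed over a different layer of the file (the UPX_Zero rule above means the uploaded binary carries a packer layer, and an unpacked dump has its own, different imphash).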