Field | Value |
---|---|
Created | 2023.01.19 12:43 |
Machine | s1_win7_x6401 |
Filename | 3eaxk3ch1hxkih.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 45 detected (Artemis, Unsafe, malicious, confidence, 100%, runner, ali1000123, ZexaF, GuW@aSpLDRg, Kryptik, Eldorado, Attribute, HighConfidence, high confidence, HRZU, score, PWSX, Ekjl, Inject4, REDLINE, YXDAQZ, Static AI, Suspicious PE, RedLineSteal, wnyvp, Detected, ai score=84, BScope, TrojanPSW, 3t22hXHlkUO, HSIR, Chgt) |
md5 | f14521ae608114a93970fc0fa56f2b37 |
sha256 | 6dd2706b26208b0dab625fadab85731bdc6a8c169f4b4db057364ae22ad55b00 |
ssdeep | 12288:NoqTPg1z/kdSyMrOt9SeRjI8eHyE+yi2L:NoqTI1z/kdSyIeRPekyiy |
imphash | fe6c9b473349465e571611857ce5cb94 |
impfuzzy | 24:BcpVWZsCrYtMS1wGhlJBl3eDoLoEOovbO3OuFZMvrGMAOWEZHu95:BcpVeZrYtMS1wGnpXc3euFZGvM |
Network IP location
Signature (22cnts)
Level | Description |
---|---|
danger | File has been identified by 45 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (upload) |
PE API
IAT (Import Address Table) Library
ADVAPI32.dll
0x440000 AuditFree
KERNEL32.dll
0x440008 VirtualProtect
0x44000c FreeConsole
0x440010 MultiByteToWideChar
0x440014 GetStringTypeW
0x440018 WideCharToMultiByte
0x44001c EnterCriticalSection
0x440020 LeaveCriticalSection
0x440024 InitializeCriticalSectionEx
0x440028 DeleteCriticalSection
0x44002c EncodePointer
0x440030 DecodePointer
0x440034 LCMapStringEx
0x440038 GetLocaleInfoEx
0x44003c CompareStringEx
0x440040 GetCPInfo
0x440044 UnhandledExceptionFilter
0x440048 SetUnhandledExceptionFilter
0x44004c GetCurrentProcess
0x440050 TerminateProcess
0x440054 IsProcessorFeaturePresent
0x440058 QueryPerformanceCounter
0x44005c GetCurrentProcessId
0x440060 GetCurrentThreadId
0x440064 GetSystemTimeAsFileTime
0x440068 InitializeSListHead
0x44006c IsDebuggerPresent
0x440070 GetStartupInfoW
0x440074 GetModuleHandleW
0x440078 CreateFileW
0x44007c RaiseException
0x440080 RtlUnwind
0x440084 GetLastError
0x440088 SetLastError
0x44008c InitializeCriticalSectionAndSpinCount
0x440090 TlsAlloc
0x440094 TlsGetValue
0x440098 TlsSetValue
0x44009c TlsFree
0x4400a0 FreeLibrary
0x4400a4 GetProcAddress
0x4400a8 LoadLibraryExW
0x4400ac GetStdHandle
0x4400b0 WriteFile
0x4400b4 GetModuleFileNameW
0x4400b8 ExitProcess
0x4400bc GetModuleHandleExW
0x4400c0 GetCommandLineA
0x4400c4 GetCommandLineW
0x4400c8 HeapAlloc
0x4400cc HeapFree
0x4400d0 GetDateFormatW
0x4400d4 GetTimeFormatW
0x4400d8 CompareStringW
0x4400dc LCMapStringW
0x4400e0 GetLocaleInfoW
0x4400e4 IsValidLocale
0x4400e8 GetUserDefaultLCID
0x4400ec EnumSystemLocalesW
0x4400f0 GetFileType
0x4400f4 HeapReAlloc
0x4400f8 GetFileSizeEx
0x4400fc SetFilePointerEx
0x440100 CloseHandle
0x440104 FlushFileBuffers
0x440108 GetConsoleOutputCP
0x44010c GetConsoleMode
0x440110 ReadFile
0x440114 GetTimeZoneInformation
0x440118 FindClose
0x44011c FindFirstFileExW
0x440120 FindNextFileW
0x440124 IsValidCodePage
0x440128 GetACP
0x44012c GetOEMCP
0x440130 GetEnvironmentStringsW
0x440134 FreeEnvironmentStringsW
0x440138 SetEnvironmentVariableW
0x44013c SetStdHandle
0x440140 GetProcessHeap
0x440144 ReadConsoleW
0x440148 HeapSize
0x44014c WriteConsoleW
EAT (Export Address Table): none