Property | Value |
---|---|
Created | 2023.03.07 17:28 |
Machine | s1_win7_x6402 |
Filename | Injection.scr |
Type | PE32 executable (console) Intel 80386, for MS Windows |
ZERO API | file : clean |
md5 | 4e32c1ae7807c0a82e3b68b6791345fc |
sha256 | ed7ef561ef84c2901198261782c15c757ed95e7fa3ce7b558d3a6a40570f4b47 |
ssdeep | 3072:FDTiRbBJVx9O5hSxPNR+RwkyXakUcwNIC4cf6mzVg5+o6s51KJfDHAqRiNKl3Wq3:FDTix0TSxFRI08cwaCRS+q5+o1W |
imphash | 8a29bd563b5a111b3402a07404ffca08 |
impfuzzy | 24:mD9O4OovnOQFQjERyvDh/J3ISlRT47mfLplhqb:tXEOLDjhc7mfF7qb |
Signature (14cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Communicates with host for which no DNS query was performed |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | One or more potentially interesting buffers were extracted |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x411000 GetProcAddress
0x411004 GetModuleHandleA
0x411008 GetCommandLineW
0x41100c GetProcessHeap
0x411010 FreeConsole
0x411014 GetCommandLineA
0x411018 SetUnhandledExceptionFilter
0x41101c GetModuleHandleW
0x411020 Sleep
0x411024 ExitProcess
0x411028 WriteFile
0x41102c GetStdHandle
0x411030 GetModuleFileNameA
0x411034 FreeEnvironmentStringsA
0x411038 GetEnvironmentStrings
0x41103c FreeEnvironmentStringsW
0x411040 WideCharToMultiByte
0x411044 GetLastError
0x411048 GetEnvironmentStringsW
0x41104c SetHandleCount
0x411050 GetFileType
0x411054 GetStartupInfoA
0x411058 DeleteCriticalSection
0x41105c TlsGetValue
0x411060 TlsAlloc
0x411064 TlsSetValue
0x411068 TlsFree
0x41106c InterlockedIncrement
0x411070 SetLastError
0x411074 GetCurrentThreadId
0x411078 InterlockedDecrement
0x41107c HeapCreate
0x411080 VirtualFree
0x411084 HeapFree
0x411088 QueryPerformanceCounter
0x41108c GetTickCount
0x411090 GetCurrentProcessId
0x411094 GetSystemTimeAsFileTime
0x411098 GetCPInfo
0x41109c GetACP
0x4110a0 GetOEMCP
0x4110a4 IsValidCodePage
0x4110a8 TerminateProcess
0x4110ac GetCurrentProcess
0x4110b0 UnhandledExceptionFilter
0x4110b4 IsDebuggerPresent
0x4110b8 LeaveCriticalSection
0x4110bc EnterCriticalSection
0x4110c0 LoadLibraryA
0x4110c4 InitializeCriticalSectionAndSpinCount
0x4110c8 HeapAlloc
0x4110cc VirtualAlloc
0x4110d0 HeapReAlloc
0x4110d4 RtlUnwind
0x4110d8 LCMapStringA
0x4110dc MultiByteToWideChar
0x4110e0 LCMapStringW
0x4110e4 GetStringTypeA
0x4110e8 GetStringTypeW
0x4110ec GetLocaleInfoA
0x4110f0 HeapSize
EAT(Export Address Table) is none