ScreenShot
| Created | 2023.03.07 17:32 | Machine | s1_win7_x6402 |
| Filename | Setup.scr | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | fe78071bcd7b5fd9105734aaa485f816 | ||
| sha256 | 6406f876d483184b4f310a406d222a1320bd433f7afe76ff89766edab3793754 | ||
| ssdeep | 6144:9YNzvLnjAOAgwobtV22imO2ev8R5/PAixWAixWAixWAixWNGgb3w6Cnq:LOyAV229R/5/PAixWAixWAixWAixWNF3 | ||
| imphash | c0a0dc5efcf313a25eeff245ebb1015c | ||
| impfuzzy | 48:KQ1xZn6GjQZWK3pN/UvlaSeGT6t6U0GAz1QhOHFEECAvlJDMCS1jt75cUpQyc3m:K0L4WHS1jt75cUpQyH | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
USER32.dll
0x411118 wvsprintfA
0x41111c CreateDialogParamA
0x411120 DestroyCursor
0x411124 PostMessageA
0x411128 ChildWindowFromPoint
0x41112c InvalidateRect
0x411130 RemoveMenu
0x411134 LoadAcceleratorsA
0x411138 GetMessageA
0x41113c TranslateAcceleratorA
0x411140 IsDialogMessageA
0x411144 OpenClipboard
0x411148 CharUpperA
0x41114c SetFocus
0x411150 SetClipboardData
0x411154 EmptyClipboard
0x411158 LoadIconA
0x41115c TranslateMessage
0x411160 DispatchMessageA
0x411164 DestroyAcceleratorTable
0x411168 DialogBoxParamA
0x41116c GetSysColorBrush
0x411170 SetCursor
0x411174 UnregisterClassA
0x411178 CheckRadioButton
0x41117c IsWindow
0x411180 GetSystemMetrics
0x411184 EnableWindow
0x411188 GetWindowTextA
0x41118c RedrawWindow
0x411190 FindWindowA
0x411194 SetWindowPos
0x411198 GetWindowLongA
KERNEL32.dll
0x411000 DeleteCriticalSection
0x411004 WriteConsoleW
0x411008 CloseHandle
0x41100c CreateFileW
0x411010 SetFilePointerEx
0x411014 GetConsoleMode
0x411018 GetConsoleOutputCP
0x41101c FlushFileBuffers
0x411020 HeapReAlloc
0x411024 HeapSize
0x411028 GetProcessHeap
0x41102c LCMapStringW
0x411030 CompareStringW
0x411034 GetStringTypeW
0x411038 GetFileType
0x41103c SetStdHandle
0x411040 SetEnvironmentVariableW
0x411044 FreeEnvironmentStringsW
0x411048 GetEnvironmentStringsW
0x41104c WideCharToMultiByte
0x411050 MultiByteToWideChar
0x411054 GetCPInfo
0x411058 GetOEMCP
0x41105c GetACP
0x411060 GetSystemInfo
0x411064 IsProcessorFeaturePresent
0x411068 GetModuleHandleA
0x41106c GetProcAddress
0x411070 FreeConsole
0x411074 QueryPerformanceCounter
0x411078 GetCurrentProcessId
0x41107c GetCurrentThreadId
0x411080 GetSystemTimeAsFileTime
0x411084 InitializeSListHead
0x411088 IsDebuggerPresent
0x41108c UnhandledExceptionFilter
0x411090 SetUnhandledExceptionFilter
0x411094 GetStartupInfoW
0x411098 GetModuleHandleW
0x41109c GetCurrentProcess
0x4110a0 TerminateProcess
0x4110a4 IsValidCodePage
0x4110a8 RtlUnwind
0x4110ac GetLastError
0x4110b0 SetLastError
0x4110b4 EnterCriticalSection
0x4110b8 LeaveCriticalSection
0x4110bc DecodePointer
0x4110c0 InitializeCriticalSectionAndSpinCount
0x4110c4 TlsAlloc
0x4110c8 TlsGetValue
0x4110cc TlsSetValue
0x4110d0 TlsFree
0x4110d4 FreeLibrary
0x4110d8 LoadLibraryExW
0x4110dc EncodePointer
0x4110e0 RaiseException
0x4110e4 GetStdHandle
0x4110e8 WriteFile
0x4110ec GetModuleFileNameW
0x4110f0 ExitProcess
0x4110f4 GetModuleHandleExW
0x4110f8 GetCommandLineA
0x4110fc GetCommandLineW
0x411100 HeapAlloc
0x411104 HeapFree
0x411108 FindClose
0x41110c FindFirstFileExW
0x411110 FindNextFileW
EAT(Export Address Table) is none
USER32.dll
0x411118 wvsprintfA
0x41111c CreateDialogParamA
0x411120 DestroyCursor
0x411124 PostMessageA
0x411128 ChildWindowFromPoint
0x41112c InvalidateRect
0x411130 RemoveMenu
0x411134 LoadAcceleratorsA
0x411138 GetMessageA
0x41113c TranslateAcceleratorA
0x411140 IsDialogMessageA
0x411144 OpenClipboard
0x411148 CharUpperA
0x41114c SetFocus
0x411150 SetClipboardData
0x411154 EmptyClipboard
0x411158 LoadIconA
0x41115c TranslateMessage
0x411160 DispatchMessageA
0x411164 DestroyAcceleratorTable
0x411168 DialogBoxParamA
0x41116c GetSysColorBrush
0x411170 SetCursor
0x411174 UnregisterClassA
0x411178 CheckRadioButton
0x41117c IsWindow
0x411180 GetSystemMetrics
0x411184 EnableWindow
0x411188 GetWindowTextA
0x41118c RedrawWindow
0x411190 FindWindowA
0x411194 SetWindowPos
0x411198 GetWindowLongA
KERNEL32.dll
0x411000 DeleteCriticalSection
0x411004 WriteConsoleW
0x411008 CloseHandle
0x41100c CreateFileW
0x411010 SetFilePointerEx
0x411014 GetConsoleMode
0x411018 GetConsoleOutputCP
0x41101c FlushFileBuffers
0x411020 HeapReAlloc
0x411024 HeapSize
0x411028 GetProcessHeap
0x41102c LCMapStringW
0x411030 CompareStringW
0x411034 GetStringTypeW
0x411038 GetFileType
0x41103c SetStdHandle
0x411040 SetEnvironmentVariableW
0x411044 FreeEnvironmentStringsW
0x411048 GetEnvironmentStringsW
0x41104c WideCharToMultiByte
0x411050 MultiByteToWideChar
0x411054 GetCPInfo
0x411058 GetOEMCP
0x41105c GetACP
0x411060 GetSystemInfo
0x411064 IsProcessorFeaturePresent
0x411068 GetModuleHandleA
0x41106c GetProcAddress
0x411070 FreeConsole
0x411074 QueryPerformanceCounter
0x411078 GetCurrentProcessId
0x41107c GetCurrentThreadId
0x411080 GetSystemTimeAsFileTime
0x411084 InitializeSListHead
0x411088 IsDebuggerPresent
0x41108c UnhandledExceptionFilter
0x411090 SetUnhandledExceptionFilter
0x411094 GetStartupInfoW
0x411098 GetModuleHandleW
0x41109c GetCurrentProcess
0x4110a0 TerminateProcess
0x4110a4 IsValidCodePage
0x4110a8 RtlUnwind
0x4110ac GetLastError
0x4110b0 SetLastError
0x4110b4 EnterCriticalSection
0x4110b8 LeaveCriticalSection
0x4110bc DecodePointer
0x4110c0 InitializeCriticalSectionAndSpinCount
0x4110c4 TlsAlloc
0x4110c8 TlsGetValue
0x4110cc TlsSetValue
0x4110d0 TlsFree
0x4110d4 FreeLibrary
0x4110d8 LoadLibraryExW
0x4110dc EncodePointer
0x4110e0 RaiseException
0x4110e4 GetStdHandle
0x4110e8 WriteFile
0x4110ec GetModuleFileNameW
0x4110f0 ExitProcess
0x4110f4 GetModuleHandleExW
0x4110f8 GetCommandLineA
0x4110fc GetCommandLineW
0x411100 HeapAlloc
0x411104 HeapFree
0x411108 FindClose
0x41110c FindFirstFileExW
0x411110 FindNextFileW
EAT(Export Address Table) is none