ScreenShot
| Created | 2023.03.09 09:57 | Machine | s1_win7_x6401 |
| Filename | ChromeFIX_error.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 30 detected (malicious, high confidence, Babar, Ransomware, Tescrypt, unsafe, confidence, ZexaE, rq0@aWtQgJoi, Attribute, HighConfidence, Kryptik, HSEV, TrojanX, HPGen, high, score, ai score=82, Sabsik, Detected, Generic@AI, RDML, 8uDXWl4A0iafgL4WIjFueg, susgen) | ||
| md5 | 26db14ad0b3f52784f53f5a9cde42d6a | ||
| sha256 | ba0412f1b3344651077a3e0055cb60652040f070c28f1e7ac21212cce4b4955d | ||
| ssdeep | 6144:vidBppzpduDIwlxMNweGTq/0mrORdWq+/:vEBppzpduDjkpV0pdV+ | ||
| imphash | ed6858564510f205377e4e4cfbf8ff0b | ||
| impfuzzy | 24:oDVYvtqMjOov1lG/J3IXQFQ8RyvDkRT4QfRplWgLm:4YvtqMCdo3DgcQffI9 | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Win_Backdoor_AsyncRAT_Zero | Win Backdoor AsyncRAT | binaries (upload) |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41600c GetModuleHandleA
0x416010 FreeConsole
0x416014 GetProcAddress
0x416018 GetSystemInfo
0x41601c AddAtomW
0x416020 AreFileApisANSI
0x416024 TerminateProcess
0x416028 GetCurrentProcess
0x41602c UnhandledExceptionFilter
0x416030 SetUnhandledExceptionFilter
0x416034 IsDebuggerPresent
0x416038 RtlUnwind
0x41603c RaiseException
0x416040 GetCommandLineA
0x416044 GetLastError
0x416048 HeapFree
0x41604c GetModuleHandleW
0x416050 TlsGetValue
0x416054 TlsAlloc
0x416058 TlsSetValue
0x41605c TlsFree
0x416060 InterlockedIncrement
0x416064 SetLastError
0x416068 GetCurrentThreadId
0x41606c InterlockedDecrement
0x416070 HeapAlloc
0x416074 Sleep
0x416078 HeapSize
0x41607c ExitProcess
0x416080 WriteFile
0x416084 GetStdHandle
0x416088 GetModuleFileNameA
0x41608c FreeEnvironmentStringsA
0x416090 GetEnvironmentStrings
0x416094 FreeEnvironmentStringsW
0x416098 WideCharToMultiByte
0x41609c GetEnvironmentStringsW
0x4160a0 SetHandleCount
0x4160a4 GetFileType
0x4160a8 GetStartupInfoA
0x4160ac DeleteCriticalSection
0x4160b0 HeapCreate
0x4160b4 VirtualFree
0x4160b8 QueryPerformanceCounter
0x4160bc GetTickCount
0x4160c0 GetCurrentProcessId
0x4160c4 GetSystemTimeAsFileTime
0x4160c8 GetCPInfo
0x4160cc GetACP
0x4160d0 GetOEMCP
0x4160d4 IsValidCodePage
0x4160d8 LeaveCriticalSection
0x4160dc EnterCriticalSection
0x4160e0 VirtualAlloc
0x4160e4 HeapReAlloc
0x4160e8 LoadLibraryA
0x4160ec InitializeCriticalSectionAndSpinCount
0x4160f0 LCMapStringA
0x4160f4 MultiByteToWideChar
0x4160f8 LCMapStringW
0x4160fc GetStringTypeA
0x416100 GetStringTypeW
0x416104 GetLocaleInfoA
COMDLG32.dll
0x416000 GetSaveFileNameA
0x416004 GetOpenFileNameA
EAT(Export Address Table) is none
KERNEL32.dll
0x41600c GetModuleHandleA
0x416010 FreeConsole
0x416014 GetProcAddress
0x416018 GetSystemInfo
0x41601c AddAtomW
0x416020 AreFileApisANSI
0x416024 TerminateProcess
0x416028 GetCurrentProcess
0x41602c UnhandledExceptionFilter
0x416030 SetUnhandledExceptionFilter
0x416034 IsDebuggerPresent
0x416038 RtlUnwind
0x41603c RaiseException
0x416040 GetCommandLineA
0x416044 GetLastError
0x416048 HeapFree
0x41604c GetModuleHandleW
0x416050 TlsGetValue
0x416054 TlsAlloc
0x416058 TlsSetValue
0x41605c TlsFree
0x416060 InterlockedIncrement
0x416064 SetLastError
0x416068 GetCurrentThreadId
0x41606c InterlockedDecrement
0x416070 HeapAlloc
0x416074 Sleep
0x416078 HeapSize
0x41607c ExitProcess
0x416080 WriteFile
0x416084 GetStdHandle
0x416088 GetModuleFileNameA
0x41608c FreeEnvironmentStringsA
0x416090 GetEnvironmentStrings
0x416094 FreeEnvironmentStringsW
0x416098 WideCharToMultiByte
0x41609c GetEnvironmentStringsW
0x4160a0 SetHandleCount
0x4160a4 GetFileType
0x4160a8 GetStartupInfoA
0x4160ac DeleteCriticalSection
0x4160b0 HeapCreate
0x4160b4 VirtualFree
0x4160b8 QueryPerformanceCounter
0x4160bc GetTickCount
0x4160c0 GetCurrentProcessId
0x4160c4 GetSystemTimeAsFileTime
0x4160c8 GetCPInfo
0x4160cc GetACP
0x4160d0 GetOEMCP
0x4160d4 IsValidCodePage
0x4160d8 LeaveCriticalSection
0x4160dc EnterCriticalSection
0x4160e0 VirtualAlloc
0x4160e4 HeapReAlloc
0x4160e8 LoadLibraryA
0x4160ec InitializeCriticalSectionAndSpinCount
0x4160f0 LCMapStringA
0x4160f4 MultiByteToWideChar
0x4160f8 LCMapStringW
0x4160fc GetStringTypeA
0x416100 GetStringTypeW
0x416104 GetLocaleInfoA
COMDLG32.dll
0x416000 GetSaveFileNameA
0x416004 GetOpenFileNameA
EAT(Export Address Table) is none