Field | Value |
---|---|
Created | 2023.03.20 09:42 |
Machine | s1_win7_x6401 |
Filename | w6auj9ii3rp.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 46 detected (AIDetectNet, malicious, high confidence, GenericKD, Artemis, Vkij, confidence, 100%, ZexaF, rDW@aqnsfwm, ESSF, score, PWSX, REDLINE, YXDCRZ, high, RedLineSteal, muocs, Casdet, Detected, ai score=82, unsafe, ZKEBmB8grvE, Static AI, Malicious PE, susgen) |
md5 | 57e3fc905b5cb1811f155ec4aef82795 |
sha256 | a8509b53acec11ea8c6ca3845a9110d0c3477a60f4ca418f7dfd1a29f320765d |
ssdeep | 6144:4mh3jJZ9TCrzK/AO3d+2FaVc7xbciJSf7jLi7tlSd3njau:4oz/zts24Vc7xbjUf7i7tQdt |
imphash | ad9a9e653c662aac447a2ff29709f237 |
impfuzzy | 24:bgIlQDwcpVWZjS1jtJGhlJBl3ELoEOovbO3Wv9FZ6GMA+EZHu9c:bVlbcpVejS1jtJGnpSc3Q9FZX |
Signatures (22)
Level | Description |
---|---|
danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (15)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
USER32.dll
0x42513c UnregisterPowerSettingNotification
SHELL32.dll
0x425134 SHCreateShellItemArray
KERNEL32.dll
0x425000 GetProcAddress
0x425004 CreateFileW
0x425008 HeapSize
0x42500c ReadConsoleW
0x425010 GetModuleHandleA
0x425014 GetModuleHandleW
0x425018 WideCharToMultiByte
0x42501c MultiByteToWideChar
0x425020 GetStringTypeW
0x425024 EnterCriticalSection
0x425028 LeaveCriticalSection
0x42502c InitializeCriticalSectionEx
0x425030 DeleteCriticalSection
0x425034 EncodePointer
0x425038 DecodePointer
0x42503c LCMapStringEx
0x425040 GetCPInfo
0x425044 IsProcessorFeaturePresent
0x425048 QueryPerformanceCounter
0x42504c GetCurrentProcessId
0x425050 GetCurrentThreadId
0x425054 GetSystemTimeAsFileTime
0x425058 InitializeSListHead
0x42505c IsDebuggerPresent
0x425060 UnhandledExceptionFilter
0x425064 SetUnhandledExceptionFilter
0x425068 GetStartupInfoW
0x42506c GetCurrentProcess
0x425070 TerminateProcess
0x425074 GetProcessHeap
0x425078 RaiseException
0x42507c RtlUnwind
0x425080 GetLastError
0x425084 SetLastError
0x425088 InitializeCriticalSectionAndSpinCount
0x42508c TlsAlloc
0x425090 TlsGetValue
0x425094 TlsSetValue
0x425098 TlsFree
0x42509c FreeLibrary
0x4250a0 WriteConsoleW
0x4250a4 LoadLibraryExW
0x4250a8 GetStdHandle
0x4250ac WriteFile
0x4250b0 GetModuleFileNameW
0x4250b4 ExitProcess
0x4250b8 GetModuleHandleExW
0x4250bc GetCommandLineA
0x4250c0 GetCommandLineW
0x4250c4 HeapAlloc
0x4250c8 HeapFree
0x4250cc GetFileSizeEx
0x4250d0 SetFilePointerEx
0x4250d4 GetFileType
0x4250d8 CompareStringW
0x4250dc LCMapStringW
0x4250e0 GetLocaleInfoW
0x4250e4 IsValidLocale
0x4250e8 GetUserDefaultLCID
0x4250ec EnumSystemLocalesW
0x4250f0 CloseHandle
0x4250f4 FlushFileBuffers
0x4250f8 GetConsoleOutputCP
0x4250fc GetConsoleMode
0x425100 ReadFile
0x425104 HeapReAlloc
0x425108 FindClose
0x42510c FindFirstFileExW
0x425110 FindNextFileW
0x425114 IsValidCodePage
0x425118 GetACP
0x42511c GetOEMCP
0x425120 GetEnvironmentStringsW
0x425124 FreeEnvironmentStringsW
0x425128 SetEnvironmentVariableW
0x42512c SetStdHandle
EAT (Export Address Table): none