Report - w6auj9ii3rp.exe

RedLine stealer[m] UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check PE32 PE File
ScreenShot
Created 2023.03.20 09:42 Machine s1_win7_x6401
Filename w6auj9ii3rp.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
11
Behavior Score
10.0
ZERO API file : malware
VT API (file) 46 detected (AIDetectNet, malicious, high confidence, GenericKD, Artemis, Vkij, confidence, 100%, ZexaF, rDW@aqnsfwm, ESSF, score, PWSX, REDLINE, YXDCRZ, high, RedLineSteal, muocs, Casdet, Detected, ai score=82, unsafe, ZKEBmB8grvE, Static AI, Malicious PE, susgen)
md5 57e3fc905b5cb1811f155ec4aef82795
sha256 a8509b53acec11ea8c6ca3845a9110d0c3477a60f4ca418f7dfd1a29f320765d
ssdeep 6144:4mh3jJZ9TCrzK/AO3d+2FaVc7xbciJSf7jLi7tlSd3njau:4oz/zts24Vc7xbjUf7i7tQdt
imphash ad9a9e653c662aac447a2ff29709f237
impfuzzy 24:bgIlQDwcpVWZjS1jtJGhlJBl3ELoEOovbO3Wv9FZ6GMA+EZHu9c:bVlbcpVejS1jtJGnpSc3Q9FZX
  Network IP location

Signature (22cnts)

Level Description
danger File has been identified by 46 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local FTP client softwares
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice One or more potentially interesting buffers were extracted
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (15cnts)

Level Name Description Collection
danger RedLine_Stealer_m_Zero RedLine stealer memory
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (1cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
46.3.197.223 RU Alexhost S.r.l. 46.3.197.223 clean

Suricata ids

PE API

IAT(Import Address Table) Library

USER32.dll
 0x42513c UnregisterPowerSettingNotification
SHELL32.dll
 0x425134 SHCreateShellItemArray
KERNEL32.dll
 0x425000 GetProcAddress
 0x425004 CreateFileW
 0x425008 HeapSize
 0x42500c ReadConsoleW
 0x425010 GetModuleHandleA
 0x425014 GetModuleHandleW
 0x425018 WideCharToMultiByte
 0x42501c MultiByteToWideChar
 0x425020 GetStringTypeW
 0x425024 EnterCriticalSection
 0x425028 LeaveCriticalSection
 0x42502c InitializeCriticalSectionEx
 0x425030 DeleteCriticalSection
 0x425034 EncodePointer
 0x425038 DecodePointer
 0x42503c LCMapStringEx
 0x425040 GetCPInfo
 0x425044 IsProcessorFeaturePresent
 0x425048 QueryPerformanceCounter
 0x42504c GetCurrentProcessId
 0x425050 GetCurrentThreadId
 0x425054 GetSystemTimeAsFileTime
 0x425058 InitializeSListHead
 0x42505c IsDebuggerPresent
 0x425060 UnhandledExceptionFilter
 0x425064 SetUnhandledExceptionFilter
 0x425068 GetStartupInfoW
 0x42506c GetCurrentProcess
 0x425070 TerminateProcess
 0x425074 GetProcessHeap
 0x425078 RaiseException
 0x42507c RtlUnwind
 0x425080 GetLastError
 0x425084 SetLastError
 0x425088 InitializeCriticalSectionAndSpinCount
 0x42508c TlsAlloc
 0x425090 TlsGetValue
 0x425094 TlsSetValue
 0x425098 TlsFree
 0x42509c FreeLibrary
 0x4250a0 WriteConsoleW
 0x4250a4 LoadLibraryExW
 0x4250a8 GetStdHandle
 0x4250ac WriteFile
 0x4250b0 GetModuleFileNameW
 0x4250b4 ExitProcess
 0x4250b8 GetModuleHandleExW
 0x4250bc GetCommandLineA
 0x4250c0 GetCommandLineW
 0x4250c4 HeapAlloc
 0x4250c8 HeapFree
 0x4250cc GetFileSizeEx
 0x4250d0 SetFilePointerEx
 0x4250d4 GetFileType
 0x4250d8 CompareStringW
 0x4250dc LCMapStringW
 0x4250e0 GetLocaleInfoW
 0x4250e4 IsValidLocale
 0x4250e8 GetUserDefaultLCID
 0x4250ec EnumSystemLocalesW
 0x4250f0 CloseHandle
 0x4250f4 FlushFileBuffers
 0x4250f8 GetConsoleOutputCP
 0x4250fc GetConsoleMode
 0x425100 ReadFile
 0x425104 HeapReAlloc
 0x425108 FindClose
 0x42510c FindFirstFileExW
 0x425110 FindNextFileW
 0x425114 IsValidCodePage
 0x425118 GetACP
 0x42511c GetOEMCP
 0x425120 GetEnvironmentStringsW
 0x425124 FreeEnvironmentStringsW
 0x425128 SetEnvironmentVariableW
 0x42512c SetStdHandle

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure