Field | Value |
---|---|
Created | 2023.03.23 18:24 |
Machine | s1_win7_x6401 |
Filename | rumf61h.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file: clean |
VT API (file) | 50 detected (AIDetectNet, Siggen3, GenericKD, Artemis, Save, malicious, confidence, 100%, ZexaF, evW@aGqkU8j, ABRisk, SNKW, Attribute, HighConfidence, high confidence, ESSF, score, Dzlw, REDLINE, YXDCUZ, high, Static AI, Suspicious PE, RedLineSteal, fqgxm, ai score=88, Casdet, Detected, unsafe, DcRat, Ili4oDt1PfH, Opbplvp57WU, susgen, Chgt) |
md5 | 0fba69e599437eb61d2abc86569621be |
sha256 | c9dd9e8e2c42dcaca6c8f24e073c53b89cf8cd1bd55d8dd95553f967099d5808 |
ssdeep | 6144:1fP2ruTLG1WlBLO8KUU1LOWYeXBc7BVXYJXWGhDtF:1fOroQUI6WZBc9oLhD7 |
imphash | 9eb04b55fd629a57d204326e64f95475 |
impfuzzy | 24:lbS1jtTGhlJnc+pl3eDo/YoEOovbOevJkFZoRZHu9iGMs:lbS1jtTG5c+ppsc3YaFZj |
Signatures (22)
Level | Description |
---|---|
danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
danger | Executed a process and injected code into it |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (15)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
SHELL32.dll
0x417120 SHCreateShellItemArray
KERNEL32.dll
0x417000 CreateFileW
0x417004 GetModuleHandleW
0x417008 QueryPerformanceCounter
0x41700c GetCurrentProcessId
0x417010 GetCurrentThreadId
0x417014 GetSystemTimeAsFileTime
0x417018 InitializeSListHead
0x41701c IsDebuggerPresent
0x417020 UnhandledExceptionFilter
0x417024 SetUnhandledExceptionFilter
0x417028 GetStartupInfoW
0x41702c IsProcessorFeaturePresent
0x417030 GetCurrentProcess
0x417034 TerminateProcess
0x417038 CloseHandle
0x41703c RaiseException
0x417040 RtlUnwind
0x417044 GetLastError
0x417048 SetLastError
0x41704c EnterCriticalSection
0x417050 LeaveCriticalSection
0x417054 DeleteCriticalSection
0x417058 InitializeCriticalSectionAndSpinCount
0x41705c TlsAlloc
0x417060 TlsGetValue
0x417064 TlsSetValue
0x417068 TlsFree
0x41706c FreeLibrary
0x417070 GetProcAddress
0x417074 LoadLibraryExW
0x417078 EncodePointer
0x41707c GetStdHandle
0x417080 WriteFile
0x417084 GetModuleFileNameW
0x417088 ExitProcess
0x41708c GetModuleHandleExW
0x417090 GetCommandLineA
0x417094 GetCommandLineW
0x417098 WriteConsoleW
0x41709c GetFileSizeEx
0x4170a0 SetFilePointerEx
0x4170a4 GetFileType
0x4170a8 HeapAlloc
0x4170ac HeapFree
0x4170b0 CompareStringW
0x4170b4 LCMapStringW
0x4170b8 GetLocaleInfoW
0x4170bc IsValidLocale
0x4170c0 GetUserDefaultLCID
0x4170c4 EnumSystemLocalesW
0x4170c8 FindClose
0x4170cc FindFirstFileExW
0x4170d0 FindNextFileW
0x4170d4 IsValidCodePage
0x4170d8 GetACP
0x4170dc GetOEMCP
0x4170e0 GetCPInfo
0x4170e4 MultiByteToWideChar
0x4170e8 WideCharToMultiByte
0x4170ec GetEnvironmentStringsW
0x4170f0 FreeEnvironmentStringsW
0x4170f4 SetEnvironmentVariableW
0x4170f8 SetStdHandle
0x4170fc GetStringTypeW
0x417100 GetProcessHeap
0x417104 DecodePointer
0x417108 GetConsoleOutputCP
0x41710c GetConsoleMode
0x417110 HeapSize
0x417114 HeapReAlloc
0x417118 FlushFileBuffers
EAT (Export Address Table): none