ScreenShot
| Created | 2023.03.29 10:15 | Machine | s1_win7_x6403 |
| Filename | 99.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 46 detected (AIDetectNet, malicious, high confidence, Zusy, GenericRXAA, Save, None, Kryptik, Eldorado, Attribute, HighConfidence, HSQQ, score, PWSX, Gencirc, REDLINE, YXDC1Z, moderate, Static AI, Suspicious PE, AGEN, ai score=89, Detected, ZexaF, evW@ayyFwak, CLASSIC, Raccoon, susgen, GenKryptik, GAWR, Chgt) | ||
| md5 | 3769516d37fcc4a870aee040c22dfc81 | ||
| sha256 | 6199dea22769be27718efc834dac97781ded77e3fc4e0eceb281016e73a61c8c | ||
| ssdeep | 6144:F+/ljQhToWxUIvq7w1MLBkZEAO7x8Lk+POSHe8dXvLx/pIW4:Fij0ToWx/vRE78tPOSHVXbIW4 | ||
| imphash | 0687d0d0d948483526792bab9d2b83f9 | ||
| impfuzzy | 24:UcpVWZMS1jt7GhlJBl3eDoLoEOovbO3gv9FZ8GMA+EZHu95:UcpVeMS1jt7GnpXc3y9FZK | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 46 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x425000 GetModuleHandleA
0x425004 MultiByteToWideChar
0x425008 GetStringTypeW
0x42500c WideCharToMultiByte
0x425010 EnterCriticalSection
0x425014 LeaveCriticalSection
0x425018 InitializeCriticalSectionEx
0x42501c DeleteCriticalSection
0x425020 EncodePointer
0x425024 DecodePointer
0x425028 LCMapStringEx
0x42502c GetCPInfo
0x425030 QueryPerformanceCounter
0x425034 GetCurrentProcessId
0x425038 GetCurrentThreadId
0x42503c GetSystemTimeAsFileTime
0x425040 InitializeSListHead
0x425044 IsDebuggerPresent
0x425048 UnhandledExceptionFilter
0x42504c SetUnhandledExceptionFilter
0x425050 GetStartupInfoW
0x425054 IsProcessorFeaturePresent
0x425058 GetModuleHandleW
0x42505c GetCurrentProcess
0x425060 TerminateProcess
0x425064 CreateFileW
0x425068 RaiseException
0x42506c RtlUnwind
0x425070 GetLastError
0x425074 SetLastError
0x425078 InitializeCriticalSectionAndSpinCount
0x42507c TlsAlloc
0x425080 TlsGetValue
0x425084 TlsSetValue
0x425088 TlsFree
0x42508c FreeLibrary
0x425090 GetProcAddress
0x425094 LoadLibraryExW
0x425098 GetStdHandle
0x42509c WriteFile
0x4250a0 GetModuleFileNameW
0x4250a4 ExitProcess
0x4250a8 GetModuleHandleExW
0x4250ac GetCommandLineA
0x4250b0 GetCommandLineW
0x4250b4 HeapAlloc
0x4250b8 HeapFree
0x4250bc GetFileType
0x4250c0 CompareStringW
0x4250c4 LCMapStringW
0x4250c8 GetLocaleInfoW
0x4250cc IsValidLocale
0x4250d0 GetUserDefaultLCID
0x4250d4 EnumSystemLocalesW
0x4250d8 GetFileSizeEx
0x4250dc SetFilePointerEx
0x4250e0 CloseHandle
0x4250e4 FlushFileBuffers
0x4250e8 GetConsoleOutputCP
0x4250ec GetConsoleMode
0x4250f0 ReadFile
0x4250f4 HeapReAlloc
0x4250f8 FindClose
0x4250fc FindFirstFileExW
0x425100 FindNextFileW
0x425104 IsValidCodePage
0x425108 GetACP
0x42510c GetOEMCP
0x425110 GetEnvironmentStringsW
0x425114 FreeEnvironmentStringsW
0x425118 SetEnvironmentVariableW
0x42511c SetStdHandle
0x425120 GetProcessHeap
0x425124 ReadConsoleW
0x425128 HeapSize
0x42512c WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x425000 GetModuleHandleA
0x425004 MultiByteToWideChar
0x425008 GetStringTypeW
0x42500c WideCharToMultiByte
0x425010 EnterCriticalSection
0x425014 LeaveCriticalSection
0x425018 InitializeCriticalSectionEx
0x42501c DeleteCriticalSection
0x425020 EncodePointer
0x425024 DecodePointer
0x425028 LCMapStringEx
0x42502c GetCPInfo
0x425030 QueryPerformanceCounter
0x425034 GetCurrentProcessId
0x425038 GetCurrentThreadId
0x42503c GetSystemTimeAsFileTime
0x425040 InitializeSListHead
0x425044 IsDebuggerPresent
0x425048 UnhandledExceptionFilter
0x42504c SetUnhandledExceptionFilter
0x425050 GetStartupInfoW
0x425054 IsProcessorFeaturePresent
0x425058 GetModuleHandleW
0x42505c GetCurrentProcess
0x425060 TerminateProcess
0x425064 CreateFileW
0x425068 RaiseException
0x42506c RtlUnwind
0x425070 GetLastError
0x425074 SetLastError
0x425078 InitializeCriticalSectionAndSpinCount
0x42507c TlsAlloc
0x425080 TlsGetValue
0x425084 TlsSetValue
0x425088 TlsFree
0x42508c FreeLibrary
0x425090 GetProcAddress
0x425094 LoadLibraryExW
0x425098 GetStdHandle
0x42509c WriteFile
0x4250a0 GetModuleFileNameW
0x4250a4 ExitProcess
0x4250a8 GetModuleHandleExW
0x4250ac GetCommandLineA
0x4250b0 GetCommandLineW
0x4250b4 HeapAlloc
0x4250b8 HeapFree
0x4250bc GetFileType
0x4250c0 CompareStringW
0x4250c4 LCMapStringW
0x4250c8 GetLocaleInfoW
0x4250cc IsValidLocale
0x4250d0 GetUserDefaultLCID
0x4250d4 EnumSystemLocalesW
0x4250d8 GetFileSizeEx
0x4250dc SetFilePointerEx
0x4250e0 CloseHandle
0x4250e4 FlushFileBuffers
0x4250e8 GetConsoleOutputCP
0x4250ec GetConsoleMode
0x4250f0 ReadFile
0x4250f4 HeapReAlloc
0x4250f8 FindClose
0x4250fc FindFirstFileExW
0x425100 FindNextFileW
0x425104 IsValidCodePage
0x425108 GetACP
0x42510c GetOEMCP
0x425110 GetEnvironmentStringsW
0x425114 FreeEnvironmentStringsW
0x425118 SetEnvironmentVariableW
0x42511c SetStdHandle
0x425120 GetProcessHeap
0x425124 ReadConsoleW
0x425128 HeapSize
0x42512c WriteConsoleW
EAT(Export Address Table) is none