ScreenShot
| Created | 2023.04.03 16:52 | Machine | s1_win7_x6403 |
| Filename | ChromeFIX_errorMEM.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 49 detected (AIDetectNet, malicious, high confidence, Zusy, Artemis, Save, confidence, 100%, ZexaF, eHW@aKfljKn, Kryptik, HSQQ, score, Bdhl, AGEN, REDLINE, YXDDCZ, high, Static AI, Malicious PE, Detected, R565828, BScope, Bobik, ai score=85, unsafe, 9Cu7hGyYXIO, HSIR) | ||
| md5 | e7c31cd054f469c689a28cdaf1f3c50e | ||
| sha256 | 0c58c80d4e98864168be4d8c4eb795994d7964a8f7835ca9043167c8d232aaa2 | ||
| ssdeep | 6144:S+i0XUaVUOAOx/7hMRLE0ewMMMMxMMGMf+/sAdO27t9vC:S+i0XD/7qRg0ehMMMxMMGMGs4O4C | ||
| imphash | 6006a64dc74ce041b99c2ab005455ade | ||
| impfuzzy | 24:VVcpVWZMS1jt7GhlJBl3eDoLoEOovbOIkFZVvtGMA+EZHu95:zcpVeMS1jt7GnpXc3NFZdz | ||
Network IP location
Signature (22cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 49 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41d000 LoadLibraryA
0x41d004 MultiByteToWideChar
0x41d008 GetStringTypeW
0x41d00c WideCharToMultiByte
0x41d010 EnterCriticalSection
0x41d014 LeaveCriticalSection
0x41d018 InitializeCriticalSectionEx
0x41d01c DeleteCriticalSection
0x41d020 EncodePointer
0x41d024 DecodePointer
0x41d028 LCMapStringEx
0x41d02c GetCPInfo
0x41d030 QueryPerformanceCounter
0x41d034 GetCurrentProcessId
0x41d038 GetCurrentThreadId
0x41d03c GetSystemTimeAsFileTime
0x41d040 InitializeSListHead
0x41d044 IsDebuggerPresent
0x41d048 UnhandledExceptionFilter
0x41d04c SetUnhandledExceptionFilter
0x41d050 GetStartupInfoW
0x41d054 IsProcessorFeaturePresent
0x41d058 GetModuleHandleW
0x41d05c GetCurrentProcess
0x41d060 TerminateProcess
0x41d064 CreateFileW
0x41d068 RaiseException
0x41d06c RtlUnwind
0x41d070 GetLastError
0x41d074 SetLastError
0x41d078 InitializeCriticalSectionAndSpinCount
0x41d07c TlsAlloc
0x41d080 TlsGetValue
0x41d084 TlsSetValue
0x41d088 TlsFree
0x41d08c FreeLibrary
0x41d090 GetProcAddress
0x41d094 LoadLibraryExW
0x41d098 GetStdHandle
0x41d09c WriteFile
0x41d0a0 GetModuleFileNameW
0x41d0a4 ExitProcess
0x41d0a8 GetModuleHandleExW
0x41d0ac GetCommandLineA
0x41d0b0 GetCommandLineW
0x41d0b4 HeapFree
0x41d0b8 CompareStringW
0x41d0bc LCMapStringW
0x41d0c0 GetLocaleInfoW
0x41d0c4 IsValidLocale
0x41d0c8 GetUserDefaultLCID
0x41d0cc EnumSystemLocalesW
0x41d0d0 HeapAlloc
0x41d0d4 GetFileType
0x41d0d8 GetFileSizeEx
0x41d0dc SetFilePointerEx
0x41d0e0 CloseHandle
0x41d0e4 FlushFileBuffers
0x41d0e8 GetConsoleOutputCP
0x41d0ec GetConsoleMode
0x41d0f0 ReadFile
0x41d0f4 HeapReAlloc
0x41d0f8 FindClose
0x41d0fc FindFirstFileExW
0x41d100 FindNextFileW
0x41d104 IsValidCodePage
0x41d108 GetACP
0x41d10c GetOEMCP
0x41d110 GetEnvironmentStringsW
0x41d114 FreeEnvironmentStringsW
0x41d118 SetEnvironmentVariableW
0x41d11c SetStdHandle
0x41d120 GetProcessHeap
0x41d124 ReadConsoleW
0x41d128 HeapSize
0x41d12c WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x41d000 LoadLibraryA
0x41d004 MultiByteToWideChar
0x41d008 GetStringTypeW
0x41d00c WideCharToMultiByte
0x41d010 EnterCriticalSection
0x41d014 LeaveCriticalSection
0x41d018 InitializeCriticalSectionEx
0x41d01c DeleteCriticalSection
0x41d020 EncodePointer
0x41d024 DecodePointer
0x41d028 LCMapStringEx
0x41d02c GetCPInfo
0x41d030 QueryPerformanceCounter
0x41d034 GetCurrentProcessId
0x41d038 GetCurrentThreadId
0x41d03c GetSystemTimeAsFileTime
0x41d040 InitializeSListHead
0x41d044 IsDebuggerPresent
0x41d048 UnhandledExceptionFilter
0x41d04c SetUnhandledExceptionFilter
0x41d050 GetStartupInfoW
0x41d054 IsProcessorFeaturePresent
0x41d058 GetModuleHandleW
0x41d05c GetCurrentProcess
0x41d060 TerminateProcess
0x41d064 CreateFileW
0x41d068 RaiseException
0x41d06c RtlUnwind
0x41d070 GetLastError
0x41d074 SetLastError
0x41d078 InitializeCriticalSectionAndSpinCount
0x41d07c TlsAlloc
0x41d080 TlsGetValue
0x41d084 TlsSetValue
0x41d088 TlsFree
0x41d08c FreeLibrary
0x41d090 GetProcAddress
0x41d094 LoadLibraryExW
0x41d098 GetStdHandle
0x41d09c WriteFile
0x41d0a0 GetModuleFileNameW
0x41d0a4 ExitProcess
0x41d0a8 GetModuleHandleExW
0x41d0ac GetCommandLineA
0x41d0b0 GetCommandLineW
0x41d0b4 HeapFree
0x41d0b8 CompareStringW
0x41d0bc LCMapStringW
0x41d0c0 GetLocaleInfoW
0x41d0c4 IsValidLocale
0x41d0c8 GetUserDefaultLCID
0x41d0cc EnumSystemLocalesW
0x41d0d0 HeapAlloc
0x41d0d4 GetFileType
0x41d0d8 GetFileSizeEx
0x41d0dc SetFilePointerEx
0x41d0e0 CloseHandle
0x41d0e4 FlushFileBuffers
0x41d0e8 GetConsoleOutputCP
0x41d0ec GetConsoleMode
0x41d0f0 ReadFile
0x41d0f4 HeapReAlloc
0x41d0f8 FindClose
0x41d0fc FindFirstFileExW
0x41d100 FindNextFileW
0x41d104 IsValidCodePage
0x41d108 GetACP
0x41d10c GetOEMCP
0x41d110 GetEnvironmentStringsW
0x41d114 FreeEnvironmentStringsW
0x41d118 SetEnvironmentVariableW
0x41d11c SetStdHandle
0x41d120 GetProcessHeap
0x41d124 ReadConsoleW
0x41d128 HeapSize
0x41d12c WriteConsoleW
EAT(Export Address Table) is none