ScreenShot
| Created | 2023.04.04 17:22 | Machine | s1_win7_x6403 |
| Filename | ytsd6v.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 54 detected (AIDetectNet, Midie, RedLineStealer, Save, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, Kryptik, HSQQ, score, CrypterX, Gencirc, AGEN, Siggen3, R002C0DCU23, moderate, Static AI, Suspicious PE, Redline, Detected, Artemis, ai score=87, unsafe, GdSda, kquhb2YZEUO, susgen, HSIR, ZexaF, ADW@am5eeZ) | ||
| md5 | cc6caf2c7b27fe45d8a148e1e9af9aae | ||
| sha256 | 97e8c0c5026b600f4f38eec846ff1d12a57a77f4c011d483e5465adb27a4b4c8 | ||
| ssdeep | 6144:93rsE1dDfbVV/Dy0uRjAOrQhAvgTh6R2u2CvNqNw39:93rsE1dDnKHvgTQsNCvNqNw9 | ||
| imphash | 0687d0d0d948483526792bab9d2b83f9 | ||
| impfuzzy | 24:UcpVWZMS1jt7GhlJBl3eDoLoEOovbO3gv9FZ8GMA+EZHu95:UcpVeMS1jt7GnpXc3y9FZK | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 54 AntiVirus engines on VirusTotal as malicious |
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x423000 GetModuleHandleA
0x423004 MultiByteToWideChar
0x423008 GetStringTypeW
0x42300c WideCharToMultiByte
0x423010 EnterCriticalSection
0x423014 LeaveCriticalSection
0x423018 InitializeCriticalSectionEx
0x42301c DeleteCriticalSection
0x423020 EncodePointer
0x423024 DecodePointer
0x423028 LCMapStringEx
0x42302c GetCPInfo
0x423030 QueryPerformanceCounter
0x423034 GetCurrentProcessId
0x423038 GetCurrentThreadId
0x42303c GetSystemTimeAsFileTime
0x423040 InitializeSListHead
0x423044 IsDebuggerPresent
0x423048 UnhandledExceptionFilter
0x42304c SetUnhandledExceptionFilter
0x423050 GetStartupInfoW
0x423054 IsProcessorFeaturePresent
0x423058 GetModuleHandleW
0x42305c GetCurrentProcess
0x423060 TerminateProcess
0x423064 CreateFileW
0x423068 RaiseException
0x42306c RtlUnwind
0x423070 GetLastError
0x423074 SetLastError
0x423078 InitializeCriticalSectionAndSpinCount
0x42307c TlsAlloc
0x423080 TlsGetValue
0x423084 TlsSetValue
0x423088 TlsFree
0x42308c FreeLibrary
0x423090 GetProcAddress
0x423094 LoadLibraryExW
0x423098 GetStdHandle
0x42309c WriteFile
0x4230a0 GetModuleFileNameW
0x4230a4 ExitProcess
0x4230a8 GetModuleHandleExW
0x4230ac GetCommandLineA
0x4230b0 GetCommandLineW
0x4230b4 HeapAlloc
0x4230b8 HeapFree
0x4230bc GetFileType
0x4230c0 CompareStringW
0x4230c4 LCMapStringW
0x4230c8 GetLocaleInfoW
0x4230cc IsValidLocale
0x4230d0 GetUserDefaultLCID
0x4230d4 EnumSystemLocalesW
0x4230d8 GetFileSizeEx
0x4230dc SetFilePointerEx
0x4230e0 CloseHandle
0x4230e4 FlushFileBuffers
0x4230e8 GetConsoleOutputCP
0x4230ec GetConsoleMode
0x4230f0 ReadFile
0x4230f4 HeapReAlloc
0x4230f8 FindClose
0x4230fc FindFirstFileExW
0x423100 FindNextFileW
0x423104 IsValidCodePage
0x423108 GetACP
0x42310c GetOEMCP
0x423110 GetEnvironmentStringsW
0x423114 FreeEnvironmentStringsW
0x423118 SetEnvironmentVariableW
0x42311c SetStdHandle
0x423120 GetProcessHeap
0x423124 ReadConsoleW
0x423128 HeapSize
0x42312c WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x423000 GetModuleHandleA
0x423004 MultiByteToWideChar
0x423008 GetStringTypeW
0x42300c WideCharToMultiByte
0x423010 EnterCriticalSection
0x423014 LeaveCriticalSection
0x423018 InitializeCriticalSectionEx
0x42301c DeleteCriticalSection
0x423020 EncodePointer
0x423024 DecodePointer
0x423028 LCMapStringEx
0x42302c GetCPInfo
0x423030 QueryPerformanceCounter
0x423034 GetCurrentProcessId
0x423038 GetCurrentThreadId
0x42303c GetSystemTimeAsFileTime
0x423040 InitializeSListHead
0x423044 IsDebuggerPresent
0x423048 UnhandledExceptionFilter
0x42304c SetUnhandledExceptionFilter
0x423050 GetStartupInfoW
0x423054 IsProcessorFeaturePresent
0x423058 GetModuleHandleW
0x42305c GetCurrentProcess
0x423060 TerminateProcess
0x423064 CreateFileW
0x423068 RaiseException
0x42306c RtlUnwind
0x423070 GetLastError
0x423074 SetLastError
0x423078 InitializeCriticalSectionAndSpinCount
0x42307c TlsAlloc
0x423080 TlsGetValue
0x423084 TlsSetValue
0x423088 TlsFree
0x42308c FreeLibrary
0x423090 GetProcAddress
0x423094 LoadLibraryExW
0x423098 GetStdHandle
0x42309c WriteFile
0x4230a0 GetModuleFileNameW
0x4230a4 ExitProcess
0x4230a8 GetModuleHandleExW
0x4230ac GetCommandLineA
0x4230b0 GetCommandLineW
0x4230b4 HeapAlloc
0x4230b8 HeapFree
0x4230bc GetFileType
0x4230c0 CompareStringW
0x4230c4 LCMapStringW
0x4230c8 GetLocaleInfoW
0x4230cc IsValidLocale
0x4230d0 GetUserDefaultLCID
0x4230d4 EnumSystemLocalesW
0x4230d8 GetFileSizeEx
0x4230dc SetFilePointerEx
0x4230e0 CloseHandle
0x4230e4 FlushFileBuffers
0x4230e8 GetConsoleOutputCP
0x4230ec GetConsoleMode
0x4230f0 ReadFile
0x4230f4 HeapReAlloc
0x4230f8 FindClose
0x4230fc FindFirstFileExW
0x423100 FindNextFileW
0x423104 IsValidCodePage
0x423108 GetACP
0x42310c GetOEMCP
0x423110 GetEnvironmentStringsW
0x423114 FreeEnvironmentStringsW
0x423118 SetEnvironmentVariableW
0x42311c SetStdHandle
0x423120 GetProcessHeap
0x423124 ReadConsoleW
0x423128 HeapSize
0x42312c WriteConsoleW
EAT(Export Address Table) is none