ScreenShot
| Created | 2023.04.10 09:36 | Machine | s1_win7_x6401 |
| Filename | ChromeFIX_error.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 38 detected (AIDetectNet, malicious, high confidence, Zusy, Save, confidence, Attribute, HighConfidence, Kryptik, HSVJ, score, Pgil, AGEN, Inject4, high, Generic ML PUA, Sabsik, Artemis, ai score=88, BScope, Bobik, unsafe, UJpWrpqriHJ, Static AI, Suspicious PE, susgen, HPND, ZexaF, gvW@a0GdQSh) | ||
| md5 | 8ae47c8391af6dab310f21335c7b3673 | ||
| sha256 | 3cfe80cbae6944a7e1a8203faec93e45d85929ea6de70e76e9b5890d0b527120 | ||
| ssdeep | 3072:OOqwKhYR4gXnTnFaRfUPLwRVomHud30ialfreUwkX4cJsJmJ:O5m4gwFHY0iadDwRcJsJmJ | ||
| imphash | 534add4c0cbea8afae98064a5b4a30b6 | ||
| impfuzzy | 24:VBS1jt5GhlJnc+pl3eDoLoEOovbODtURZHu93v3GMM:TS1jt5G5c+ppXc3D5i | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40e000 LoadLibraryA
0x40e004 QueryProcessCycleTime
0x40e008 QueryPerformanceCounter
0x40e00c GetCurrentProcessId
0x40e010 GetCurrentThreadId
0x40e014 GetSystemTimeAsFileTime
0x40e018 InitializeSListHead
0x40e01c IsDebuggerPresent
0x40e020 UnhandledExceptionFilter
0x40e024 SetUnhandledExceptionFilter
0x40e028 GetStartupInfoW
0x40e02c IsProcessorFeaturePresent
0x40e030 GetModuleHandleW
0x40e034 GetCurrentProcess
0x40e038 TerminateProcess
0x40e03c WriteConsoleW
0x40e040 RaiseException
0x40e044 RtlUnwind
0x40e048 GetLastError
0x40e04c SetLastError
0x40e050 EnterCriticalSection
0x40e054 LeaveCriticalSection
0x40e058 DeleteCriticalSection
0x40e05c InitializeCriticalSectionAndSpinCount
0x40e060 TlsAlloc
0x40e064 TlsGetValue
0x40e068 TlsSetValue
0x40e06c TlsFree
0x40e070 FreeLibrary
0x40e074 GetProcAddress
0x40e078 LoadLibraryExW
0x40e07c GetStdHandle
0x40e080 WriteFile
0x40e084 GetModuleFileNameW
0x40e088 ExitProcess
0x40e08c GetModuleHandleExW
0x40e090 GetCommandLineA
0x40e094 GetCommandLineW
0x40e098 CompareStringW
0x40e09c LCMapStringW
0x40e0a0 HeapAlloc
0x40e0a4 HeapFree
0x40e0a8 FindClose
0x40e0ac FindFirstFileExW
0x40e0b0 FindNextFileW
0x40e0b4 IsValidCodePage
0x40e0b8 GetACP
0x40e0bc GetOEMCP
0x40e0c0 GetCPInfo
0x40e0c4 MultiByteToWideChar
0x40e0c8 WideCharToMultiByte
0x40e0cc GetEnvironmentStringsW
0x40e0d0 FreeEnvironmentStringsW
0x40e0d4 SetEnvironmentVariableW
0x40e0d8 SetStdHandle
0x40e0dc GetFileType
0x40e0e0 GetStringTypeW
0x40e0e4 GetProcessHeap
0x40e0e8 HeapSize
0x40e0ec HeapReAlloc
0x40e0f0 FlushFileBuffers
0x40e0f4 GetConsoleOutputCP
0x40e0f8 GetConsoleMode
0x40e0fc SetFilePointerEx
0x40e100 CreateFileW
0x40e104 CloseHandle
0x40e108 DecodePointer
EAT(Export Address Table) is none
KERNEL32.dll
0x40e000 LoadLibraryA
0x40e004 QueryProcessCycleTime
0x40e008 QueryPerformanceCounter
0x40e00c GetCurrentProcessId
0x40e010 GetCurrentThreadId
0x40e014 GetSystemTimeAsFileTime
0x40e018 InitializeSListHead
0x40e01c IsDebuggerPresent
0x40e020 UnhandledExceptionFilter
0x40e024 SetUnhandledExceptionFilter
0x40e028 GetStartupInfoW
0x40e02c IsProcessorFeaturePresent
0x40e030 GetModuleHandleW
0x40e034 GetCurrentProcess
0x40e038 TerminateProcess
0x40e03c WriteConsoleW
0x40e040 RaiseException
0x40e044 RtlUnwind
0x40e048 GetLastError
0x40e04c SetLastError
0x40e050 EnterCriticalSection
0x40e054 LeaveCriticalSection
0x40e058 DeleteCriticalSection
0x40e05c InitializeCriticalSectionAndSpinCount
0x40e060 TlsAlloc
0x40e064 TlsGetValue
0x40e068 TlsSetValue
0x40e06c TlsFree
0x40e070 FreeLibrary
0x40e074 GetProcAddress
0x40e078 LoadLibraryExW
0x40e07c GetStdHandle
0x40e080 WriteFile
0x40e084 GetModuleFileNameW
0x40e088 ExitProcess
0x40e08c GetModuleHandleExW
0x40e090 GetCommandLineA
0x40e094 GetCommandLineW
0x40e098 CompareStringW
0x40e09c LCMapStringW
0x40e0a0 HeapAlloc
0x40e0a4 HeapFree
0x40e0a8 FindClose
0x40e0ac FindFirstFileExW
0x40e0b0 FindNextFileW
0x40e0b4 IsValidCodePage
0x40e0b8 GetACP
0x40e0bc GetOEMCP
0x40e0c0 GetCPInfo
0x40e0c4 MultiByteToWideChar
0x40e0c8 WideCharToMultiByte
0x40e0cc GetEnvironmentStringsW
0x40e0d0 FreeEnvironmentStringsW
0x40e0d4 SetEnvironmentVariableW
0x40e0d8 SetStdHandle
0x40e0dc GetFileType
0x40e0e0 GetStringTypeW
0x40e0e4 GetProcessHeap
0x40e0e8 HeapSize
0x40e0ec HeapReAlloc
0x40e0f0 FlushFileBuffers
0x40e0f4 GetConsoleOutputCP
0x40e0f8 GetConsoleMode
0x40e0fc SetFilePointerEx
0x40e100 CreateFileW
0x40e104 CloseHandle
0x40e108 DecodePointer
EAT(Export Address Table) is none