ScreenShot
| Created | 2023.04.20 09:40 | Machine | s1_win7_x6401 |
| Filename | 119.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 36 detected (AIDetect, malware1, malicious, high confidence, Zusy, RedLineStealer, Save, confidence, ZexaF, ivW@aq1mQKe, Eldorado, Attribute, HighConfidence, Kryptik, HSQQ, score, AGEN, high, Generic ML PUA, Static AI, Malicious PE, ai score=82, Sabsik, Detected, unsafe, Convagent, dSi8yGi8PME, susgen, HPND) | ||
| md5 | 17011725e7f5f634421c0678014b0ef8 | ||
| sha256 | 28571927ef1ac3a554f4933953e9089167d0f896c78e8a7abf34bddd541f641f | ||
| ssdeep | 12288:RaKg/x3r1zYO86zZJy27u1kmCxDx4I0H:RaKgp7PzflC9IDx43 | ||
| imphash | f5839b6d1037ae03f6db5eb4e0e468cb | ||
| impfuzzy | 24:KcpVWZMS1jtCGhlJBl3eDoLoEOovbOIkFZVv5GMAkEZHu9J:KcpVeMS1jtCGnpXc3NFZdn | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| danger | File has been identified by 36 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x41f000 GetModuleHandleW
0x41f004 MultiByteToWideChar
0x41f008 GetStringTypeW
0x41f00c WideCharToMultiByte
0x41f010 EnterCriticalSection
0x41f014 LeaveCriticalSection
0x41f018 InitializeCriticalSectionEx
0x41f01c DeleteCriticalSection
0x41f020 EncodePointer
0x41f024 DecodePointer
0x41f028 LCMapStringEx
0x41f02c GetCPInfo
0x41f030 QueryPerformanceCounter
0x41f034 GetCurrentProcessId
0x41f038 GetCurrentThreadId
0x41f03c GetSystemTimeAsFileTime
0x41f040 InitializeSListHead
0x41f044 IsDebuggerPresent
0x41f048 UnhandledExceptionFilter
0x41f04c SetUnhandledExceptionFilter
0x41f050 GetStartupInfoW
0x41f054 IsProcessorFeaturePresent
0x41f058 GetCurrentProcess
0x41f05c TerminateProcess
0x41f060 CreateFileW
0x41f064 RaiseException
0x41f068 RtlUnwind
0x41f06c GetLastError
0x41f070 SetLastError
0x41f074 InitializeCriticalSectionAndSpinCount
0x41f078 TlsAlloc
0x41f07c TlsGetValue
0x41f080 TlsSetValue
0x41f084 TlsFree
0x41f088 FreeLibrary
0x41f08c GetProcAddress
0x41f090 LoadLibraryExW
0x41f094 GetStdHandle
0x41f098 WriteFile
0x41f09c GetModuleFileNameW
0x41f0a0 ExitProcess
0x41f0a4 GetModuleHandleExW
0x41f0a8 GetCommandLineA
0x41f0ac GetCommandLineW
0x41f0b0 HeapFree
0x41f0b4 CompareStringW
0x41f0b8 LCMapStringW
0x41f0bc GetLocaleInfoW
0x41f0c0 IsValidLocale
0x41f0c4 GetUserDefaultLCID
0x41f0c8 EnumSystemLocalesW
0x41f0cc HeapAlloc
0x41f0d0 GetFileType
0x41f0d4 CloseHandle
0x41f0d8 FlushFileBuffers
0x41f0dc GetConsoleOutputCP
0x41f0e0 GetConsoleMode
0x41f0e4 ReadFile
0x41f0e8 GetFileSizeEx
0x41f0ec SetFilePointerEx
0x41f0f0 ReadConsoleW
0x41f0f4 HeapReAlloc
0x41f0f8 FindClose
0x41f0fc FindFirstFileExW
0x41f100 FindNextFileW
0x41f104 IsValidCodePage
0x41f108 GetACP
0x41f10c GetOEMCP
0x41f110 GetEnvironmentStringsW
0x41f114 FreeEnvironmentStringsW
0x41f118 SetEnvironmentVariableW
0x41f11c SetStdHandle
0x41f120 GetProcessHeap
0x41f124 HeapSize
0x41f128 WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x41f000 GetModuleHandleW
0x41f004 MultiByteToWideChar
0x41f008 GetStringTypeW
0x41f00c WideCharToMultiByte
0x41f010 EnterCriticalSection
0x41f014 LeaveCriticalSection
0x41f018 InitializeCriticalSectionEx
0x41f01c DeleteCriticalSection
0x41f020 EncodePointer
0x41f024 DecodePointer
0x41f028 LCMapStringEx
0x41f02c GetCPInfo
0x41f030 QueryPerformanceCounter
0x41f034 GetCurrentProcessId
0x41f038 GetCurrentThreadId
0x41f03c GetSystemTimeAsFileTime
0x41f040 InitializeSListHead
0x41f044 IsDebuggerPresent
0x41f048 UnhandledExceptionFilter
0x41f04c SetUnhandledExceptionFilter
0x41f050 GetStartupInfoW
0x41f054 IsProcessorFeaturePresent
0x41f058 GetCurrentProcess
0x41f05c TerminateProcess
0x41f060 CreateFileW
0x41f064 RaiseException
0x41f068 RtlUnwind
0x41f06c GetLastError
0x41f070 SetLastError
0x41f074 InitializeCriticalSectionAndSpinCount
0x41f078 TlsAlloc
0x41f07c TlsGetValue
0x41f080 TlsSetValue
0x41f084 TlsFree
0x41f088 FreeLibrary
0x41f08c GetProcAddress
0x41f090 LoadLibraryExW
0x41f094 GetStdHandle
0x41f098 WriteFile
0x41f09c GetModuleFileNameW
0x41f0a0 ExitProcess
0x41f0a4 GetModuleHandleExW
0x41f0a8 GetCommandLineA
0x41f0ac GetCommandLineW
0x41f0b0 HeapFree
0x41f0b4 CompareStringW
0x41f0b8 LCMapStringW
0x41f0bc GetLocaleInfoW
0x41f0c0 IsValidLocale
0x41f0c4 GetUserDefaultLCID
0x41f0c8 EnumSystemLocalesW
0x41f0cc HeapAlloc
0x41f0d0 GetFileType
0x41f0d4 CloseHandle
0x41f0d8 FlushFileBuffers
0x41f0dc GetConsoleOutputCP
0x41f0e0 GetConsoleMode
0x41f0e4 ReadFile
0x41f0e8 GetFileSizeEx
0x41f0ec SetFilePointerEx
0x41f0f0 ReadConsoleW
0x41f0f4 HeapReAlloc
0x41f0f8 FindClose
0x41f0fc FindFirstFileExW
0x41f100 FindNextFileW
0x41f104 IsValidCodePage
0x41f108 GetACP
0x41f10c GetOEMCP
0x41f110 GetEnvironmentStringsW
0x41f114 FreeEnvironmentStringsW
0x41f118 SetEnvironmentVariableW
0x41f11c SetStdHandle
0x41f120 GetProcessHeap
0x41f124 HeapSize
0x41f128 WriteConsoleW
EAT(Export Address Table) is none