Field | Value |
---|---|
Created | 2023.05.23 09:31 |
Machine | s1_win7_x6402 |
Filename | @mossad_lzt_packlab.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 33 detected (AIDetectMalware, Malicious, score, Save, Kryptik, Eldorado, Attribute, HighConfidence, high confidence, ESYR, PWSX, Ctsinf, high, Generic ML PUA, 20WAXC, Sabsik, Detected, Redline, FDQM, unsafe, RtI7Iq5RkTF, Static AI, Malicious PE, susgen, HSKS, ZexaF, qvZ@aygZ6dd) |
md5 | 25d97aa66e4925975190a7566b5a8dc0 |
sha256 | 7dec463486d2ed216e219adc3d8421ab4916155db9c3e067bedd2ad8e9e7a4d2 |
ssdeep | 6144:IsBk45NbeNY+Je2wbXJWFW1mAO3wU8iCSNZUdEg1G2hRSmXIp9QKzL9ss:IstrbeNY+J7WaCAUa8XIp9QsL9ss |
imphash | a8b173ed265ab4e7bdee65718f2fc6bb |
impfuzzy | 24:c0kcpVWZttlS1xGhlJBl3eDYoEOovbO3gv9FZ8GMACEZHu9n:CcpVettlS1xGnpLc3y9FZm |
Network IP location
Signature (23cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
danger | File has been identified by 33 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Harvests credentials from local FTP client software |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
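The three "watch" signatures above (executable allocation in another process, NtSetContextThread on a remote thread, resuming a suspended remote thread) are the stages of a thread-context injection chain, and they are only meaningful when they hit the same source/target process pair in order. The following is an added example, not the sandbox's own signature code: it scores a constructed API trace for that chain. The log format ("pid=... api=... target_pid=..."), the process IDs and the call order are all made up to illustrate the pattern.

```python
"""Flag cross-process alloc -> write -> set-context -> resume chains in an API trace.

Added example with a constructed log format; it is not the sandbox's signature engine.
"""
from collections import defaultdict

# Constructed trace. PIDs, order and the "protect=" field are assumptions for
# illustration; 1200 injects into suspended child 1304, 1500 only unpacks itself.
TRACE = """\
pid=1200 api=CreateProcessW target_pid=1304 flags=CREATE_SUSPENDED
pid=1200 api=VirtualAllocEx target_pid=1304 protect=PAGE_EXECUTE_READWRITE
pid=1200 api=WriteProcessMemory target_pid=1304
pid=1200 api=NtSetContextThread target_pid=1304
pid=1200 api=NtResumeThread target_pid=1304
pid=1200 api=IsDebuggerPresent target_pid=1200
pid=1500 api=VirtualAllocEx target_pid=1500 protect=PAGE_EXECUTE_READWRITE
"""

# Each stage accepts the Win32 call and its native (Nt*) equivalent.
STAGES = [
    ("alloc", {"VirtualAllocEx", "NtAllocateVirtualMemory",
               "VirtualProtectEx", "NtProtectVirtualMemory"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("context", {"NtSetContextThread", "SetThreadContext"}),
    ("resume", {"NtResumeThread", "ResumeThread"}),
]


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict (values keep their raw text)."""
    return dict(kv.split("=", 1) for kv in line.split())


def find_injection_chains(trace):
    """Return [(source_pid, target_pid), ...] for every completed chain.

    Stages must occur in order for the same (source, target) pair; unrelated
    calls in between are ignored, and same-process calls never count, so an
    RWX self-allocation (the unpacker 'notice') does not trigger the rule.
    """
    progress = defaultdict(int)  # (src, tgt) -> index of the next expected stage
    hits = []
    for raw in trace.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        src, tgt, api = int(f["pid"]), int(f["target_pid"]), f["api"]
        if src == tgt:
            continue
        key = (src, tgt)
        name, apis = STAGES[progress[key]]
        if api not in apis:
            continue
        # The allocation stage only counts if the remote memory is executable.
        if name == "alloc" and "EXECUTE" not in f.get("protect", ""):
            continue
        progress[key] += 1
        if progress[key] == len(STAGES):
            hits.append(key)
            progress[key] = 0
    return hits


if __name__ == "__main__":
    for src, tgt in find_injection_chains(TRACE):
        print(f"injection chain: pid {src} -> pid {tgt}")
```

Requiring the full ordered chain per process pair is what separates the "danger" verdict (code executed in another process) from the lower-level "notice" for RWX memory in the sample's own address space.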
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
USER32.dll
0x427134 ShowWindow
KERNEL32.dll
0x427000 LoadLibraryExW
0x427004 CreateFileW
0x427008 GetModuleHandleW
0x42700c GetConsoleWindow
0x427010 MultiByteToWideChar
0x427014 GetStringTypeW
0x427018 WideCharToMultiByte
0x42701c EnterCriticalSection
0x427020 LeaveCriticalSection
0x427024 InitializeCriticalSectionEx
0x427028 DeleteCriticalSection
0x42702c EncodePointer
0x427030 DecodePointer
0x427034 LCMapStringEx
0x427038 GetCPInfo
0x42703c IsProcessorFeaturePresent
0x427040 UnhandledExceptionFilter
0x427044 SetUnhandledExceptionFilter
0x427048 GetCurrentProcess
0x42704c TerminateProcess
0x427050 QueryPerformanceCounter
0x427054 GetCurrentProcessId
0x427058 GetCurrentThreadId
0x42705c GetSystemTimeAsFileTime
0x427060 InitializeSListHead
0x427064 IsDebuggerPresent
0x427068 GetStartupInfoW
0x42706c HeapSize
0x427070 RaiseException
0x427074 RtlUnwind
0x427078 GetLastError
0x42707c SetLastError
0x427080 InitializeCriticalSectionAndSpinCount
0x427084 TlsAlloc
0x427088 TlsGetValue
0x42708c TlsSetValue
0x427090 TlsFree
0x427094 FreeLibrary
0x427098 GetProcAddress
0x42709c WriteConsoleW
0x4270a0 GetStdHandle
0x4270a4 WriteFile
0x4270a8 GetModuleFileNameW
0x4270ac ExitProcess
0x4270b0 GetModuleHandleExW
0x4270b4 GetCommandLineA
0x4270b8 GetCommandLineW
0x4270bc HeapAlloc
0x4270c0 HeapFree
0x4270c4 GetFileType
0x4270c8 CompareStringW
0x4270cc LCMapStringW
0x4270d0 GetLocaleInfoW
0x4270d4 IsValidLocale
0x4270d8 GetUserDefaultLCID
0x4270dc EnumSystemLocalesW
0x4270e0 GetFileSizeEx
0x4270e4 SetFilePointerEx
0x4270e8 CloseHandle
0x4270ec FlushFileBuffers
0x4270f0 GetConsoleOutputCP
0x4270f4 GetConsoleMode
0x4270f8 ReadFile
0x4270fc ReadConsoleW
0x427100 HeapReAlloc
0x427104 FindClose
0x427108 FindFirstFileExW
0x42710c FindNextFileW
0x427110 IsValidCodePage
0x427114 GetACP
0x427118 GetOEMCP
0x42711c GetEnvironmentStringsW
0x427120 FreeEnvironmentStringsW
0x427124 SetEnvironmentVariableW
0x427128 SetStdHandle
0x42712c GetProcessHeap
EAT(Export Address Table) is none
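The imphash in the header table is derived from exactly the kind of import listing shown above: each import is rendered as lower-case "dll.function" with the .dll extension dropped, the entries are joined with commas in import-directory order, and the result is MD5-hashed. The script below is an added example, not part of the report, that parses a listing in this page's "<address> <function>" shape and recomputes the hash; the SAMPLE_IAT text is a constructed, truncated copy of the table. Pasting the full table reproduces the page's imphash only if the listing order matches the PE import directory order, which the page does not state, so a mismatch points to ordering, not to a wrong value.

```python
"""Recompute a pefile-style imphash from an import table listing.

Added example; it assumes a listing with a DLL name on its own line followed
by '<hex address> <function>' lines, as in the report's IAT section.
"""
import hashlib
import re

# Constructed, truncated copy of the report's IAT listing (first few imports).
SAMPLE_IAT = """\
USER32.dll
0x427134 ShowWindow
KERNEL32.dll
0x427000 LoadLibraryExW
0x427004 CreateFileW
0x427008 GetModuleHandleW
"""

ADDR_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat(text):
    """Return [(dll, [function, ...]), ...] preserving the listing order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ADDR_LINE.match(line)
        if m:
            if not entries:
                raise ValueError(f"import before any DLL line: {line!r}")
            entries[-1][1].append(m.group(1))
        else:
            entries.append((line, []))
    return entries


def imphash(entries):
    """MD5 over 'dll.func' pairs, lower-cased, comma-joined (pefile's rules).

    Only .dll/.ocx/.sys extensions are stripped; ordinal-only imports would be
    written as 'ordNNN' by pefile, but this listing names every import.
    """
    parts = []
    for dll, funcs in entries:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in funcs:
            parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash(parse_iat(SAMPLE_IAT)))
```

Because the hash is order-sensitive and extension-stripping is limited to the three extensions above, two binaries importing the same functions in a different directory order get different imphashes; that is why the value is useful for clustering builds of one toolkit rather than for matching arbitrary samples that share an API set.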