ScreenShot
| Created | 2023.06.01 18:38 | Machine | s1_win7_x6401 |
| Filename | javaw.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 50 detected (AIDetectMalware, RedLineNET, Zusy, Fugrafa, Save, malicious, ZexaF, qvZ@aWApYRf, Kryptik, Eldorado, high confidence, ESYR, score, PWSX, Ltgl, RedLineSteal, slasz, high, Static AI, Suspicious PE, ai score=89, Wacatac, RedLineStealer, Detected, RedLine, Artemis, unsafe, R002H0CEV23, D59cFM6mQcT, Outbreak, susgen, confidence, 100%) | ||
| md5 | a5293c169f7533a080b4487606ec1569 | ||
| sha256 | 296d7e9ac7f08f53dfad9c95d3859fe022d0bdcbb32d6d08d4250ffdc0e7a6fc | ||
| ssdeep | 12288:MTZOtcmA2c4eNjmxSV61oxSPTKgt+5yUi:MkOm5cXl6uYPOgAf | ||
| imphash | 89b3a6f6fa95f20a6ae4cdbb8278d185 | ||
| impfuzzy | 24:/R7Nzq8O/cpVWZttlS15GhlJBlCDoLoEOovSkFZMvtGMA+EZHu9n:/RNzqj/cpVettlS15GnVcuFZG9 | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 50 AntiVirus engines on VirusTotal as malicious |
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
USER32.dll
0x42313c ShutdownBlockReasonCreate
SHELL32.dll
0x423130 SHLoadNonloadedIconOverlayIdentifiers
0x423134 CommandLineToArgvW
KERNEL32.dll
0x423000 FreeLibrary
0x423004 CreateFileW
0x423008 HeapSize
0x42300c ReadConsoleW
0x423010 GetProcessHeap
0x423014 GetCommandLineW
0x423018 GetModuleHandleW
0x42301c GetStringTypeW
0x423020 MultiByteToWideChar
0x423024 WideCharToMultiByte
0x423028 EnterCriticalSection
0x42302c LeaveCriticalSection
0x423030 InitializeCriticalSectionEx
0x423034 DeleteCriticalSection
0x423038 EncodePointer
0x42303c DecodePointer
0x423040 LCMapStringEx
0x423044 GetCPInfo
0x423048 IsProcessorFeaturePresent
0x42304c UnhandledExceptionFilter
0x423050 SetUnhandledExceptionFilter
0x423054 GetCurrentProcess
0x423058 TerminateProcess
0x42305c QueryPerformanceCounter
0x423060 GetCurrentProcessId
0x423064 GetCurrentThreadId
0x423068 GetSystemTimeAsFileTime
0x42306c InitializeSListHead
0x423070 IsDebuggerPresent
0x423074 GetStartupInfoW
0x423078 SetStdHandle
0x42307c RaiseException
0x423080 RtlUnwind
0x423084 GetLastError
0x423088 SetLastError
0x42308c InitializeCriticalSectionAndSpinCount
0x423090 TlsAlloc
0x423094 TlsGetValue
0x423098 TlsSetValue
0x42309c TlsFree
0x4230a0 WriteConsoleW
0x4230a4 GetProcAddress
0x4230a8 LoadLibraryExW
0x4230ac GetStdHandle
0x4230b0 WriteFile
0x4230b4 GetModuleFileNameW
0x4230b8 ExitProcess
0x4230bc GetModuleHandleExW
0x4230c0 GetCommandLineA
0x4230c4 HeapAlloc
0x4230c8 HeapFree
0x4230cc CompareStringW
0x4230d0 LCMapStringW
0x4230d4 GetLocaleInfoW
0x4230d8 IsValidLocale
0x4230dc GetUserDefaultLCID
0x4230e0 EnumSystemLocalesW
0x4230e4 GetFileType
0x4230e8 GetFileSizeEx
0x4230ec SetFilePointerEx
0x4230f0 CloseHandle
0x4230f4 FlushFileBuffers
0x4230f8 GetConsoleOutputCP
0x4230fc GetConsoleMode
0x423100 ReadFile
0x423104 HeapReAlloc
0x423108 FindClose
0x42310c FindFirstFileExW
0x423110 FindNextFileW
0x423114 IsValidCodePage
0x423118 GetACP
0x42311c GetOEMCP
0x423120 GetEnvironmentStringsW
0x423124 FreeEnvironmentStringsW
0x423128 SetEnvironmentVariableW
EAT(Export Address Table) is none
USER32.dll
0x42313c ShutdownBlockReasonCreate
SHELL32.dll
0x423130 SHLoadNonloadedIconOverlayIdentifiers
0x423134 CommandLineToArgvW
KERNEL32.dll
0x423000 FreeLibrary
0x423004 CreateFileW
0x423008 HeapSize
0x42300c ReadConsoleW
0x423010 GetProcessHeap
0x423014 GetCommandLineW
0x423018 GetModuleHandleW
0x42301c GetStringTypeW
0x423020 MultiByteToWideChar
0x423024 WideCharToMultiByte
0x423028 EnterCriticalSection
0x42302c LeaveCriticalSection
0x423030 InitializeCriticalSectionEx
0x423034 DeleteCriticalSection
0x423038 EncodePointer
0x42303c DecodePointer
0x423040 LCMapStringEx
0x423044 GetCPInfo
0x423048 IsProcessorFeaturePresent
0x42304c UnhandledExceptionFilter
0x423050 SetUnhandledExceptionFilter
0x423054 GetCurrentProcess
0x423058 TerminateProcess
0x42305c QueryPerformanceCounter
0x423060 GetCurrentProcessId
0x423064 GetCurrentThreadId
0x423068 GetSystemTimeAsFileTime
0x42306c InitializeSListHead
0x423070 IsDebuggerPresent
0x423074 GetStartupInfoW
0x423078 SetStdHandle
0x42307c RaiseException
0x423080 RtlUnwind
0x423084 GetLastError
0x423088 SetLastError
0x42308c InitializeCriticalSectionAndSpinCount
0x423090 TlsAlloc
0x423094 TlsGetValue
0x423098 TlsSetValue
0x42309c TlsFree
0x4230a0 WriteConsoleW
0x4230a4 GetProcAddress
0x4230a8 LoadLibraryExW
0x4230ac GetStdHandle
0x4230b0 WriteFile
0x4230b4 GetModuleFileNameW
0x4230b8 ExitProcess
0x4230bc GetModuleHandleExW
0x4230c0 GetCommandLineA
0x4230c4 HeapAlloc
0x4230c8 HeapFree
0x4230cc CompareStringW
0x4230d0 LCMapStringW
0x4230d4 GetLocaleInfoW
0x4230d8 IsValidLocale
0x4230dc GetUserDefaultLCID
0x4230e0 EnumSystemLocalesW
0x4230e4 GetFileType
0x4230e8 GetFileSizeEx
0x4230ec SetFilePointerEx
0x4230f0 CloseHandle
0x4230f4 FlushFileBuffers
0x4230f8 GetConsoleOutputCP
0x4230fc GetConsoleMode
0x423100 ReadFile
0x423104 HeapReAlloc
0x423108 FindClose
0x42310c FindFirstFileExW
0x423110 FindNextFileW
0x423114 IsValidCodePage
0x423118 GetACP
0x42311c GetOEMCP
0x423120 GetEnvironmentStringsW
0x423124 FreeEnvironmentStringsW
0x423128 SetEnvironmentVariableW
EAT(Export Address Table) is none