ScreenShot
| Created | 2023.06.08 09:21 | Machine | s1_win7_x6401 |
| Filename | metro.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | bbae70e8a90c7dee5fab03c19a86f1bb | ||
| sha256 | c70b59777594135f9859494393b094cda8cae0b7373cefbfc15bf271bfed2b3f | ||
| ssdeep | 6144:JQvoWvJpwcu1wvTygXUNVS4MGh1aBFrvz1xcxcWhErt:JUzXyR1aBFrvz1xcxdErt | ||
| imphash | f264906d4975bf1277da66f2124faba1 | ||
| impfuzzy | 24:INQL4DpLS1jt5GhlJnc+pl39/YoEOovbO3U4ZHu93vB3GMM:INtLS1jt5G5c+ppic30Bi | ||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
COMDLG32.dll
0x410000 GetSaveFileNameA
0x410004 ChooseColorW
0x410008 GetOpenFileNameA
KERNEL32.dll
0x410010 GetModuleHandleA
0x410014 GetProcAddress
0x410018 MultiByteToWideChar
0x41001c QueryPerformanceFrequency
0x410020 QueryPerformanceCounter
0x410024 GetCurrentProcessId
0x410028 GetCurrentThreadId
0x41002c GetSystemTimeAsFileTime
0x410030 InitializeSListHead
0x410034 IsDebuggerPresent
0x410038 UnhandledExceptionFilter
0x41003c SetUnhandledExceptionFilter
0x410040 GetStartupInfoW
0x410044 IsProcessorFeaturePresent
0x410048 GetModuleHandleW
0x41004c GetCurrentProcess
0x410050 TerminateProcess
0x410054 WriteConsoleW
0x410058 RaiseException
0x41005c RtlUnwind
0x410060 GetLastError
0x410064 SetLastError
0x410068 EnterCriticalSection
0x41006c LeaveCriticalSection
0x410070 DeleteCriticalSection
0x410074 InitializeCriticalSectionAndSpinCount
0x410078 TlsAlloc
0x41007c TlsGetValue
0x410080 TlsSetValue
0x410084 TlsFree
0x410088 FreeLibrary
0x41008c LoadLibraryExW
0x410090 EncodePointer
0x410094 GetStdHandle
0x410098 WriteFile
0x41009c GetModuleFileNameW
0x4100a0 ExitProcess
0x4100a4 GetModuleHandleExW
0x4100a8 GetCommandLineA
0x4100ac GetCommandLineW
0x4100b0 HeapAlloc
0x4100b4 HeapFree
0x4100b8 FindClose
0x4100bc FindFirstFileExW
0x4100c0 FindNextFileW
0x4100c4 IsValidCodePage
0x4100c8 GetACP
0x4100cc GetOEMCP
0x4100d0 GetCPInfo
0x4100d4 WideCharToMultiByte
0x4100d8 GetEnvironmentStringsW
0x4100dc FreeEnvironmentStringsW
0x4100e0 SetEnvironmentVariableW
0x4100e4 SetStdHandle
0x4100e8 GetFileType
0x4100ec GetStringTypeW
0x4100f0 CompareStringW
0x4100f4 LCMapStringW
0x4100f8 GetProcessHeap
0x4100fc HeapSize
0x410100 HeapReAlloc
0x410104 FlushFileBuffers
0x410108 GetConsoleOutputCP
0x41010c GetConsoleMode
0x410110 SetFilePointerEx
0x410114 CreateFileW
0x410118 CloseHandle
0x41011c DecodePointer
EAT(Export Address Table) is none
COMDLG32.dll
0x410000 GetSaveFileNameA
0x410004 ChooseColorW
0x410008 GetOpenFileNameA
KERNEL32.dll
0x410010 GetModuleHandleA
0x410014 GetProcAddress
0x410018 MultiByteToWideChar
0x41001c QueryPerformanceFrequency
0x410020 QueryPerformanceCounter
0x410024 GetCurrentProcessId
0x410028 GetCurrentThreadId
0x41002c GetSystemTimeAsFileTime
0x410030 InitializeSListHead
0x410034 IsDebuggerPresent
0x410038 UnhandledExceptionFilter
0x41003c SetUnhandledExceptionFilter
0x410040 GetStartupInfoW
0x410044 IsProcessorFeaturePresent
0x410048 GetModuleHandleW
0x41004c GetCurrentProcess
0x410050 TerminateProcess
0x410054 WriteConsoleW
0x410058 RaiseException
0x41005c RtlUnwind
0x410060 GetLastError
0x410064 SetLastError
0x410068 EnterCriticalSection
0x41006c LeaveCriticalSection
0x410070 DeleteCriticalSection
0x410074 InitializeCriticalSectionAndSpinCount
0x410078 TlsAlloc
0x41007c TlsGetValue
0x410080 TlsSetValue
0x410084 TlsFree
0x410088 FreeLibrary
0x41008c LoadLibraryExW
0x410090 EncodePointer
0x410094 GetStdHandle
0x410098 WriteFile
0x41009c GetModuleFileNameW
0x4100a0 ExitProcess
0x4100a4 GetModuleHandleExW
0x4100a8 GetCommandLineA
0x4100ac GetCommandLineW
0x4100b0 HeapAlloc
0x4100b4 HeapFree
0x4100b8 FindClose
0x4100bc FindFirstFileExW
0x4100c0 FindNextFileW
0x4100c4 IsValidCodePage
0x4100c8 GetACP
0x4100cc GetOEMCP
0x4100d0 GetCPInfo
0x4100d4 WideCharToMultiByte
0x4100d8 GetEnvironmentStringsW
0x4100dc FreeEnvironmentStringsW
0x4100e0 SetEnvironmentVariableW
0x4100e4 SetStdHandle
0x4100e8 GetFileType
0x4100ec GetStringTypeW
0x4100f0 CompareStringW
0x4100f4 LCMapStringW
0x4100f8 GetProcessHeap
0x4100fc HeapSize
0x410100 HeapReAlloc
0x410104 FlushFileBuffers
0x410108 GetConsoleOutputCP
0x41010c GetConsoleMode
0x410110 SetFilePointerEx
0x410114 CreateFileW
0x410118 CloseHandle
0x41011c DecodePointer
EAT(Export Address Table) is none