ScreenShot
| Created | 2023.06.15 14:44 | Machine | s1_win7_x6401 |
| Filename | spyr1xx_crypted_LAB.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 28 detected (AIDetectMalware, Save, grayware, confidence, Attribute, HighConfidence, malicious, high confidence, Kryptik, HTQR, score, PWSX, MultiPlug, high, Generic ML PUA, Wacatac, Detected, ZexaF, qzZ@au1sedhi, unsafe, Generic@AI, RDML, k4F7HVK+5tmCNU2bnnPQaw, Static AI, Suspicious PE, ESYR) | ||
| md5 | 25a9ce88fcac81aa271bbb34cedb1766 | ||
| sha256 | 960971f7b34990d6afc7234ee27035f91b0f839f22e242807887d358abf19b17 | ||
| ssdeep | 6144:sVRyfLFzZTBuf3EohjAOyEwtEnjYgvvnDMNk+SPMgbVW2ND4Ox/3C:sifLxZTSwsMgvLMNkjJ3/3C | ||
| imphash | 999c29d3ab50dba22218bf1739a565da | ||
| impfuzzy | 24:KcpVWZttlS1DGhlJBl3eDoLoEOovbO3kFZMvtGMA+EZHu95:KcpVettlS1DGnpXc30FZGz | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x425000 GetModuleHandleW
0x425004 MultiByteToWideChar
0x425008 GetStringTypeW
0x42500c WideCharToMultiByte
0x425010 EnterCriticalSection
0x425014 LeaveCriticalSection
0x425018 InitializeCriticalSectionEx
0x42501c DeleteCriticalSection
0x425020 EncodePointer
0x425024 DecodePointer
0x425028 LCMapStringEx
0x42502c GetCPInfo
0x425030 IsProcessorFeaturePresent
0x425034 UnhandledExceptionFilter
0x425038 SetUnhandledExceptionFilter
0x42503c GetCurrentProcess
0x425040 TerminateProcess
0x425044 QueryPerformanceCounter
0x425048 GetCurrentProcessId
0x42504c GetCurrentThreadId
0x425050 GetSystemTimeAsFileTime
0x425054 InitializeSListHead
0x425058 IsDebuggerPresent
0x42505c GetStartupInfoW
0x425060 CreateFileW
0x425064 RaiseException
0x425068 RtlUnwind
0x42506c GetLastError
0x425070 SetLastError
0x425074 InitializeCriticalSectionAndSpinCount
0x425078 TlsAlloc
0x42507c TlsGetValue
0x425080 TlsSetValue
0x425084 TlsFree
0x425088 FreeLibrary
0x42508c GetProcAddress
0x425090 LoadLibraryExW
0x425094 GetStdHandle
0x425098 WriteFile
0x42509c GetModuleFileNameW
0x4250a0 ExitProcess
0x4250a4 GetModuleHandleExW
0x4250a8 GetCommandLineA
0x4250ac GetCommandLineW
0x4250b0 HeapAlloc
0x4250b4 HeapFree
0x4250b8 CompareStringW
0x4250bc LCMapStringW
0x4250c0 GetLocaleInfoW
0x4250c4 IsValidLocale
0x4250c8 GetUserDefaultLCID
0x4250cc EnumSystemLocalesW
0x4250d0 GetFileType
0x4250d4 GetFileSizeEx
0x4250d8 SetFilePointerEx
0x4250dc CloseHandle
0x4250e0 FlushFileBuffers
0x4250e4 GetConsoleOutputCP
0x4250e8 GetConsoleMode
0x4250ec ReadFile
0x4250f0 HeapReAlloc
0x4250f4 FindClose
0x4250f8 FindFirstFileExW
0x4250fc FindNextFileW
0x425100 IsValidCodePage
0x425104 GetACP
0x425108 GetOEMCP
0x42510c GetEnvironmentStringsW
0x425110 FreeEnvironmentStringsW
0x425114 SetEnvironmentVariableW
0x425118 SetStdHandle
0x42511c GetProcessHeap
0x425120 ReadConsoleW
0x425124 HeapSize
0x425128 WriteConsoleW
EAT(Export Address Table) is none
KERNEL32.dll
0x425000 GetModuleHandleW
0x425004 MultiByteToWideChar
0x425008 GetStringTypeW
0x42500c WideCharToMultiByte
0x425010 EnterCriticalSection
0x425014 LeaveCriticalSection
0x425018 InitializeCriticalSectionEx
0x42501c DeleteCriticalSection
0x425020 EncodePointer
0x425024 DecodePointer
0x425028 LCMapStringEx
0x42502c GetCPInfo
0x425030 IsProcessorFeaturePresent
0x425034 UnhandledExceptionFilter
0x425038 SetUnhandledExceptionFilter
0x42503c GetCurrentProcess
0x425040 TerminateProcess
0x425044 QueryPerformanceCounter
0x425048 GetCurrentProcessId
0x42504c GetCurrentThreadId
0x425050 GetSystemTimeAsFileTime
0x425054 InitializeSListHead
0x425058 IsDebuggerPresent
0x42505c GetStartupInfoW
0x425060 CreateFileW
0x425064 RaiseException
0x425068 RtlUnwind
0x42506c GetLastError
0x425070 SetLastError
0x425074 InitializeCriticalSectionAndSpinCount
0x425078 TlsAlloc
0x42507c TlsGetValue
0x425080 TlsSetValue
0x425084 TlsFree
0x425088 FreeLibrary
0x42508c GetProcAddress
0x425090 LoadLibraryExW
0x425094 GetStdHandle
0x425098 WriteFile
0x42509c GetModuleFileNameW
0x4250a0 ExitProcess
0x4250a4 GetModuleHandleExW
0x4250a8 GetCommandLineA
0x4250ac GetCommandLineW
0x4250b0 HeapAlloc
0x4250b4 HeapFree
0x4250b8 CompareStringW
0x4250bc LCMapStringW
0x4250c0 GetLocaleInfoW
0x4250c4 IsValidLocale
0x4250c8 GetUserDefaultLCID
0x4250cc EnumSystemLocalesW
0x4250d0 GetFileType
0x4250d4 GetFileSizeEx
0x4250d8 SetFilePointerEx
0x4250dc CloseHandle
0x4250e0 FlushFileBuffers
0x4250e4 GetConsoleOutputCP
0x4250e8 GetConsoleMode
0x4250ec ReadFile
0x4250f0 HeapReAlloc
0x4250f4 FindClose
0x4250f8 FindFirstFileExW
0x4250fc FindNextFileW
0x425100 IsValidCodePage
0x425104 GetACP
0x425108 GetOEMCP
0x42510c GetEnvironmentStringsW
0x425110 FreeEnvironmentStringsW
0x425114 SetEnvironmentVariableW
0x425118 SetStdHandle
0x42511c GetProcessHeap
0x425120 ReadConsoleW
0x425124 HeapSize
0x425128 WriteConsoleW
EAT(Export Address Table) is none