ScreenShot
| Created | 2023.06.20 09:19 | Machine | s1_win7_x6401 |
| Filename | bqn1kx9furd80.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 24 detected (AIDetectMalware, Strab, malicious, high confidence, V9t8, confidence, Attribute, HighConfidence, Kryptik, HTVR, score, PWSX, Artemis, Wacatac, CLOUD, susgen, ZexaF, HuZ@ayK) | ||
| md5 | f8f90dde30c804bc48218e20ccec81bc | ||
| sha256 | d04210206e7c5ae0538c00ad882bcdd998ce4515fa44f37d85fcfbdfa0926dfd | ||
| ssdeep | 12288:9l8R3Z64BX90Qzt/MrqQBXbRztnCjF9x1W3Ec12SPk0y9t9D:MR3ZNBX90QtEhbRhAnx1eEcAOk0yHx | ||
| imphash | 309a5f556f3c87ce9ff6c47cb16a3929 | ||
| impfuzzy | 24:ZZLqocpVWZsmrYtMS14GhlJBlxeDoLoEOovbOIFuFZMvDWEZHu9cGMc:ZZLpcpVeVrYtMS14GnXXc3iuFZGDY | ||
Network IP location
Signature (23cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
USER32.dll
0x43f14c GetWindowRect
0x43f150 ShowWindow
ole32.dll
0x43f158 OleSetClipboard
GDI32.dll
0x43f000 GdiGetBatchLimit
KERNEL32.dll
0x43f008 CloseHandle
0x43f00c CreateFileW
0x43f010 TlsFree
0x43f014 VirtualProtectEx
0x43f018 GetConsoleWindow
0x43f01c WideCharToMultiByte
0x43f020 MultiByteToWideChar
0x43f024 EnterCriticalSection
0x43f028 LeaveCriticalSection
0x43f02c InitializeCriticalSectionEx
0x43f030 DeleteCriticalSection
0x43f034 EncodePointer
0x43f038 DecodePointer
0x43f03c LCMapStringEx
0x43f040 GetLocaleInfoEx
0x43f044 GetStringTypeW
0x43f048 CompareStringEx
0x43f04c GetCPInfo
0x43f050 UnhandledExceptionFilter
0x43f054 SetUnhandledExceptionFilter
0x43f058 GetCurrentProcess
0x43f05c TerminateProcess
0x43f060 IsProcessorFeaturePresent
0x43f064 QueryPerformanceCounter
0x43f068 GetCurrentProcessId
0x43f06c GetCurrentThreadId
0x43f070 GetSystemTimeAsFileTime
0x43f074 InitializeSListHead
0x43f078 IsDebuggerPresent
0x43f07c GetStartupInfoW
0x43f080 GetModuleHandleW
0x43f084 HeapSize
0x43f088 RaiseException
0x43f08c RtlUnwind
0x43f090 GetLastError
0x43f094 SetLastError
0x43f098 InitializeCriticalSectionAndSpinCount
0x43f09c TlsAlloc
0x43f0a0 TlsGetValue
0x43f0a4 TlsSetValue
0x43f0a8 WriteConsoleW
0x43f0ac FreeLibrary
0x43f0b0 GetProcAddress
0x43f0b4 LoadLibraryExW
0x43f0b8 GetStdHandle
0x43f0bc WriteFile
0x43f0c0 GetModuleFileNameW
0x43f0c4 ExitProcess
0x43f0c8 GetModuleHandleExW
0x43f0cc GetCommandLineA
0x43f0d0 GetCommandLineW
0x43f0d4 HeapFree
0x43f0d8 HeapAlloc
0x43f0dc GetDateFormatW
0x43f0e0 GetTimeFormatW
0x43f0e4 CompareStringW
0x43f0e8 LCMapStringW
0x43f0ec GetLocaleInfoW
0x43f0f0 IsValidLocale
0x43f0f4 GetUserDefaultLCID
0x43f0f8 EnumSystemLocalesW
0x43f0fc GetFileType
0x43f100 HeapReAlloc
0x43f104 GetTimeZoneInformation
0x43f108 FindClose
0x43f10c FindFirstFileExW
0x43f110 FindNextFileW
0x43f114 IsValidCodePage
0x43f118 GetACP
0x43f11c GetOEMCP
0x43f120 GetEnvironmentStringsW
0x43f124 FreeEnvironmentStringsW
0x43f128 SetEnvironmentVariableW
0x43f12c SetStdHandle
0x43f130 GetProcessHeap
0x43f134 FlushFileBuffers
0x43f138 GetConsoleOutputCP
0x43f13c GetConsoleMode
0x43f140 GetFileSizeEx
0x43f144 SetFilePointerEx
EAT(Export Address Table) is none
USER32.dll
0x43f14c GetWindowRect
0x43f150 ShowWindow
ole32.dll
0x43f158 OleSetClipboard
GDI32.dll
0x43f000 GdiGetBatchLimit
KERNEL32.dll
0x43f008 CloseHandle
0x43f00c CreateFileW
0x43f010 TlsFree
0x43f014 VirtualProtectEx
0x43f018 GetConsoleWindow
0x43f01c WideCharToMultiByte
0x43f020 MultiByteToWideChar
0x43f024 EnterCriticalSection
0x43f028 LeaveCriticalSection
0x43f02c InitializeCriticalSectionEx
0x43f030 DeleteCriticalSection
0x43f034 EncodePointer
0x43f038 DecodePointer
0x43f03c LCMapStringEx
0x43f040 GetLocaleInfoEx
0x43f044 GetStringTypeW
0x43f048 CompareStringEx
0x43f04c GetCPInfo
0x43f050 UnhandledExceptionFilter
0x43f054 SetUnhandledExceptionFilter
0x43f058 GetCurrentProcess
0x43f05c TerminateProcess
0x43f060 IsProcessorFeaturePresent
0x43f064 QueryPerformanceCounter
0x43f068 GetCurrentProcessId
0x43f06c GetCurrentThreadId
0x43f070 GetSystemTimeAsFileTime
0x43f074 InitializeSListHead
0x43f078 IsDebuggerPresent
0x43f07c GetStartupInfoW
0x43f080 GetModuleHandleW
0x43f084 HeapSize
0x43f088 RaiseException
0x43f08c RtlUnwind
0x43f090 GetLastError
0x43f094 SetLastError
0x43f098 InitializeCriticalSectionAndSpinCount
0x43f09c TlsAlloc
0x43f0a0 TlsGetValue
0x43f0a4 TlsSetValue
0x43f0a8 WriteConsoleW
0x43f0ac FreeLibrary
0x43f0b0 GetProcAddress
0x43f0b4 LoadLibraryExW
0x43f0b8 GetStdHandle
0x43f0bc WriteFile
0x43f0c0 GetModuleFileNameW
0x43f0c4 ExitProcess
0x43f0c8 GetModuleHandleExW
0x43f0cc GetCommandLineA
0x43f0d0 GetCommandLineW
0x43f0d4 HeapFree
0x43f0d8 HeapAlloc
0x43f0dc GetDateFormatW
0x43f0e0 GetTimeFormatW
0x43f0e4 CompareStringW
0x43f0e8 LCMapStringW
0x43f0ec GetLocaleInfoW
0x43f0f0 IsValidLocale
0x43f0f4 GetUserDefaultLCID
0x43f0f8 EnumSystemLocalesW
0x43f0fc GetFileType
0x43f100 HeapReAlloc
0x43f104 GetTimeZoneInformation
0x43f108 FindClose
0x43f10c FindFirstFileExW
0x43f110 FindNextFileW
0x43f114 IsValidCodePage
0x43f118 GetACP
0x43f11c GetOEMCP
0x43f120 GetEnvironmentStringsW
0x43f124 FreeEnvironmentStringsW
0x43f128 SetEnvironmentVariableW
0x43f12c SetStdHandle
0x43f130 GetProcessHeap
0x43f134 FlushFileBuffers
0x43f138 GetConsoleOutputCP
0x43f13c GetConsoleMode
0x43f140 GetFileSizeEx
0x43f144 SetFilePointerEx
EAT(Export Address Table) is none