Report - @sogood1337_crypted%20%283%29.exe

Tags: RedLine stealer, UPX, Malicious Library, Malicious Packer, AntiDebug, AntiVM, OS Processor Check, PE File, PE32, PE64
Created 2023.06.21 05:39 Machine s1_win7_x6401
Filename @sogood1337_crypted%20%283%29.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 8
Behavior Score 16.0
ZERO API file : clean
VT API (file) 41 detected (AIDetectMalware, Convagent, malicious, high confidence, Artemis, unsafe, Save, confidence, 100%, Kryptik, Eldorado, Attribute, HighConfidence, HTQR, score, PWSX, RedLineSteal, bnwxm, Siggen20, REDLINE, YXDFTZ, high, Static AI, Malicious PE, Cordimik, 9TRPUN, Detected, ZexaF, qzZ@aSTrA0ki, TLIh66g2JcC, susgen, ESYR)
md5 02e3ce5f9cff3521b4e443a7a98955ab
sha256 1551371a8c26e90e3ce229fd4f68351373e6bafcd7cfbe51e4892605bda772d0
ssdeep 6144:SBsloyGJpqpn9PZZiQ3/0tAOVfuuJR+BnuonkENk6C8ZmMxonUMFO/NogCP2:S6XGJpqdNctbfpInuokWk6leQ2P2
imphash 6f3eb99ede26190ebb4d18e0266260bb
impfuzzy 24:0L8jTcpVWZjxD2te4GhlJBl39WuPLOovbO3kFZMv5GMA+EZHu95:20cpVejQte4Gnpn630FZGf

Signature (36cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Detects the presence of Wine emulator
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client software
watch Looks for the Windows Idle Time to determine the uptime
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process installutil.exe
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Created a process named as a common system process
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key
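The four signatures "Executed a process and injected code into it", "Allocates execute permission to another process", "Used NtSetContextThread to modify a thread in a remote process" and "Resumed a suspended thread in a remote process" are the stages of one remote-injection chain, and the chain is only meaningful when the stages are aimed at the same target process in that order: a debugger also resumes remote threads, and the "Allocates read-write-execute memory" notice is usually just the sample unpacking in its own address space. The detector below is an added example, not the sandbox's own logic; the API trace it runs on is constructed (pids, sizes and the benign rows are invented, only the installutil.exe name echoes the report).

```python
"""Order-aware detector for the remote-injection chain described by the
sandbox signatures above. Added example; the trace is constructed."""

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40        # memory protection constant

# Stages in the order an injection/hollowing chain performs them. Each stage
# is (label, accepted API names, predicate over the call's arguments).
STAGES = [
    ("alloc_rwx_remote", {"VirtualAllocEx", "NtAllocateVirtualMemory"},
     lambda a: a.get("protect") == PAGE_EXECUTE_READWRITE),
    ("write_remote", {"WriteProcessMemory", "NtWriteVirtualMemory"},
     lambda a: True),
    ("set_context", {"SetThreadContext", "NtSetContextThread"},
     lambda a: True),
    ("resume_thread", {"ResumeThread", "NtResumeThread"},
     lambda a: True),
]

# Constructed API trace as (caller_pid, api, args). Only the image name comes
# from the report's installutil.exe observation; everything else is invented.
TRACE = [
    (1000, "CreateProcessW", {"image": "installutil.exe",
                              "flags": CREATE_SUSPENDED, "new_pid": 2000}),
    (1000, "NtAllocateVirtualMemory", {"target_pid": 2000,
                                       "protect": PAGE_EXECUTE_READWRITE,
                                       "size": 0x30000}),
    (1000, "NtWriteVirtualMemory", {"target_pid": 2000, "size": 0x30000}),
    (1000, "NtSetContextThread", {"target_pid": 2000, "tid": 2001}),
    (1000, "NtResumeThread", {"target_pid": 2000, "tid": 2001}),
    # Benign: a debugger resuming a thread it never wrote to.
    (3000, "NtResumeThread", {"target_pid": 4000, "tid": 4001}),
    # RWX in the caller's own address space (self-unpacking); this is the
    # "Allocates read-write-execute memory" notice, not remote injection.
    (1000, "VirtualAlloc", {"protect": PAGE_EXECUTE_READWRITE, "size": 0x1000}),
]


def find_injection_chains(trace):
    """Return {(caller_pid, target_pid): info} for every pair that completes all
    STAGES in order. Calls without a target_pid, or aimed at the caller itself,
    never advance a chain. A stage may repeat (several writes); an out-of-order
    call is ignored rather than counted."""
    progress = {}      # (caller, target) -> index of the next expected stage
    suspended = set()  # (caller, child) pairs created with CREATE_SUSPENDED
    hits = {}
    for pid, api, args in trace:
        if api in ("CreateProcessA", "CreateProcessW") and \
                args.get("flags", 0) & CREATE_SUSPENDED:
            suspended.add((pid, args["new_pid"]))
            continue
        target = args.get("target_pid")
        if target is None or target == pid:
            continue
        key = (pid, target)
        idx = progress.get(key, 0)
        if idx >= len(STAGES):
            continue
        _label, apis, pred = STAGES[idx]
        if api in apis and pred(args):
            progress[key] = idx + 1
            if idx + 1 == len(STAGES):
                hits[key] = {"stages": [s[0] for s in STAGES],
                             "created_suspended": key in suspended}
    return hits


if __name__ == "__main__":
    for (caller, target), info in find_injection_chains(TRACE).items():
        print(f"pid {caller} -> pid {target}: {' -> '.join(info['stages'])}"
              f" (target created suspended: {info['created_suspended']})")
```

The `created_suspended` flag is what separates classic process hollowing (child created suspended, then overwritten and resumed) from injection into an already-running process; both complete the same four stages, so the chain fires either way and the flag is reported alongside it.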

Rules (21cnts)

Level Name Description Collection
danger RedLine_Stealer_m_Zero RedLine stealer memory
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (7cnts)

Request                              CC  ASN owner              IP4             Rule  ZERO
http://217.196.96.158/svchost.exe    RU  CJSC Kolomna-Sviaz TV  217.196.96.158        clean
http://217.196.96.158/conhost.exe    RU  CJSC Kolomna-Sviaz TV  217.196.96.158        clean
https://api.ip.sb/ip                 US  CLOUDFLARENET          104.26.12.31          clean
api.ip.sb                            US  CLOUDFLARENET          104.26.13.31          clean
104.26.12.31                         US  CLOUDFLARENET          104.26.12.31          clean
94.142.138.4                         RU  Ihor Hosting LLC       94.142.138.4          clean
217.196.96.158                       RU  CJSC Kolomna-Sviaz TV  217.196.96.158        clean
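Three things in this table matter for turning it into detection content. The two download URLs use an IP literal as host, which is exactly the "Communicates with host for which no DNS query was performed" signature above and is a strong indicator on its own. 94.142.138.4 appears only as a bare IP with no HTTP request, so a proxy log will not show it; it has to come from firewall, NetFlow or EDR connection logs. api.ip.sb is a public IP-lookup service that benign software also uses, so it should corroborate other hits rather than alert alone. The scanner below is an added example, not part of the report; the log lines it runs on are constructed (the 10.0.0.x clients and timestamps are invented, only the IOCs are taken from the table).

```python
"""Match the report's network IOCs against proxy/DNS/flow log lines and flag
the no-DNS-query pattern the sandbox noted. Added example with constructed
log lines; nothing here was captured from the real sample."""
import ipaddress
from urllib.parse import urlsplit

# Copied from the Network table above.
IOC_URLS = {
    "http://217.196.96.158/svchost.exe",
    "http://217.196.96.158/conhost.exe",
}
IOC_IPS = {"217.196.96.158", "94.142.138.4"}
# Public IP-lookup endpoint seen in the report; also used by benign software,
# so it corroborates other hits but should not alert on its own.
CORROBORATING_HOSTS = {"api.ip.sb"}

SEVERITY = {"high": 3, "medium": 2, "low": 1}

# Constructed log format: "<ts> <kind> <client> <dest> [url]" where kind is
# dns (dest = queried name), http (dest = server ip, url follows) or
# tcp (dest = server ip, non-HTTP flow). Clients and times are invented.
SAMPLE_LOG = """\
2023-06-21T05:40:01Z dns  10.0.0.5 api.ip.sb
2023-06-21T05:40:02Z http 10.0.0.5 104.26.12.31 https://api.ip.sb/ip
2023-06-21T05:40:05Z http 10.0.0.5 217.196.96.158 http://217.196.96.158/svchost.exe
2023-06-21T05:40:06Z tcp  10.0.0.5 94.142.138.4
2023-06-21T05:41:00Z dns  10.0.0.9 www.example.com
2023-06-21T05:41:01Z http 10.0.0.9 93.184.216.34 http://www.example.com/
"""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan(log_text):
    """Return [(severity, reasons, line)] for every line that matches an IOC
    or the no-DNS pattern, in log order. Lines with no finding are omitted."""
    findings = []
    queried = set()            # (client, name) pairs resolved via DNS so far
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, kind, client, dest = parts[:4]
        if kind == "dns":
            queried.add((client, dest.lower()))
            continue
        reasons = []
        if dest in IOC_IPS:
            reasons.append(("high", f"listed IP {dest}"))
        if kind == "http" and len(parts) > 4:
            url = parts[4]
            host = (urlsplit(url).hostname or "").lower()
            if url in IOC_URLS:
                reasons.append(("high", f"listed download URL {url}"))
            if host in CORROBORATING_HOSTS:
                reasons.append(("low", f"IP-lookup service {host}, corroborating only"))
            if is_ip_literal(host):
                reasons.append(("medium", f"HTTP to IP literal {host}, no DNS needed"))
            elif (client, host) not in queried:
                reasons.append(("medium", f"no DNS query for {host} from {client}"))
        if reasons:
            top = max(reasons, key=lambda r: SEVERITY[r[0]])[0]
            findings.append((top, "; ".join(r[1] for r in reasons), line))
    return findings


if __name__ == "__main__":
    for sev, why, line in scan(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {line}")
```

The DNS bookkeeping is per client, so a name resolved by one host does not excuse another host that connects to it without resolving it; on a real network this needs the resolver's query log, not just the proxy log.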

Suricata ids

PE API

IAT (Import Address Table) by library

GDI32.dll
 0x426000 SetWindowOrgEx
 0x426004 Polygon
KERNEL32.dll
 0x42600c FreeConsole
 0x426010 GetModuleHandleW
 0x426014 MultiByteToWideChar
 0x426018 GetStringTypeW
 0x42601c WideCharToMultiByte
 0x426020 GetCurrentThreadId
 0x426024 CloseHandle
 0x426028 WaitForSingleObjectEx
 0x42602c GetExitCodeThread
 0x426030 EnterCriticalSection
 0x426034 LeaveCriticalSection
 0x426038 InitializeCriticalSectionEx
 0x42603c DeleteCriticalSection
 0x426040 EncodePointer
 0x426044 DecodePointer
 0x426048 LCMapStringEx
 0x42604c QueryPerformanceCounter
 0x426050 GetSystemTimeAsFileTime
 0x426054 GetProcAddress
 0x426058 GetCPInfo
 0x42605c IsProcessorFeaturePresent
 0x426060 UnhandledExceptionFilter
 0x426064 SetUnhandledExceptionFilter
 0x426068 GetCurrentProcess
 0x42606c TerminateProcess
 0x426070 GetCurrentProcessId
 0x426074 InitializeSListHead
 0x426078 IsDebuggerPresent
 0x42607c GetStartupInfoW
 0x426080 CreateFileW
 0x426084 RaiseException
 0x426088 RtlUnwind
 0x42608c GetLastError
 0x426090 SetLastError
 0x426094 InitializeCriticalSectionAndSpinCount
 0x426098 TlsAlloc
 0x42609c TlsGetValue
 0x4260a0 TlsSetValue
 0x4260a4 TlsFree
 0x4260a8 FreeLibrary
 0x4260ac LoadLibraryExW
 0x4260b0 CreateThread
 0x4260b4 ExitThread
 0x4260b8 FreeLibraryAndExitThread
 0x4260bc GetModuleHandleExW
 0x4260c0 GetStdHandle
 0x4260c4 WriteFile
 0x4260c8 GetModuleFileNameW
 0x4260cc ExitProcess
 0x4260d0 GetCommandLineA
 0x4260d4 GetCommandLineW
 0x4260d8 HeapAlloc
 0x4260dc HeapFree
 0x4260e0 CompareStringW
 0x4260e4 LCMapStringW
 0x4260e8 GetLocaleInfoW
 0x4260ec IsValidLocale
 0x4260f0 GetUserDefaultLCID
 0x4260f4 EnumSystemLocalesW
 0x4260f8 GetFileType
 0x4260fc GetFileSizeEx
 0x426100 SetFilePointerEx
 0x426104 FlushFileBuffers
 0x426108 GetConsoleOutputCP
 0x42610c GetConsoleMode
 0x426110 ReadFile
 0x426114 HeapReAlloc
 0x426118 FindClose
 0x42611c FindFirstFileExW
 0x426120 FindNextFileW
 0x426124 IsValidCodePage
 0x426128 GetACP
 0x42612c GetOEMCP
 0x426130 GetEnvironmentStringsW
 0x426134 FreeEnvironmentStringsW
 0x426138 SetEnvironmentVariableW
 0x42613c SetStdHandle
 0x426140 GetProcessHeap
 0x426144 ReadConsoleW
 0x426148 HeapSize
 0x42614c WriteConsoleW

EAT (Export Address Table): none
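Two checks a practitioner would run against the IAT listing above. First, the slot addresses are consistent with a PE32 IAT: each DLL's thunk array is an array of 4-byte entries ended by a null entry, which is why GDI32's two slots at 0x426000 and 0x426004 are followed by KERNEL32 starting at 0x42600c rather than 0x426008, and why 81 KERNEL32 names end exactly at 0x42614c. Second, the imphash in the header (6f3eb99ede26190ebb4d18e0266260bb) is, in pefile's definition, the MD5 of the lower-cased "dll.function" pairs joined by commas in import order, so it can be recomputed from this listing and used to pivot to other samples with the same import layout. The code below is an added example, not tooling from the report; it transcribes the names above and assumes the listing reproduces the full import directory in order, so a mismatch against the report value points at omitted or reordered entries (or ordinal imports) rather than at a hashing error.

```python
"""Recompute an import hash from the IAT listing above the way pefile derives
imphash, and sanity-check the listed slot addresses. Added example."""
import hashlib

# (dll, [functions]) transcribed from the listing, in the order shown.
IMPORTS = [
    ("GDI32.dll", ["SetWindowOrgEx", "Polygon"]),
    ("KERNEL32.dll", """
        FreeConsole GetModuleHandleW MultiByteToWideChar GetStringTypeW
        WideCharToMultiByte GetCurrentThreadId CloseHandle WaitForSingleObjectEx
        GetExitCodeThread EnterCriticalSection LeaveCriticalSection
        InitializeCriticalSectionEx DeleteCriticalSection EncodePointer
        DecodePointer LCMapStringEx QueryPerformanceCounter
        GetSystemTimeAsFileTime GetProcAddress GetCPInfo
        IsProcessorFeaturePresent UnhandledExceptionFilter
        SetUnhandledExceptionFilter GetCurrentProcess TerminateProcess
        GetCurrentProcessId InitializeSListHead IsDebuggerPresent
        GetStartupInfoW CreateFileW RaiseException RtlUnwind GetLastError
        SetLastError InitializeCriticalSectionAndSpinCount TlsAlloc
        TlsGetValue TlsSetValue TlsFree FreeLibrary LoadLibraryExW
        CreateThread ExitThread FreeLibraryAndExitThread GetModuleHandleExW
        GetStdHandle WriteFile GetModuleFileNameW ExitProcess
        GetCommandLineA GetCommandLineW HeapAlloc HeapFree CompareStringW
        LCMapStringW GetLocaleInfoW IsValidLocale GetUserDefaultLCID
        EnumSystemLocalesW GetFileType GetFileSizeEx SetFilePointerEx
        FlushFileBuffers GetConsoleOutputCP GetConsoleMode ReadFile
        HeapReAlloc FindClose FindFirstFileExW FindNextFileW IsValidCodePage
        GetACP GetOEMCP GetEnvironmentStringsW FreeEnvironmentStringsW
        SetEnvironmentVariableW SetStdHandle GetProcessHeap ReadConsoleW
        HeapSize WriteConsoleW
    """.split()),
]

REPORT_IMPHASH = "6f3eb99ede26190ebb4d18e0266260bb"   # value from the header


def normalize(imports):
    """pefile's imphash input: 'dll.func' pairs, lower case, dll without its
    .dll/.ocx/.sys extension, joined by commas in import order."""
    pairs = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        pairs.extend(f"{lib}.{f.lower()}" for f in funcs)
    return ",".join(pairs)


def imphash(imports):
    return hashlib.md5(normalize(imports).encode("ascii")).hexdigest()


def last_slot(first_slot, count, ptr_size=4):
    """Address of the last thunk in an array of `count` entries (PE32: 4 bytes)."""
    return first_slot + (count - 1) * ptr_size


def next_array(first_slot, count, ptr_size=4):
    """Where the following DLL's array starts: `count` thunks plus the null
    terminator that ends every IAT array."""
    return first_slot + (count + 1) * ptr_size


if __name__ == "__main__":
    h = imphash(IMPORTS)
    verdict = "matches" if h == REPORT_IMPHASH else \
        "differs: listing is not the full import directory in order, or uses ordinals"
    print(f"computed imphash {h} ({verdict} report value {REPORT_IMPHASH})")
    print(f"GDI32 array at 0x426000 with 2 entries -> next array at "
          f"{next_array(0x426000, 2):#x} (listed: 0x42600c)")
    print(f"KERNEL32 array at 0x42600c with 81 entries -> last slot at "
          f"{last_slot(0x42600c, 81):#x} (listed: 0x42614c)")
```

The address arithmetic is a cheap way to catch a truncated or mis-scraped import listing before trusting a hash computed from it; the extension stripping and lower-casing are the parts of imphash that most often trip up hand-rolled reimplementations.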


