Field | Value |
---|---|
Created | 2023.06.26 10:20 |
Machine | s1_win7_x6403 |
Filename | 4444.exe |
Type | PE32 executable (console) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 26 detected (AIDetectMalware, malicious, high confidence, Artemis, Vg37, confidence, 100%, Attribute, HighConfidence, score, Exploitx, PWSX, RedLine, Wacatac, Detected, unsafe, Chgt, Generic@AI, RDML, R+odzN1l5GyYIonFflihaQ, susgen, PossibleThreat) |
md5 | ee539424f2973dd2a45ab3b8f10128b6 |
sha256 | e9c59b97d4d0be711dc6a0f47d8b16fa6d4e0a8cbfab702ab9f0642d1825319b |
ssdeep | 12288:RRRDg99w/4aRmKCOrWtLvvsdO66GlJh69KRNjpgcf0vBPJJeRIlIu45y8jyISQRb:R0bDaRmZOrWtLv0dO6DJEE0vBPJJfdi |
imphash | 031de5dc510e9e46afc18b1a5c0c3814 |
impfuzzy | 48:VmCoWJcpH+PdD9vrxQSXtXVZrBt8XzbQo31uFZGHD:VmCoWJcpH+P51rxHXtXVxBt8XPQVU |
Network IP location
Signature (27cnts)
Level | Description |
---|---|
danger | Executed a process and injected code into it |
warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Collects information about installed applications |
watch | Communicates with host for which no DNS query was performed |
watch | Executes one or more WMI queries |
watch | Harvests credentials from local FTP client software |
watch | One or more of the buffers contains an embedded PE file |
watch | Potential code injection by writing to the memory of another process |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Executes one or more WMI queries which can be used to identify virtual machines |
notice | One or more potentially interesting buffers were extracted |
notice | Queries for potentially installed applications |
notice | Steals private information from local Internet browsers |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
info | The executable uses a known packer |
info | This executable has a PDB path |
info | Tries to locate where the browsers are installed |
info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
PE API
IAT (Import Address Table) Library
SHELL32.dll
0x4c62bc None
KERNEL32.dll
0x4c6000 InitializeCriticalSectionAndSpinCount
0x4c6004 CreateFileW
0x4c6008 VirtualProtect
0x4c600c GetModuleHandleW
0x4c6010 GetProcAddress
0x4c6014 RaiseException
0x4c6018 InitializeSRWLock
0x4c601c ReleaseSRWLockExclusive
0x4c6020 AcquireSRWLockExclusive
0x4c6024 EnterCriticalSection
0x4c6028 LeaveCriticalSection
0x4c602c InitializeCriticalSectionEx
0x4c6030 TryEnterCriticalSection
0x4c6034 DeleteCriticalSection
0x4c6038 GetCurrentThreadId
0x4c603c InitializeConditionVariable
0x4c6040 WakeConditionVariable
0x4c6044 WakeAllConditionVariable
0x4c6048 SleepConditionVariableCS
0x4c604c SleepConditionVariableSRW
0x4c6050 FormatMessageA
0x4c6054 WideCharToMultiByte
0x4c6058 MultiByteToWideChar
0x4c605c GetStringTypeW
0x4c6060 InitOnceBeginInitialize
0x4c6064 InitOnceComplete
0x4c6068 GetLastError
0x4c606c FreeLibraryWhenCallbackReturns
0x4c6070 CreateThreadpoolWork
0x4c6074 SubmitThreadpoolWork
0x4c6078 CloseThreadpoolWork
0x4c607c GetModuleHandleExW
0x4c6080 RtlCaptureStackBackTrace
0x4c6084 IsProcessorFeaturePresent
0x4c6088 QueryPerformanceCounter
0x4c608c QueryPerformanceFrequency
0x4c6090 SetFileInformationByHandle
0x4c6094 FlsAlloc
0x4c6098 FlsGetValue
0x4c609c FlsSetValue
0x4c60a0 FlsFree
0x4c60a4 InitOnceExecuteOnce
0x4c60a8 CreateEventExW
0x4c60ac CreateSemaphoreExW
0x4c60b0 FlushProcessWriteBuffers
0x4c60b4 GetCurrentProcessorNumber
0x4c60b8 GetSystemTimeAsFileTime
0x4c60bc GetTickCount64
0x4c60c0 CreateThreadpoolTimer
0x4c60c4 SetThreadpoolTimer
0x4c60c8 WaitForThreadpoolTimerCallbacks
0x4c60cc CloseThreadpoolTimer
0x4c60d0 CreateThreadpoolWait
0x4c60d4 SetThreadpoolWait
0x4c60d8 CloseThreadpoolWait
0x4c60dc GetFileInformationByHandleEx
0x4c60e0 CreateSymbolicLinkW
0x4c60e4 CloseHandle
0x4c60e8 WaitForSingleObjectEx
0x4c60ec Sleep
0x4c60f0 SwitchToThread
0x4c60f4 GetExitCodeThread
0x4c60f8 GetNativeSystemInfo
0x4c60fc LocalFree
0x4c6100 EncodePointer
0x4c6104 DecodePointer
0x4c6108 LCMapStringEx
0x4c610c GetLocaleInfoEx
0x4c6110 CompareStringEx
0x4c6114 GetCPInfo
0x4c6118 WriteConsoleW
0x4c611c SetEvent
0x4c6120 ResetEvent
0x4c6124 CreateEventW
0x4c6128 IsDebuggerPresent
0x4c612c UnhandledExceptionFilter
0x4c6130 SetUnhandledExceptionFilter
0x4c6134 GetStartupInfoW
0x4c6138 GetCurrentProcess
0x4c613c TerminateProcess
0x4c6140 GetCurrentProcessId
0x4c6144 InitializeSListHead
0x4c6148 ReadConsoleW
0x4c614c RtlUnwind
0x4c6150 InterlockedPushEntrySList
0x4c6154 InterlockedFlushSList
0x4c6158 SetLastError
0x4c615c TlsAlloc
0x4c6160 TlsGetValue
0x4c6164 TlsSetValue
0x4c6168 TlsFree
0x4c616c FreeLibrary
0x4c6170 LoadLibraryExW
0x4c6174 CreateThread
0x4c6178 ExitThread
0x4c617c ResumeThread
0x4c6180 FreeLibraryAndExitThread
0x4c6184 ExitProcess
0x4c6188 GetModuleFileNameW
0x4c618c GetStdHandle
0x4c6190 WriteFile
0x4c6194 GetCommandLineA
0x4c6198 GetCommandLineW
0x4c619c GetCurrentThread
0x4c61a0 HeapFree
0x4c61a4 HeapAlloc
0x4c61a8 SetConsoleCtrlHandler
0x4c61ac GetDateFormatW
0x4c61b0 GetTimeFormatW
0x4c61b4 CompareStringW
0x4c61b8 LCMapStringW
0x4c61bc GetLocaleInfoW
0x4c61c0 IsValidLocale
0x4c61c4 GetUserDefaultLCID
0x4c61c8 EnumSystemLocalesW
0x4c61cc GetFileType
0x4c61d0 GetFileSizeEx
0x4c61d4 SetFilePointerEx
0x4c61d8 HeapReAlloc
0x4c61dc GetTimeZoneInformation
0x4c61e0 FindClose
0x4c61e4 FindFirstFileExW
0x4c61e8 FindNextFileW
0x4c61ec IsValidCodePage
0x4c61f0 GetACP
0x4c61f4 GetOEMCP
0x4c61f8 GetEnvironmentStringsW
0x4c61fc FreeEnvironmentStringsW
0x4c6200 SetEnvironmentVariableW
0x4c6204 GetProcessHeap
0x4c6208 OutputDebugStringW
0x4c620c SetStdHandle
0x4c6210 FlushFileBuffers
0x4c6214 GetConsoleOutputCP
0x4c6218 GetConsoleMode
0x4c621c HeapSize
0x4c6220 ReadFile
EAT(Export Address Table) is none
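The signature table above fires on the classic hollowing sequence (spawn a process, allocate executable memory in it, write a buffer containing an embedded PE, NtSetContextThread, ResumeThread), yet the IAT just listed contains none of WriteProcessMemory, VirtualAllocEx or CreateProcessW, and no ntdll import at all. A UPX-packed sample resolves those through GetProcAddress at runtime, so the static import list understates its capability. The script below is an added example, not the sandbox's or the sample's own code: it parses a constructed API trace in a line format assumed here (the pids, paths and argument names are made up), groups remote calls by source and target process, classifies each pair, and diffs the APIs actually called against a subset of the KERNEL32 names from this report's IAT to show which ones had to be resolved at runtime.

```python
"""Hunt for the process-injection chain behind this report's signatures.

Added example (not code from the sandbox or from the sample). Parses a
constructed API trace, groups calls by (source pid, target pid), and
classifies each pair as process hollowing, generic injection, or a bare
remote write. Also diffs the APIs the sample called against its static
import table, since the report's IAT lists no WriteProcessMemory,
VirtualAllocEx, CreateProcessW or ntdll entry: a packed sample resolves
those via GetProcAddress, so a static import scan alone would miss them.
"""
import re
from collections import defaultdict

# Constructed sandbox trace, not taken from the report. Assumed format:
#   "<pid> <api>(<key>=<value>, ...) = <return>"
# "target" names the process a remote call acts on; pids are made up.
TRACE = """\
1234 VirtualAlloc(size=0x20000, protect=0x40) = 0x2a0000
1234 CreateProcessW(app=target.exe, flags=0x4, target=5678) = 1
1234 VirtualAllocEx(target=5678, addr=0x400000, size=0x1c000, protect=0x40) = 0x400000
1234 WriteProcessMemory(target=5678, addr=0x400000, size=0x1c000) = 1
1234 NtSetContextThread(target=5678) = 0
1234 ResumeThread(target=5678) = 1
1234 WriteProcessMemory(target=7777, addr=0x10000, size=0x100) = 1
"""

# Subset of the KERNEL32 imports listed in the report's IAT section.
STATIC_IAT = {
    "CreateFileW", "VirtualProtect", "GetModuleHandleW", "GetProcAddress",
    "LoadLibraryExW", "CreateThread", "ResumeThread", "IsDebuggerPresent",
    "GetNativeSystemInfo", "HeapAlloc", "WriteFile", "ReadFile",
}

CREATE_SUSPENDED = 0x4
STEP_OF = {  # API name -> role in an injection chain
    "CreateProcessW": "spawn", "CreateProcessA": "spawn", "CreateProcessInternalW": "spawn",
    "VirtualAllocEx": "alloc", "NtAllocateVirtualMemory": "alloc", "VirtualProtectEx": "alloc",
    "WriteProcessMemory": "write", "NtWriteVirtualMemory": "write",
    "NtSetContextThread": "context", "SetThreadContext": "context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$")


def parse(trace):
    """Turn trace lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = {}
        for part in m.group("args").split(","):
            if "=" in part:
                k, v = part.split("=", 1)
                args[k.strip()] = v.strip()
        events.append({"pid": int(m.group("pid")), "api": m.group("api"), "args": args})
    return events


def find_injection_chains(events):
    """Map (source pid, target pid) -> verdict for every remote-process interaction."""
    steps = defaultdict(list)
    suspended = set()
    for ev in events:
        role, target = STEP_OF.get(ev["api"]), ev["args"].get("target")
        if role is None or target is None:
            continue  # local call (e.g. VirtualAlloc) or not part of a chain
        key = (ev["pid"], int(target))
        if role == "spawn" and int(ev["args"].get("flags", "0"), 16) & CREATE_SUSPENDED:
            suspended.add(key)
        steps[key].append(role)

    def before(seq, a, b):  # first occurrence of a precedes last occurrence of b
        return a in seq and b in seq and seq.index(a) < len(seq) - 1 - seq[::-1].index(b)

    verdicts = {}
    for key, seq in steps.items():
        if key in suspended and before(seq, "write", "context") and before(seq, "context", "resume"):
            verdicts[key] = "process_hollowing"
        elif before(seq, "write", "resume") or before(seq, "write", "context"):
            verdicts[key] = "code_injection"
        elif "write" in seq or "alloc" in seq:
            verdicts[key] = "remote_write_only"
    return verdicts


def runtime_resolved(events, static_iat, pid):
    """APIs the process called that its static IAT never names (resolved dynamically)."""
    called = {ev["api"] for ev in events if ev["pid"] == pid}
    return sorted(called - static_iat)


if __name__ == "__main__":
    evs = parse(TRACE)
    for pair, verdict in find_injection_chains(evs).items():
        print(f"{pair[0]} -> {pair[1]}: {verdict}")
    print("resolved at runtime:", runtime_resolved(evs, STATIC_IAT, 1234))
```

On the constructed trace the 1234 -> 5678 pair is classified as process hollowing because the child was created with CREATE_SUSPENDED and the write precedes the context change, which precedes the resume; the lone write to 7777 only earns a watch-level verdict. The runtime-resolved list is the point for triage: ResumeThread is the only API of the chain present in the static IAT, so a rule keyed on imports would see a plain console program, while a rule keyed on the ordered call sequence sees the injection.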