ScreenShot
| Created | 2023.06.27 07:33 | Machine | s1_win7_x6401 |
| Filename | sxemabyrtk_crypted.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 15 detected (GenericRXWE, Attribute, HighConfidence, malicious, high confidence, score, FileRepMalware, Misc, Artemis, RedlineStealer, Detected, confidence) | ||
| md5 | d834c163435fbe314dec88b9a4fa7e3d | ||
| sha256 | 6c179d691a26bbd73a256b15dd6dfa87f1f829bd68126ebb7de672d0fd0653e6 | ||
| ssdeep | 24576:tjVLa8d1JtY49S/38dRifPo3kd2aT/lHx:5d1JtY49S/BYUd7T/lHx | ||
| imphash | db545565cd79ae4a0e6ac06ef80b9ee3 | ||
| impfuzzy | 24:2xS6cpVWZF9ZDrYtMS1wGzplJBl3eDoLoEOovbOZFuFZMvyTq+lEZHu9cGM36:2xdcpVeF9VrYtMS1wGzPpXc3fuFZGBW | ||
Network IP location
Signature (26cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | File has been identified by 15 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | One or more potentially interesting buffers were extracted |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
GDI32.dll
0x4b7000 SetEnhMetaFileBits
0x4b7004 GdiGetBatchLimit
0x4b7008 SetDCBrushColor
KERNEL32.dll
0x4b7038 VirtualProtect
0x4b703c FreeConsole
0x4b7040 WideCharToMultiByte
0x4b7044 MultiByteToWideChar
0x4b7048 GetStringTypeW
0x4b704c EnterCriticalSection
0x4b7050 LeaveCriticalSection
0x4b7054 InitializeCriticalSectionEx
0x4b7058 DeleteCriticalSection
0x4b705c EncodePointer
0x4b7060 DecodePointer
0x4b7064 LCMapStringEx
0x4b7068 FormatMessageA
0x4b706c GetLocaleInfoEx
0x4b7070 LocalFree
0x4b7074 CompareStringEx
0x4b7078 GetCPInfo
0x4b707c UnhandledExceptionFilter
0x4b7080 SetUnhandledExceptionFilter
0x4b7084 GetCurrentProcess
0x4b7088 TerminateProcess
0x4b708c IsProcessorFeaturePresent
0x4b7090 QueryPerformanceCounter
0x4b7094 GetCurrentProcessId
0x4b7098 GetCurrentThreadId
0x4b709c GetSystemTimeAsFileTime
0x4b70a0 InitializeSListHead
0x4b70a4 IsDebuggerPresent
0x4b70a8 GetStartupInfoW
0x4b70ac GetModuleHandleW
0x4b70b0 CreateFileW
0x4b70b4 RaiseException
0x4b70b8 RtlUnwind
0x4b70bc InterlockedPushEntrySList
0x4b70c0 InterlockedFlushSList
0x4b70c4 GetLastError
0x4b70c8 SetLastError
0x4b70cc InitializeCriticalSectionAndSpinCount
0x4b70d0 TlsAlloc
0x4b70d4 TlsGetValue
0x4b70d8 TlsSetValue
0x4b70dc TlsFree
0x4b70e0 FreeLibrary
0x4b70e4 GetProcAddress
0x4b70e8 LoadLibraryExW
0x4b70ec GetStdHandle
0x4b70f0 WriteFile
0x4b70f4 GetModuleFileNameW
0x4b70f8 ExitProcess
0x4b70fc GetModuleHandleExW
0x4b7100 GetCommandLineA
0x4b7104 GetCommandLineW
0x4b7108 GetCurrentThread
0x4b710c HeapFree
0x4b7110 HeapAlloc
0x4b7114 GetDateFormatW
0x4b7118 GetTimeFormatW
0x4b711c CompareStringW
0x4b7120 LCMapStringW
0x4b7124 GetLocaleInfoW
0x4b7128 IsValidLocale
0x4b712c GetUserDefaultLCID
0x4b7130 EnumSystemLocalesW
0x4b7134 GetFileType
0x4b7138 HeapReAlloc
0x4b713c SetConsoleCtrlHandler
0x4b7140 GetTimeZoneInformation
0x4b7144 OutputDebugStringW
0x4b7148 FindClose
0x4b714c FindFirstFileExW
0x4b7150 FindNextFileW
0x4b7154 IsValidCodePage
0x4b7158 GetACP
0x4b715c GetOEMCP
0x4b7160 GetEnvironmentStringsW
0x4b7164 FreeEnvironmentStringsW
0x4b7168 SetEnvironmentVariableW
0x4b716c SetStdHandle
0x4b7170 GetProcessHeap
0x4b7174 FlushFileBuffers
0x4b7178 GetConsoleOutputCP
0x4b717c GetConsoleMode
0x4b7180 GetFileSizeEx
0x4b7184 SetFilePointerEx
0x4b7188 HeapSize
0x4b718c CloseHandle
0x4b7190 ReadFile
0x4b7194 ReadConsoleW
0x4b7198 WriteConsoleW
EAT(Export Address Table) is none
GDI32.dll
0x4b7000 SetEnhMetaFileBits
0x4b7004 GdiGetBatchLimit
0x4b7008 SetDCBrushColor
KERNEL32.dll
0x4b7038 VirtualProtect
0x4b703c FreeConsole
0x4b7040 WideCharToMultiByte
0x4b7044 MultiByteToWideChar
0x4b7048 GetStringTypeW
0x4b704c EnterCriticalSection
0x4b7050 LeaveCriticalSection
0x4b7054 InitializeCriticalSectionEx
0x4b7058 DeleteCriticalSection
0x4b705c EncodePointer
0x4b7060 DecodePointer
0x4b7064 LCMapStringEx
0x4b7068 FormatMessageA
0x4b706c GetLocaleInfoEx
0x4b7070 LocalFree
0x4b7074 CompareStringEx
0x4b7078 GetCPInfo
0x4b707c UnhandledExceptionFilter
0x4b7080 SetUnhandledExceptionFilter
0x4b7084 GetCurrentProcess
0x4b7088 TerminateProcess
0x4b708c IsProcessorFeaturePresent
0x4b7090 QueryPerformanceCounter
0x4b7094 GetCurrentProcessId
0x4b7098 GetCurrentThreadId
0x4b709c GetSystemTimeAsFileTime
0x4b70a0 InitializeSListHead
0x4b70a4 IsDebuggerPresent
0x4b70a8 GetStartupInfoW
0x4b70ac GetModuleHandleW
0x4b70b0 CreateFileW
0x4b70b4 RaiseException
0x4b70b8 RtlUnwind
0x4b70bc InterlockedPushEntrySList
0x4b70c0 InterlockedFlushSList
0x4b70c4 GetLastError
0x4b70c8 SetLastError
0x4b70cc InitializeCriticalSectionAndSpinCount
0x4b70d0 TlsAlloc
0x4b70d4 TlsGetValue
0x4b70d8 TlsSetValue
0x4b70dc TlsFree
0x4b70e0 FreeLibrary
0x4b70e4 GetProcAddress
0x4b70e8 LoadLibraryExW
0x4b70ec GetStdHandle
0x4b70f0 WriteFile
0x4b70f4 GetModuleFileNameW
0x4b70f8 ExitProcess
0x4b70fc GetModuleHandleExW
0x4b7100 GetCommandLineA
0x4b7104 GetCommandLineW
0x4b7108 GetCurrentThread
0x4b710c HeapFree
0x4b7110 HeapAlloc
0x4b7114 GetDateFormatW
0x4b7118 GetTimeFormatW
0x4b711c CompareStringW
0x4b7120 LCMapStringW
0x4b7124 GetLocaleInfoW
0x4b7128 IsValidLocale
0x4b712c GetUserDefaultLCID
0x4b7130 EnumSystemLocalesW
0x4b7134 GetFileType
0x4b7138 HeapReAlloc
0x4b713c SetConsoleCtrlHandler
0x4b7140 GetTimeZoneInformation
0x4b7144 OutputDebugStringW
0x4b7148 FindClose
0x4b714c FindFirstFileExW
0x4b7150 FindNextFileW
0x4b7154 IsValidCodePage
0x4b7158 GetACP
0x4b715c GetOEMCP
0x4b7160 GetEnvironmentStringsW
0x4b7164 FreeEnvironmentStringsW
0x4b7168 SetEnvironmentVariableW
0x4b716c SetStdHandle
0x4b7170 GetProcessHeap
0x4b7174 FlushFileBuffers
0x4b7178 GetConsoleOutputCP
0x4b717c GetConsoleMode
0x4b7180 GetFileSizeEx
0x4b7184 SetFilePointerEx
0x4b7188 HeapSize
0x4b718c CloseHandle
0x4b7190 ReadFile
0x4b7194 ReadConsoleW
0x4b7198 WriteConsoleW
EAT(Export Address Table) is none