ScreenShot
| Created | 2023.06.29 07:42 | Machine | s1_win7_x6403 |
| Filename | TopSofts.Setup.exe | ||
| Type | PE32 executable (console) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 32 detected (AIDetectMalware, Lazy, Artemis, malicious, confidence, CNCA, Attribute, HighConfidence, high confidence, Kryptik, HTXZ, Exploitx, Reline, PWSX, RedLineNET, ai score=82, Sabsik, score, R588752, BScope, TrojanPSW, RedLine, susgen) | ||
| md5 | 7b6479306a1bb71a9fb4413e295bf683 | ||
| sha256 | 39215d069afee8965abfee97b1c32dcd45e3cccc2282dc8118a1e2f6990ec02c | ||
| ssdeep | 24576:YSHN/eXZGlK69vW1dXPvA8BkYbIg/moir37:YXZGlK69ujAE/1uoiH | ||
| imphash | 68fdd1c7294ac28e69cf031b36cbf00b | ||
| impfuzzy | 48:KgtJUXoWJcpH+PdD9vrxQSXtX3rmbt8zzbQo31uFZGH4:sXoWJcpH+P51rxHXtXbmbt8zPQV7 | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | Executed a process and injected code into it |
| danger | File has been identified by 32 AntiVirus engines on VirusTotal as malicious |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Communicates with host for which no DNS query was performed |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | One or more potentially interesting buffers were extracted |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | One or more processes crashed |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | The executable uses a known packer |
| info | This executable has a PDB path |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
SHELL32.dll
0x5132f4 None
USER32.dll
0x513324 SetCapture
0x513328 GetWindowRect
GDI32.dll
0x513000 GdiGetBatchLimit
0x513004 MoveToEx
0x513008 SetSystemPaletteUse
KERNEL32.dll
0x513038 HeapSize
0x51303c ReadFile
0x513040 ReadConsoleW
0x513044 CreateFileW
0x513048 LCMapStringEx
0x51304c VirtualProtect
0x513050 GetModuleHandleW
0x513054 GetProcAddress
0x513058 RaiseException
0x51305c InitializeSRWLock
0x513060 ReleaseSRWLockExclusive
0x513064 AcquireSRWLockExclusive
0x513068 EnterCriticalSection
0x51306c LeaveCriticalSection
0x513070 InitializeCriticalSectionEx
0x513074 TryEnterCriticalSection
0x513078 DeleteCriticalSection
0x51307c GetCurrentThreadId
0x513080 InitializeConditionVariable
0x513084 WakeConditionVariable
0x513088 WakeAllConditionVariable
0x51308c SleepConditionVariableCS
0x513090 SleepConditionVariableSRW
0x513094 FormatMessageA
0x513098 WideCharToMultiByte
0x51309c MultiByteToWideChar
0x5130a0 GetStringTypeW
0x5130a4 InitOnceBeginInitialize
0x5130a8 InitOnceComplete
0x5130ac GetLastError
0x5130b0 FreeLibraryWhenCallbackReturns
0x5130b4 CreateThreadpoolWork
0x5130b8 SubmitThreadpoolWork
0x5130bc CloseThreadpoolWork
0x5130c0 GetModuleHandleExW
0x5130c4 RtlCaptureStackBackTrace
0x5130c8 IsProcessorFeaturePresent
0x5130cc QueryPerformanceCounter
0x5130d0 QueryPerformanceFrequency
0x5130d4 SetFileInformationByHandle
0x5130d8 FlsAlloc
0x5130dc FlsGetValue
0x5130e0 FlsSetValue
0x5130e4 FlsFree
0x5130e8 InitOnceExecuteOnce
0x5130ec CreateEventExW
0x5130f0 CreateSemaphoreExW
0x5130f4 FlushProcessWriteBuffers
0x5130f8 GetCurrentProcessorNumber
0x5130fc GetSystemTimeAsFileTime
0x513100 GetTickCount64
0x513104 CreateThreadpoolTimer
0x513108 SetThreadpoolTimer
0x51310c WaitForThreadpoolTimerCallbacks
0x513110 CloseThreadpoolTimer
0x513114 CreateThreadpoolWait
0x513118 SetThreadpoolWait
0x51311c CloseThreadpoolWait
0x513120 GetFileInformationByHandleEx
0x513124 CreateSymbolicLinkW
0x513128 CloseHandle
0x51312c WaitForSingleObjectEx
0x513130 Sleep
0x513134 SwitchToThread
0x513138 GetExitCodeThread
0x51313c GetNativeSystemInfo
0x513140 LocalFree
0x513144 EncodePointer
0x513148 DecodePointer
0x51314c WriteConsoleW
0x513150 GetLocaleInfoEx
0x513154 CompareStringEx
0x513158 GetCPInfo
0x51315c InitializeCriticalSectionAndSpinCount
0x513160 SetEvent
0x513164 ResetEvent
0x513168 CreateEventW
0x51316c IsDebuggerPresent
0x513170 UnhandledExceptionFilter
0x513174 SetUnhandledExceptionFilter
0x513178 GetStartupInfoW
0x51317c GetCurrentProcess
0x513180 TerminateProcess
0x513184 GetCurrentProcessId
0x513188 InitializeSListHead
0x51318c GetConsoleMode
0x513190 RtlUnwind
0x513194 InterlockedPushEntrySList
0x513198 InterlockedFlushSList
0x51319c SetLastError
0x5131a0 TlsAlloc
0x5131a4 TlsGetValue
0x5131a8 TlsSetValue
0x5131ac TlsFree
0x5131b0 FreeLibrary
0x5131b4 LoadLibraryExW
0x5131b8 CreateThread
0x5131bc ExitThread
0x5131c0 ResumeThread
0x5131c4 FreeLibraryAndExitThread
0x5131c8 ExitProcess
0x5131cc GetModuleFileNameW
0x5131d0 GetStdHandle
0x5131d4 WriteFile
0x5131d8 GetCommandLineA
0x5131dc GetCommandLineW
0x5131e0 GetCurrentThread
0x5131e4 HeapFree
0x5131e8 HeapAlloc
0x5131ec SetConsoleCtrlHandler
0x5131f0 GetDateFormatW
0x5131f4 GetTimeFormatW
0x5131f8 CompareStringW
0x5131fc LCMapStringW
0x513200 GetLocaleInfoW
0x513204 IsValidLocale
0x513208 GetUserDefaultLCID
0x51320c EnumSystemLocalesW
0x513210 GetFileType
0x513214 GetFileSizeEx
0x513218 SetFilePointerEx
0x51321c HeapReAlloc
0x513220 GetTimeZoneInformation
0x513224 FindClose
0x513228 FindFirstFileExW
0x51322c FindNextFileW
0x513230 IsValidCodePage
0x513234 GetACP
0x513238 GetOEMCP
0x51323c GetEnvironmentStringsW
0x513240 FreeEnvironmentStringsW
0x513244 SetEnvironmentVariableW
0x513248 GetProcessHeap
0x51324c OutputDebugStringW
0x513250 SetStdHandle
0x513254 FlushFileBuffers
0x513258 GetConsoleOutputCP
EAT(Export Address Table) is none
SHELL32.dll
0x5132f4 None
USER32.dll
0x513324 SetCapture
0x513328 GetWindowRect
GDI32.dll
0x513000 GdiGetBatchLimit
0x513004 MoveToEx
0x513008 SetSystemPaletteUse
KERNEL32.dll
0x513038 HeapSize
0x51303c ReadFile
0x513040 ReadConsoleW
0x513044 CreateFileW
0x513048 LCMapStringEx
0x51304c VirtualProtect
0x513050 GetModuleHandleW
0x513054 GetProcAddress
0x513058 RaiseException
0x51305c InitializeSRWLock
0x513060 ReleaseSRWLockExclusive
0x513064 AcquireSRWLockExclusive
0x513068 EnterCriticalSection
0x51306c LeaveCriticalSection
0x513070 InitializeCriticalSectionEx
0x513074 TryEnterCriticalSection
0x513078 DeleteCriticalSection
0x51307c GetCurrentThreadId
0x513080 InitializeConditionVariable
0x513084 WakeConditionVariable
0x513088 WakeAllConditionVariable
0x51308c SleepConditionVariableCS
0x513090 SleepConditionVariableSRW
0x513094 FormatMessageA
0x513098 WideCharToMultiByte
0x51309c MultiByteToWideChar
0x5130a0 GetStringTypeW
0x5130a4 InitOnceBeginInitialize
0x5130a8 InitOnceComplete
0x5130ac GetLastError
0x5130b0 FreeLibraryWhenCallbackReturns
0x5130b4 CreateThreadpoolWork
0x5130b8 SubmitThreadpoolWork
0x5130bc CloseThreadpoolWork
0x5130c0 GetModuleHandleExW
0x5130c4 RtlCaptureStackBackTrace
0x5130c8 IsProcessorFeaturePresent
0x5130cc QueryPerformanceCounter
0x5130d0 QueryPerformanceFrequency
0x5130d4 SetFileInformationByHandle
0x5130d8 FlsAlloc
0x5130dc FlsGetValue
0x5130e0 FlsSetValue
0x5130e4 FlsFree
0x5130e8 InitOnceExecuteOnce
0x5130ec CreateEventExW
0x5130f0 CreateSemaphoreExW
0x5130f4 FlushProcessWriteBuffers
0x5130f8 GetCurrentProcessorNumber
0x5130fc GetSystemTimeAsFileTime
0x513100 GetTickCount64
0x513104 CreateThreadpoolTimer
0x513108 SetThreadpoolTimer
0x51310c WaitForThreadpoolTimerCallbacks
0x513110 CloseThreadpoolTimer
0x513114 CreateThreadpoolWait
0x513118 SetThreadpoolWait
0x51311c CloseThreadpoolWait
0x513120 GetFileInformationByHandleEx
0x513124 CreateSymbolicLinkW
0x513128 CloseHandle
0x51312c WaitForSingleObjectEx
0x513130 Sleep
0x513134 SwitchToThread
0x513138 GetExitCodeThread
0x51313c GetNativeSystemInfo
0x513140 LocalFree
0x513144 EncodePointer
0x513148 DecodePointer
0x51314c WriteConsoleW
0x513150 GetLocaleInfoEx
0x513154 CompareStringEx
0x513158 GetCPInfo
0x51315c InitializeCriticalSectionAndSpinCount
0x513160 SetEvent
0x513164 ResetEvent
0x513168 CreateEventW
0x51316c IsDebuggerPresent
0x513170 UnhandledExceptionFilter
0x513174 SetUnhandledExceptionFilter
0x513178 GetStartupInfoW
0x51317c GetCurrentProcess
0x513180 TerminateProcess
0x513184 GetCurrentProcessId
0x513188 InitializeSListHead
0x51318c GetConsoleMode
0x513190 RtlUnwind
0x513194 InterlockedPushEntrySList
0x513198 InterlockedFlushSList
0x51319c SetLastError
0x5131a0 TlsAlloc
0x5131a4 TlsGetValue
0x5131a8 TlsSetValue
0x5131ac TlsFree
0x5131b0 FreeLibrary
0x5131b4 LoadLibraryExW
0x5131b8 CreateThread
0x5131bc ExitThread
0x5131c0 ResumeThread
0x5131c4 FreeLibraryAndExitThread
0x5131c8 ExitProcess
0x5131cc GetModuleFileNameW
0x5131d0 GetStdHandle
0x5131d4 WriteFile
0x5131d8 GetCommandLineA
0x5131dc GetCommandLineW
0x5131e0 GetCurrentThread
0x5131e4 HeapFree
0x5131e8 HeapAlloc
0x5131ec SetConsoleCtrlHandler
0x5131f0 GetDateFormatW
0x5131f4 GetTimeFormatW
0x5131f8 CompareStringW
0x5131fc LCMapStringW
0x513200 GetLocaleInfoW
0x513204 IsValidLocale
0x513208 GetUserDefaultLCID
0x51320c EnumSystemLocalesW
0x513210 GetFileType
0x513214 GetFileSizeEx
0x513218 SetFilePointerEx
0x51321c HeapReAlloc
0x513220 GetTimeZoneInformation
0x513224 FindClose
0x513228 FindFirstFileExW
0x51322c FindNextFileW
0x513230 IsValidCodePage
0x513234 GetACP
0x513238 GetOEMCP
0x51323c GetEnvironmentStringsW
0x513240 FreeEnvironmentStringsW
0x513244 SetEnvironmentVariableW
0x513248 GetProcessHeap
0x51324c OutputDebugStringW
0x513250 SetStdHandle
0x513254 FlushFileBuffers
0x513258 GetConsoleOutputCP
EAT(Export Address Table) is none