ScreenShot
| Created | 2023.07.05 07:35 | Machine | s1_win7_x6401 |
| Filename | 2.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | |||
| VT API (file) | |||
| md5 | b4201f7cb7c1c06c4f728c8d92987285 | ||
| sha256 | a1de034354cb572f503d34ab3823b9c2a70607b10f6a380aa2002e1d81074729 | ||
| ssdeep | 6144:vFQ+cKPRBdsmyUzvw3AwPHDLd1x/AO99ZFvQ6JMJ5Wx6/umZxXzZApb4wdiNN:+WRBdsmyU7wPHxf3xRJAb/zZeiD | ||
| imphash | c0b982935066cb4c97fab7a3ba797919 | ||
| impfuzzy | 24:Kg+RjlhQKAWJcpH+PdLakbjeDfjdcPl94GtnbJh9LLOovbO3gv9FZ+GMACEZHu9n:Kg+poWJcpH+PdH/PcGtnDJ63y9FZs | ||
Network IP location
Signature (27cnts)
| Level | Description |
|---|---|
| danger | Executed a process and injected code into it |
| watch | Allocates execute permission to another process indicative of possible code injection |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Executes one or more WMI queries |
| watch | Harvests credentials from local FTP client softwares |
| watch | One or more of the buffers contains an embedded PE file |
| watch | Potential code injection by writing to the memory of another process |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | Used NtSetContextThread to modify a thread in a remote process indicative of process injection |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Steals private information from local Internet browsers |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | The executable contains unknown PE section names indicative of a packer (could be a false positive) |
| info | Tries to locate where the browsers are installed |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (14cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | RedLine_Stealer_m_Zero | RedLine stealer | memory |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
PE API
IAT(Import Address Table) Library
SHELL32.dll
0x426190 None
USER32.dll
0x426198 DragDetect
GDI32.dll
0x426000 GdiGetBatchLimit
KERNEL32.dll
0x426008 GetProcessHeap
0x42600c HeapSize
0x426010 CreateFileW
0x426014 CloseHandle
0x426018 WaitForSingleObject
0x42601c CreateThread
0x426020 VirtualProtectEx
0x426024 RaiseException
0x426028 InitializeSRWLock
0x42602c ReleaseSRWLockExclusive
0x426030 AcquireSRWLockExclusive
0x426034 EnterCriticalSection
0x426038 LeaveCriticalSection
0x42603c InitializeCriticalSectionEx
0x426040 TryEnterCriticalSection
0x426044 DeleteCriticalSection
0x426048 GetCurrentThreadId
0x42604c InitializeConditionVariable
0x426050 WakeConditionVariable
0x426054 WakeAllConditionVariable
0x426058 SleepConditionVariableCS
0x42605c SleepConditionVariableSRW
0x426060 WideCharToMultiByte
0x426064 InitOnceBeginInitialize
0x426068 InitOnceComplete
0x42606c GetLastError
0x426070 FreeLibraryWhenCallbackReturns
0x426074 CreateThreadpoolWork
0x426078 SubmitThreadpoolWork
0x42607c CloseThreadpoolWork
0x426080 GetModuleHandleExW
0x426084 IsProcessorFeaturePresent
0x426088 QueryPerformanceCounter
0x42608c GetSystemTimeAsFileTime
0x426090 GetModuleHandleW
0x426094 GetProcAddress
0x426098 WaitForSingleObjectEx
0x42609c EncodePointer
0x4260a0 DecodePointer
0x4260a4 MultiByteToWideChar
0x4260a8 LCMapStringEx
0x4260ac WriteConsoleW
0x4260b0 GetStringTypeW
0x4260b4 GetCPInfo
0x4260b8 InitializeCriticalSectionAndSpinCount
0x4260bc SetEvent
0x4260c0 ResetEvent
0x4260c4 CreateEventW
0x4260c8 GetCurrentProcessId
0x4260cc InitializeSListHead
0x4260d0 IsDebuggerPresent
0x4260d4 UnhandledExceptionFilter
0x4260d8 SetUnhandledExceptionFilter
0x4260dc GetStartupInfoW
0x4260e0 GetCurrentProcess
0x4260e4 TerminateProcess
0x4260e8 SetStdHandle
0x4260ec RtlUnwind
0x4260f0 SetLastError
0x4260f4 TlsAlloc
0x4260f8 TlsGetValue
0x4260fc TlsSetValue
0x426100 TlsFree
0x426104 FreeLibrary
0x426108 LoadLibraryExW
0x42610c GetStdHandle
0x426110 WriteFile
0x426114 GetModuleFileNameW
0x426118 ExitProcess
0x42611c GetCommandLineA
0x426120 GetCommandLineW
0x426124 HeapAlloc
0x426128 HeapFree
0x42612c GetFileType
0x426130 CompareStringW
0x426134 LCMapStringW
0x426138 GetLocaleInfoW
0x42613c IsValidLocale
0x426140 GetUserDefaultLCID
0x426144 EnumSystemLocalesW
0x426148 GetFileSizeEx
0x42614c SetFilePointerEx
0x426150 FlushFileBuffers
0x426154 GetConsoleOutputCP
0x426158 GetConsoleMode
0x42615c ReadFile
0x426160 ReadConsoleW
0x426164 HeapReAlloc
0x426168 FindClose
0x42616c FindFirstFileExW
0x426170 FindNextFileW
0x426174 IsValidCodePage
0x426178 GetACP
0x42617c GetOEMCP
0x426180 GetEnvironmentStringsW
0x426184 FreeEnvironmentStringsW
0x426188 SetEnvironmentVariableW
EAT(Export Address Table) is none
SHELL32.dll
0x426190 None
USER32.dll
0x426198 DragDetect
GDI32.dll
0x426000 GdiGetBatchLimit
KERNEL32.dll
0x426008 GetProcessHeap
0x42600c HeapSize
0x426010 CreateFileW
0x426014 CloseHandle
0x426018 WaitForSingleObject
0x42601c CreateThread
0x426020 VirtualProtectEx
0x426024 RaiseException
0x426028 InitializeSRWLock
0x42602c ReleaseSRWLockExclusive
0x426030 AcquireSRWLockExclusive
0x426034 EnterCriticalSection
0x426038 LeaveCriticalSection
0x42603c InitializeCriticalSectionEx
0x426040 TryEnterCriticalSection
0x426044 DeleteCriticalSection
0x426048 GetCurrentThreadId
0x42604c InitializeConditionVariable
0x426050 WakeConditionVariable
0x426054 WakeAllConditionVariable
0x426058 SleepConditionVariableCS
0x42605c SleepConditionVariableSRW
0x426060 WideCharToMultiByte
0x426064 InitOnceBeginInitialize
0x426068 InitOnceComplete
0x42606c GetLastError
0x426070 FreeLibraryWhenCallbackReturns
0x426074 CreateThreadpoolWork
0x426078 SubmitThreadpoolWork
0x42607c CloseThreadpoolWork
0x426080 GetModuleHandleExW
0x426084 IsProcessorFeaturePresent
0x426088 QueryPerformanceCounter
0x42608c GetSystemTimeAsFileTime
0x426090 GetModuleHandleW
0x426094 GetProcAddress
0x426098 WaitForSingleObjectEx
0x42609c EncodePointer
0x4260a0 DecodePointer
0x4260a4 MultiByteToWideChar
0x4260a8 LCMapStringEx
0x4260ac WriteConsoleW
0x4260b0 GetStringTypeW
0x4260b4 GetCPInfo
0x4260b8 InitializeCriticalSectionAndSpinCount
0x4260bc SetEvent
0x4260c0 ResetEvent
0x4260c4 CreateEventW
0x4260c8 GetCurrentProcessId
0x4260cc InitializeSListHead
0x4260d0 IsDebuggerPresent
0x4260d4 UnhandledExceptionFilter
0x4260d8 SetUnhandledExceptionFilter
0x4260dc GetStartupInfoW
0x4260e0 GetCurrentProcess
0x4260e4 TerminateProcess
0x4260e8 SetStdHandle
0x4260ec RtlUnwind
0x4260f0 SetLastError
0x4260f4 TlsAlloc
0x4260f8 TlsGetValue
0x4260fc TlsSetValue
0x426100 TlsFree
0x426104 FreeLibrary
0x426108 LoadLibraryExW
0x42610c GetStdHandle
0x426110 WriteFile
0x426114 GetModuleFileNameW
0x426118 ExitProcess
0x42611c GetCommandLineA
0x426120 GetCommandLineW
0x426124 HeapAlloc
0x426128 HeapFree
0x42612c GetFileType
0x426130 CompareStringW
0x426134 LCMapStringW
0x426138 GetLocaleInfoW
0x42613c IsValidLocale
0x426140 GetUserDefaultLCID
0x426144 EnumSystemLocalesW
0x426148 GetFileSizeEx
0x42614c SetFilePointerEx
0x426150 FlushFileBuffers
0x426154 GetConsoleOutputCP
0x426158 GetConsoleMode
0x42615c ReadFile
0x426160 ReadConsoleW
0x426164 HeapReAlloc
0x426168 FindClose
0x42616c FindFirstFileExW
0x426170 FindNextFileW
0x426174 IsValidCodePage
0x426178 GetACP
0x42617c GetOEMCP
0x426180 GetEnvironmentStringsW
0x426184 FreeEnvironmentStringsW
0x426188 SetEnvironmentVariableW
EAT(Export Address Table) is none